Message-ID: <59505.66.192.0.71.1045158172.squirrel@www.security-protocols.com>
From: badpack3t at security-protocols.com (badpack3t)
Subject: Unusual request
you're an 'Adjunct Information Security Officer' and you can't even figure out
a simple IIS exploit? hahahahah or where to research for one? lame....
> On Thu, 2003-02-13 at 07:58, Rapaille Max wrote:
>> Hi,
>>
>> I did this kind of demo 2-3 times already, with a Win2k SP2 and IIS.
>> To add a layer, we just added a firewall between the IIS and the
>> attacker PC .. with just Port 80 incoming and, as (too) usual, all
>> ports open for outgoing... Just using a unicode exploit, and then
>> loading some tools, defacing web page, taking remote control, etc...
>> A lot of fun for us, and great astonishment for the public..
>> Certainly with the firewall.. A lot of them were just saying, before
>> the demo : We are secure, our integrator installed a firewall...
>> BTW, we also used some tools like unicoder.pl and Upload.asp, to
>> demonstrate, in a second time, how easy it is, even if you don't know
>> what you do...
>>
>> Good effect of awareness for those managers, engineers, etc...
>
> That's precisely what I have in mind.
>
> --
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/~pauls/
> AVIEN Founding Member
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html