Gurou
Microsoft IIS 5.0 SSL Remote buffer overflow Exploit (MS04-011)

http://www.k-otik.com/exploits/04212004.THCIISSLame.c.php

Khran
Compiled version here:

http://www.thc.org/download.php?t=e&f=THCIISSLame.zip
jead99
Anyone tried it?
Alien
I tried a few IPs:
CODE

[*] building buffer
[*] connecting the target
[*] Exploit send successfully ! Sleeping a while ....
[*] Trying to get a shell

can't connect to port 31337;( maybe firewalled ...

MxMx
You should scan for PCs which have IIS 5.0 installed and are running SSL.
Deltax
QUOTE (jead99 @ Apr 21 2004, 11:57 AM)
Anyone tried it?

Yeah,

I've got some shells, so it works.
MxMx
Have you got a scanner for us?
Deltax
QUOTE (MxMx @ Apr 21 2004, 12:31 PM)
Have you got a scanner for us?

Just do a banner scan on port 80.
cyrixx
Sounds very interesting!
FakoLy
Does someone know how to patch the hole?
101
QUOTE (FakoLy @ Apr 21 2004, 01:30 PM)
Does someone know how to patch the hole?

mspatch.exe -q (computer will reboot then)
Nightdemon
Should I do a port scan on port 443 and then banner-scan the results on port 80?
cyrixx
Works great.
Divx_dude
Tested at some PCs, no shell at all. Going further for more, maybe I get some.

And thanks for the exploit.
Nurgle
QUOTE (Deltax @ Apr 21 2004, 12:32 PM)
QUOTE (MxMx @ Apr 21 2004, 12:31 PM)
you have got a scanner 4 us?

just do a banner scan on port 80 wink.gif

Sorry, what is a banner scan? First scan port 443 and then the results on port 80?

Please answer.
Divx_dude
QUOTE (Nurgle @ Apr 21 2004, 02:56 PM)
QUOTE (Deltax @ Apr 21 2004, 12:32 PM)
QUOTE (MxMx @ Apr 21 2004, 12:31 PM)
you have got a scanner 4 us?

just do a banner scan on port 80 wink.gif

Sorry, what is a banner scan? First scan port 443 and then the results on port 80?

Please answer.

Before you ask, search Google :-)

Try searching for SL.exe.

greetz
will_do
Is this what we want?

195.*.*.*
Responds with ICMP unreachable: No
TCP ports: 80


TCP 80:
[HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http://10.41.2.20/Default.htm Date: Wed, 21 Apr 2004 14:47:12 GMT Content-Type: text/html Accept-]
night^man
I built an auto one and am still trying to get a shell / nothing..
x1`
Thanks for the sploit.
charon255
Exploit works perfectly, IIS 5 on Win2k Server W/SSL

S'pose it would make sense to recompile the sploit with the remote shell port as a command line option, since most firewalls aren't going to allow an inbound connection on port 31337. Maybe I'll do that tonight.

ivan288
Yeah, true, that would be cool if you could do that.
x1`
Yeah, also a nice batch autohacker would be nice.
Thanks for the exploit.
Alien
yeah good sploit ;]

[*] connecting the target
[*] Exploit send successfully ! Sleeping a while ....
[*] Trying to get a shell

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>
BuzzDee
Got about 50 shells by now. The sploit is nice.
x1`
sl.exe -bhpt 80,443 -f scan.txt -o vulnerable.txt

That's what you use to get results with ports 80 and 443 open.
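Putting the two steps the thread describes together (Nightdemon's question, will_do's sample scanner output and x1`'s sl.exe command line), the following is an added example and is not code from this thread or from the THC exploit. It parses a constructed block of scanner output modelled on the format will_do posted (IP line, ICMP line, "TCP ports:" list, then the TCP 80 banner in brackets) and keeps only the hosts whose port 80 banner reports Microsoft-IIS/5.0 and which also have 443 open. The addresses, the sample banners and the function names are assumptions for illustration; sl.exe's real output may differ from this sample.

```python
"""Triage sl.exe-style scan output for the IIS 5.0 + SSL profile the thread is after.

Added example, not code from the forum thread or from THC. The input format is
modelled on the block will_do posted (IP, ICMP line, "TCP ports:" list, then the
port 80 banner in square brackets); real sl.exe output may differ.
"""
import re

# Constructed sample modelled on will_do's post. Documentation addresses only,
# not real scan results; the third host is an Apache box to show a non-match.
SAMPLE_OUTPUT = """\
192.0.2.10
Responds with ICMP unreachable: No
TCP ports: 80, 443

TCP 80:
[HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Location: http://10.41.2.20/Default.htm Date: Wed, 21 Apr 2004 14:47:12 GMT Content-Type: text/html Accept-]

192.0.2.11
Responds with ICMP unreachable: No
TCP ports: 80

TCP 80:
[HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Content-Type: text/html]

192.0.2.12
Responds with ICMP unreachable: No
TCP ports: 80, 443

TCP 80:
[HTTP/1.1 200 OK Server: Apache/1.3.29 (Unix) Content-Type: text/html]
"""

HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")   # a line that is only an IPv4 address
SERVER_RE = re.compile(r"Server:\s*(\S+)")            # first token of the Server header


def parse_hosts(text):
    """Split scanner output into {ip: {"ports": set_of_ints, "server": str or None}}."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if HOST_RE.match(line):
            # New host record starts at the IP line.
            current = line
            hosts[current] = {"ports": set(), "server": None}
        elif current and line.startswith("TCP ports:"):
            # "TCP ports: 80, 443" -> {80, 443}
            hosts[current]["ports"] = {int(p) for p in re.findall(r"\d+", line.split(":", 1)[1])}
        elif current and line.startswith("["):
            # Banner line: pull the Server header value if there is one.
            m = SERVER_RE.search(line)
            if m:
                hosts[current]["server"] = m.group(1)
    return hosts


def candidates(text):
    """IPs whose port 80 banner is Microsoft-IIS/5.0 and which also have 443 open."""
    hits = []
    for ip, info in parse_hosts(text).items():
        server = info["server"] or ""
        if server.startswith("Microsoft-IIS/5.0") and {80, 443} <= info["ports"]:
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    for ip in candidates(SAMPLE_OUTPUT):
        print(ip)
```

A banner match is only a candidate list, not a finding: a patched IIS 5.0 returns exactly the same Server header, and an open 443 does not prove the SSL listener is serving the vulnerable code, which is consistent with the posters above who got no shell on some hosts. The Server header is also trivially changed by the administrator, so a host missing from this list is not necessarily safe either.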
Eyeless
Are y'all using the compiled or .c sploit?
MxMx
.exe I think
cyrixx
LoL
Nurgle
QUOTE (MxMx @ Apr 21 2004, 07:10 PM)
.exe I think

He he he, I am working on an Authox0r. By tomorrow it will be ready.
BuzzDee
Anyone figured out how to secure the hacked boxes?
night^man
close port 443
firewall.exe 443
BuzzDee
But isn't port 443 required to be open for SSL? I don't think this is a good idea ^^
Fantafour
Don't publish this exploit to everybody.

Every leet script kiddie will use it for his "ownage..." Think about it.

This thread is really a "how to hack IIS 5 SSL remote exploit" thread...
Eyeless
Anyone just crashing a lot of machines with this sploit? Try nmapping them out again and check things out... Oh, and yes, scriptys are using it for 0wnage.. But it's available EVERYWHERE; if they can type gcc sploit.c -o 0wnage then they are gonna use it anyway, and in another thread there are auto hackers galore... Why complain and make a useless post?
charon255
This is hardly the first spot in the world to post the exploit; it wasn't written by GSO.

This'll be a good motivator to get admins off their asses and patch.

Ooops, hearing reports from the field that the MS04-011 patch required is causing problems on a lot of systems... slow boot, BSOD, 100% utilization, eeeeek.

Thanks for the nice choice, M$....

1) Apply patch = broken server

2) Don't apply patch = owned server

Bah... doesn't matter anyhow, the TCP RST DoS against all those BGP routers will be here soon and no one will be on the internet to even give a sheeeeeeeeiiiit.
Eyeless
Lol, and Micro$oft slowly collapses upon itself. Down with the internet, Micro$oft must survive..
ComSec
Here is a scanner for the MS04-011 vuln.

EDITED...program been posted but not original link...edited the Downloads section lsass thread to reflect Foundstone link

cheers
ivan288
But I thought this vuln has nothing to do with the other LSASS one.
Stevy
Well, the exploit works, but not for me; can't code, so I have to wait on a connect-back version.
DumpZ
Some peeps said that they are working on an autohacker, but that's already included in the sploit, right?
KoNh
QUOTE (DumpZ @ Apr 22 2004, 12:26 PM)
Some peeps said that they are working on an autohacker, but that's already included in the sploit, right?

One more time please, I didn't understand ^^ ... hey, just kidding m8
isaiah
All these auto hackers are really just bats; anyone can make them.
marteltor
Looks like a good exploit, but I can't really find lots of servers.
DumpZ
QUOTE (isaiah @ Apr 22 2004, 01:46 PM)
All these auto hackers are really just bats; anyone can make them.

Yeah, but I thought that there was an autohacker included in the source of the sploit.

Because the syntax is:
CODE

sploit.exe c:\scan.txt
cyrixx
This was the one which vnet576 edited!
G36K
QUOTE (Khran @ Apr 21 2004, 11:47 AM)
Compiled version here:

http://www.thc.org/download.php?t=e&f=THCIISSLame.zip

down ;(
brOmstar
http://www.thc.org/download.php?t=e&f=THCIISSLame.c

...
Feanor
When I compiled it with Dev-C++ it gave one error I couldn't understand:
CODE
C:\DEV-C_~1\Include\winsock2.h:46: unbalanced `#endif'

With /\/\$ Visual C++ it gave 120 errors.

Can somebody please tell me what's wrong, or post a link to a working compiled version?
Slann
Very good exploit, guys.
