Full Disclosure mailing list archives
RE: Unusual request
From: "Timm, Kevin" <TimmK () netsolve net>
Date: Thu, 13 Feb 2003 08:58:01 -0600
Unicoder by HDmoore will do a lot of unicode checks , plus it can be used over SSL to evage a NID or through a proxy to obfuscate your ip. I wrote a little add on to it called firerunner that would actually do the exploit and ftp Netcat to the host. After that was finished it would connect back to a Netcat listener with a cmd prompt. The whole process took less than 10 seconds. I tracked down a copy of it. It is kind of old and there are probobaly some coding errors on my part, since it was really just a test and never released. Here it is. Keep in mind it's pretty old but with a little love should be able to demonstrate Unicode attacks and back channel connections as well as the ability to use a proxy. The script allows it to function as such Attack from IP 1 (which could be a proxy) FTP Netcat from another IP Create connection to a 3rd ip Good luck. Kevin -----Original Message----- From: Rapaille Max [mailto:Max.Rapaille () nbb be] Sent: Thursday, February 13, 2003 7:58 AM To: Schmehl, Paul L; Full-Disclosure Subject: RE: [Full-disclosure] Unusual request Hi, I did this kind of demo 2-3 times already, with a Win2k SP2 and IIS. To add a layer, we just added a firewall between the ISS and the attacker PC .. with just Port 80 incoming and, as (too)usual, All port open for outgoing... Just using a unicode exploit, and then loading some tools, defacing web page, taking remote control, etc... A lot of fun for Us, and great astonishment for the public.. Certainly with the firewall.. A lot of them where just saying, before the demo : We are secure, our integrator installed a firewall... BTW, we also used some tools ike unicoder.pl and Upload.asp, to demonstrate, in a second time, how easy it is, even if you don't know what you do... Good effect of awareness for those managers, Engineer, etc... Good luck. Max -----Original Message----- From: Schmehl, Paul L [mailto:pauls () utdallas edu] Sent: 13 February 2003 14:37 To: Full-Disclosure Subject: RE: [Full-disclosure] Unusual request Thanks to all who offered suggestions. I don't know why I couldn't remember "unicode" when I was googling, but then I've read thousands of man pages and docs since then, and my mind can only hold so much information. :-) What I plan to do is load a box with a default install of IIS and use a web browser based attack to demonstrate how easily a box can be compromised when it's unpatched. (I'll probably just deface a web page.) Since the audience will be "normal" users, I expect most of them to be astounded and incredulous, which is why I wanted to use something very simple to understand. If I ran a program through a netcat session, I suspect many of them wouldn't get it, but if I type a URL into a browser, I *hope* they will all see that *anyone* could do that, even with very little knowledge of exploits or security practices. And before you ask, no the box will not be connected to our LAN. Otherwise it would get Code Red and Nimda before I could even complete my demonstration. :-) Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/~pauls/ AVIEN Founding Member _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Attachment:
fire-runner.pl
Description:
Current thread:
- Re: Unusual request, (continued)
- Re: Unusual request Nexus (Feb 12)
- Re: Unusual request yossarian (Feb 12)
- Re: Unusual request aeonflux (Feb 12)
- RE: Unusual request Steve Wray (Feb 12)
- RE: Unusual request Paul Schmehl (Feb 13)
- RE: Unusual request badpack3t (Feb 13)