Penetration Testing mailing list archives
Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5
From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Tue, 7 Nov 2000 07:32:51 -0800
Took a better look at the included source, and modified the NOPs to 2200 (as per the comments), and that worked (at least some of the time). It wasn't 100%, but I was no longer crashing the service.

-----Original Message-----
From: Marc Maiffret
To: PEN-TEST () SECURITYFOCUS COM
Sent: 11/5/00 10:36 AM
Subject: Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5

The reason this is happening is because we use a jmp eax from our ole32.dll version. Your ole32.dll is probably different, therefore your jmp eax is going to be different, and if it is different then you're not going to be able to jump back into the exploit code and will therefore jmp to random memory and crash. So you're vulnerable, as you already know; it's just a matter of tweaking the exploit a bit, like maybe finding a better jmp eax in a dll that is static throughout more NT4+IIS4 versions.

Note for whoever: So once again, if iishack1.5 is causing your server to crash then you're vulnerable; you just need to tweak some offsets to make the exploit work correctly. View the iishack1.5 source code and go from there. We might release another version with a better jmp eax location; however, this was for proof of concept, not really to hold people's hands in breaking servers.

Let me know if you run into any more technical problems.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com
Current thread:
- [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5 Marc Maiffret (Nov 05)
- <Possible follow-ups>
- Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5 Loschiavo, Dave (Nov 06)
- Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5 Marc Maiffret (Nov 06)
- Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5 Loschiavo, Dave (Nov 08)