Penetration Testing mailing list archives

Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5


From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Tue, 7 Nov 2000 07:32:51 -0800

Took a better look at the included source, and modified the NOPs to 2200 (as
per the comments), and that worked (at least some of the time). It wasn't
100%, but I was no longer crashing the service.

-----Original Message-----
From: Marc Maiffret
To: PEN-TEST () SECURITYFOCUS COM
Sent: 11/5/00 10:36 AM
Subject: Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5

The reason this is happening is because we use a jmp eax from our
ole32.dll version. Your ole32.dll is probably different, therefore your
jmp eax is going to be different, and if it is different then you're not
going to be able to jump back into the exploit code and therefore jmp to
random memory and crash.

So you're vulnerable, as you already know; it's just a matter of tweaking
the exploit a bit. Like maybe finding a better jmp eax in a dll that is
static throughout more NT4+IIS4 versions.

Note for whoever: So once again, if iishack1.5 is causing your server to
crash then you're vulnerable; you just need to tweak some offsets to make
the exploit work correctly. View the iishack1.5 source code and go from
there. We might release another version with a better jmp eax location,
however this was for proof of concept, not really to hold people's hands
in breaking servers.

Let me know if you run into any more technical problems.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com


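The jmp eax trampoline problem Marc describes, as an added example that is not part of this thread and not eEye's iishack code: a small C scanner that finds register-trampoline opcodes (jmp eax, call eax, push eax; ret) in a byte image and checks whether an address taken from one build of a DLL still lands on a jmp eax in another build. The two images and the load address 0x77A51000 are constructed stand-ins, not real ole32.dll bytes or its real base, and the bad-byte list in addr_is_clean is an assumption about what an overflow delivered in a URL can carry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One x86 opcode pattern that transfers control to wherever EAX points. */
typedef struct {
    const uint8_t *bytes;
    size_t len;
    const char *name;
} pattern_t;

static const uint8_t JMP_EAX[]      = {0xFF, 0xE0};   /* jmp eax       */
static const uint8_t CALL_EAX[]     = {0xFF, 0xD0};   /* call eax      */
static const uint8_t PUSH_EAX_RET[] = {0x50, 0xC3};   /* push eax; ret */

static const pattern_t PATTERNS[] = {
    {JMP_EAX,      sizeof JMP_EAX,      "jmp eax"},
    {CALL_EAX,     sizeof CALL_EAX,     "call eax"},
    {PUSH_EAX_RET, sizeof PUSH_EAX_RET, "push eax; ret"},
};
#define NPATTERNS (sizeof PATTERNS / sizeof PATTERNS[0])

/* Constructed stand-ins for two builds of the same DLL (not real ole32.dll
 * bytes).  Both contain a jmp eax, but at a different offset, which is why
 * an address lifted from one build jumps into garbage on the other. */
static const uint8_t IMAGE_V1[] = {
    0x55, 0x8B, 0xEC, 0x8B, 0x45, 0x08, 0xFF, 0xE0,   /* push ebp; mov ebp,esp; mov eax,[ebp+8]; jmp eax */
    0x5D, 0xC3, 0x90, 0x90, 0x50, 0xC3                /* pop ebp; ret; nop; nop; push eax; ret */
};
static const uint8_t IMAGE_V2[] = {
    0x55, 0x8B, 0xEC, 0x90, 0x90, 0x8B, 0x45, 0x08,   /* same prologue with two extra nops */
    0x85, 0xC0, 0xFF, 0xE0, 0x5D, 0xC3                /* test eax,eax; jmp eax; pop ebp; ret */
};

/* Assumed preferred load address of the fake image; not ole32.dll's real base. */
#define FAKE_BASE 0x77A51000u

/* Scan image[0..len) for any trampoline pattern and store base+offset of
 * each hit in out[].  Returns the total number of hits even when more than
 * max_out were found (only the first max_out are stored). */
size_t find_trampolines(const uint8_t *image, size_t len, uint32_t base,
                        uint32_t *out, size_t max_out)
{
    size_t hits = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t p = 0; p < NPATTERNS; p++) {
            if (off + PATTERNS[p].len <= len &&
                memcmp(image + off, PATTERNS[p].bytes, PATTERNS[p].len) == 0) {
                if (hits < max_out)
                    out[hits] = base + (uint32_t)off;
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Address of the n-th (0-based) trampoline in the image, or 0 if none. */
uint32_t nth_trampoline(const uint8_t *image, size_t len, uint32_t base, size_t n)
{
    uint32_t tmp[16];
    size_t hits = find_trampolines(image, len, base, tmp, 16);
    return (n < hits && n < 16) ? tmp[n] : 0;
}

/* Does this absolute address hold a jmp eax in this image?  A return
 * address hardcoded from another build is exactly what fails this check. */
int is_jmp_eax_at(const uint8_t *image, size_t len, uint32_t base, uint32_t addr)
{
    if (addr < base || addr - base + sizeof JMP_EAX > len)
        return 0;
    return memcmp(image + (addr - base), JMP_EAX, sizeof JMP_EAX) == 0;
}

/* A return address sent inside a URL has to survive the server's parsing:
 * reject addresses containing NUL, LF, CR or space (assumed bad bytes). */
int addr_is_clean(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        if (b == 0x00 || b == 0x0A || b == 0x0D || b == 0x20)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint32_t hits[8];
    size_t n = find_trampolines(IMAGE_V1, sizeof IMAGE_V1, FAKE_BASE, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("v1: trampoline at 0x%08X (%s)\n", (unsigned)hits[i],
               addr_is_clean(hits[i]) ? "clean" : "bad byte");

    /* Reuse the v1 address against v2, the way a fixed offset in an exploit would. */
    printf("v1 address 0x%08X is jmp eax in v2? %s\n", (unsigned)hits[0],
           is_jmp_eax_at(IMAGE_V2, sizeof IMAGE_V2, FAKE_BASE, hits[0]) ? "yes" : "no");

    n = find_trampolines(IMAGE_V2, sizeof IMAGE_V2, FAKE_BASE, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("v2: trampoline at 0x%08X (%s)\n", (unsigned)hits[i],
               addr_is_clean(hits[i]) ? "clean" : "bad byte");
    return 0;
}
```

On a real target you would feed the scanner the code section of the actual DLL at its actual image base and, following Marc's advice, prefer a module whose bytes and base do not change across the service packs you expect to meet; the v2 image here also shows the second thing to check, since its only jmp eax sits at an address containing 0x0A and would not survive a URL-delivered overflow.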