Archive for the ‘Scripts’ Category
Starting to write Immunity Debugger PyCommands : my cheatsheet
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While WinDbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command-line-oriented approach in WinDbg has many advantages, it did not appear to be the best tool to search for good jump addresses, or to list non-SafeSEH compiled / non-ASLR aware modules, etc. OK, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-SafeSEH compiled modules… Not an easy task. It is perfectly possible to build plugins for WinDbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them …
Backup & Restore Windows Server based Print Servers
After having to recover a broken Windows Server based print server yesterday, I decided to write this small article on how to set up print server backups, and describe the simple process of recovering the print server after a crash (or even roll back printer drivers in case a newly installed driver messes up your print server).
Backing up Windows 2000 / 2003 Print Server settings
Let’s assume you have one or more Windows servers that host some or all of your network printers, so end users can connect to and use these shared printers. Each of these printers was probably added manually, a lot of drivers have been installed and configured manually, and printers have been shared manually. If this server breaks down, you would have to redo all of this work, unless you have a good backup of these printers.
In order to …
Script to backup Cisco switches via telnet / tftp
A couple of days ago, I released a small Perl script to back up Cisco IOS based switches via telnet.
I know there are a couple of similar scripts available on the internet, but most of them either use the “expect” functionality (which does not work all the time), or use SendKeys (which only works when the application has the ‘focus’, and thus cannot be safely scripted), or are commercial tools.
So I decided to write a quick and dirty (free) script myself, which is purely based on a basic TCP socket connection.
I know, this script only works with telnet (clear text), but at least you can back up your switches (and if you have a dedicated management network, it may be ok to use telnet after all). Furthermore, you can safely schedule the script to run in the background, lean back, …
Fuzzing with Metasploit : Simple FTP fuzzer
Just wanted to drop a quick note about the release of another free script. This time I’ve written a simple FTP fuzzer (with a little help from HDMoore) in Metasploit. You can read more about it (and download the script) at http://www.corelan.be:8800/index.php/my-free-tools/security/metasploit/simple-ftp-fuzzer-metasploit-module/
This is why I like Metasploit so much… :-)
Update: after running some fuzzing instances against a couple of FTP servers (Win32), I noticed that some odd folders were created in my FTP root folder, and that these folders cannot be renamed or removed anymore.
(Error message: “Cannot read from the source file or disk”)
Solution: the rmdir command allows you to remove these folders using a \\?\ reference.
Let’s say the ftp root is located at ftp, and the folder that cannot be removed looks like a bunch of A’s, with spaces in between, then …
Free tool : Find out where your AD Users are logged on into
Hi, I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on, and/or to find out who is logged on to specific machines. This should include local users, users that are logged in via RDP, and user accounts that are used to run services and scheduled tasks (only when the task is running at that time). I have not fully tested all scenarios yet, but the first results look quite ok. You can download the utility from http://www.corelan.be:8800/index.php/my-free-tools/ad-cs/pve-find-ad-user/. You need .NET Framework 2.0 on the machine that you are running the tool from, and you also need to have admin access on the computers you are running the utility against. The tool is compiled on a 32-bit …
Fixing Exchange 2007 Offline Address Book generation (oalgen) and distribution issues
Today, I’m going to share some ‘notes from the field’ about fixing OAB issues in Exchange 2007. In order to fully understand the OAB generation and distribution process, I will assume that you are running the Mailbox server role and HUB/CAS server roles on different servers. Of course, this is not a requirement to run a successful Exchange installation at all, but it will help in understanding the various processes. Furthermore, I will sometimes refer to clustered mailbox servers (CCR) and how this setup may influence the oalgen process.
Symptoms
When you have discovered that the Offline Address Book is not updating anymore, you may see the following event log entries in the log on your mailbox server: Event 9334, MSExchange SA OALGen encountered error ffffffff while initializing the offline …
Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)
A short while ago, I came across 2 really nice tools that will help with:
- visualizing ScreenOS configs as HTML pages
- auditing firewall configs
Converting ScreenOS to HTML
The first tool, called ns2html, was developed by Rodrigo Pace de Barros and can be found at http://ns2html.sourceforge.net/. It is written in Perl, and both the .pl and the compiled version are part of the download package. After downloading and extracting the zip file (I’m using the Windows version), you need to edit the config file, which can be found in the etc folder (ns2html.cfg). Verify the “PUBLISH” and “BROWSER” path and save the file. Next, launch the ns2html.exe file (under bin) …

