Dailydave mailing list archives
execution by WriteToFile? (was Re: New mediaservices sploit)
From: Max Vision <vision () whitehats com>
Date: Sun, 14 Mar 2004 13:29:19 -0800 (PST)
Hi, I don't have a solution for you sorry, but a few ideas, and please forgive me for not having tested them before posting. :)

Overwrite drwatson and then overwrite something else that will cause a crash, thus spawning your code?

Overwrite the backup of a system file in dllcache, and then clobber the active one, and let Windows File Protection spring in to "restore" the file you planted in dllcache.. some system file that gets run periodically on a server? DLLs?

And what of the application itself? Can you clobber tree.xms? What about the libraries it's using that contain http:WriteToFile, etc? Maybe you do have something akin to cgi there... drop a tree2.xms that does something else (I don't know what abilities are available in xms, actually I don't even know what that is.. xml related? Is this a publicly available product? neocore? hp?) Is xms the only extension that has a handler in that install of apache? What happens if there is an exe, pl, com, bat, pif, scr, etc in the same dir and gets accessed? (I guess that's the same question twice) Is /plugins/framework/script/tree.xms a file sitting there, or is that some virtual reference inside a jar file or something?

As for the general puzzle you are asking about, aren't there services or processes that dynamically load DLLs as needed, or that only get run at certain times (preferably in reaction to you writing a file somewhere on the filesystem)? Running filemon.exe for a few minutes on a server shows all kinds of read activity by csrss.exe, svchost.exe etc.. c:\winnt\tasks looks fertile, but I guess you have already looked at both the Task Scheduler and AT APIs? What was that bit about "now that signatures are embedded"? I'm not familiar with it - does that mean there is an old and a new job format - if so maybe there is some way to force usage of the old style?
I have heard of so many cases of remote administration where the admin will copy a .job file across to many machines - there must be some way for this to work. !! Is that a win2k3 problem you are referring to? I know a little about the .job files, but don't know where the AT jobs are stored.. I created an AT job and there weren't any changes or additions to the filesystem or registry to match it. (I suppose a bit of reading would help me there)

WMI stuff? Maybe dropping a .cpl file would cause it to be automatically read/processed? (looks like no) Or some other file - fonts? Drop a new font and this causes some exe to run (that could have been clobbered)? (looks like no)

OK, I'm stretching. Let you know if I find something. Good puzzle. :)

Max
Bonus points to anyone who can find a better way to exploit the unnamed bug^H^H^Hfeature below, without being dependent on an alternate web service or third-party software. The goal is instant command execution through writing a file to the system with arbitrary (even binary) contents. Writing to autoexec, startup, etc doesn't work since it requires user interaction. Assuming Windows 2000 or newer. Writing ".job" files to \winnt\tasks doesn't work now that signatures are embedded (thanks Brett for info).

GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0
...
It is a stripped down Apache2 install, no mod_cgi, no mod_ssi. Assume the system is firewalled both ways and there are no third-party or system-installed web services (besides this one). The NTLM hijack is simple, but there are a dozen other ways to do it, I was wondering if anyone knew how to execute a command simply by writing a file to the OS somewhere. I beat my head against it off and on for a couple months, was wondering if anyone had some r33t tknqz to share :)
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave
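The quoted request works because Apache treats a log target that begins with "|" as a program to spawn with the server's own privileges, so a single file write into the configuration directory becomes command execution on the next start or reload. A defender auditing such a host wants to know which piped log programs a configuration actually declares and whether each is one that belongs there. The following script is an added example, not code from this thread or from any product discussed in it: it parses Apache-style configuration text, reports every directive whose argument is a pipe, and flags those whose program is not on an allowlist. The sample configuration, the allowlist (rotatelogs, cronolog) and the helper names are all constructed for the illustration.

```python
"""Audit Apache-style configuration text for piped log directives.

Added example for the Dailydave thread above; not the thread's or Apache's
own code. A log target starting with "|" is executed by httpd, so any such
target that is not a known log rotator deserves a look.
"""
import re
from dataclasses import dataclass

# Directives whose argument names a log target in Apache httpd. "AccessLog"
# is not a real httpd directive; it is listed only because that spelling is
# what the quoted request writes. The scan below does not depend on this
# set: it flags a pipe argument under any directive and merely notes whether
# the directive is a known log directive.
LOG_DIRECTIVES = {"customlog", "errorlog", "transferlog", "accesslog"}

# Programs that are expected as log pipes on most servers (assumed allowlist).
DEFAULT_ALLOWED_PROGRAMS = {"rotatelogs", "cronolog"}

# Constructed sample configuration: one legitimate piped ErrorLog, one
# planted line mirroring the WriteToFile request quoted in the thread.
SAMPLE_CONF = '''# constructed sample, not a real server's configuration
Listen 80
ErrorLog "|/usr/sbin/rotatelogs /var/log/httpd/error.%Y%m%d 86400"
CustomLog logs/access_log common
Listen 8000
AccessLog "|../../../../../../winnt/system32/cmd.exe /c net user P P /ADD"
'''


@dataclass
class PipedDirective:
    lineno: int
    directive: str
    program: str            # command line after the leading "|"
    known_log_directive: bool


def split_args(line: str) -> list:
    """Split a config line into arguments, honouring double-quoted strings.

    Apache quoting has no backslash escapes inside quotes, so a plain regex
    is more faithful here than shlex (which would eat Windows path separators
    outside quotes).
    """
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', line)]


def program_basename(program: str) -> str:
    """Return the file name of the first token of a pipe command line,
    tolerating both '/' and '\\' separators."""
    first = program.split()[0] if program.split() else ""
    return re.split(r"[\\/]", first)[-1]


def find_piped_directives(config_text: str) -> list:
    """Return every directive whose argument starts with '|'."""
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = split_args(line)
        directive, args = parts[0], parts[1:]
        for arg in args:
            if arg.startswith("|"):
                found.append(PipedDirective(
                    lineno=lineno,
                    directive=directive,
                    program=arg[1:].strip(),
                    known_log_directive=directive.lower() in LOG_DIRECTIVES,
                ))
    return found


def unexpected_pipes(config_text: str, allowed=None) -> list:
    """Piped directives whose program is not on the allowlist."""
    allowed = DEFAULT_ALLOWED_PROGRAMS if allowed is None else allowed
    return [d for d in find_piped_directives(config_text)
            if program_basename(d.program).lower() not in allowed]


if __name__ == "__main__":
    for d in find_piped_directives(SAMPLE_CONF):
        tag = "log directive" if d.known_log_directive else "other directive"
        print(f"line {d.lineno}: {d.directive} pipes to {d.program!r} ({tag})")
    for d in unexpected_pipes(SAMPLE_CONF):
        print(f"UNEXPECTED pipe program on line {d.lineno}: "
              f"{program_basename(d.program)}")
```

Run against a real httpd.conf and its Include files, the check pairs naturally with a file-integrity baseline of the configuration directory: the pipe scan tells you what would execute, the baseline tells you which lines were not there before. An allowlist keyed on the program's basename is deliberately loose; a stricter deployment would compare full paths and file hashes.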