Dailydave mailing list archives
Re: RE: funny comments from Hack IIS6 contest admin
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Tue, 17 May 2005 16:19:18 -0500
On Tuesday 17 May 2005 15:52, Roger A. Grimes wrote:
> In that described category, there has been only one (and I can't even remember its name or the exploit) of a widespread attack on a previously undisclosed bug.

Stop the insanity. Please. You are probably thinking of the NTDLL.dll path name overflow that was being exploited through WebDAV in IIS 5.0. The "high-value targets" with "good sys admins" still took months to figure that one out. Some of the others are less obvious (with good reason) -- only a few people knew about the ".STM" attack vector in IIS 4.0/5.0, but that didn't stop a worm writer from abusing it. Fortunately for them, Code Red came along and took the spotlight before anyone realized that there was a real "0day worm" out there.

Since I made the mistake of replying to something in this thread, I might as well post something on-topic. IIS 6.0 is a fun audit -- you start off in kernel-land, drop into native code, then into insane amounts of managed code, and finally back into native code again. The best approach I found (besides scrambling my brain on HTTP.sys assembly listings) is to review the API implementations for the core .NET classes. The crypto stuff is handed off to Microsoft CAPI; find something there [i.e. CPImportKey], and you can have a grand old time with ASP.Net applications. A quick scan of the core classes turns up a ton of calls to some less-than-audited Win32 APIs; just dig until you find something you can use. The contest states that the site will be switched to ASP.Net on May 16th, which happens to be yesterday -- but the content is still static HTML.

-HD