Dailydave mailing list archives

Re: RE: funny comments from Hack IIS6 contest admin


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Tue, 17 May 2005 16:19:18 -0500

On Tuesday 17 May 2005 15:52, Roger A. Grimes wrote:
> In that described category, there has been only one (and I can't even
> remember its name or the exploit) of a widespread attack on a
> previously undisclosed bug.

Stop the insanity. Please. You are probably thinking of the NTDLL.dll path 
name overflow that was being exploited through WebDAV in IIS 5.0. The 
"high-value targets" with "good sys admins" still took months to figure 
that one out. Some of the others are less obvious (with good reason) -- 
only a few people knew about the ".STM" attack vector in IIS 4.0/5.0, but 
that didn't stop a worm writer from abusing it. Fortunately for them, 
Code Red came along and took the spotlight before anyone realized that 
there was a real "0day worm" out there. 

Since I made the mistake of replying to something in this thread, I might 
as well post something on-topic. IIS 6.0 is a fun audit -- you start off 
in kernel-land, drop into native code, then into insane amounts of 
managed code, and finally back into native code again. The best approach 
I found (besides scrambling my brain on HTTP.sys assembly listings) is 
to review the API implementations for the core .NET classes. The crypto 
stuff is handed off to Microsoft CAPI, find something there [i.e. 
CPImportKey], and you can have a grand old time with ASP.Net 
applications. A quick scan of the core classes turns up a ton of calls to 
some less-than-audited Win32 APIs, just dig until you find something you 
can use. 

The contest states that the site will be switched to ASP.Net on May 16th, 
which happens to be yesterday -- but the content is still static HTML.

-HD
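A starting point for the "quick scan of the core classes" the post describes, written as an added example for this archive page (it is not HD Moore's code): it loads a .NET assembly by reflection and lists every P/Invoke entry point, grouped by the native DLL it reaches into, so an auditor can see where managed code hands off to Win32. The assembly path is a placeholder; point it at the assembly under review.

```powershell
# Added example (not from the original post): inventory the managed-to-native
# transitions in a .NET assembly. $AssemblyPath below is a placeholder.
param([string]$AssemblyPath = 'C:\path\to\assembly-under-review.dll')

$flags = [System.Reflection.BindingFlags] 'Public,NonPublic,Static,Instance,DeclaredOnly'
$asm   = [System.Reflection.Assembly]::LoadFrom($AssemblyPath)

# GetTypes() throws if any type fails to load; keep the ones that did load.
try   { $types = $asm.GetTypes() }
catch [System.Reflection.ReflectionTypeLoadException] {
    $types = $_.Exception.Types | Where-Object { $_ -ne $null }
}

$pinvokes = foreach ($t in $types) {
    foreach ($m in $t.GetMethods($flags)) {
        # PinvokeImpl marks a method whose body is an unmanaged import.
        if (-not $m.Attributes.HasFlag([System.Reflection.MethodAttributes]::PinvokeImpl)) { continue }
        $di = $m.GetCustomAttributes([System.Runtime.InteropServices.DllImportAttribute], $false) |
              Select-Object -First 1
        [pscustomobject]@{
            Dll        = if ($di) { $di.Value } else { '<unknown>' }
            EntryPoint = if ($di -and $di.EntryPoint) { $di.EntryPoint } else { $m.Name }
            Caller     = "$($t.FullName)::$($m.Name)"
            Signature  = ($m.GetParameters() | ForEach-Object { $_.ParameterType.Name }) -join ', '
        }
    }
}

# Per-DLL counts first: the libraries with the most transitions are where a
# review of the native side (the "less-than-audited Win32 APIs") pays off soonest.
$pinvokes | Group-Object Dll | Sort-Object Count -Descending |
    ForEach-Object { '{0,5}  {1}' -f $_.Count, $_.Name }

# Full listing for the audit notes: which managed class calls which native entry point,
# with the parameter types the managed signature declares.
$pinvokes | Sort-Object Dll, EntryPoint | Format-Table Dll, EntryPoint, Caller, Signature -AutoSize
```

Run it against the assembly that hosts the class you are reviewing; the DllImport pseudo-attribute is surfaced by GetCustomAttributes on .NET Framework, which is the runtime the post is concerned with.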




_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

