Crussaider wrote:

> After I patched servers, webexplt.pl was still reporting
> servers vulnerable but I was unable to place eeye's txt file on the
> server via iishack2000 and I was unable to get reverse cmd shell
> via jill. Neither from linux nor windows.

That's because webexplt.pl uses too long of a string. It reports that the server is vulnerable if it doesn't return a response. Microsoft's patch causes the server to not return a response for any Host: value greater than 256 bytes in length. The behavior of webexplt.pl is the same for servers that are patched and unpatched.

To get around this send 257 bytes and interpret the results as follows:

- If no response is returned the system has been patched.
- If a 500 error is returned the server is unpatched.
- If a 404 error is returned the .printer mapping has been removed.

We get bonus points for now having a detection method that doesn't overflow the server.

Thanks to Chris St. Clair for much of the research on this. His post to NTBUGTRAQ apparently hasn't been passed on by Russ yet.

I have attached a script based on webexplt.pl that works correctly. Try it out instead. Note that some reverse proxies may affect the results. Also if it sees any unexpected responses (i.e. 3xx) that some IIS configs return it just prints the response.

-paul
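The 257-byte patch check described in the reply above, written out as an added example; this is not Paul's attached script nor webexplt.pl. The request path `/NULL.printer` and the HTTP/1.0 framing are assumptions (the post only says the .printer mapping is what matters); the response interpretation follows the three cases listed in the post, and anything else is reported verbatim, as the post says its script does.

```python
import socket
from typing import Optional

# One byte past the 256-byte cutoff the patch introduces. Per the post this is
# far short of what the overflow needs, so the probe does not crash the server.
HOST_LEN = 257


def build_probe(path: str = "/NULL.printer", host_len: int = HOST_LEN) -> bytes:
    """Raw HTTP request: a .printer URL with an over-long Host: value.

    The path is an assumed example; any URL mapped to the .printer ISAPI
    extension exercises the same code path.
    """
    return f"GET {path} HTTP/1.0\r\nHost: {'A' * host_len}\r\n\r\n".encode("ascii")


def classify(response: Optional[bytes]) -> str:
    """Map the server's reply (None or b'' = no response at all) to a status."""
    if not response:
        return "patched"                 # patched IIS drops Host: > 256 bytes silently
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split()
    code = parts[1] if len(parts) >= 2 and parts[0].startswith(b"HTTP/") else b""
    if code == b"500":
        return "unpatched"               # ISAPI extension choked on the long Host:
    if code == b"404":
        return "mapping-removed"         # .printer mapping deleted: nothing to overflow
    # Anything else (3xx from some IIS configs, proxy answers) is just printed.
    return "unexpected: " + status_line.decode("latin-1")


def check_server(host: str, port: int = 80, timeout: float = 10.0) -> str:
    """Send the probe to one server and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe())
        try:
            data = sock.recv(4096)       # the status line is all we need
        except (socket.timeout, ConnectionError):
            data = b""                   # silence or a reset both mean "no response"
    return classify(data)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(f"{target}: {check_server(target)}")
```

Remember the post's caveat that a reverse proxy in front of IIS may answer the probe itself and mask the real result.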
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 06:08:32 PDT