On Fri, 20 Jul 2001 01:59:28 +0000, Chris St. Clair wrote:

>I had to come up with a way to test a server remotely for this
>vulnerability without actually killing it and running the plethora
>of exploit code that is out. This is what I have, hopefully someone
>can use it.

Good ideas.

Marc Maiffret discusses just such a test at
http://www.8wire.com/article_render/?aid=2094 (may require registration)

McAfee is offering "CyberCop WormScan" free
http://www.mcafeeasap.com/asp_subscribe/trial_cc_wormscan.asp

Matt Scarborough 2001-07-20

>Known Vulnerable Testing Platform
>The first round of tests was run on a Windows 2000 Server running
>IIS 5.0 (if anyone has similar analysis for IIS 4.0 I'd love to
>see it) with AND without SP1 (no difference) not patched for MS01-033.
>
>Results
>Sending 1-219 bytes yields the error:
>The IDQ file NULL.ida could not be found.
>Nothing written to the event log.
>
>Sending 220-231 bytes we get:
>File .
>Error 0xc0000005 caught while processing query
>Nothing written to the event log.
>
>Sending 232-??? bytes we get:
>No response from web server.
>System event log event ID 7031 from Service Control Manager.
>IIS services are then stopped and restarted.
>
>
>Known Invulnerable Testing Platform
>Another system running Windows 2000 Server, IIS 5.0 with SP1 and
>the patch for MS01-033.
>
>Results
>Sending 1-199 bytes yields the error:
>The IDQ file NULL.ida could not be found.
>Nothing written to the event log.
>
>Sending 200-??? bytes we get:
>File .
>Error 0x80040e14 caught while processing query
>Nothing written to the event log.
>
>So, in summary, to test do the following:
>send 200 bytes
>if response = "Error 0x80040e14 caught while processing query" the
>system is patched.
>if response = "The IDQ file NULL.ida could not be found." the system
>is not patched.
>
>I can't take all the credit for figuring this out. Like most people,
>I owe it all to the following bit of code:
>#!/bin/sh
>SIZE=1
>export SIZE
>
>while [ $SIZE -lt 201 ]; do
> BUFF="`perl -e 'print \"x\" x $ENV{SIZE}'`"
> echo -e "GET /NULL.ida?$BUFF=X HTTP/1.1\nHost: iluvpaul\n\n" | \
> nc host port
> SIZE=`expr $SIZE + 1`
>done
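The 200-byte check Chris describes above, written out as a single non-destructive probe with the verdict logic separated from the network I/O. This is an added example and is not Chris's script or anything from Matt's reply; it assumes Python 3, takes the three response strings and the byte thresholds (200 for the patched/unpatched split, 232 for the crash range) from the figures quoted in the thread, and uses constructed sample replies so the classifier can be exercised without a target. The host name target.example is a placeholder.

```python
#!/usr/bin/env python3
"""Non-destructive check for the .ida ISAPI overflow (MS01-033), following
the 200-byte test described in the thread.  Added example, not the original
poster's script.  The response strings are the ones quoted in the thread;
the sample replies at the bottom are constructed for offline testing."""
import socket
import sys

# Thread observations on IIS 5.0: at 200 bytes of padding a patched server
# answers 0x80040e14 while an unpatched one still answers "could not be
# found"; 220-231 bytes give 0xc0000005 on unpatched servers; 232 bytes and
# up take the service down (event ID 7031), so the probe never goes there.
PROBE_SIZE = 200
CRASH_SIZE = 232

MSG_NOT_FOUND = "The IDQ file NULL.ida could not be found."
MSG_PATCHED = "Error 0x80040e14 caught while processing query"
MSG_ACCESS_VIOLATION = "Error 0xc0000005 caught while processing query"


def is_safe_size(size):
    """True if a probe of this many padding bytes stays below the crash range."""
    return 1 <= size < CRASH_SIZE


def build_request(size, host="target.example"):
    """Raw HTTP request with `size` bytes of padding in the query name,
    mirroring the GET /NULL.ida?xxx=X form used in the thread's script."""
    if not is_safe_size(size):
        raise ValueError("padding must be 1..%d bytes to avoid crashing IIS"
                         % (CRASH_SIZE - 1))
    pad = "x" * size
    return ("GET /NULL.ida?%s=X HTTP/1.1\r\nHost: %s\r\n"
            "Connection: close\r\n\r\n" % (pad, host)).encode("ascii")


def classify(body, size=PROBE_SIZE):
    """Map a response body to a verdict, given the padding size that was sent.

    A "not found" reply only means "unpatched" once the padding is 200
    bytes or more; below that both patched and unpatched servers return it,
    so the result is reported as inconclusive rather than guessed."""
    if MSG_ACCESS_VIOLATION in body:
        return "vulnerable"
    if MSG_PATCHED in body:
        return "patched"
    if MSG_NOT_FOUND in body:
        return "unpatched" if size >= PROBE_SIZE else "inconclusive"
    return "unknown"


def probe(host, port=80, size=PROBE_SIZE, timeout=10.0):
    """Send one probe and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(size, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks).decode("latin-1"), size)


# Constructed sample replies modelled on the strings reported in the thread.
SAMPLE_UNPATCHED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
                    + MSG_NOT_FOUND)
SAMPLE_PATCHED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\nFile .\n"
                  + MSG_PATCHED)
SAMPLE_CRASHING = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\nFile .\n"
                   + MSG_ACCESS_VIOLATION)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No target given: show the classifier on the constructed samples.
        for name, body in (("unpatched", SAMPLE_UNPATCHED),
                           ("patched", SAMPLE_PATCHED)):
            print(name, "->", classify(body))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(sys.argv[1], "->", probe(sys.argv[1], port))
```

Run it as `python3 idacheck.py host [port]`; with no arguments it only exercises the classifier on the built-in samples. The default stays at exactly 200 bytes, which is the smallest size at which the two platforms in the thread diverge, and build_request refuses anything at or above 232 so a typo in the size cannot turn the check into the denial of service the thread warns about.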
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 13:43:16 PDT