Re: WebDAV exploit: using wide character decoder scheme

From: Roman Medina (roman@rs-labs.com)
Date: Thu Mar 27 2003 - 08:17:04 PST

Next message: Muhammad Faisal Rauf Danka: "Fwd: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino"

Previous message: JW Oh: "Re: WebDAV exploit: using wide character decoder scheme"
In reply to: Dave Aitel: "Re: WebDAV exploit: using wide character decoder scheme"
Next in thread: JW Oh: "Re: WebDAV exploit: using wide character decoder scheme"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 26 Mar 2003 11:14:43 -0500, you wrote:

>Unfortunately, on my US Windows 2K SP3 build (and I assume all others),
>those %u directives get translated into question marks. (0x003F in hex)
>:<
>> "%u32ac%u77e2",

 I tried the "%u trick" while coding rs_iis.c exploit and it happened
as Dave stated so I forgot the idea. I was using Spanish W2k Server +
SP2.

 Another problem with Mat's exploit is that it seems not to check well
when the exploit is successful or not. When the exploit has success
(which is impossible at least in Spanish/US Windows versions due to
the %u problem), IIS will not respond neither close the connection so
the exploit keeps waiting until the 15 secs timer expires. Then
$flagexit=1 and sendraw2 function returns "Timeout", so main program
will print "Failed to exploit: Server not crashed\n". This is wrong.
It should have printed something like "Success". It looks like a silly
issue but perhaps the people (with Japanese Windows version?) trying
the exploit never notices it was successful.

 Related to my exploit and after receiving some feedback (thanks
ppl!), I'd like to clarify:
1) The offset between the start of the string and the address where
RET is placed could change. What I did was to put many instances of
the RET value so chances of a right guess were higher. This cover the
cases where offset is incremented or decremented by a 2*x value.
Nevertheless, there will be one align problem if the offset changes by
(2*x+1). In that case, the least significant byte of RET becomes the
more significant one.  Fermín J. Serna <fjsernaat_private> pointed the
easy solution: use a RET value with the two bytes being identical. So
the recommended way to perform a brute force attack with rs_iis.c is
to try: 0x0101, 0x0202, 0x0303, ..., 0xffff (255 possible RET values).
2) I've attached a bash script which demonstrates this and makes
easier the testing of a vulnerable machine. You should adjust the
TIMEOUT variable (in seconds), so IIS is alive when the script tries a
new RET value.

 Regards,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

application/octet-stream attachment: rs_brute.sh

Next message: Muhammad Faisal Rauf Danka: "Fwd: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino"
Previous message: JW Oh: "Re: WebDAV exploit: using wide character decoder scheme"
In reply to: Dave Aitel: "Re: WebDAV exploit: using wide character decoder scheme"
Next in thread: JW Oh: "Re: WebDAV exploit: using wide character decoder scheme"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Mar 27 2003 - 09:42:15 PST