Change http://www.security.nnov.ru/index.asp to /iisstart.asp in the POST along with switching HTTP/1.0 -> HTTP/1.1 and the tests should work. The HTTP version may not matter, but for the sake of making our test environments more similar...

-R

----- Original Message -----
From: "3APA3A" <3APA3Aat_private>
To: "Riley Hassell" <rhassellat_private>
Cc: <vuln-devat_private>
Sent: Saturday, April 13, 2002 7:17 AM
Subject: Re[4]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]

> Dear Riley Hassell,
>
> I do use telnet sometimes ;)
>
> I mean in case of _patched_ IIS it doesn't
>
> >> RH> will respond with a new error, I believe it's (0x80004005)<br>Request...
>
> but simply shows you a page like it does on GET request... You can try
>
> >telnet www.security.nnov.ru 80
> Trying 195.122.226.28...
> Connected to ntst.sci-nnov.ru.
> Escape character is '^]'.
> POST http://www.security.nnov.ru/index.asp HTTP/1.0
> Accept: */*
> Host: www.security.nnov.ru
> Content-Type: application/x-www-form-urlencoded
> Transfer-Encoding: chunked
>
> 1
> E
> 0
>
> After hitting enter twice you'll see HTML content.
>
> --Saturday, April 13, 2002, 5:45:04 PM, you wrote to 3APA3Aat_private:
>
> RH> Let's see what's up...
>
> RH> Do it first manually. Copy and paste the request into a telnet session with
> RH> the web server. I used the telnet.exe that came along with the machine I'm
> RH> testing. It's running Windows 2000 Server, build 5.00.2195 with SP2 and all the
> RH> latest hotfixes prior to Q319733.
>
> RH> Here it is:
> RH> ----start
> RH> POST /iisstart.asp HTTP/1.1
> RH> Accept: */*
> RH> Host: hostname-changed.com
> RH> Content-Type: application/x-www-form-urlencoded
> RH> Transfer-Encoding: chunked
>
> RH> 1
> RH> E
> RH> 0
> RH> ----end
>
> RH> If you have troubles, try hitting [enter] a few more times in your telnet
> RH> session after you have pasted the session in. Be patient, IIS may need to
> RH> load the ISAPI filter; this could take several seconds or longer depending
> RH> on the speed of the system.
>
> RH> Also make sure you haven't changed your iisstart.asp file, just so we have
> RH> the same test environment.
>
> RH> For the app you're writing, what particular language are you using?
> RH> If you're writing an app to check for these, try adding a healthy timeout
> RH> limit for data reads. IIS may need to load the filter so it could take a
> RH> while.
>
> RH> If IIS is still not throwing the error, then (if you'd like) send me a
> RH> packet capture of your telnet session and a copy of the iisstart.asp file on
> RH> the machine you're testing. Then I should be able to tell you why it's not
> RH> working from that.
>
> RH> There's also the possibility that this vulnerability may have been
> RH> introduced with a later version of the IIS related dll releases. Maybe an
> RH> underlying code change, or patch, caused this issue. Only speculation of
> RH> course ;)
>
> RH> -R
>
> RH> Riley Hassell
> RH> Security Research Associate
> RH> eEye Digital Security
>
> RH> Get up...
> RH> and light the world on fire.
>
> >> In my case it produces no error and simply responds with page content after
> >>
> >> "\r\n"
> >> "1\r\n"
> >> "E\r\n"
> >> "0\r\n"
> >> "\r\n"
> >>
> >> RH> It won't overwrite anything mission critical so the dllhost shouldn't lock
> >> RH> up or exit. If you're vulnerable then you'll see the following string in the
> >> RH> error message "(0x80004005)<br>Unspecified". When a server is patched it
> >> RH> will respond with a new error, I believe it's (0x80004005)<br>Request...
> >>
> >> RH> You can also try putting NULLs in strange places in your request. The rollup
> >> RH> fixes a problem in parsing requests with NULLs. When IIS sees something
> >> RH> invalid in a request it will error back with "parameter incorrect"; on an
> >> RH> unpatched system the responses will vary.
> >>
> >> --
> >> ~/ZARAZA
> >> ...without a cudgel he never set about programming. (Lem)
>
> --
> ~/ZARAZA
> A new type of elementary particle has appeared: shkvarki (cracklings).
> Not very large, slightly burnt. (Lem)
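The manual telnet test Riley describes above, written out as a small checker, as an added example that is not part of the original thread and not code from eEye or 3APA3A. It sends the exact request bytes both of them pasted (Riley's `/iisstart.asp` over HTTP/1.1 by default, 3APA3A's absolute-URL HTTP/1.0 form as an option), reads with the generous timeout Riley recommends, and maps the reply to the three outcomes the thread reports: the "(0x80004005)<br>Unspecified" string (unpatched, per Riley), the "(0x80004005)<br>Request..." string (patched, per Riley), or a normally served page with no error (what 3APA3A saw). The sample responses at the bottom are constructed for offline checking, not captured from a real server; the hostname and the classification labels are this example's own.

```python
"""Checker for the IIS .ASP chunked-encoding test discussed in the thread.

Added example; not code from the original message, eEye or 3APA3A.
Request bytes are those pasted into telnet in the thread; the three
outcomes are the ones the thread reports. Sample responses below are
constructed for offline use, not real captures.
"""
import socket
import sys

# Strings Riley says to look for in the error page (from the thread).
VULNERABLE_MARKER = b"(0x80004005)<br>Unspecified"
PATCHED_MARKER = b"(0x80004005)<br>Request"

# Chunked body from the thread: one chunk of size 1 holding "E",
# then the terminating zero-size chunk and the trailing blank line.
CHUNKED_BODY = b"1\r\nE\r\n0\r\n\r\n"


def build_request(host, path="/iisstart.asp", version="1.1"):
    """Return the raw POST request bytes exactly as pasted in the thread.

    build_request("www.security.nnov.ru",
                  "http://www.security.nnov.ru/index.asp", "1.0")
    reproduces 3APA3A's variant; the defaults reproduce Riley's.
    """
    headers = (
        "POST {path} HTTP/{version}\r\n"
        "Accept: */*\r\n"
        "Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Transfer-Encoding: chunked\r\n"
        "\r\n"
    ).format(path=path, host=host, version=version)
    return headers.encode("ascii") + CHUNKED_BODY


def classify_response(raw):
    """Map a raw HTTP response to one of the outcomes named in the thread."""
    if VULNERABLE_MARKER in raw:
        return "unpatched"    # error string Riley reports on an unpatched box
    if PATCHED_MARKER in raw:
        return "patched"      # new error string Riley expects after Q319733
    if raw.startswith(b"HTTP/"):
        return "no-error"     # page served normally, as 3APA3A observed
    return "no-response"      # nothing came back before the timeout


def probe(host, port=80, path="/iisstart.asp", version="1.1", timeout=30.0):
    """Send the test request and classify the reply.

    The read timeout is deliberately long: as Riley notes, IIS may
    first have to load the ASP ISAPI filter, which can take a while.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path, version))
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # classify whatever arrived before the read timed out
    return classify_response(b"".join(chunks))


# Constructed sample responses (not real captures) for offline checking.
SAMPLE_UNPATCHED = (
    b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    b"<p>(0x80004005)<br>Unspecified error</p>"
)
SAMPLE_PATCHED = (
    b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    b"<p>(0x80004005)<br>Request</p>"
)
SAMPLE_PAGE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>index</body></html>"
)

if __name__ == "__main__":
    # Usage: python check_iis_chunked.py <host> [path] [http-version]
    target = sys.argv[1] if len(sys.argv) > 1 else "hostname-changed.com"
    target_path = sys.argv[2] if len(sys.argv) > 2 else "/iisstart.asp"
    http_version = sys.argv[3] if len(sys.argv) > 3 else "1.1"
    print(target, probe(target, path=target_path, version=http_version))
```

Run it against a lab host only; a "no-error" result is exactly the ambiguous case 3APA3A reports, so treat it as inconclusive rather than as patched.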
This archive was generated by hypermail 2b30 : Sat Apr 13 2002 - 12:17:27 PDT