PDA

Ver la versión completa : ¿Como exploto el bug "DoS Bugs : IIS 5.0 Remote buffer overflow vulnerability" ?



cbr600f6
05-03-2003, 21:40
Me sale este error en muchos ordenadores. Sobretodo en el puerto 80 pero ahora tambien en el 1214 de Kazaa. Me gustaría que alguien me dijese una forma de explotar este fallo.

Tengo mas de un programa pero no me funcionan.

Thanks

TseTse
06-03-2003, 00:04
*****
Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)

Release Date:
May 01, 2001

Severity:
High (Remote SYSTEM level code execution)

Systems Affected:
Microsoft Windows 2000 Internet Information Services 5.0
Microsoft Windows 2000 Internet Information Services 5.0 + Service Pack 1

Description:
A wise man once said, "When a single exploit is released, it's a good hack. When you are the first to hack each successive version of a product run on millions of computers all over the internet, you create a dynasty."

It seems sometimes the greatest discoveries are the ones that are the hardest to share with the world. It's not about a lack of wanting to tell everyone, but a lack of not knowing exactly how to put it so that people's jaws do not drop so fast that their heads snap back as they realize just how fragile our world is becoming. We are slowly pushing society into the digital world people only dreamed about years ago -- a world in which everything is being connected and little is being done to shore up the large looming gaps that are in existence in today's networked systems.

And without further ado... eEye Digital Security presents, "Remote SYSTEM level access to any default Windows 2000 IIS 5.0 web server."

The Discovery:
This bug was first discovered while Riley Hassell, of eEye Digital Security, was updating Retina's CHAM (Common Hacking Attack Methods) technology to look for unknown vulnerabilities within some of the new features that Windows 2000 IIS 5.0 provides. One of the features that was added to be audited by CHAM was the .printer ISAPI filter extension. Once the .printer ISAPI filter was added to the list of ISAPI's to audit, as well as various aspects of the new Web DAV functionality within IIS, the latest Retina development code was let loose against a test server in our lab. Within a matter of minutes, a debugger kicked in on inetinfo.exe because of a "buffer overflow error."

The Explanation:
It turns out the latest development code of Retina was able to find a buffer overflow within the .printer ISAPI filter (C:\WINNT\System32\msw3prt.dll) which provides Windows 2000 with support for the Internet Printing Protocol (IPP) which allows for the web-based control of various aspects of networked printers.

The vulnerability arises when a buffer of aprox. 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request.

Example:
GET /NULL.printer HTTP/1.0
Host: [buffer]

Where [buffer] is aprox. 420 characters.

At this point an attacker has sucessfully caused a buffer overflow within IIS and has overwritten EIP. Now normally the web server would stop responding once you have "buffer overflowed" it. However, Windows 2000 will automatically restart the web server if it notices that the web server has crashed. While the feature is nice to help create a longer period of "up time", it is actually a feature that makes it easier for remote attacks to execute code against Windows 2000 IIS 5.0 web servers.

As we stated earlier, our overflow is able to overwrite the EIP register with whatever we want. That basically means we can overwrite EIP with a location in memory that jumps to our "exploit" code, in memory, and then executes our code with SYSTEM level access.

The Exploit:
Ryan Permeh, resident shellcode ninja of eEye Digital Security, has created an example exploit to be used as a "proof-of-concept". Our proof-of-concept exploit will, when run against an IIS 5 web server, create a text document on the remote server with instructions directing readers to a web page on eeye.com that has information on how to patch the system so that the web server is no longer vulnerable to this flaw. This exploit is to only be considered a proof-of-concept exploit and anyone with Windows 2000 should install the Microsoft supplied patch ASAP.

Proof of concept exploit:
http://www.eeye.com/html/research/Advisories/iishack2000.c
This exploit will simply create a file in the root of drive c:\ with instructions on how to patch your vulnerable server. If you are running Windows 2000 then please install the Microsoft security patch and do not depend on this exploit as being a tool to test whether your vulnerable or not because if you have not installed the patch then you are most likely vulnerable.

We would like to note that eEye Digital Security did provide Microsoft with a working exploit. This exploit, when ran against a web server, will bind a cmd.exe command prompt to an IIS remote port within seconds. This allows a remote attacker to execute commands with SYSTEM level access and thereby have full control over the vulnerable machine.

The Log:
Actually there is no log because this vulnerability, like most IIS buffer overflows, does not get logged. That means some of the largest web servers on the Internet running Windows 2000 are vulnerable to this attack and when exploited, there will be no IIS log anywhere that records the attack.

The Fallout:
As with our first remote SYSTEM level exploit for IIS 4.0 two years ago, the fallout from this second IIS remote overflow is also rather large. Once again it does not matter what kind of security systems you have in place, Firewalls, IDS's, etc., because all of these systems can be bypassed and your web server CAN be broken into via this vulnerability. To quote our last advisory: "Even a server that's locked in a guarded room behind a Cisco Pix can be broken into with this hole. This is a reminder to all software vendors that testing for common security holes in your software is a must. Demand more from your software vendors." There are millions of Windows 2000 web servers on the Internet right now that are wide open to this vulnerability.

The Magic:
About two weeks ago eEye Digital Security released, SecureIIS which stops both known and unknown IIS web server vulnerabilities. Our SecureIIS code base from about 4 weeks ago actually stopped this latest IIS 5.0 buffer overflow vulnerability without actually knowing anything about it. It is this power to stop both known and unknown vulnerabilities that sets SecureIIS apart from every other security product in the market. Visit http://www.eeye.com/SecureIIS to learn more about this ground-breaking product.

Vendor Status:
We would like to thank Microsoft for working hard with us to create a patch for this vulnerability.
You can download the Microsoft supplied patch from: http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
Also eEye Digital Security recommends removing the .printer ISAPI filter from your web server if it does not provide your web server with any _needed_ functionality.

Credit:
Discovery: Riley Hassell
Exploit: Ryan Permeh

Related Links:
Retina - The Network Security Scanner.
http://www.eeye.com/Retina

SecureIIS - Web Server Protection
http://www.eeye.com/SecureIIS

Greetings:
ADM, KAM, Lamagra, Zen-parse, Barns, Angelina Jolie, Roland Postle, Attrition.

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail [email protected] for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
[email protected]
*****

Ahí lo llevas, explicación y exploit.

TseTse

cbr600f6
06-03-2003, 00:30
Podrías decirme un programa compilador de C y ademas donde puedo encontrar las librerias que me piden?

|RooT|
06-03-2003, 11:21
* Compilador de C GNU (Gratuito)
- DJGGP para Windows (Port del GCC)
- GCC para Linux
* Compilador DEV C++ (Gratuito)

* Visual C (De microsoft)

* Borland C 5 Compiler (Ahora gratuito)

jocanor
05-05-2003, 19:42
no t recomiendo el dev c++ mejor ponte otros, por k es mas malo ...yo ya lo e desinstalao tiene mas errores k el windows...

|RooT|
05-05-2003, 22:51
Juer jocanor :D Se que hace tiempo que no vienes :P Pero mirate un poco la fecha plz :P que es de Marzo eto :P

Saludos.