Re: [BUGTRAQ] Windows 2000 .printer remote overflow - webexplt.plproblem!
From: Paul Cardon <paul () moquijo com>
Date: Fri, 11 May 2001 14:32:15 -0400
> After I patched servers, webexplt.pl was still reporting
> servers vulnerable but I was unable to place eeye's txt file on the
> server via iishack2000 and I was unable to get reverse cmd shell
> via jill. Neither from linux or windows.
That's because webexplt.pl uses too long of a string. It reports that
the server is vulnerable if it doesn't return a response. Microsoft's
patch causes the server to not return a response for any Host: value
greater than 256 bytes in length. The behavior of webexplt.pl is the
same for servers that are patched and unpatched. To get around this
send 257 bytes and interpret the results as follows:
- If no response is returned the system has been patched.
- If a 500 error is returned the server is unpatched.
- If a 404 error is returned the .printer mapping has been removed.
We get bonus points for now having a detection method that doesn't
overflow the server. Thanks to Chris St. Clair for much of the research
on this. His post to NTBUGTRAQ apparently hasn't been passed on by Russ.
I have attached a script based on webexplt.pl that works correctly. Try
it out instead. Note that some reverse proxies may affect the results.
Also if it sees any unexpected responses (i.e. 3xx) that some IIS
configs return it just prints the response.
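The 257-byte patch check described above, written as an added Python example rather than the attached Perl script (which is not reproduced here). The request path /NULL.printer and the "A" filler for the Host: value are assumptions; the three verdicts follow the post's rules, and a connection that stays silent until the timeout or is closed without data counts as "no response".

```python
import socket

# One byte over the 256-byte Host: cutoff the patch enforces (from the post).
HOST_HEADER_LEN = 257

def build_probe(path="/NULL.printer"):
    """Build a single HTTP/1.0 request whose Host: value is 257 bytes long.

    The path and the 'A' filler are assumptions: any .printer URL reaches the
    ISAPI extension, and the byte values of the Host: header do not matter.
    """
    host_value = "A" * HOST_HEADER_LEN
    return f"GET {path} HTTP/1.0\r\nHost: {host_value}\r\n\r\n".encode("ascii")

def classify_response(raw):
    """Map the raw bytes received (b'' if nothing came back) to a verdict.

    Follows the three cases in the post; anything else (e.g. a 3xx from an
    unusual IIS configuration) is reported verbatim rather than guessed at.
    """
    if not raw:
        return "patched"
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = status_line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/"):
        if parts[1] == "500":
            return "unpatched"
        if parts[1] == "404":
            return "mapping-removed"
    return "unexpected: " + status_line

def probe(target, port=80, timeout=10.0):
    """Send the 257-byte probe to target:port and classify what comes back.

    A server that closes the connection or stays silent until the timeout is
    treated as having returned no response (the patched behaviour).
    """
    chunks = []
    with socket.create_connection((target, port), timeout=timeout) as sock:
        sock.sendall(build_probe())
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, ConnectionResetError):
            pass
    return classify_response(b"".join(chunks))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80))
```

As the post notes, a reverse proxy in front of the server can change which of the three cases you observe, so an "unexpected" verdict should be read alongside the raw status line it reports.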