Vulnerability Development mailing list archives

Re[2]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sat, 13 Apr 2002 12:28:20 +0400

Dear Riley Hassell,


--Saturday, April 13, 2002, 2:15:47 AM, you wrote to vuln-dev () securityfocus com:



RH>   "POST /iisstart.asp HTTP/1.1\r\n"
RH>   "Accept: */*\r\n"
RH>   "Host: eeye.com\r\n"
RH>   "Content-Type: application/x-www-form-urlencoded\r\n"
RH>   "Transfer-Encoding: chunked\r\n"
RH>   "\r\n"
RH>   "1\r\n"
RH>   "E\r\n"
RH>   "0\r\n"
RH>   "\r\n"
RH>   "\r\n"
RH>   "\r\n"

In my case it produces no error and simply responds with page content after

   "\r\n"
   "1\r\n"
   "E\r\n"
   "0\r\n"
   "\r\n"


RH> It won't overwrite anything mission critical so the dllhost shouldn't lock
RH> up or exit. If you're vulnerable then you'll see the following string in the
RH> error message "(0x80004005)<br>Unspecified". When a server is patched it
RH> will respond with a new error, I believe it's (0x80004005)<br>Request...

RH> You can also try putting NULLs in strange places in your request. The rollup
RH> fixes a problem in parsing requests with NULLs. When IIS sees something
RH> invalid in a request it will error back with "parameter incorrect", on an
RH> unpatched system the responses will vary.



-- 
~/ZARAZA
...he never set about programming without a cudgel. (Lem)

