The vulnerability arises when a buffer of approx. 420 bytes is sent within the HTTP Host: header for a .printer ISAPI request. Remotely exploits buffer overflow, inserts shellcode to "shovel a shell" back to a listener on attacker's system.
Example:
GET /NULL.printer HTTP/1.0
Host: [buffer] (Where [buffer] is approx. 420 characters.)
When exploited, an attacker would have caused a buffer overflow within IIS and have overwritten EIP. Now normally the web server would stop responding once the attacker has "buffer overflowed" it. However, Windows 2000 will automatically restart the web server if it notices that the web server has crashed.
This exploit will run against an IIS 5 web server, create a text document on the remote server with instructions directing readers to a web page on eeye.com that has information on how to patch the system so that the web server is no longer vulnerable to this flaw.
Wanderley J. Abreu Jr. provided the memory leak 'iiswebexplt.pl' exploit.
This code requires perl and is run from the command line as "perl iiswebexpl.pl victim". Upon execution, the code outputs the results in text on the screen stating if the victim web server is vulnerable or not vulnerable.
Dark spyrit provided the 'jill.c' exploit.
The exploit code jill.c, is a 167-line program written in the C language, authored by a grey-hat hacker in New Zealand who uses the nickname Dark Spyrit. Although jill is written in UNIX C, compiling it on Windows 2000 is a snap with the Cygwin environment. Cygwin compiles UNIX code with an "abstraction layer" library—cygwin1.dll—that intercepts the native UNIX calls and translates them into Win32 equivalents. Therefore as long as the cygwin1.dll is in the working path from where the compiled executable is run, it would function on Win32 as it would under UNIX or Linux.
Using the compiled code against a default installation of IIS 5.0, an attacker merely needs to type in the name of a remote system and a port number, and gain complete control of the machine in a matter of seconds. It provides the remote attacker with a command shell with SYSTEM level access. Therefore the exploit grants full control over the system allowing the attacker to "own" the system.
iis5 remote .printer overflow.
dark spyrit / beavuh labs.
Usage:/jill
Because the initial attack occurs via the Web application channel (port 80, typically) and because the shell is shoveled outbound from the victim Web server on a port defined by the attacker, this attack is difficult to stop using router or firewall filtering.
Cyrus the Great provided the 'iis5hack.zip' exploit
This is basically the jill.c script with some changes to make it easier to compile on the Windows platform which in effect makes it a real point and click exploit code. It also includes a perl script
0 comments:
Post a Comment