In this txt I will try to give you hints about IIS server
cracking. I will try to keep my txt in clear characters so
everybody understands it!
Truti@Fujang.dk Made By Truti
IIS is the web server Microsoft has on the market. It
should be a good alternative to the Apache server, which is
programmed for *nix and has a test version for NT. But it
seems that the server appeals to 2 different types of ROOTs
or Administrators. The ROOT who knows a bit about security
will never install the IIS server, and the newbie
Administrator will think "ahh, some new smart software from
M$ with 1000s of bugs, let's share our network with the BAD
Crackers!" If you make a benchmark on both servers you will
see that the IIS server has no problem handling more
traffic than the Apache (1.3.2) server.
But if you do not give the NT (IIS) machine a reboot every
24 hours it will begin to overflow the memory, and then it's
just a question of how soon the server will crash!
It's not normal for an IIS server to have an uptime of
over 30 days (very unmoral), but it's very normal for an
Apache server to have over 500 days of uptime. (My record
is 28 days, but it was with crap hardware and a standard
kernel.) Okay, but we are talking too much about general
server systems here... and this is a security txt. Let's start
with the fun part! Do you know why IIS is named IIS? Yeah, I
hope so; else: it stands for "Internet Information Server" and
is made by M$. The IIS server can run on all Win32s,
so all the bugs that are discovered for Win32 can also be
used against IIS servers (Buffer Overflows and stuff like
that). Then you can begin to think of all the exploits you
know for all the Win32 systems. But there are also some
central exploits for the IIS server, and that's what we are
going to take a look at in this txt.
A little trick for all of you out there who know zero about
Telnet, try this:
telnet [Target IP/HOST] 80
If your telnet client is not set to local echo you will see
a blank screen. Now type:
HEAD / HTTP/1.0
[Press >ENTER< 2 times]
Now you will see the header info from the server. A simple
way to see what web server software the server is
running.
=================================================================
The DOT exploit:
I can't stand for posting this Exploit... Find an IIS > IIS
3.00, telnet to it and send ../.. and the server is
down! Remember, it's only for > IIS 3.00 servers!
=================================================================
IIS is built with functions (some run-times) that run
in DOS mode. They mean it will be safer and run
more stable. And it does, but there are also exploits for
stuff like that. I have made a txt about that which you can
find at:
http://www.friserverplads.dk/minker112/hack_crack_iis_4_5.txt
AND Damn Dude, I have translated it to Danish:
http://www.friserverplads.dk/minker112/hack_crack_iis_4_5_da.txt
(If both links are dead then just find me at #2600dk on
irc.2600.net)
=================================================================
Microsoft IIS W3SVC Denial of Service (DoS Attack!)
This works for: IIS 4, 5 and 5.01 (all must be unpatched).
All must support FrontPage 2002 too.
This is a simple and general way to give an IIS server
a nice little >DOS< kick!
FrontPage contains URL parsers for dynamic components
(shtml.exe/dll). If a user sends a request for
"/_vti_bin/shtml.exe" where the URL for the dynamic
content is replaced with a long URL, the sub-module will
filter the URL and return a zero (0 == False) value to the
web service URL parser. An example string would be 35K of
ASCII 300. This will cause an access violation error, causing
the Inetinfo.exe service to crash!
The Update:
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
<-- I'm sure that this opens for new backdoors ;-)
=================================================================
Microsoft has made a function for FrontPage users that
lets you make web applications and execute them easily. But
inside the FrontPage Server Extensions is a built-in
RAD (Remote Application Deployment) feature that allows Visual
InterDev 6.0 users to register and unregister COM objects on
an IIS 4-5 server. There is a bug (exploit) in this
sub-component. A cracker can open a web session with the
server and pass a malformed packet to the server
component (RAD == Remote Application Deployment). A cracker
can use this packet to execute "bad" code on the server. The
code will be executed as IUSR_machinename on the
server.
To the details:
This works for IIS servers with:
Microsoft FrontPage 2000 Server Extensions (the RAD
sub-component is in the package by default).
Microsoft FrontPage 2000 Server Extensions has a Dynamic
Link Library (.DLL) file called "fp30reg.dll"; it's in this
file the bug (exploit) is placed. When fp30reg.dll receives
a URL request that is longer than 258 bytes, a stack buffer
overflow will crash the server. When this is done, a cracker
can execute code remotely!
When "fp30reg.dll" receives an invalid
parameter/request, it will return an error message like
this:
"The server is unable to perform the method [parameter
provided by the user] at this time"
This error message will be saved in a fixed-length stack
buffer.
fp30reg.dll calls USER32.wsprintfA() to form the return
message. Because there is no check on the length of the data
supplied by the user, the destination buffer can be
overwritten. A cracker can rewrite some important memory
address like the exception structure or the saved EIP to change
the program flow.
The format string used by USER32.wsprintfA() is:
"<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT
IMPLEMENTED</H1>
The server is unable to perform the method<b>%s</b> at this
time.</BODY>"
It is also saved on the stack and its address is (target
buffer address + 256 bytes), so the format string will be
overwritten when the overflow occurs. The
cracker has to manage it so the copy still finishes.
If a cracker overwrites the buffer with random data, the
IIS service will fail and crash. IIS 5.0 can be auto-
restarted, but IIS 4.0 needs to be restarted manually by
the admin.
If the cracker does this right he can get the privileges of the
IWAM_machinename account in IIS 5.0 or the Local SYSTEM account
in IIS 4.0 by default.
Note:
There is a copy of fp30reg.dll in another directory:
"\Program Files\Common Files\Microsoft Shared\Web Server
Extensions\40\bin\fp4areg.dll"
If the cracker then uses the Unicode bug (exploit), he can get
this file too.
The Exploit:
The exploit will not work if the parameter is only 258
bytes, like this:
$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`
<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT
IMPLEMENTED</H1>
The server is unable to perform the method
<b>AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA A</b> at this time.</BODY>
If the parameter is longer than 258 (e.g. 259) the buffer
will overflow, like this:
$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`
<html><head><title>Error</title></head><body>The remote
procedure call failed. </body></html>
Proof of Concept Code:
www.nsfocus.com has made proof-of-concept code for this
exploit:
http://www.nsfocus.com/proof/fpse2000ex.c
=================================================================
.htr Heap Overflow in IIS 4.0 and 5.0:
If the admin of the IIS server (you) installs the IIS
server in default mode, then ".htr" is enabled. ".htr" files
are only used by some web password functions. In this function a
heap exploit is available. It's a buffer overflow exploit. This
heap exploit can be used to execute machine code on the IIS
server. With the default installation the cracker will get
remote execution in the IUSR_machine security context.
This works on NT4 and Win 2000, with or without Service Pack 2
(SP2):
Microsoft IIS 4.00
Microsoft IIS 5.00
Microsoft IIS 5.01
To the details:
IIS supports many different file types, e.g. ".htr". If the
server receives a request for an ".htr" file it will be
handled by an ISAPI extension, in "ISM.DLL".
When the IIS server receives a request for a file it checks
all the scripting folders to see if the file is anywhere.
If the IIS server finds a file that is available, it's now the
ISAPI extension that handles the action. ".htr" files do not
actually need to be present on the system for the request to
be handled by ISM.DLL.
".htr" files are mapped to ISM.DLL by default, so a
default IIS 4-5 installation is "open". Microsoft has put
some documents on the net about how to secure IIS servers
against this bug.
Microsoft's IIS Security Checklist:
IIS 4.0
http://www.microsoft.com/technet/security/tools/chklist/iischk.asp
IIS 5.0
http://www.microsoft.com/technet/security/tools/chklist/iis5chk.asp
The basic message of these documents is that you shall disable
everything you don't use on the server! Once the request is
passed on to the ISM.DLL ISAPI filter, a specific request
causes a heap overflow to occur during processing. This
heap overflow makes it possible to execute machine code on
the target IIS (you just have to be sure that ISM.DLL
is loaded by default).
The IUSR_computername user context does not allow
administrative access, so the machine cannot be completely
compromised by this exploit alone. Remote attackers can
execute arbitrary code, which does allow for the creation of
a network worm or the execution of a remote control program
(a type of Trojan). The risk to machines that have not
been patched or reconfigured is very high. So IIS admins,
switch to Apache immediately.
Vendor Response:
The vendor has issued a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
The vendor has issued patches for this issue:
Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931
Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824
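As an added example (not part of the original txt), here is the log side of the requests described in the FrontPage fp30reg.dll, shtml.exe and .htr sections above: a small Python scanner over constructed IIS W3C extended log lines that flags those patterns so an admin can spot them. The W3C field layout and the 1024-byte shtml.exe cut-off are assumptions; the 258-byte fp30reg.dll limit is the one given in the txt.

```python
from typing import Dict, List

# 258 comes straight from the txt (fp30reg.dll overflows when the parameter
# is longer than 258 bytes). The shtml.exe cut-off is an ASSUMPTION: the txt
# talks about ~35K, so anything over 1024 bytes is treated as suspicious here.
FP30REG_MAX = 258
SHTML_LONG = 1024

def parse_w3c(lines: List[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines using the #Fields: header for names."""
    fields, rows = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify(row: Dict[str, str]) -> List[str]:
    """Return which of the txt's IIS attack patterns a single request matches."""
    stem = row.get("cs-uri-stem", "").lower()
    query = row.get("cs-uri-query", "-")
    qlen = 0 if query == "-" else len(query)
    hits = []
    if stem.endswith(("/fp30reg.dll", "/fp4areg.dll")) and qlen > FP30REG_MAX:
        hits.append("fp30reg.dll stack overflow attempt (query > 258 bytes)")
    if stem.endswith("/_vti_bin/shtml.exe") and qlen >= SHTML_LONG:
        hits.append("shtml.exe long-URL DoS attempt")
    if stem.endswith(".htr"):
        hits.append(".htr request handled by ISM.DLL (unmap .htr if unused)")
    if "/../" in stem or stem.endswith("/.."):
        hits.append("dot-dot in path (DOT exploit / traversal)")
    return hits

# Constructed sample log, not a real capture. The 259-byte query mirrors the
# curl test from the txt; /somefile.htr need not exist for ISM.DLL to get it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-04-11 10:00:01 192.0.2.10 GET /index.html - 200
2002-04-11 10:00:05 192.0.2.20 GET /_vti_bin/_vti_aut/fp30reg.dll {} 500
2002-04-11 10:00:09 192.0.2.30 GET /somefile.htr - 200
2002-04-11 10:00:12 192.0.2.40 GET /_vti_bin/shtml.exe {} 500
""".format("A" * 259, "B" * 2000).splitlines()

if __name__ == "__main__":
    for row in parse_w3c(SAMPLE_LOG):
        print(row["c-ip"], row["cs-uri-stem"], classify(row) or "ok")
```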
=================================================================
Remember: IIS SERVERS LOG EVERYTHING, SO IF YOU DON'T KNOW
WHAT'S RIGHT AND
WRONG, DON'T DO SHIT!
If you want to learn about and explore systems you can't learn it
on servers on the net.. You have to install them on your own.
Buy a 133 MHz box like me and then install the different OSes
you want to check out. Else you will be back to zero in no
time, because IIS servers log everything, and one mistake and you are
going bye-bye.
Credits
Truti@Fujang.dk Made By Truti