[20624] in bugtraq
Re: [BUGTRAQ] Windows 2000 .printer remote overflow - daemon@ATHENA.MIT.EDU (Paul Cardon)
Tue May 15 09:13:06 2001
Message-ID: <3AFC302F.8625D8C4@moquijo.com>
Date: Fri, 11 May 2001 14:32:15 -0400
From: Paul Cardon <paul@moquijo.com>
MIME-Version: 1.0
To: Crussaider <crussaider@globalnet.hr>
Cc: BUGTRAQ@securityfocus.com
Crussaider wrote:
>
> After I patched servers, webexplt.pl was still reporting
> servers vulnerable but I was unable to place eeye's txt file on the
> server via iishack2000 and I was unable to get reverse cmd shell
> via jill. Neither from linux nor windows.
That's because webexplt.pl uses too long of a string. It reports that
the server is vulnerable if it doesn't return a response. Microsoft's
patch causes the server to not return a response for any Host: value
greater than 256 bytes in length. The behavior of webexplt.pl is the
same for servers that are patched and unpatched. To get around this
send 257 bytes and interpret the results as follows:
- If no response is returned the system has been patched.
- If a 500 error is returned the server is unpatched.
- If a 404 error is returned the .printer mapping has been removed.
We get bonus points for now having a detection method that doesn't
overflow the server. Thanks to Chris St. Clair for much of the research
on this. His post to NTBUGTRAQ apparently hasn't been passed on by Russ
yet.
I have attached a script based on webexplt.pl that works correctly. Try
it out instead. Note that some reverse proxies may affect the results.
Also if it sees any unexpected responses (i.e. 3xx) that some IIS
configs return it just prints the response.
-paul
Attachment: ipptest.pl (application/x-perl)
#!/usr/bin/perl
# By paul@moquijo.com
# Based on code by storm@stormdev.net
# Tested with success against Win2k IIS 5.0 (+ SP1)
# Remote Buffer Overflow Test for Internet Printing Protocol
# This code was written after eEye brought this issue in BugTraq.
use strict;
use warnings;
use Socket;

print "-- IPP - IIS 5.0 Vulnerability Test --\n\n";
if (not $ARGV[0]) {
    print "\tUsage: $0 <host>\n\n";
    exit;
}
my $ip = $ARGV[0];
print "Sending test probe to host: " . $ip . "\n\n";

# A 257-byte Host: value is one byte over the limit introduced by the
# Microsoft patch: a patched server stays silent, an unpatched one still
# answers with a 500.  "Connection: close" makes the server hang up after
# answering so the read in sendexplt() terminates.
my $result = join('', sendexplt($ip,
    "GET /NULL.printer HTTP/1.1\r\n"
    . "Host: " . "A" x 257 . "\r\n"
    . "Connection: close\r\n\r\n"));

if (not $result) {
    print "The server tested has been patched for the IPP vulnerability\n\n";
    exit;
}
if ($result =~ m{HTTP/1\.1 500}) {
    print "The server tested has the IPP vulnerability!\n\n";
    exit;
}
if ($result =~ m{HTTP/1\.1 404}) {
    print "The server has had the .printer mapping removed.\n\n";
    exit;
}
print "An unexpected response has been received:\n";
print $result;
exit;

# Connect to port 80 on $host, send $pstr and return every line the
# server sends back (an empty list if it sends nothing).
sub sendexplt {
    my ($host, $pstr) = @_;
    my $target = inet_aton($host) || die("inet_aton problems\n");
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems\n");
    connect($sock, sockaddr_in(80, $target)) || die("Can't connect...\n");
    my $old = select($sock);
    $| = 1;
    select($old);
    print $sock $pstr;
    # A patched server never answers; cap the wait instead of blocking
    # forever if it also keeps the connection open (timeout added here).
    my @in;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm 10;
        @in = <$sock>;
        alarm 0;
    };
    alarm 0;
    close($sock);
    return @in;
}
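The probe-and-classify procedure Paul describes (a 257-byte Host: value, then no response / 500 / 404 / anything else) as an added Python example. This is not part of Paul's post or his ipptest.pl; the function names, the 10-second timeout, the Connection: close header and the sample responses in the comments are assumptions or constructed for illustration. It separates the pure classification from the network step so the decision logic can be checked offline against canned replies.

```python
"""Patch-status check for the IIS 5.0 .printer (IPP) issue, after the post above."""
import socket
import sys

PATCH_LIMIT = 256                    # patched server drops any Host: value longer than this
PROBE_HOST_LEN = PATCH_LIMIT + 1     # 257 bytes: over the limit, far too short to overflow
PROBE_PATH = "/NULL.printer"


def build_probe(host_len=PROBE_HOST_LEN):
    """Raw request: a .printer URL with a host_len-byte Host: value.
    Connection: close is an addition so the server hangs up after answering."""
    return (f"GET {PROBE_PATH} HTTP/1.1\r\n"
            f"Host: {'A' * host_len}\r\n"
            "Connection: close\r\n"
            "\r\n").encode("ascii")


def host_value_length(request):
    """Length in bytes of the Host: header value in a raw request (0 if absent)."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return len(line[5:].strip())
    return 0


def status_code(response):
    """Three-digit status code from the first line of a reply, or None."""
    first = response.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first.split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def classify(response):
    """Map a raw reply to the outcome the post describes."""
    if not response:
        return "patched"          # patched server returns nothing at all
    code = status_code(response)
    if code == 500:
        return "vulnerable"       # unpatched server answers with a 500 error
    if code == 404:
        return "mapping removed"  # the .printer application mapping is gone
    return "unexpected"           # e.g. a 3xx from some IIS configs or a reverse proxy


def probe(host, port=80, timeout=10.0):
    """Send the probe over the network and return (outcome, raw reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe())
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # silence within the timeout counts as "no response"
    raw = b"".join(chunks)
    return classify(raw), raw


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"Usage: {sys.argv[0]} <host>")
    outcome, raw = probe(sys.argv[1])
    print(outcome)
    if outcome == "unexpected":
        sys.stdout.write(raw.decode("latin-1"))  # print the reply, as ipptest.pl does
```

Offline, `classify()` can be fed constructed replies such as `b"HTTP/1.1 500 Internal Server Error\r\n\r\n"` or an empty byte string to confirm the three branches; `host_value_length(build_probe())` confirms the probe sits exactly one byte over the 256-byte cut-off rather than at the overflow length webexplt.pl uses.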