
PIS-102 Secure Coding Assignment-1

Aim: To Exploit Microsoft Windows 2000 IIS 5.0 IPP ISAPI Vulnerability

Vulnerable Systems: The following operating systems are vulnerable through Service Pack 1 if Internet Information Services 5.0 is installed.
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Protocols Involved: HTTP, HTTPS, ISAPI

HOW THE EXPLOIT WORKS: The vulnerability that is the subject of this assignment lies in the IPP ISAPI extension in Windows 2000, which contains an unchecked buffer in the Host field. Clients make use of IPP by sending a print job via HTTP to the IIS server. This print job is handled by msw3prt.dll, which contains a buffer that does inadequate bounds checking in a section of code that handles input parameters. When the server receives an HTTP printer request that contains approximately 420 bytes of data in the Host header field, an overrun occurs that allows our malicious code to execute.

Observations: EIP is overrun at position 268, to be exact, as you can see in the figure given below.

[Figure: EIP overrun]

[Figure: Registers showing the overflow]

[Figure: Stack when the overrun occurs, showing the return address]

[...] have around 20 bytes of code to jump back to the beginning of the buffer (and a 4-byte EIP jumping into a jmp esp located in mfc42.dll, addr=0x57F4774D5).

Be careful about what you pass into it: a minimal amount of parsing happens before the data reaches the vulnerable code, which makes some characters unusable (or forces you to encode your payload). As far as I can tell, the bad bytes I've come across are: 0x00 0x0a 0x0d 0x3a

EIP location
The pattern_create.rb script in Metasploit is used to locate the string 6a413969 at offset 268. This means that 268 bytes of padding must be inserted into the attack string before the four bytes that overwrite the return address. Bytes 1 to 268 contain the pattern string; the next four bytes, 269 to 272, overwrite the return address on the stack. Data = bytes 1-268, EIP = bytes 269-272.

Screenshots:

1: Finding attack vectors and the offset of the overflow

[Figure: Finding attack vector using OllyDbg]

2: Attacking after doing reconnaissance

[Figure: Doing the attack]

3: Gaining access on the victim

[Figure: Gotcha..!!]

How to Protect Against the IPP ISAPI Extension Buffer Overflow:
Ongoing patch policy
Canary-based defenses
Non-executing stack defense
Firewall
IDS
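As an added example (not code from this assignment or from its author), the IDS entry above can be made concrete with a small Python check that inspects a raw HTTP request for the pattern this write-up describes: a request for the IPP ISAPI whose Host header is far longer than any legitimate hostname or carries non-printable bytes. It assumes, from outside this page, that IIS 5.0 routes requests for the .printer extension to msw3prt.dll; the sample requests are constructed inline.

```python
# Threshold reasoning from the write-up: EIP is overwritten at offset 268 and the
# overrun needs roughly 420 bytes in the Host header. A real hostname never
# exceeds 253 characters, so 256 is a safe, low-false-positive alert line.
HOST_ALERT_LEN = 256


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers) or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def inspect(raw: bytes) -> list:
    """Return alert reasons for one request; an empty list means no finding."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line"]
    _method, target, headers = parsed
    # Assumption (not from the page): the IPP ISAPI is mapped to *.printer.
    is_printer = target.lower().split(b"?")[0].endswith(b".printer")
    host = headers.get(b"host", b"")
    reasons = []
    if is_printer and len(host) >= HOST_ALERT_LEN:
        reasons.append(f"oversized Host header ({len(host)} bytes) on .printer request")
    if is_printer and any(not 0x20 <= b < 0x7F for b in host):
        reasons.append("non-printable bytes in Host header of .printer request")
    return reasons


# Constructed sample traffic: one benign page fetch, one legitimate print
# request, one .printer request with a padded Host header, one with raw bytes.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
LEGIT_PRINTER = (b"POST /printers/lp.printer HTTP/1.1\r\nHost: print.example.com\r\n"
                 b"Content-Length: 0\r\n\r\n")
OVERSIZED = b"GET /null.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n"
NONPRINT = b"GET /x.printer HTTP/1.0\r\nHost: " + b"\x90" * 8 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("legit", LEGIT_PRINTER),
                      ("oversized", OVERSIZED), ("nonprint", NONPRINT)]:
        print(name, inspect(req) or "ok")
```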

Vishal Mishra
Thapar University, ME (Information Security)
http://vishal--mishra.blogspot.com
http://eva-os.blogspot.com
http://hack0xf4.blogspot.com
http://youtube.com/hack0xf4

/*Code used in exploit will be uploaded on blog & youtube channel soon*/
