Vulnerable Systems: The following operating systems are vulnerable through Service Pack 1 if Internet Information Services 5.0 is installed:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Protocols Involved: HTTP, HTTPS, ISAPI

HOW THE EXPLOIT WORKS: The vulnerability that is the subject of this assignment lies in the IPP ISAPI extension in Windows 2000, which contains an unchecked buffer in the Host field. Clients use IPP by sending a print job via HTTP to the IIS server. The print job is handled by msw3prt.dll, which contains a buffer with inadequate bounds checking in the section of code that handles input parameters. When the server receives an HTTP printer request containing approximately 420 bytes of data in the Host header field, an overrun occurs that allows execution of attacker-supplied code.
Observations: EIP is overwritten at position 268 exactly, as shown in the figure below.
[Figure: EIP Overrun 1]
After the overwrite there are around 20 bytes of room for code that jumps back to the beginning of the buffer (plus the 4-byte EIP value, which points at a jmp esp located in mfc42.dll, addr=0x57F4774D5).
Be careful about what you pass into it: a minimal amount of parsing happens before the data reaches the buffer, which makes some characters unusable (or forces you to encode the payload). As far as I can tell, the bad bytes I have come across are: 0x00 0x0a 0x0d 0x3a
EIP location
The pattern_create.rb script in Metasploit is used to locate the string 6a413969, which is found at offset 268. This means that 268 bytes of padding must be inserted into the attack string before the four bytes that overwrite the return address. Bytes 1 to 268 contain the pattern string; the next four bytes, 269 to 272, overwrite the return address on the stack. Data = bytes 1-268, EIP = bytes 269-272.
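The offset arithmetic behind the slide above can be checked without the crashing service. The following is an added example, not code from the original presentation: it regenerates the same "Aa0Aa1Aa2..." cyclic pattern that pattern_create.rb produces and looks up where the value left in EIP (the register holds the four bytes in little-endian order) occurs in it. This is the same lookup a crash-dump triage does to confirm which part of an input reached the saved return address; the pattern generator and the default length of 1000 bytes are my assumptions.

```python
# Added example (not from the original slides): reproduce the Metasploit
# pattern_create / pattern_offset arithmetic to verify the reported offset
# (EIP = 0x6a413969 -> offset 268) from a crash register value.
import string
import struct


def cyclic_pattern(length):
    """Build the 'Aa0Aa1...Az9Ba0...' pattern: upper, lower, digit, with the
    digit cycling fastest and the uppercase letter slowest."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, length=1000):
    """Return the byte offset in the pattern where the 4 bytes now sitting in
    EIP came from, or -1 if the value is not part of the pattern.

    The register value is converted back to the byte order it had in memory
    (little-endian), so 0x6a413969 becomes b"i9Aj".
    """
    needle = struct.pack("<I", eip_value)
    return cyclic_pattern(length).find(needle)


if __name__ == "__main__":
    reported = 0x6a413969          # value from the slide's crash screenshot
    print("bytes in EIP:", struct.pack("<I", reported))
    print("offset:", pattern_offset(reported))   # 268, matching the slide
```

A result of -1 means the register was not overwritten by the pattern at all (for example the crash came from a different copy of the input), which is the first thing to rule out before trusting an offset.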
[Figure: Doing Attack 1]
[Figure: Gotcha! 1]
How to Protect Against the IPP ISAPI Extension Buffer Overflow:
Ongoing patch policy
Canary-based defenses
Non-executing stack defense
Firewall
IDS
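For the IDS item in that list, the distinguishing feature of the request described earlier is a Host header far longer than any hostname can legitimately be. The following added example, which is not part of the original slides, parses raw HTTP requests and flags that condition. The threshold of 260 bytes, the constructed sample requests and the ".printer" check are my assumptions: DNS caps a fully qualified name at 253 characters, and ".printer" is the IIS 5.0 extension mapped to the Internet Printing ISAPI extension, a detail not stated on the page.

```python
# Added example, not from the original slides: an IDS-style check that
# parses raw HTTP requests and flags an oversized Host header, the trigger
# the slides describe for the IPP ISAPI overflow in msw3prt.dll.
# Assumptions (mine, not from the page): the threshold, the constructed
# sample requests, and the ".printer" extension mapping of IIS 5.0.

# DNS limits a fully qualified name to 253 characters; even with ":port"
# appended, a legitimate Host header stays well below this value.
MAX_HOST_LEN = 260


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers).

    Header names are lower-cased; values stay as bytes because a hostile
    Host value is arbitrary binary data, not text.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method, target, headers


def inspect_request(raw):
    """Return a list of findings for one request; an empty list means clean."""
    findings = []
    _method, target, headers = parse_request(raw)
    host = headers.get("host", b"")
    if len(host) > MAX_HOST_LEN:
        findings.append("oversized Host header (%d bytes)" % len(host))
    if target.lower().endswith(".printer"):
        findings.append("request to the Internet Printing ISAPI extension")
    return findings


# Constructed sample traffic: one ordinary request and one shaped like the
# overflow trigger (about 420 bytes in the Host field, as the slides state).
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test\r\n\r\n"
)
SAMPLE_OVERFLOW = (
    b"GET /test.printer HTTP/1.0\r\n"
    b"Host: " + b"A" * 420 + b"\r\n\r\n"
)


def scan(requests):
    """Map each labelled request to its findings, as a log review would."""
    return {label: inspect_request(raw) for label, raw in requests.items()}


if __name__ == "__main__":
    results = scan({"benign": SAMPLE_BENIGN, "overflow": SAMPLE_OVERFLOW})
    for label, hits in results.items():
        print(label, "->", hits or "clean")
```

The length check alone catches the trigger regardless of what bytes the Host value contains, so it does not depend on the bad-byte list or on the specific return address; the ".printer" check only adds context about which ISAPI extension the request would reach. A rule of this shape belongs on a sensor in front of the server, since the first oversized request is already the one that overwrites EIP.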
Vishal Mishra
Thapar University, ME (Information Security)
http://vishal--mishra.blogspot.com
http://eva-os.blogspot.com
http://hack0xf4.blogspot.com
http://youtube.com/hack0xf4
/*Code used in exploit will be uploaded on blog & youtube channel soon*/