
Exploits

In almost every environment there are Windows servers. These servers become our web front ends, our databases, even our firewalls. Security in these situations becomes crucial. Everywhere you look, you will find misconfigured systems and Windows exploits for every type of network.

Below is a selection of exploits brought to my attention that I think are quite cool :o)

Exploit 1

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

This results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple confused services can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more processor time than usual. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, the same attack against port 53 (dns.exe) will cause DNS to stop functioning.
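As an added defensive example (not from the original page), the Python script below audits a firewall log for the three service ports named above being accepted from untrusted networks, which is the condition that lets a stray connection wedge RPCSS.EXE, inetinfo.exe or dns.exe in the first place. The log layout, the trusted address ranges and the host that is allowed to serve DNS publicly are assumptions made for the example, and the log lines are constructed.

```python
"""Flag accepted connections to Windows RPC and DNS service ports from
untrusted networks in a firewall log.

The log lines below are constructed for this example in a simple
'date time action proto src:port -> dst:port' layout; adapt LINE_RE to
your own firewall's format. Network ranges and hostnames are assumptions.
"""
import ipaddress
import re

# Networks from which RPC-style services may legitimately be reached (assumed).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# The RPC endpoint mapper and the IIS RPC listener seen on 1031; neither
# has any business being reachable from outside the network.
RPC_PORTS = {135, 1031}
DNS_PORT = 53

# Hosts that are meant to answer DNS for the outside world (assumed).
PUBLIC_DNS_HOSTS = {"192.0.2.53"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_trusted(ip: str) -> bool:
    """True when the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def audit_firewall_log(lines):
    """Return (line, reason) pairs for accepted connections that should not have been."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue                      # malformed or already blocked
        dport = int(m["dport"])
        src, dst = m["src"], m["dst"]
        if dport in RPC_PORTS and not is_trusted(src):
            findings.append((line, f"RPC port {dport} reachable from untrusted {src}"))
        elif dport == DNS_PORT and dst not in PUBLIC_DNS_HOSTS and not is_trusted(src):
            findings.append((line, f"DNS on {dst} exposed to untrusted {src}"))
    return findings


SAMPLE_LOG = [  # constructed sample lines
    "2001-03-04 10:12:01 ACCEPT TCP 203.0.113.45:3421 -> 192.0.2.10:135",
    "2001-03-04 10:12:05 ACCEPT TCP 10.1.2.3:1055 -> 192.0.2.10:135",
    "2001-03-04 10:13:17 ACCEPT TCP 198.51.100.7:4012 -> 192.0.2.10:1031",
    "2001-03-04 10:14:02 ACCEPT UDP 198.51.100.7:53 -> 192.0.2.53:53",
    "2001-03-04 10:14:30 ACCEPT UDP 198.51.100.7:2231 -> 192.0.2.10:53",
    "2001-03-04 10:15:00 DROP TCP 203.0.113.45:3422 -> 192.0.2.10:135",
    "2001-03-04 10:16:11 ACCEPT TCP 203.0.113.45:3500 -> 192.0.2.10:80",
]

if __name__ == "__main__":
    for line, reason in audit_firewall_log(SAMPLE_LOG):
        print(reason)
```

The internal connection to port 135 and the DROP entry are left alone; only accepted connections from outside the trusted ranges to the RPC ports, or to a DNS service on a host that is not meant to be a public resolver, are reported.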


Exploit 2

'Nbtstat -a nodename' or 'Nbtstat -A ipaddress' will display a good deal of information about a remote node. This command will display:

Active User
Services running
NT Domain name
Nodename
Ethernet Hardware address
This gives a hacker doing password guessing two of the three pieces of information required to mount shares on a remote system: 'Domain name' and 'Username'.

The local and remote systems must be able to communicate via ports 137, 138, 139.
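To show exactly what the node-status reply behind 'Nbtstat -A' hands out, here is an added example (not from the original page) that builds a reply in the RFC 1002 format and decodes it the way nbtstat does, picking out the computer name, domain, logged-on user, running services and hardware address. The machine name, domain name, user name and MAC address are invented for the example; the packet is constructed, not captured from a real host.

```python
"""Decode a NetBIOS node-status (NBSTAT) reply, RFC 1002 section 4.2.18.

'nbtstat -A <ip>' sends a node-status request to UDP/137 and prints the
reply; decoding one by hand shows what a host gives away to anyone who can
reach that port. The reply bytes below are constructed for this example
(names, domain and MAC are invented), not captured from a real host.
"""
import struct

# Well-known NetBIOS name suffixes (Microsoft KB 163409).
UNIQUE_SUFFIXES = {
    0x00: "Workstation service",
    0x03: "Messenger service",
    0x1B: "Domain master browser",
    0x1D: "Master browser",
    0x20: "File server service",
}
GROUP_SUFFIXES = {
    0x00: "Domain / workgroup name",
    0x1C: "Domain controllers",
    0x1E: "Browser service elections",
}
GROUP_FLAG = 0x8000   # 'G' bit of NAME_FLAGS
ACTIVE_FLAG = 0x0400  # 'ACT' bit of NAME_FLAGS


def _encode_netbios_name(name: str) -> bytes:
    """First-level encoding: 16 bytes, each split into two nibbles offset by 'A'."""
    raw = name.encode("ascii").ljust(16, b"\x00")
    encoded = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([len(encoded)]) + encoded + b"\x00"


def build_node_status_response(names, mac: bytes, trn_id: int = 0x1234) -> bytes:
    """Constructed NBSTAT reply; names is a list of (name, suffix, is_group)."""
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)  # response, AA, 1 answer
    entries = b"".join(
        name.encode("ascii").ljust(15, b" ") + bytes([suffix])
        + struct.pack(">H", (GROUP_FLAG if is_group else 0) | ACTIVE_FLAG)
        for name, suffix, is_group in names
    )
    stats = mac + b"\x00" * 40                    # UNIT_ID (MAC) then zeroed counters
    rdata = bytes([len(names)]) + entries + stats
    return (header + _encode_netbios_name("*")
            + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata)


def parse_node_status_response(data: bytes) -> dict:
    """Return computer name, domain, logged-on users, services and MAC from a reply."""
    _, flags, _, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name-service response")
    pos = 12
    while data[pos] != 0:                         # skip the RR_NAME labels
        pos += 1 + data[pos]
    pos += 1
    rr_type, _, _, _ = struct.unpack_from(">HHIH", data, pos)
    pos += 10
    if rr_type != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    num_names, pos = data[pos], pos + 1
    entries = []
    for _ in range(num_names):                    # 18-byte NODE_NAME entries
        name = data[pos:pos + 15].decode("ascii", "replace").rstrip(" ")
        suffix, name_flags = data[pos + 15], struct.unpack_from(">H", data, pos + 16)[0]
        entries.append((name, suffix, bool(name_flags & GROUP_FLAG)))
        pos += 18
    mac = "-".join(f"{b:02X}" for b in data[pos:pos + 6])  # UNIT_ID opens STATISTICS

    computer = next((n for n, s, g in entries if s == 0x00 and not g), None)
    domain = next((n for n, s, g in entries if s == 0x00 and g), None)
    # A unique <03> name that is not the machine name is the logged-on user.
    users = [n for n, s, g in entries if s == 0x03 and not g and n != computer]
    services = [
        f"{n}<{s:02X}> {(GROUP_SUFFIXES if g else UNIQUE_SUFFIXES).get(s, 'unknown')}"
        for n, s, g in entries
    ]
    return {"computer": computer, "domain": domain, "users": users,
            "services": services, "mac": mac}


# Constructed reply: an NT web server that is also a domain controller,
# with an administrator logged on at the console.
SAMPLE_NAMES = [
    ("WEBSRV", 0x00, False), ("CHROMEDOM", 0x00, True), ("WEBSRV", 0x03, False),
    ("WEBSRV", 0x20, False), ("CHROMEDOM", 0x1C, True), ("ADMIN", 0x03, False),
]
SAMPLE_REPLY = build_node_status_response(SAMPLE_NAMES, bytes.fromhex("020000123456"))

if __name__ == "__main__":
    for key, value in parse_node_status_response(SAMPLE_REPLY).items():
        print(f"{key}: {value}")
```

Everything the decoder recovers is sent in the clear to any host that can reach UDP/137, which is why the page's note about ports 137, 138 and 139 matters: blocking them at the perimeter is the only thing that keeps this listing internal.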


Exploit 3

Anonymous users have the same access rights as Domain Users.

Installing IIS on a PDC (typical) results in the IUSR_<nodename> account becoming a member of 'Domain Users'. This gives anonymous guests the access rights of the 'Domain Users' group instead of the 'Guests' group.
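An added check for this misconfiguration (example code, not from the original page): on NT 4.0 the membership of a domain group can be listed with 'net group "Domain Users" /domain', and the function below parses that listing and flags the IIS anonymous accounts and the built-in Guest. The listing is constructed for the example and the account names are invented.

```python
"""Check whether anonymous web accounts have ended up in 'Domain Users'.

Installing IIS on a PDC puts IUSR_<nodename> into 'Domain Users'. This
parses the output of 'net group "Domain Users" /domain' and reports the
accounts that belong in 'Guests' only. The listing below is constructed
for this example and the account names are invented.
"""
import re

# Account name patterns that should never carry Domain Users rights: the IIS
# anonymous and out-of-process accounts, plus the built-in Guest.
ANONYMOUS_PATTERNS = [re.compile(p, re.IGNORECASE)
                      for p in (r"^IUSR_", r"^IWAM_", r"^Guest$")]


def parse_net_group_members(listing: str) -> list:
    """Return the member names from 'net group <name>' output.

    Members are printed in whitespace-separated columns between the dashed
    rule and the 'The command completed successfully.' trailer.
    """
    members, in_members = [], False
    for line in listing.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.extend(line.split())
    return members


def find_anonymous_members(listing: str) -> list:
    """Members of the listed group that match an anonymous-account pattern."""
    return [m for m in parse_net_group_members(listing)
            if any(p.search(m) for p in ANONYMOUS_PATTERNS)]


SAMPLE_LISTING = """\
Group name     Domain Users
Comment        All domain users

Members

-------------------------------------------------------------------------------
Administrator            IUSR_WEBSRV              IWAM_WEBSRV
jsmith                   backup                   operator
The command completed successfully.
"""

if __name__ == "__main__":
    bad = find_anonymous_members(SAMPLE_LISTING)
    print("anonymous accounts in Domain Users:", ", ".join(bad) or "none")
```

An NT domain account cannot be removed from its primary group, so the usual remedy is to make Domain Guests the primary group of IUSR_<nodename> first and only then remove it from Domain Users; rerunning the check afterwards confirms the change took.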


Exploit 4

A URL such as 'http://www.aolispureshitebytheway.com/..\..' allows you to browse and download files outside of the web server content root directory.

A URL such as 'http://aolispureshitebytheway/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
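The reason a '..\..' URL walks out of the content root is that the request path is joined onto the root without being canonicalised first. As an added example (not from the original page), the first resolver below reproduces that mistake and the second shows the containment check a server should make: decode, treat backslash as a separator the way NT does, normalise '.' and '..', and only then confirm the result still lies under the root. The web root and file names are assumptions.

```python
"""Resolve a requested URL path to a file under the web content root,
rejecting requests that escape it.

resolve_unsafe reproduces the mistake behind '..\\..' URLs: it joins the
request path onto the root without canonicalising it. resolve_safe decodes
the path, treats backslash as a separator (as NT does), normalises '.' and
'..', and only then checks that the result is still inside the root.
The web root and file names are assumptions for the example.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"   # assumed content root, POSIX-style for portability


def resolve_unsafe(url_path: str) -> str:
    """Vulnerable: '..' and '\\' survive untouched, so the result can be outside the root."""
    return posixpath.join(WEB_ROOT, url_path.lstrip("/"))


def resolve_safe(url_path: str) -> str:
    """Hardened: canonicalise first, then enforce containment. Raises on escape attempts."""
    decoded = unquote(url_path)           # one round of %xx decoding, as the server does
    if "\x00" in decoded:
        raise PermissionError("embedded NUL in request path")
    unified = decoded.replace("\\", "/")  # NT treats both slashes as separators
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, unified.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise PermissionError(f"request escapes content root: {url_path!r}")
    return candidate


def is_contained(url_path: str) -> bool:
    """True when the hardened resolver accepts the path."""
    try:
        resolve_safe(url_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for req in ["/default.htm", "/images/../default.htm", "/..\\..",
                "/scripts/..%5c..%5csomefile.txt"]:
        verdict = "ok" if is_contained(req) else "REJECTED"
        print(f"{req:35} unsafe -> {resolve_unsafe(req):40} safe -> {verdict}")
```

The check only holds if it runs on the same form of the path that the file system call will see: a server that decodes the request once more after the check has been made can be walked out of the root again, so decode exactly once and canonicalise before comparing.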

Exploit 5

First of all, Frontpage is brain-damaged (just have to set the stage).

Ok, Frontpage works like this when you want to publish files:

It tries to GET "http://www.yourdomain.com/_vti_inf.html". This file
contains the version of the FP extensions and the path on the server
where the extensions are located. When you use Frontpage to upload content,
it will try and fetch this file, if it can, it then tries to POST to
"http://www.yourdomain.com/_vti_bin/shtml.exe/_vti_rpc" (that's the default).

This server binary is not password protected, so it is able to post a query
to it. The first thing it does is just establish a protocol rev in which the
client and server are going to talk, and what functions the server provides.

If you have any people using Frontpage, it's likely that they FTPed the
_vti_inf.html from their home machine up to your site. Then they tried
to publish, and it tried HTTP first. If HTTP fails, it just kicks over to
FTP as the publishing protocol (and notifies the user that they can't use
WebBots and stuff).

Incidentally, I have a passion to hate the FP extensions. They are fundamentally
stupid.

Firstly, they maintain a shitload of meta files (one shadow for every file
managed) then they have all of their config info in a bunch of text files
in the _vti_pvt directory. (Oh, BTW, there exists a very HUGE privacy hole
in the FP extensions). If you go to a site that has FP extensions, just
pick any directory in the URL, yank the filename off, and put "_vti_cnf"
there instead...you'll get a complete listing of all the files in the
real directory. With this you can snatch files that weren't meant to be
seen by the public...and it's available on ALL FP enabled sites.
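The two exposures described above, '_vti_cnf' listings that reveal every file in the real directory and an '_vti_bin/shtml.exe/_vti_rpc' endpoint that takes POSTs from anyone, both leave tracks in the web server log. As an added defensive example (not from the original page or from the FrontPage extensions themselves), the scanner below reads IIS W3C extended log lines and reports requests for the extensions' private directories or authoring RPC endpoint that did not come from the hosts expected to author content. The log excerpt, addresses and authoring network are constructed for the example.

```python
"""Scan IIS W3C extended log lines for probes of FrontPage extension paths.

'_vti_cnf' directory listings give away every file name in the real
directory, and '_vti_bin/shtml.exe/_vti_rpc' accepts unauthenticated POSTs.
This flags both, separating hits from the authoring hosts that are expected
to talk to the extensions from everyone else. Log lines, addresses and the
authoring network are constructed for the example.
"""
import ipaddress

# Hosts allowed to author content through the extensions (assumed).
AUTHORING_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# FrontPage server extension paths that the public should never fetch.
PRIVATE_DIRS = ("/_vti_cnf", "/_vti_pvt", "/_vti_txt", "/_vti_log")
RPC_ENDPOINTS = ("/_vti_bin/shtml.exe/_vti_rpc", "/_vti_bin/shtml.dll/_vti_rpc")


def _from_authoring_host(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORING_NETS)


def scan_w3c_log(lines):
    """Return (client, method, uri, status, reason) for suspicious FrontPage requests.

    Uses the field order declared in the '#Fields:' directive; fields are
    space separated as IIS writes them, with '-' for empty values.
    """
    fields = None
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        uri = rec.get("cs-uri-stem", "").lower()
        client = rec.get("c-ip", "-")
        method = rec.get("cs-method", "-")
        status = rec.get("sc-status", "-")
        if _from_authoring_host(client):
            continue                                  # expected authoring traffic
        if any(d in uri for d in PRIVATE_DIRS):
            # a 200 means the listing or metadata file was actually served
            reason = "metadata directory " + ("served (200)" if status == "200" else "probed")
            findings.append((client, method, uri, status, reason))
        elif method == "POST" and any(uri.endswith(e) for e in RPC_ENDPOINTS):
            findings.append((client, method, uri, status,
                             "authoring RPC call from non-authoring host"))
    return findings


SAMPLE_LOG = [  # constructed IIS log excerpt
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2001-03-04 10:20:01 203.0.113.45 GET /products/_vti_cnf/ 200",
    "2001-03-04 10:20:09 203.0.113.45 GET /products/pricelist.xls 200",
    "2001-03-04 10:21:30 10.0.5.12 POST /_vti_bin/shtml.exe/_vti_rpc 200",
    "2001-03-04 10:22:15 198.51.100.7 POST /_vti_bin/shtml.exe/_vti_rpc 200",
    "2001-03-04 10:23:00 198.51.100.7 GET /_vti_pvt/ 403",
    "2001-03-04 10:24:44 203.0.113.45 GET /index.html 200",
]

if __name__ == "__main__":
    for client, method, uri, status, reason in scan_w3c_log(SAMPLE_LOG):
        print(f"{client:15} {method:4} {uri:32} {status} {reason}")
```

A '_vti_cnf' hit that returned 200 followed a few seconds later by a download from the same directory is the pattern to look for; the fix is to deny the '_vti_*' directories to everyone but the authoring hosts at the web server and to require authentication on '_vti_bin'.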


Exploit 6

(Brought to my attention by a work colleague)

To the best of my knowledge, Quake2 suffers from the same bug that squake
suffers from. You can use the -gamedir option (or its quake 2 equivalent)
to make squake cough up a root shell using a standard buffer overflow
exploit. I don't believe Zoid altered this for quake 2. I don't think he
cares about security at all.

I wouldn't install anything of Zoid's setuid root without making it
group-owned by a trusted group and mode 4750.

This new exploit of yours even allows you to do evil things with Zoidware
even if it is installed with a wrapper. :\ (Unless you want to make your
wrapper check all the file permissions too)

Now onto a Quake security hole brought to my attention by that same work colleague

(AOHell employ smart ppl?????)

First let me note ID appear to be aware of the hole, as it appears to be
fixed in server 1.07+. 1.06 appears vulnerable.

You can do better than DoS with this one; you can compromise the account
the server is running under. In the case of NT servers, this probably
means complete compromise.

Basically, it appears that the message string given in a "tell" command is
stuffed into a buffer on the stack with no bounds checking. Tests seem to
show this buffer at 64 bytes (to the nearest power of two).

ie, log onto your favourite quake server, at the console type

tell no one sdfhkajsdhfkjasdhfkjsahdfkjfkjasdhf <- fill up the line with
some crap.


That's it for the exploits. I will add more as we go along; I do have some reliable sources for new exploits just breaking online, so hopefully we will have a few more very soon.

www.ChromeBox.com 2001 All Rights Reserved