WebDAV Exploit Lab

Good Morning,

In playing with the new rs_iis.c (http://www.rs-labs.com/) proof of concept exploit in the lab. In order to better understand how the exploit works, I've set up a scenario with an attacking machine located on the same logical segment as a web server with OllyDbg installed.

I've noticed from the documentation that the RET will likely have to change for the exploit to work, and have read that if you you brute force the RET, while having a debugger attached to the inetinfo process on the server, you will see the correct RET when the IIS service crashes.

So, what I've done is used a perl script to run the RET with every possible combination for from 0x0000 to 0xffff against a web server with OllyDbg attached to the inetinfo process. In order to save some time, I have the script checking to make sure IIS has not crashed in between RET address attempts (via simple TCP SYN) so it doesn't try to brute force a dead service. I'm not sure if this step is necessary, as I've noticed Win2k will restart the service when it is terminated unexpectedly, but what the heck.

AFAIK, here's what should happen when the exploit is run. Please feel free to interject your thoughts:

1. The debugger will break when the first exception is produced by running the exploit against the server. (So it looks like brute forcing the RET until IIS crashes is what I need to do here? Does that sound right?)
2. From here, you're supposed to set a breakpoint at "non-unicoded RET value" and resume execution until you reach that point.
3. Next, you look for the shellcode in memory and make sure the RET points to a NOP before the shellcode.

I'm finding that when a couple of interesting sticking points:

1. I fire up OllyDbg, attach to inetinfo, and select RUN (because it defaults to paused).
2. I run the exploit against the machine, using the default RET of 0x4804, and I get:

"Server is vulnerable but the exploit failed! Change RET value (e.g.
0xce04) and try again (when IIS is up again) :-/"

3) An interesting note is that in OllyDbg, it says that the process was terminated with exit code 0. I also see in the event log on the server that the IISADMIN and WWW services have terminated unexpectedly, and that IIS was stopped and restarted by NT AUTHORITY\SYSTEM (to recover the web service).

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

4) So now I'm to the point where I should be able to find the
"non-unicoded RET" value and set a breakpoint there. I'm just not too
sure what to do here. I've got the debug output, a web server that is still able to serve content (which sounds okay so far), and a crashed inetinfo process, but I think I need help tracking down this RET address with OllyDbg.

If you guys have experience in debugging a web app like this and feel like helping out, or have a link to a good tutorial, I would really appreciate the info.

Thanks,  

Jeremy Received on Fri Mar 28 11:27:54 2003