Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

[muts]

A remote Microsoft FTP server exploit was released today by Kingcope, and can be found at http://milw0rm.com/exploits/9541, A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that lead to a”useradd” type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited [...]

More...

[pureh@te]

Mubix has also made a quick nmap script to search out this vulnerability.

More info on that here

[voodooo]

Doesnt work under w2003 server patched.

[theprez98]

Quote:

Originally Posted by voodooo

Doesnt work under w2003 server patched.

That's why is called an IIS 5.0 exploit!

[m-1-k-3]

for german windows 2k prof you can use the following JMP ESP:

Code:

$retaddr = "\x7B\x30\xE3\x77"; # JMP ESP german win2k platforms (fully patched)

More details including screenshot can be found here: http://www.s3cur1ty.de/iis-ftp-exploit-german-win2k

m-1-k-3

[Armagedeon]

Hello everyone

After a while I'm back... waiting eagerly for the final release of BT4...
I've tried to replicate this in a win2k Server SP0 box, in a VMware environment with no luck… could it be that the return address for JMP ESP is different in server version??? Or could it be related to the VMware environment? Any thoughts??

Thanks.

[m-1-k-3]

Quote:

Originally Posted by Armagedeon

Hello everyone

I've tried to replicate this in a win2k Server SP0 box, in a VMware environment with no luck… could it be that the return address for JMP ESP is different in server version??? Or could it be related to the VMware environment? Any thoughts??

The JMP ESP is different in the different Service Packs and also in the different languages.

m-1-k-3