General Bugs In IIS 4-5-5.01


In this txt I will try to give you hints for
IIS server cracking. I will try to keep my
txt in clear characters so everybody
understands it!

Truti@Fujang.dk Made By Truti


IIS servers are the server Microsoft has on the market. It should be a
good alternative to the Apache server, which is programmed for *nix
and has a test version for NT. But it seems that the servers appeal to
2 different types of ROOTs or Administrators. The ROOT who knows a
bit about security will never install the IIS server, and the newbie
Administrator will think "ahh, some new smart software from M$ with
1000s of bugs, let's share our network with the BAD Crackers!" If you
make a benchmark on both servers you will see that the IIS server
doesn't have problems handling more traffic than the Apache
(1.3.2) server. But if you don't give the NT (IIS) machine a reboot
every 24 hours it will begin to overflow the memory and then it's just
a question of how soon the server will crash! It's not normal for an
IIS server to have an uptime of over 30 days (very unusual) but it's
very normal for an Apache server to have over 500 days of uptime (my
record is 28 days, but it was with crap hardware and a standard
kernel). Okay, but we are talking too much about general server systems
here... and it is a security txt. Let's start with the fun part!

You know why IIS is named IIS? Yeah, I hope so; else: it stands for "Internet
Information Server" and it is made by M$. The IIS server can run
on all Win32 systems, so all the bugs that have been discovered for Win32 can also
be used against IIS servers (Buffer Overflows and stuff like that).
Then you can begin to think of all the exploits you know for all the
Win32 systems. But there are also some exploits specific to the IIS
server, and that's what we are going to take a look at in this txt.

A little trick for all of you out there who know zero about Telnet, try this:

telnet [Target IP/HOST] 80

If your telnet client is not set to local echo you will see a blank
screen. Now type:

HEAD / HTTP/1.0

[Press >ENTER< 2 times]

Now you will see the header info from the server. A simple way you
can see what web server software the server is running.
=======================================================================

The DOT exploit:

I can't stand posting this exploit... Find an IIS > IIS 3.00, telnet
to it and send ../.. and the server is down! Remember, it's only
for > IIS 3.00 servers!

=======================================================================

IIS is built with functions (some run-times) that run in DOS
mode. They meant it would be safer and run more stable. And it does, but
there are also exploits for stuff like that. I have made a txt about
that which you can find on:

http://www.friserverplads.dk/minker112/hack_crack_iis_4_5.txt
AND damn dude, I have translated it to Danish:
http://www.friserverplads.dk/minker112/hack_crack_iis_4_5_da.txt

(If both the links are dead then just find me at #2600dk on irc.2600.net)

========================================================================

Microsoft IIS W3SVC Denial of Service (DOS Attack!)

This works for: IIS 4-5-5.01 (all shall be unpatched).
All shall support FrontPage 2002 too.

This is a simple and general way to give an IIS server a nice little
>DOS< kick!

FrontPage contains URL parsers for dynamic components (shtml.exe/dll).
If a user sends a request for "/_vti_bin/shtml.exe" where the URL for
the dynamic content is replaced with a long URL, the sub-module will
filter the URL and return a zero (0 == False) value to the web service
URL parser. An example string would be 35K of ASCII 300. This will cause
an access violation error, causing the Inetinfo.exe service to crash!

The Update: http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
<-- I'm sure that this opens for new backdoors ;-)

=========================================================================

Microsoft has made a function for FrontPage users that lets you make
web applications and execute them easily. But within the FrontPage Server
Extensions function is a built-in RAD (Remote Application Deployment) that
allows Visual InterDev 6.0 users to register and unregister COM objects on
an IIS 4-5 server. There is a bug (exploit) in this sub-component.
A cracker can open a web session with the server and pass a malformed
packet to the server component (RAD == Remote Application Deployment). A
cracker can use this packet to execute "bad" code on the server. The code
will be executed as IUSR_machinename on the server.

To The Details:

This works for IIS servers with:
Microsoft FrontPage 2000 Server Extensions
(the RAD sub-component is in the package by default).

Microsoft FrontPage 2000 Server Extensions has a Dynamic Link Library
(.DLL) file called "fp30reg.dll"; it's in this file the bug (exploit) is
placed. When fp30reg.dll receives a URL request that is longer than 258
bytes, a stack buffer overflow will crash the server. When this is done a
cracker can execute code remotely!

When "fp30reg.dll" receives an invalid parameter/request, it will
return an error message like this:

"The server is unable to perform the method [parameter provided by the
user] at this time"

This error message will be saved in a fixed length stack buffer.

fp30reg.dll calls USER32.wsprintfA() to form the return message. Because
there is no check on the length of the data supplied by the user, the
destination buffer can be overwritten. A cracker can rewrite some
important memory addresses like the exception structure or the saved EIP to change
the program flow.

The format string used by USER32.wsprintfA() is:

"<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
The server is unable to perform the method<b>%s</b> at this time.</BODY>"

It is also saved on the stack and its address is (target buffer address +
256 bytes), so the format string will be overwritten when the
overflow occurs. The cracker has to manage to finish the copy.

If a cracker overwrites the buffer with random data, the IIS service will
fail and crash. IIS 5.0 can be auto-restarted, but IIS 4.0 needs to be restarted manually by the admin.

If the cracker does this right he can get the privileges of the IWAM_machinename
account in IIS 5.0 or the Local SYSTEM account in IIS 4.0 by default.

Note:
There is a copy of fp30reg.dll in another directory:
"\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\
bin\fp4areg.dll"
If the cracker then uses the Unicode bug (exploit) he can get this file too.

The Exploit:
The exploit will not work if the parameter is only 258 bytes, like this:
$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`

<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
The server is unable to perform the method <b>AAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA A</b> at this time.</BODY>

If the parameter is longer than 258 (e.g. 259), the buffer will overflow,
like this:
$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`

<html><head><title>Error</title></head><body>The remote procedure call
failed. </body></html>

Proof Of Concept Code:
www.nsfocus.com has made proof of concept code for this exploit:
http://www.nsfocus.com/proof/fpse2000ex.c

========================================================================================

.htr Heap Overflow in IIS 4.0 and 5.0:

If the admin of the IIS server (you) installs the IIS server in default mode
then ".htr" is enabled. ".htr" files are only used by some web password functions. In
this function a heap exploit is available. It's a buffer overflow exploit. This
heap exploit can be used to execute machine code on the IIS server. With the
default installation the cracker will get remote execution in the IUSR_machine
security context.

This works on NT4, Win 2000 with or without Service Pack 2 (SP2):
Microsoft IIS 4.00
Microsoft IIS 5.00
Microsoft IIS 5.01

To The Details:
IIS supports many different file types, e.g. ".htr". If the server receives a
request for an ".htr" file it will be handled by an ISAPI extension, in:
"ISM.DLL".

When the IIS server receives a request for a file it checks all the scripting
folders to see if the file is anywhere. If the IIS server finds a file that is
available, it's now the ISAPI extension that handles the action. ".htr" files do
not actually need to be present on the system for the request to be handled by ISM.DLL.

".htr" files are mapped to ISM.DLL by default, so a default IIS 4-5
installation is "open". Microsoft has made some documents on the net on how to secure IIS
servers against this bug.

Microsoft's IIS Security Checklist:
IIS 4.0
http://www.microsoft.com/technet/security/tools/chklist/iischk.asp
IIS 5.0
http://www.microsoft.com/technet/security/tools/chklist/iis5chk.asp
The basics of these documents are that you shall disable everything you don't use
on the server! Once the request is passed on to the ISM.DLL ISAPI filter, a
specific request causes a heap overflow to occur during processing. This heap
overflow makes it possible to execute machine code on the target IIS (you just have to be sure that ISM.DLL is enabled, as it is by default).

The IUSR_computername user context does not allow administrative access, so
the machine cannot be completely compromised by this exploit alone. Remote
attackers can execute arbitrary code, which does allow for the creation of a
network worm or the execution of a remote control program (a type of
Trojan). The risk to machines that have not been patched or reconfigured is
very high. So IIS admins, switch to Apache immediately.
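A defender-side check for the three request shapes this txt describes (a query to fp30reg.dll longer than the 258 bytes stated above, any request that reaches the default .htr -> ISM.DLL mapping, and an overlong shtml.exe URL), as an added example that is not part of the original txt. It runs over constructed IIS W3C extended log lines; the 1024-byte shtml threshold is my assumption, since the txt only says the crashing URL is around 35K.

```python
from typing import Dict, List, Tuple

FP30REG_MAX = 258  # from the txt: 259 bytes and up overflows the fixed stack buffer
SHTML_MAX = 1024   # assumption: far below the ~35K mentioned, but no real page is this long

# Constructed sample of IIS W3C extended log lines (not taken from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-04-10 12:00:01 10.0.0.5 GET /default.htm - 200
2002-04-10 12:00:07 10.0.0.9 GET /_vti_bin/_vti_aut/fp30reg.dll {a} 500
2002-04-10 12:00:09 10.0.0.9 GET /_vti_bin/_vti_aut/fp30reg.dll {b} 501
2002-04-10 12:00:15 10.0.0.7 GET /iisadmpwd/aexp.htr - 200
2002-04-10 12:00:20 10.0.0.8 GET /_vti_bin/shtml.exe/{c}.htm - 500
""".format(a="A" * 259, b="A" * 258, c="X" * 2000)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                           # other directives / blank lines
        values = line.split(" ")               # IIS never emits spaces inside a value
        if len(values) != len(fields):
            continue                           # malformed line: skip rather than misalign
        records.append(dict(zip(fields, values)))
    return records


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (client ip, rule) for each request matching one of the three patterns."""
    findings: List[Tuple[str, str]] = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"]
        qlen = 0 if query == "-" else len(query)
        if stem.endswith(("fp30reg.dll", "fp4areg.dll")) and qlen > FP30REG_MAX:
            findings.append((rec["c-ip"], "fp30reg-overflow"))
        elif "/_vti_bin/shtml." in stem and len(stem) > SHTML_MAX:
            findings.append((rec["c-ip"], "shtml-long-url"))
        elif stem.endswith(".htr"):
            findings.append((rec["c-ip"], "htr-mapping-hit"))   # .htr should be unmapped
    return findings


if __name__ == "__main__":
    for ip, rule in triage(SAMPLE_LOG):
        print(f"{ip}\t{rule}")
```

The 258-byte fp30reg.dll request (the "HTTP Error 501" case above) is deliberately not flagged, so the rule only fires on lengths that actually overflow the buffer.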

Vendor Response:
The vendor has issued a bulletin on this issue:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

The vendor has issued patches for this issue:
Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37931

Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37824

========================================================================================
Remember: IIS SERVERS LOG EVERYTHING, SO IF YOU DON'T KNOW WHAT'S RIGHT AND
WRONG, DON'T DO SHIT!

If you want to get to know and discover systems you can't learn it on servers on the
net... You have to install them on your own. Buy a 133 MHz like me and then install
the different OSes you want to check out. Else you will be back to zero in no time, because IIS servers log everything, and one fail and you are
going bye bye.

Credits

Truti@Fujang.dk Made By Truti