From erwin.geirnaert@pandora.be Wed Feb 14 19:12:42 2001
Date: Tue, 30 Jan 2001 22:59:25 +0100
From: Erwin Geirnaert
To: project@honeynet.org
Subject: Scan of the month

QUESTIONS:
----------

Below is a specific probe/exploit run against our honeypot, 172.16.1.106. As you read through these signatures, the challenge is to answer the following questions:

### QUESTION 1: What is the operating system of the honeypot, how do you know?

OS: WinNT. If you look at the response of the webserver it says IIS; this is only available for NT. This is the easy way. You can also see that it is MS-based if you look at the win value = 0x2238, or 8760 bytes, the standard implementation for Windows NT.

### QUESTION 2: What is the name of this attack?

Unicode exploit.

### QUESTION 3: What is the attack attempting to accomplish?

To get the directory listing of the server. This command is basically used to see if a webserver is vulnerable by pasting the command in the browser; in this case it was Internet Explorer 5.0.

### QUESTION 4: How does the attack work?

IIS doesn't allow directory traversal outside the wwwroot. Because Unicode can be used as a replacement for a dot, and IIS doesn't check this, it allows the attacker to call cmd.exe, which is situated in the system32 dir of winnt. If they get a dir listing they know that the webserver is vulnerable.

BONUS QUESTION: Is it possible to gain remote control of the system using this technique? If so, how?

The attacker has to make a copy of cmd.exe to get a command shell with SYSTEM rights. Then they can use this shell to FTP a trojan from a server so that they can install a backdoor. There is a good tool for this: IISHACK 1.5 from eEye.

Erwin Geirnaert
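Added example, not from the e-mail or the Honeynet challenge: a small Python log check for the traversal described in Question 4. It decodes each request path the way the vulnerable server did (accepting the overlong UTF-8 forms that strict decoders reject) before resolving '..', which is the ordering the fix requires, and flags any request whose resolved path leaves the web root or relies on such an overlong encoding. The log lines are constructed samples and the function names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample web-server log lines (not from the original e-mail).
SAMPLE_LOG = [
    "GET /default.asp 200",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200",
    "GET /images/logo.gif 200",
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir 404",
]

# Overlong two-byte UTF-8 form (0xC0/0xC1 + continuation byte) of a 7-bit char.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def lenient_utf8(raw: bytes) -> str:
    # Decode the way the vulnerable server did: fold each overlong sequence
    # back to the 7-bit character it encodes (%c0%af -> '/', %c1%9c -> '\').
    folded = OVERLONG.sub(
        lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), raw)
    return folded.decode("utf-8", errors="replace")

def resolve(path: str):
    # Resolve '.' and '..' over both separator styles and report whether
    # any '..' stepped above the web root.
    parts, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts), escaped

def analyze_request(url: str) -> dict:
    # Decode completely, then check; the flaw was checking between the two
    # decode stages, so '..' hidden behind %c0%af passed the check.
    raw = unquote_to_bytes(url.split("?", 1)[0])
    lenient, strict = lenient_utf8(raw), raw.decode("utf-8", errors="replace")
    canonical, escaped = resolve(lenient)
    return {"canonical": canonical, "escapes_root": escaped,
            "overlong_utf8": lenient != strict}

def suspicious_requests(log_lines):
    # Log lines whose path escapes the root or relies on an overlong encoding.
    checked = [(line, analyze_request(line.split()[1])) for line in log_lines]
    return [(l, i) for l, i in checked if i["escapes_root"] or i["overlong_utf8"]]
```

Note that the plain `../../` request on the last sample line is flagged for escaping the root even though the server already rejects it; only the overlong form is reported with `overlong_utf8` set, which is the hallmark of this particular bug.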