Sunday, 3 February 2013

eEye

History
eEye’s IIS exploit, also targeted at the popular Microsoft IIS 4, is a more
traditional buffer overflow attack, exploiting an overflow in an internal
IIS DLL.
Overview
Utilizing their own tool, Retina, and its AI Mining function, eEye
systematically sends an HTTP GET /[overflow].htr HTTP/1.0 request, which
the server passes to the ISAPI DLL because of the .htr file association,
to check for an overflow. Retina overflows the associated DLL, and
therefore the IIS executable, inetinfo.exe, presenting the opportunity to
execute arbitrary code on the server.
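The request shape described above, a .htr path far longer than any legitimate .htr filename, is also the shape a defender can look for in web server logs. The following is an added example (not eEye's or Retina's code) that scans Common Log Format access-log lines for oversized .htr requests; the log lines are constructed, and the 256-character threshold is an assumed cut-off.

```python
import re
from typing import NamedTuple

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Line 1: a normal, short .htr request.  Line 2: a very long filename in
# front of the .htr extension, the shape of the overflow check the page
# describes.  Line 3: an ordinary page fetch.
SAMPLE_LOG = (
    '10.0.0.5 - - [03/Feb/2013:10:00:01 +0000] "GET /samples/search.htr HTTP/1.0" 200 512\n'
    '10.0.0.7 - - [03/Feb/2013:10:00:02 +0000] "GET /' + 'A' * 3000 + '.htr HTTP/1.0" 500 0\n'
    '10.0.0.9 - - [03/Feb/2013:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 1024\n'
)

# One CLF line: source, identity, user, [timestamp], "METHOD PATH PROTO", status, bytes.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+$'
)


class Hit(NamedTuple):
    src: str        # client address that sent the request
    path_len: int   # length of the requested path
    status: int     # HTTP status the server returned


def suspicious_htr_requests(log_text: str, max_path_len: int = 256) -> list[Hit]:
    """Return requests whose path ends in .htr and exceeds max_path_len.

    .htr is handed to the ISAPI DLL, so a .htr path thousands of bytes long
    is the overflow-probe shape rather than a normal page request.  The
    256-byte default is an assumed threshold; tune it to local naming.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # assumption: logs are CLF; skip anything else
        path = m.group('path').split('?', 1)[0]  # ignore any query string
        if path.lower().endswith('.htr') and len(path) > max_path_len:
            hits.append(Hit(m.group('src'), len(path), int(m.group('status'))))
    return hits


if __name__ == '__main__':
    for hit in suspicious_htr_requests(SAMPLE_LOG):
        print(f'{hit.src}: .htr path of {hit.path_len} bytes, status {hit.status}')
```

A 500 status on such a request, as in the constructed second line, is consistent with inetinfo.exe having faulted and is worth correlating with a service restart on the same host.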
Use of the Exploit
eEye have produced a utility in kit form to demonstrate the exploit they
have discovered.
The iishack.exe chains together a sequence of events to take advantage
of the general lack of content analysis between the Internet and
corporate web-servers, which will typically allow any traffic to pass
back and forth across TCP port 80.
iishack.exe first makes the overflowed server download a Trojan, based on
netcat (nc.exe), bound to port 80 and configured to provide a cmd.exe shell.
Once the Trojan has been downloaded and executed, a remote user may
connect to TCP/80 in accordance with firewall rules, and is presented
with an interactive cmd.exe shell at a privileged level.
Example
The eEye iishack is intended to be a complete and closed pack. To
execute the attack, there must be a webserver with the Trojan ncx80.exe
(bound to port 80) available for download, and, of course, a vulnerable
target.
