IIS Configuration File Backdoor Method

Author: tombkeeper PGN Source: www.loveling.net/Hacker Base

This article describes how to build a backdoor using some of IIS's own features. It is intended primarily as a "know your enemy" document for network administrators and network security workers; the author hopes it will help with checking for and clearing such backdoors, and does not encourage or endorse using the techniques described here for illegal activities.

First, a brief description of the IIS configuration file, Metabase.bin. This file, located at %systemroot%\system32\inetsrv\metabase.bin, contains almost all of the configuration information for IIS and is a very important system file. Simply put, everything we do in the Internet Service Manager is eventually saved in Metabase.bin. Besides operating on Metabase.bin through the Internet Service Manager in day-to-day administration, Windows also provides a script, adsutil.vbs, that can operate on Metabase.bin.

The structure of the metabase is similar to the registry: it is also a tree with concepts like keys, values and items. In fact, in IIS 3 and PWS the metabase content was stored in the registry. The metabase has two primary keys: LM and Schema. Schema holds some of the system's default configuration; it normally needs no modification and is dangerous to change, so neither the Internet Service Manager nor adsutil.vbs provides a way to modify it. LM contains the configuration of IIS's HTTP, FTP, SMTP and other services. Among these, LM/W3SVC/ is the HTTP service configuration that we will be using.

A few of the values mentioned below:

LM/W3SVC/InProcessIsapiApps: the ISAPI extensions that are started in-process. This is an array containing a set of paths pointing to ISAPI DLLs. The ISAPIs in this array are run directly by Inetinfo.exe and inherit Inetinfo.exe's Local System privileges, while ISAPIs not in it are launched in a Dllhost.exe process derived from Svchost.exe and run as IWAM_<machinename>. This corresponds to the IIS default application protection level "Medium"; if it is set to "Low", all ISAPIs are run directly by Inetinfo.exe. In addition, if an entry specifies only the DLL file name rather than a full path, then an ISAPI with that file name under any path will be executed with system privileges when invoked.

ScriptMaps: script mapping. When this value is set on a directory, requests for files with the specified extension in that directory are handed to the specified ISAPI for execution. It must be emphasized that the directory on which ScriptMaps is set does not need to exist: as long as a subkey is created under the root key of an HTTP instance in the metabase, IIS treats an HTTP request for a directory with the same name as that key as legitimate and passes it to the mapped ISAPI. This is a weakness in IIS.

CreateProcessAsUser: when this value is set to 0 on a directory, applications under that directory inherit Inetinfo.exe's Local System privileges.

AccessWrite: determines whether a directory allows writing, i.e. the WebDAV PUT method.

AccessExecute: determines whether a directory allows applications to be executed.

Backdoor idea:

Create a script mapping for a specific extension, point it at our ISAPI, and add the ISAPI to the InProcessIsapiApps list. When we request a file of that extension from the server, our ISAPI is executed on the server with Local System privileges, and the requested file does not need to actually exist.

Tricks:

1. Since a real directory does not need to be created in order to set ScriptMaps, you can simply write a key and add ScriptMaps to that key. This way the directory cannot be seen in the Internet Service Manager, and neither can the ScriptMaps.

2. Although it cannot be seen in the Internet Service Manager, an experienced administrator may be in the habit of occasionally running adsutil.vbs enum /p to look:

    # adsutil.vbs enum /p /w3svc/1/root
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    [/w3svc/1/root/_vti_bin]
    [/w3svc/1/root/evildir]

So it is exposed. But because the key we set is not a real virtual directory, just a string in the configuration file, characters such as 0x08 can be used as the key name. 0x08 is the hex value of the backspace key; on the console its effect is to delete one character to the left, which here deletes the trailing "/":

    # adsutil.vbs enum /p /w3svc/1/root
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    [/w3svc/1/root/_vti_bin]
    [/w3svc/1/root]

Faced with such output, the average person will not notice anything.

The key can also be given a name like _vti_script or _vti_bin, which is not visible in the Internet Service Manager as long as KeyType is not set.
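The two hiding tricks above (a key name made of control characters, and a bare key with ScriptMaps but no KeyType) both leave marks that a script can find even though a human reading the console cannot. The following is an added example for this article, not tombkeeper's VBS: it audits the text that `cscript adsutil.vbs enum /p /w3svc/1/root` prints, and a per-key property map of the kind an administrator would collect with `adsutil.vbs enum /w3svc/1/root/<key>`. Both inputs below are constructed samples built from the output shown in the article.

```python
"""Flag metabase keys that hide from the Internet Service Manager.

Added example for this article (not tombkeeper's script). It reads the text that
`cscript adsutil.vbs enum /p /w3svc/1/root` prints, plus a per-key property map
collected with `adsutil.vbs enum /w3svc/1/root/<key>`. Both inputs are constructed."""
import re

# Constructed: the article's output, with a key named 0x08 (backspace) and one
# whose name carries an embedded carriage return.
SAMPLE_ENUM = (
    "Microsoft (R) Windows Script Host Version 5.6\r\n"
    "Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.\r\n"
    "\r\n"
    "[/w3svc/1/root/_vti_bin]\r\n"
    "[/w3svc/1/root/\x08]\r\n"
    "[/w3svc/1/root/evil\rdir]\r\n"
)

# Constructed: properties per key. A real virtual directory carries a KeyType
# (IIsWebVirtualDir / IIsWebDirectory); a bare key with ScriptMaps does not.
SAMPLE_PROPS = {
    "/w3svc/1/root/_vti_bin": {"KeyType": "IIsWebVirtualDir", "Path": "C:\\Inetpub\\wwwroot\\_vti_bin"},
    "/w3svc/1/root/\x08": {"ScriptMaps": [".tom,C:\\winnt\\system32\\inetsrv\\msw3prt.dll,1"]},
    "/w3svc/1/root/_vti_script": {"ScriptMaps": [".tom,C:\\winnt\\system32\\inetsrv\\msw3prt.dll,1"]},
}


def key_names(enum_text):
    """Yield (full_path, last_component) for each [/w3svc/...] line. Only CRLF or LF
    end a line, so a lone CR inside a key name stays part of that name."""
    for line in re.split(r"\r\n|\n", enum_text):
        m = re.fullmatch(r"\[(/w3svc/.*)\]", line, re.DOTALL)
        if m:
            path = m.group(1)
            yield path, path.rsplit("/", 1)[-1]
        elif line.startswith("["):
            # '[' with no closing ']' on the same line: the key name itself
            # most likely contains a line break.
            yield line[1:], None


def audit_enum_output(enum_text):
    """Return (repr(path), reason) for every key whose name is not plain printable ASCII."""
    findings = []
    for path, name in key_names(enum_text):
        if name is None:
            findings.append((repr(path), "unterminated key line; name may contain CR/LF"))
        elif name == "":
            findings.append((repr(path), "empty key name"))
        else:
            bad = [c for c in name if not 0x20 <= ord(c) <= 0x7E]
            if bad:
                findings.append((repr(path), "non-printable bytes in key name: "
                                 + ", ".join(hex(ord(c)) for c in bad)))
    return findings


def audit_key_types(props_by_key):
    """Return key paths that map scripts but have no KeyType, i.e. are not real
    directories and therefore never appear in the Internet Service Manager."""
    return [k for k, p in props_by_key.items() if "ScriptMaps" in p and "KeyType" not in p]
```

`audit_enum_output(SAMPLE_ENUM)` reports the 0x08 key and the key with the embedded carriage return; `audit_key_types(SAMPLE_PROPS)` reports both ScriptMaps-only keys, including the innocent-looking `_vti_script`, while the genuine `_vti_bin` with its KeyType passes. Comparing `repr()` of the key path, rather than the console rendering, is the whole point: the backspace trick only works on eyes.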

Because the system's own InProcessIsapiApps already contains \WINNT\System32\msw3prt.dll, the .printer mapping, which is generally not used, we can delete the D:\winnt\system32\msw3prt.dll entry and replace it with \WINNT\System32\inetsrv\msw3prt.dll.

The drawback is that HTTP requests leave traces in the log, but HTTP also has an advantage: a proxy server can be used as a stepping stone. In addition, the log can be forged by inserting 0x0d 0x0a (see the article "Apache, IIS and many other HTTP servers allow a carriage return to be sent to forge the log"); this is a matter of how the directory name is constructed.

Concrete implementation:

Of course you can add the entries by hand with adsutil.vbs. Note, however, that adsutil.vbs can only set a value, not append to it, so when using adsutil.vbs you must include the original entries as well, otherwise they will be lost. Separate entries are separated by spaces.

Use the following command to get the current InProcessIsapiApps list:

    adsutil.vbs get /w3svc/inprocessisapiapps

Take that list and add your own ISAPI path:

    adsutil.vbs set /w3svc/inprocessisapiapps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" ...

ScriptMaps is set in the same way as InProcessIsapiApps.

Of course this is rather cumbersome, and a key name such as 0x08 cannot be written this way, so I simply wrote a VBS script that does it all in one go. As for the backdoor ISAPI itself, the functionality that can be achieved depends entirely on the imagination. Here is a simple example, copied from the screen:

    # nc 10.11.0.26 80
    POST /%08/anything.tom

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1998 Microsoft Corp.

    C:\winnt\system32>whoami
    NT Authority\system

    C:\winnt\system32>exit
    HTTP/1.1 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 2003 06:49:37 GMT
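The session above is a request for a path whose only "directory" is a percent-encoded backspace, and the earlier paragraph notes that 0x0d 0x0a in the same position can forge log entries. Both leave something in the W3C log that a parser can catch: a control character in cs-uri-stem, or a record whose field count no longer matches the #Fields: header because an injected line break split one real record across two lines. The following is an added example, not part of the article; the sample log is constructed with a reduced field list and a documentation-range client address, and the parser follows whatever #Fields: line a real IIS 5 log declares.

```python
"""Pick out IIS W3C log records bent by the tricks in this article: control
characters (0x08, CR, LF) in the requested path, and records whose field count
disagrees with the #Fields: header, the residue left when a CR/LF injected into
the URL splits one real record across two lines.

Added example, not from the article. SAMPLE_LOG is constructed with a reduced
field list; the parser reads whatever a real #Fields: line declares."""
import re

SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2003-01-01 06:49:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-01-01 06:49:05 192.0.2.10 GET /default.htm - 200",
    "2003-01-01 06:49:37 192.0.2.10 POST /%08/anything.tom - 200",   # the article's request
    "2003-01-01 06:49:45 192.0.2.10 GET /x",                        # record cut short
    "2003-01-01 06:49:45 192.0.2.10 GET /index.htm - 200 - 200",    # record with spill-over
    "2003-01-01 06:49:50 192.0.2.10 GET /a\x08b.htm - 404",          # raw backspace logged
])

# A percent-encoded C0 control or DEL, or the raw byte itself.
CONTROL = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])|[\x00-\x1f\x7f]")


def audit_w3c_log(text):
    """Return (line number, reason) for each suspicious record."""
    fields = None
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        line = line.rstrip("\r")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # a log may re-declare its fields mid-file
            continue
        if fields is None:
            findings.append((lineno, "record before any #Fields: header"))
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            findings.append((lineno, "%d fields, header declares %d (possible injected line break)"
                             % (len(cols), len(fields))))
            continue
        stem = dict(zip(fields, cols)).get("cs-uri-stem", "")
        hit = CONTROL.search(stem)
        if hit:
            findings.append((lineno, "control character %r in cs-uri-stem %r" % (hit.group(0), stem)))
    return findings
```

On the constructed log this flags the `%08` request, the truncated record, the record carrying the spill-over from the line before it, and a raw backspace that reached the log undecoded. The field-count check is the more robust of the two, since it does not depend on whether the server logs the URL encoded or decoded.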

A more subtle approach is to write a special ISAPI and register it to handle ASP. Normally the program passes each received request on to the system's original asp.dll and returns its result; when a special POST request is received, it launches its own backdoor code instead, so nothing conspicuous appears in the log. This is hard to find when auditing.

In addition to the script-mapping methods described above, you can also give a virtual directory AccessWrite and AccessExecute permissions. Use WebDAV to upload the ISAPI when you need to run the backdoor, run it, and delete it when you are done. (Can it be deleted afterwards? Or does W3SVC need to be restarted? I did not experiment.) If you upload an EXE file instead of a DLL, then setting CreateProcessAsUser to 0 on that directory also gives Local System privileges; this method was written up earlier. But changes to AccessWrite and AccessExecute can be seen in the Internet Service Manager, so the concealment is poor.
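Every variant in this article rests on a handful of metabase values: the InProcessIsapiApps list, a ScriptMaps entry whose processor is in that list, CreateProcessAsUser set to 0, or a directory that is both writable and executable. The following is an added example for this article, not tombkeeper's script: it audits a snapshot of those values that an administrator has already pulled with adsutil.vbs (`get /w3svc/InProcessIsapiApps` and `enum /w3svc/1/root/<key>`). The BASELINE of stock DLL names and locations is my assumption about a plain Windows 2000 / IIS 5 install, and the snapshot is constructed to reproduce the article's scenario; verify the baseline against your own golden image before acting on a "not a stock ISAPI" finding.

```python
"""Audit the IIS 5 metabase values the article's backdoor depends on.

Added example for this article, not tombkeeper's script. Input is a snapshot pulled
with adsutil.vbs (get /w3svc/InProcessIsapiApps, enum /w3svc/1/root/<key>). BASELINE
is an assumption about a stock Windows 2000 / IIS 5 install; check it locally."""
import ntpath

# Stock ISAPI DLLs and the directory under the Windows directory each one lives in.
BASELINE = {
    "asp.dll": "system32\\inetsrv", "httpext.dll": "system32\\inetsrv",
    "httpodbc.dll": "system32\\inetsrv", "ssinc.dll": "system32\\inetsrv",
    "ism.dll": "system32\\inetsrv", "webhits.dll": "system32",
    "idq.dll": "system32", "msw3prt.dll": "system32",
}
# The six a stock install lists in InProcessIsapiApps (assumed baseline).
STOCK_INPROC = {"asp.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "idq.dll", "msw3prt.dll"}


def _norm(path):
    """(directory tail after the Windows directory, lower-case file name), so that
    C:\\WINNT\\System32\\idq.dll and D:\\winnt\\system32\\idq.dll compare equal."""
    d, f = ntpath.split(path.strip().strip('"').lower().replace("/", "\\"))
    parts = [p for p in d.split("\\") if p]
    for i, p in enumerate(parts):
        if p in ("winnt", "windows", "%systemroot%"):
            return "\\".join(parts[i + 1:]), f
    return "\\".join(parts), f


def check_processor(path):
    """Why a DLL/EXE path deserves a look, or None for a stock DLL in its stock place."""
    d, f = _norm(path)
    if d == "":
        return "bare file name: a DLL of that name under any path would be accepted"
    if f not in BASELINE:
        return "not a stock ISAPI"
    if d != BASELINE[f]:
        return "stock name in unexpected directory (expected %s)" % BASELINE[f]
    return None


def audit_inprocess(entries):
    """Findings for /LM/W3SVC/InProcessIsapiApps; every entry here runs as Local System."""
    findings = [(e, r) for e in entries for r in [check_processor(e)] if r]
    present = {_norm(e)[1] for e in entries}
    findings += [(f, "stock in-process entry absent (informational)") for f in sorted(STOCK_INPROC - present)]
    return findings


def audit_scriptmaps(key, maps, inproc_entries):
    """Findings for one key's ScriptMaps; entries read 'ext,processor,flags[,verbs]'."""
    inproc = {_norm(e)[1] for e in inproc_entries}
    findings = []
    for m in maps:
        fields = m.split(",")
        if len(fields) < 2:
            findings.append((key, m, "malformed ScriptMaps entry"))
            continue
        reason = check_processor(fields[1])
        if reason:
            if _norm(fields[1])[1] in inproc:
                reason += "; processor is also in InProcessIsapiApps, so it runs as Local System"
            findings.append((key, fields[0], reason))
    return findings


def audit_dir_props(key, props):
    """Findings for the per-directory switches the article mentions."""
    findings = []
    if str(props.get("CreateProcessAsUser", "")) == "0":
        findings.append((key, "CreateProcessAsUser=0: EXEs here inherit Inetinfo.exe's Local System"))
    if props.get("AccessWrite") and props.get("AccessExecute"):
        findings.append((key, "AccessWrite and AccessExecute both set: WebDAV PUT followed by execution"))
    return findings


def audit_snapshot(snapshot):
    inproc = snapshot["InProcessIsapiApps"]
    findings = audit_inprocess(inproc)
    for key, props in snapshot["keys"].items():
        findings += audit_scriptmaps(key, props.get("ScriptMaps", []), inproc)
        findings += audit_dir_props(key, props)
    return findings


# Constructed snapshot of the article's scenario: msw3prt.dll swapped for a copy under
# inetsrv, a bare-name entry, a hidden 0x08 key mapping .tom, and a writable+executable dir.
SAMPLE_SNAPSHOT = {
    "InProcessIsapiApps": [
        "C:\\WINNT\\System32\\idq.dll", "C:\\WINNT\\System32\\inetsrv\\httpext.dll",
        "C:\\WINNT\\System32\\inetsrv\\httpodbc.dll", "C:\\WINNT\\System32\\inetsrv\\ssinc.dll",
        "C:\\WINNT\\System32\\inetsrv\\msw3prt.dll", "C:\\WINNT\\System32\\inetsrv\\asp.dll",
        "extra.dll",
    ],
    "keys": {
        "/w3svc/1/root/\x08": {"ScriptMaps": [".tom,C:\\WINNT\\System32\\inetsrv\\msw3prt.dll,1"]},
        "/w3svc/1/root/upload": {"KeyType": "IIsWebVirtualDir", "AccessWrite": True,
                                 "AccessExecute": True, "CreateProcessAsUser": 0},
        "/w3svc/1/root/_vti_bin": {"KeyType": "IIsWebVirtualDir",
                                   "ScriptMaps": [".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,1,GET,HEAD,POST,TRACE"]},
    },
}
```

`audit_snapshot(SAMPLE_SNAPSHOT)` yields five findings: the relocated msw3prt.dll and the bare `extra.dll` in InProcessIsapiApps, the `.tom` mapping on the hidden key (with the note that its processor is in-process), and the two switches on the upload directory. Comparing by normalized directory tail rather than full path is what catches the article's trick of keeping a stock DLL name while moving it to inetsrv, and the bare-name check covers the point that a path-less entry matches that file name anywhere.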
