IIS configuration file backdoor method

Source: Internet
Author: User
Tags: microsoft, iis, metabase

Author: tombkeeper [PGN]. Source: www.loveling.net/hacker (Hacker Base)

This article describes how some features of IIS can be used to plant a backdoor. It is intended mainly as a "know your enemy" reference for network administrators and security staff, to help with finding and removing such backdoors; it does not encourage or condone using these techniques for illegal activity.

First, a brief introduction to the IIS configuration file, metabase.bin. It lives at %SystemRoot%\system32\inetsrv\metabase.bin, holds almost all of the IIS configuration, and is a very important system file. Put simply, every setting made in the "Internet Services Manager" ends up stored in metabase.bin. For day-to-day administration, besides editing metabase.bin through the "Internet Services Manager", Windows also ships a script, adsutil.vbs, for working with metabase.bin from the command line.

The metabase is organised like the registry: a tree with keys, values and entries. (In IIS 3 and PWS the metabase content was in fact stored in the registry.) The metabase has two top-level keys, LM and Schema. Schema holds the system's default configuration, which normally never needs changing and is dangerous to change, so neither the "Internet Services Manager" nor adsutil.vbs provides a way to modify it. LM holds the configuration of the IIS HTTP, FTP and SMTP services; the part we will use is LM/W3SVC/, the configuration of the HTTP service.

Several values referred to below:

LM/W3SVC/InProcessIsapiApps: ISAPI extensions started in-process. This is an array of ISAPI paths. An ISAPI in this list is loaded and run directly by inetinfo.exe, so it inherits inetinfo.exe's LocalSystem privileges. Moreover, if an entry gives only a file name rather than a full path, an ISAPI of that name in any path runs with system privileges when it is called.

ScriptMaps: script mappings. Once this value is set on a directory, requests for files with the specified extensions under that directory are handed to the specified ISAPI for processing. Note that the directory a ScriptMaps value is set on does not have to exist: as long as a sub-key is created under the root key of an HTTP instance in the metabase, IIS treats HTTP requests for a directory with the same name as the key as valid and has the mapped ISAPI process them. This is also a weakness of IIS.

CreateProcessAsUser: if this value is set to 0 on a directory, application programs (CGI executables) under that directory inherit inetinfo.exe's LocalSystem privileges.

AccessWrite: determines whether a directory may be written to, that is, whether the WebDAV PUT method is allowed.

AccessExecute: determines whether applications may be executed in a directory.

The backdoor idea:

Create a script mapping for a particular extension, point it at our ISAPI, and add that ISAPI to the InProcessIsapiApps list. When we request a file with that extension from the server, the ISAPI runs with LocalSystem privileges on the server, and the requested file does not need to exist at all.

TIPS:

1. Since ScriptMaps can be set without creating a real directory, you can create just a key and add ScriptMaps to it. Set up this way, the script mapping is not visible in the "Internet Services Manager".

2. Even though the "Internet Services Manager" does not show it, an experienced administrator may be in the habit of occasionally running adsutil.vbs enum /p to look around:

    # adsutil.vbs enum /p /w3svc/1/root
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    [/w3svc/1/root/_vti_bin]
    [/w3svc/1/root/evildir]

That exposes it. But because the key we created is not a real virtual directory, just a string in the configuration file, the key name can contain characters such as 0x08. 0x08 is the backspace character; the console renders it by erasing the character to its left, so what actually appears is:

    # adsutil.vbs enum /p /w3svc/1/root
    Microsoft (R) Windows Script Host Version 5.6
    Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

    [/w3svc/1/root/_vti_bin]
    [/w3svc/1/root]

Faced with output like this, most people will not give it a second look.

You can also pick a name such as _vti_script or _vti_bin. As long as the key has no KeyType, it stays invisible in the "Internet Services Manager".

3. By default InProcessIsapiApps contains \winnt\system32\msw3prt.dll, the ISAPI behind the .printer mapping, which is generally never used. We can delete the entry D:\winnt\system32\msw3prt.dll and replace it with \winnt\system32\inetsrv\msw3prt.dll, so that the entry for our ISAPI looks just like the original one.

The weakness of this method is that HTTP requests leave traces in the log. On the other hand, HTTP has the advantage that a proxy server can be used as a stepping stone, and 0x0d 0x0a can be inserted into the request to forge log entries (for details see "Apache, IIS and other HTTP servers allow log forgery through carriage returns"). That covers the tricks for constructing the directory.

Specific implementation:

You can of course add the entries by hand with adsutil.vbs. Note, however, that adsutil.vbs can only set a value, not append to it, so when setting a list with adsutil.vbs you must include the existing entries as well, or they are lost. Separate entries with spaces.

Get the current InProcessIsapiApps list with:

    adsutil.vbs get /w3svc/InProcessIsapiApps

Then set it again with your ISAPI path added:

    adsutil.vbs set /w3svc/InProcessIsapiApps "C:\winnt\system32\idq.dll" "C:\winnt\system32\inetsrv\httpext.dll" ...

ScriptMaps is set the same way as InProcessIsapiApps.

Of course this is tedious, and a key name such as 0x08 cannot be typed at the command line, so I simply wrote a VBS script that does it all in one go. As for what the backdoor ISAPI can do, that depends entirely on imagination. Here is a simple example, a screen capture of a session:

    # nc 10.11.0.26 80
    POST /%08/anything.tom

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1998 Microsoft Corp.

    C:\winnt\system32>whoami
    NT AUTHORITY\SYSTEM

    C:\winnt\system32>exit
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 08 Jan 2003 06:49:37 GMT

A stealthier approach is to write a special ISAPI and register it as the ASP handler. Normally it passes the requests it receives through to the system's original asp.dll and returns the result; only when it receives a specially crafted POST request does it start its own backdoor code. That way nothing unusual shows in the log, and it is hard to spot during an audit.

Besides the script mapping method above, you can also grant AccessWrite and AccessExecute on a virtual directory. To run the backdoor you then upload the ISAPI over WebDAV, run it, and delete it afterwards. (Can it be deleted? Or does W3SVC have to be restarted first? I did not test this.) If the uploaded file is an EXE rather than a DLL, set CreateProcessAsUser on the directory to 0 to obtain LocalSystem privileges. This method has already been described elsewhere. However, changes to AccessWrite and AccessExecute are visible in the "Internet Services Manager", so it is poorly concealed.
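The article's own defensive advice is to look at adsutil.vbs output, so the following Python script, an added example that is not part of tombkeeper's original text, implements the checks an administrator would want against the tricks above in one pass: key names containing control characters such as 0x08 (tip 2), keys below a site root that carry settings but no KeyType (the _vti_script trick), ScriptMaps and InProcessIsapiApps entries that point outside a known-good ISAPI list or give only a bare file name (tip 3 and the look-alike msw3prt.dll path), and directories where AccessWrite and AccessExecute are both set or CreateProcessAsUser is 0 (the WebDAV method). It works offline on a text dump of adsutil.vbs enum output. The sample dump embedded below is constructed to resemble that output; the exact column layout of your adsutil.vbs version may differ, so adjust the regular expressions. The known-good path list is an assumption for a stock Windows 2000 install and must be tuned to the server being checked.

```python
"""Audit a text dump of adsutil.vbs enum output for the metabase backdoor tricks
discussed above.  Added example, not from the original article.  Usage:
python audit_metabase.py dump.txt  (no argument: runs on the built-in sample)."""
import re
import sys
from typing import Any, Dict, List, Tuple

# Assumption: known-good ISAPI paths on a stock Windows 2000 / IIS 5 install;
# tune to the server being audited.  Anything not listed here is reported.
KNOWN_ISAPI = {
    r"c:\winnt\system32\inetsrv\asp.dll",
    r"c:\winnt\system32\inetsrv\httpext.dll",
    r"c:\winnt\system32\idq.dll",
    r"c:\winnt\system32\msw3prt.dll",
}
SECTION_RE = re.compile(r"^\[(.*)\]$")                  # [/w3svc/1/root/...]
PROP_RE = re.compile(r"^(\w+)\s*:\s*\((\w+)\)\s*(.*)$")  # Name : (TYPE) value
ITEM_RE = re.compile(r'^\s+"(.*)"$')                     # one item of a (LIST)

# Constructed sample in the style of adsutil.vbs enum output (your version's
# layout may differ); <BS> stands for the 0x08 byte the article uses as a name.
SAMPLE_DUMP = r"""
[/w3svc]
InProcessIsapiApps : (LIST) (3 Items)
  "C:\WINNT\System32\inetsrv\asp.dll"
  "C:\WINNT\System32\idq.dll"
  "msw3prt.dll"

[/w3svc/1/root]
KeyType : (STRING) "IIsWebVirtualDir"
ScriptMaps : (LIST) (1 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"

[/w3svc/1/root/<BS>]
ScriptMaps : (LIST) (1 Items)
  ".tom,C:\WINNT\System32\inetsrv\msw3prt.dll,1,GET,HEAD,POST,TRACE"

[/w3svc/1/root/upload]
KeyType : (STRING) "IIsWebVirtualDir"
AccessWrite : (BOOLEAN) True
AccessExecute : (BOOLEAN) True
CreateProcessAsUser : (BOOLEAN) False
""".replace("<BS>", "\x08")


def parse_dump(text: str) -> Dict[str, Dict[str, Any]]:
    """Map each [key path] section to its {property: string-or-list}."""
    keys: Dict[str, Dict[str, Any]] = {}
    current, open_list = None, None   # section being read, (LIST) being filled
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current, open_list = m.group(1), None
            keys[current] = {}
        elif current is None or not line.strip():
            continue
        elif open_list and ITEM_RE.match(line):
            keys[current][open_list].append(ITEM_RE.match(line).group(1))
        elif PROP_RE.match(line.strip()):
            name, typ, value = PROP_RE.match(line.strip()).groups()
            if typ == "LIST":
                keys[current][name], open_list = [], name
            else:
                keys[current][name], open_list = value.strip('"'), None
    return keys


def is_hidden_name(path: str) -> bool:
    """Key names carrying console control characters (0x08 = backspace, ...)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in path)


def unknown_isapi(dll: str) -> bool:
    """A bare file name matches an ISAPI at any path, so it counts as unknown."""
    p = dll.strip().strip('"').lower()
    return "\\" not in p or p not in KNOWN_ISAPI


def audit(keys: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (key path, finding) pairs for every suspicious setting."""
    out: List[Tuple[str, str]] = []
    for path, p in keys.items():
        if is_hidden_name(path):
            out.append((path, "key name contains control characters"))
        if p and "KeyType" not in p and "/root/" in path.lower():
            out.append((path, "key has no KeyType (invisible in ISM)"))
        for dll in p.get("InProcessIsapiApps", []):
            if unknown_isapi(dll):
                out.append((path, f"unknown in-process ISAPI: {dll}"))
        for entry in p.get("ScriptMaps", []):      # ext,dll,flags,verbs...
            f = entry.split(",")
            if len(f) < 2 or unknown_isapi(f[1]):
                out.append((path, f"unknown script map: {entry}"))
        if p.get("AccessWrite") == "True" and p.get("AccessExecute") == "True":
            out.append((path, "AccessWrite and AccessExecute both set"))
        if p.get("CreateProcessAsUser") == "False":
            out.append((path, "CreateProcessAsUser is 0 (CGI runs as LocalSystem)"))
    return out


def main(argv: List[str]) -> None:
    text = open(argv[1], encoding="latin-1").read() if len(argv) > 1 else SAMPLE_DUMP
    for path, finding in audit(parse_dump(text)):
        print(f"{path!r}: {finding}")   # repr() shows the 0x08 byte as \x08


if __name__ == "__main__":
    main(sys.argv)
```

Run against the built-in sample it reports six findings: the bare msw3prt.dll in-process entry, three for the 0x08 key (control character in the name, no KeyType, and a .tom mapping to a DLL outside the known list), and two for the writable and executable upload directory with CreateProcessAsUser cleared. Printing paths with repr() is deliberate: it is exactly the console rendering of 0x08 that hides the key from a human reading adsutil.vbs output.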
