The Register®

Original URL: http://www.theregister.co.uk/2001/05/04/exploits_for_several_million_microsoft/

Exploits for several million Microsoft servers posted

This oughta be a blast....

By Thomas C Greene in Washington DC

Posted in Software, 4th May 2001 07:01 GMT


Several exploits have been developed for a buffer overflow vulnerability in servers running IIS 5.0 on Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server, which we reported (http://www.theregister.co.uk/content/4/18664.html) on Tuesday.

The vulnerability exists in the .printer ISAPI (Internet Server Application Programming Interface) filter (C:\WINNT\System32\msw3prt.dll), which enables Web-based control of networked printers, due to an unchecked buffer in msw3prt.dll.

A malicious HTTP .printer request containing approximately 420 bytes in the 'Host:' field enables execution of arbitrary code, and if handled right will yield system-level access on the target machine.
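A defender-side check for the pattern just described, written as an added example (it is not code from the article or from any of the tools named below): it parses raw HTTP requests and flags those that target a .printer resource while carrying an oversized Host header. The 256-byte threshold and the sample requests are assumptions constructed for the example.

```python
# Assumption (not from the article): Host headers longer than this are
# flagged.  The article puts the trigger at roughly 420 bytes, so 256 catches
# it with margin while normal hostnames stay well below the limit.
HOST_LIMIT = 256


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, {lowercased-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # skip blank or colon-less lines instead of crashing on them
            headers[name.strip().lower()] = value.strip()
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    return method, target, headers


def is_suspicious_printer_request(raw: bytes, host_limit: int = HOST_LIMIT) -> bool:
    """True when the request hits the .printer ISAPI extension with a Host header
    longer than host_limit; malformed requests are not flagged by this check."""
    try:
        _method, target, headers = parse_request(raw)
    except ValueError:
        return False
    path = target.split("?", 1)[0].lower()   # ignore query string, match case-insensitively
    if not path.endswith(".printer"):
        return False
    return len(headers.get(b"host", b"")) > host_limit


def triage(requests):
    """Return the indexes of flagged requests in a batch (e.g. from a capture)."""
    return [i for i, r in enumerate(requests) if is_suspicious_printer_request(r)]


# Constructed sample traffic: an ordinary page fetch, a legitimate .printer
# request with a short Host header, and one with a 420-byte Host header.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    b"GET /queue.printer HTTP/1.0\r\nHost: printserver.example.test\r\n\r\n",
    b"GET /queue.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
]

if __name__ == "__main__":
    print("flagged request indexes:", triage(SAMPLE_REQUESTS))
```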

Microsoft has posted a patch (http://www.microsoft.com/technet/security/bulletin/MS01-023.asp), which it 'strongly urges' admins to install; but the number of machines running IIS on Win2k is so immense (several million at least) that cracking unpatched victims will be like shooting fish in a barrel.

With that in mind, computer enthusiast dark spyrit has put together jill.c (ftp://ftp.technotronic.com/newfiles/jill.c), "an exploit code that will give you a remote command shell, reverse telnet style, on a vulnerable host. This exploit code takes advantage of a vulnerability in IIS that allows remote attacker to overflow one of IIS's internal buffers causing it to execute arbitrary code."

From Wanderley Abreu we have a memory-leak exploit called webexplt.pl (http://www.securityfocus.com/data/vulnerabilities/exploits/webexplt.pl); and from Ryan Permeh of eEye Digital Security (http://www.eeye.com), which discovered the vulnerability, we have a non-malicious exploit called iishack2000.c (http://www.securityfocus.com/data/vulnerabilities/exploits/iishack2000.c), which creates a file in the root of drive C imploring unpatched innocents to fix their systems. ®

Related Story

Microsoft IIS hole gives System-level access (http://www.theregister.co.uk/content/4/18664.html)