Webdav Exploits Exposed
- URL: http://www.secureworks.com/research/threats/webdav
- Date: May 13, 2003
- Author: Joe Stewart
Update: Aug 5, 2003
If you came to this page because you found webdav.exe in your startup folder, you have been hacked by someone using the recent Microsoft RPC/DCOM vulnerability. The webdav.exe in your startup folder is NOT related to the Webdav exploit described in the page below; it is an IRC DDoS bot which gives the hacker full control over your system. If your antivirus vendor does not detect it, you should send a sample to them so they can write signatures for it. Once detected, your antivirus software should be able to remove it from your system.
In order to prevent further penetrations of your system, you must install the patch provided by Microsoft at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp. You can do this by running Windows Update and applying all critical updates for your system.
CERT Advisory CA-2003-09 describes a buffer overflow in the core Microsoft Windows DLL ntdll.dll. The vulnerability was found to be exploitable through the WebDav publishing service of IIS 5.0. Since the release of the advisory, several exploits have surfaced, with varying degrees of effectiveness. Although the exploit requires too much brute-forcing to make an efficient worm, a dedicated attacker will still be able to penetrate a vulnerable IIS server given enough time. This paper is intended to catalog the various exploits available and provide Snort signatures to detect each one. If you know of any original WebDav exploits not listed here, send details to Joe Stewart.
Source Code

rs_iis.c by Román Medina-Heigl Hernández

| Filename | Size | Description |
|---|---|---|
| rs_iis.c | 20,022 bytes | Binds a command shell to the requested port |

wd.c by kralor

| Filename | Size | Description |
|---|---|---|
| wd.c | 8,640 bytes | Spawns a reverse command shell. Basis for several other exploit kits. |

Webdavx.pl by isno@xfocus.org

| Filename | Size | Description |
|---|---|---|
| webdavx.pl | 5,439 bytes | Works on Chinese Win2K SP2 & SP3 only |

wd.pl by mat@monkey.org

| Filename | Size | Description |
|---|---|---|
| wd.pl | 21,739 bytes | Works on Windows 2000 Advanced Server SP3 Korean Language Edition only |
Binaries/Kits
Davkit

| Filename | Size | Md5sum | Description |
|---|---|---|---|
| cat.bat | 16 bytes | bad87ba07ab9b25bee25f7ce96df16f3 | Batch file to start netcat listener |
| davit.bat | 269 bytes | 6f3736fc7071fe67dcbf26ac859484f4 | Batch file used to start cat.bat and webdav.exe |
| davkit.txt | 236 bytes | 33caf719acb535ee3f4df9a72eb4ba0a | README file for davkit |
| nc.exe | 59,392 bytes | e0fb946c00b140693e3cf5de258c22a1 | Netcat is a generic TCP client/server |
| webdav.exe | 121,344 bytes | 9a43911eb70119d9df57c6762f52a863 | Compiled webdav.c by kralor |

Summary: Davkit was compiled on April 3, 2003. It is a command-line-only beta version of Webdavin'. It uses unintelligent brute-forcing of the stack offset and will fail to exploit vulnerable hosts much of the time, crashing the IIS server process instead.
Webdavin 1.0.1

| Filename | Size | Md5sum | Description |
|---|---|---|---|
| cat.bat | 16 bytes | bad87ba07ab9b25bee25f7ce96df16f3 | Batch file to start netcat listener |
| davit.bat | 269 bytes | 6f3736fc7071fe67dcbf26ac859484f4 | Batch file used to start cat.bat and webdav.exe |
| davkit.txt | 1,682 bytes | 82433fbc53d50afefceaede351d9c158 | README file for davkit |
| nc.exe | 59,392 bytes | e0fb946c00b140693e3cf5de258c22a1 | Netcat is a generic TCP client/server |
| tftpd32.exe | 57,344 bytes | 8c70420b29b367cc78b6b0358a6dbcb0 | Tftp server used to transfer files to/from victim host |
| webdav-gui.exe | 19,968 bytes | ab754ce42d0f73af384ea24f5595e787 | GUI version of webdav.c by kralor |
| webdav.exe | 121,344 bytes | 9a43911eb70119d9df57c6762f52a863 | Compiled webdav.c by kralor |

Summary: Webdavin 1.0.1 was compiled on April 4, 2003. It uses intelligent brute-forcing of the stack offset, working from a list of offsets with a statistically higher probability of success. It will probably be able to exploit vulnerable hosts most of the time.
Webdavin 1.1

| Filename | Size | Md5sum | Description |
|---|---|---|---|
| cat.bat | 88 bytes | 47839d1764e17c74fb40ba3cf2f9b762 | Batch file to start netcat listener |
| davit.bat | 339 bytes | 82b77e23464d92396176a17dd0b50e3f | Batch file used to start cat.bat and webdav.exe |
| davkit-x.txt | 1,950 bytes | aa9da5c2824c934c1774a78664f233fe | README file for davkit |
| nc.exe | 59,392 bytes | e0fb946c00b140693e3cf5de258c22a1 | Netcat is a generic TCP client/server |
| tftpd32.exe | 57,344 bytes | 8c70420b29b367cc78b6b0358a6dbcb0 | Tftp server used to transfer files to/from victim host |
| webdav-gui.exe | 19,968 bytes | ab754ce42d0f73af384ea24f5595e787 | GUI version of webdav.c by kralor |
| webdav.exe | 121,344 bytes | 9a43911eb70119d9df57c6762f52a863 | Compiled webdav.c by kralor |
| xwbf-woodv3.EXE | 53,248 bytes | c6ee2ab412fe5cc9b4ffa3b54dd66dd1 | GUI version of webdav.c by kralor, with references to kralor stripped and replaced with morning_wood and the default target "localhost" changed to "remotehost". Otherwise, it is exactly the same code as xwbf-v0.3.exe available on kralor's site, www.coromputer.net. |

Summary: Webdavin 1.1 was compiled on April 22, 2003. It uses intelligent brute-forcing of the stack offset, working from a list of offsets with a statistically higher probability of success. The GUI has been updated to allow it to attack IIS servers running on ports other than the standard port 80. It will probably be able to exploit vulnerable hosts most of the time.
KaHT

| Filename | Size | Md5sum | Description |
|---|---|---|---|
| KaHT.exe | 11,296 bytes | 2a3200455e87f6422c01287e702203da | Mass exploiter with shell listener |

Summary: Anti-virus companies have reported a trojan kit called KaHT. It is also known as “rolark” (“kralor” spelled backwards) because it uses the same shellcode as the kralor exploit. Unlike the other kralor-based exploit kits, this kit is capable of mass automated exploitation of vulnerable hosts once it is set in motion. Its features include a built-in listener to receive incoming shells and run commands from a predefined list, the ability to read a list of IPs to exploit, and intelligent brute-forcing of the offset using a set of known "hot" return offsets.
Snort Signatures
```
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (rs_iis)"; flow: to_server; content:"|0190 9090 685e 56c3 9054 59ff d158 33c9|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000010; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor probe)"; flow: to_server; content:"|5345 4152 4348 202f 2048 5454 502f 312e 310d 0a48 6f73 743a|"; depth:24; dsize:<89; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor shellcode)"; flow: to_server; content:"|558b ec33 c953 5657 8d7d a2b1 25b8 cccc|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000012; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (webdavx.pl)"; flow: to_server; content:"|4c4f 434b 202f 4141 4141 4141 4141 4141|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000013; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (wd.pl)"; flow: to_server; content:"|4c4f 434b 202f 5858 5858 5858 5858 5858|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000014; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (KaHT probe)"; flow: to_server; content:"|5573 6572 2d41 6765 6e74 3a20 4b61 4854 0d0a|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000015; rev:1;)
```
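The rules above rely on three Snort options: `content` (a byte pattern, written here as `|hex|`), `depth` (search only the first N bytes of the payload) and `dsize` (a constraint on the payload size). To see how those options interact, the following added example, which is not code from the article or from SecureWorks, parses the six rule strings exactly as published and applies them to a handful of constructed HTTP requests. The parser, the matcher and every sample request (including the hostname `example.test` and the WebDAV client User-Agent used in the "legitimate" request) are assumptions made for illustration, not captured traffic.

```python
"""Apply the page's Snort content/depth/dsize checks to sample HTTP requests.

Added example: the rule text is the article's; the parser, matcher and the
sample payloads below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The six rules exactly as published on the page.
SNORT_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (rs_iis)"; flow: to_server; content:"|0190 9090 685e 56c3 9054 59ff d158 33c9|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000010; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor probe)"; flow: to_server; content:"|5345 4152 4348 202f 2048 5454 502f 312e 310d 0a48 6f73 743a|"; depth:24; dsize:<89; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000011; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (kralor shellcode)"; flow: to_server; content:"|558b ec33 c953 5657 8d7d a2b1 25b8 cccc|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000012; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (webdavx.pl)"; flow: to_server; content:"|4c4f 434b 202f 4141 4141 4141 4141 4141|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000013; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (wd.pl)"; flow: to_server; content:"|4c4f 434b 202f 5858 5858 5858 5858 5858|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000014; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav ntdll.dll (KaHT probe)"; flow: to_server; content:"|5573 6572 2d41 6765 6e74 3a20 4b61 4854 0d0a|"; reference:cve,CAN-2003-0109; reference:url,www.secureworks.com/research/threats/webdav; classtype:attempted-admin; sid:1000015; rev:1;)',
]


@dataclass
class Content:
    pattern: bytes
    depth: Optional[int] = None  # "depth:N" limits the search to the first N payload bytes


@dataclass
class Rule:
    sid: int = 0
    msg: str = ""
    contents: List[Content] = field(default_factory=list)
    dsize: Optional[str] = None  # raw dsize spec such as "<89"


# key:value; pairs inside the rule body; msg and content values are quoted
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def decode_content(value: str) -> bytes:
    """Snort content strings alternate literal text with |hex| segments."""
    out = bytearray()
    for i, seg in enumerate(value.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Extract only the options this matcher evaluates (msg, sid, content, depth, dsize)."""
    body = text[text.index("(") + 1 : text.rindex(")")]
    rule = Rule()
    for key, raw in OPTION_RE.findall(body):
        val = raw.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append(Content(decode_content(val)))
        elif key == "depth":  # modifier attached to the most recent content
            rule.contents[-1].depth = int(val)
        elif key == "dsize":
            rule.dsize = val
    return rule


RULES = [parse_rule(r) for r in SNORT_RULES]


def dsize_ok(spec: Optional[str], size: int) -> bool:
    """Evaluate a dsize spec (<N, >N or exactly N) against the payload size."""
    if spec is None:
        return True
    if spec.startswith("<"):
        return size < int(spec[1:])
    if spec.startswith(">"):
        return size > int(spec[1:])
    return size == int(spec)


def rule_matches(rule: Rule, payload: bytes) -> bool:
    if not dsize_ok(rule.dsize, len(payload)):
        return False
    for c in rule.contents:
        window = payload if c.depth is None else payload[: c.depth]
        if c.pattern not in window:
            return False
    return True


def scan(payload: bytes) -> List[int]:
    """Return the sids of every rule that fires on one client-to-server payload."""
    return [r.sid for r in RULES if rule_matches(r, payload)]


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Minimal SEARCH request, 41 bytes: the 24-byte prefix matches and dsize:<89 holds.
    "kralor_probe": b"SEARCH / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Same prefix, but a normal-sized client request (over 89 bytes), so dsize fails.
    "legit_search": (b"SEARCH / HTTP/1.1\r\nHost: example.test\r\n"
                     b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
                     b"Content-Type: text/xml\r\nContent-Length: 120\r\n\r\n"),
    # LOCK request whose path starts with a run of A's, as sid 1000013 looks for.
    "webdavx": b"LOCK /" + b"A" * 40 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # Ordinary request carrying the KaHT User-Agent header (sid 1000015).
    "kaht": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: KaHT\r\n\r\n",
    "benign_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:13s} {len(payload):4d} bytes -> {scan(payload)}")
```

Two points worth noticing when running it: the kralor probe rule fires only on the stripped-down SEARCH request, because a real WebDAV client sends enough headers to push the payload past the `dsize:<89` limit, and `depth:24` pins the pattern to the very start of the request rather than anywhere in it. Both options are evaluated against a single packet's payload in Snort, so how the probe is segmented on the wire (and whether stream reassembly is enabled) affects whether the rule sees the same bytes this script does.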

