[X-Unix] Stopping the Webdav Exploit in Apache
Eugene Lee
list-themacintoshguy at fsck.net
Sat Mar 27 19:32:40 PST 2004
On Sat, Mar 27, 2004 at 06:42:04PM -0800, Scott Haneda wrote:
:
: Me.me.com 24.90.81.237 - - [27/Mar/2004:08:02:27 -0800] "SEARCH
: /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
: 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
: 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
: 1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
: 2\xb1\x02\xb1\ ... 32,820 total chars
:
: For the life of me, I cannot mimic this URI request; every attempt I make
: to try to create a test case so I can see how to pattern match this with
: SetEnvIfNoCase Request_URI yields a \\x02\\etc\\etc in my logs.

Try this:

    $ curl -X SEARCH http://localhost/$'\x90\x02\xb1\x02\xb1'

: Any idea what's going on here and how I can pattern match this?
This is most likely the WebDAV buffer exploit for Windoze IIS.
http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf
--
Eugene Lee
http://www.coxar.pwp.blueyonder.co.uk/
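
An added example, not part of the original message: a log check that separates raw bytes in a SEARCH URI (logged as \x90) from backslashes typed literally in a test request (logged as \\x90), which is the difference the $'...' quoting above makes. It assumes Apache's access-log escaping (\xhh for non-printable bytes, a backslash before \ and "); the function names, the MAX_URI threshold and the sample log lines are constructed for illustration.

```python
import re

# First double-quoted field of an access-log line; \" and \\ inside it are escapes.
REQ_RE = re.compile(r'"(?P<req>(?:\\.|[^"\\])*)"')
ESC_RE = re.compile(rb'\\(x[0-9a-fA-F]{2}|.)')
SIMPLE = {b'n': b'\n', b't': b'\t', b'r': b'\r', b'b': b'\b', b'v': b'\v'}
MAX_URI = 8190  # assumption: flag anything longer than Apache's default LimitRequestLine

def unescape(field: str) -> bytes:
    """Undo access-log escaping and return the bytes the client actually sent."""
    def rep(m):
        g = m.group(1)
        if len(g) == 3:                  # 'x' + two hex digits -> one raw byte
            return bytes([int(g[1:], 16)])
        return SIMPLE.get(g, g)          # escaped backslash or quote -> itself
    return ESC_RE.sub(rep, field.encode('latin-1'))

def classify(line: str):
    """Return method, decoded URI and a flag for SEARCH requests carrying raw bytes."""
    m = REQ_RE.search(line)
    if not m:
        return None
    method, _, rest = m.group('req').partition(' ')
    raw = unescape(rest.rsplit(' HTTP/', 1)[0])   # protocol may be absent if truncated
    nonprintable = sum(1 for b in raw if b < 0x20 or b > 0x7e)
    flag = method == 'SEARCH' and (nonprintable > 0 or len(raw) > MAX_URI)
    return {'method': method, 'raw': raw, 'nonprintable': nonprintable, 'flag': flag}

# Constructed sample lines (addresses from the documentation range, statuses made up).
SAMPLES = [
    # raw bytes on the wire, as sent by the curl $'...' form
    r'192.0.2.10 - - [27/Mar/2004:08:02:27 -0800] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 0',
    # backslashes typed literally: the log doubles them
    r'192.0.2.11 - - [27/Mar/2004:08:05:00 -0800] "SEARCH /\\x90\\x02\\xb1 HTTP/1.1" 404 0',
    # ordinary request
    r'192.0.2.12 - - [27/Mar/2004:08:06:00 -0800] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for line in SAMPLES:
        r = classify(line)
        print(r['method'], r['raw'], r['nonprintable'], 'FLAG' if r['flag'] else 'ok')
```
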