IIS configuration file backdoor

xiaoxiao2021-03-06  40

Author: tombkeeper. Source: www.loveling.net (Hackers Base)

This article describes how to establish a backdoor using features of IIS itself. It is primarily a "Know your Enemy" document for network administrators and network security staff: the author hopes it helps them check for and clear such backdoors, and does not encourage or condone the use of these tricks for illegal activity.

First, a brief introduction to the IIS configuration file, Metabase.bin. It is located at %systemroot%\system32\inetsrv\metabase.bin, contains almost all IIS configuration information, and is a very important system file. Simply put, every setting made in Internet Services Manager is eventually saved in Metabase.bin. Besides Internet Services Manager, which is used for everyday management, Windows also provides a script, AdsUtil.vbs, for operating on Metabase.bin.

The structure of the metabase resembles the registry: it is also a tree, with the same concepts of keys and values. In fact, in IIS 3 and PWS the metabase content was stored in the registry. The metabase has two top-level keys: LM and Schema. Schema holds the system's default configuration; it normally does not need to be modified, and a mistake there is very dangerous, so neither Internet Services Manager nor Adsutil.vbs provides a mechanism for modifying Schema. LM contains the configuration of the IIS HTTP service, FTP service, SMTP service and the like. What we will use is the HTTP service configuration under LM/W3SVC/.

Several relevant values:

LM/W3SVC/InProcessIsapiApps: ISAPI extensions launched in-process. This is an array of paths pointing to ISAPI DLLs. An ISAPI in this array is run directly by inetinfo.exe and inherits inetinfo.exe's Local System rights; an ISAPI not in it is started by a dllhost.exe process spawned via svchost.exe and runs under the IWAM_ account. That is the case at the IIS default security level "Medium"; if the level is set to "Low", all ISAPI extensions are run directly by inetinfo.exe. In addition, if an entry specifies no path but only a file name, then a same-named ISAPI under any path is treated as in-process when it is called.

ScriptMaps: script mapping. Once this value is set on a directory, requests for files with the given extension in that directory are handed to the specified ISAPI for execution. It must be emphasized that the directory on which ScriptMaps is set does not have to exist: as long as a subkey is created under the Root key of an HTTP instance in the metabase, IIS considers an HTTP request for that subkey legitimate and hands it to the mapped ISAPI. This is also a weakness in IIS.

CreateProcessAsUser: setting this value to 0 on a directory makes applications in that directory inherit inetinfo.exe's Local System permissions.

AccessWrite: determines whether a directory allows writes, that is, WebDAV's PUT method.

AccessExecute: determines whether a directory allows applications to be executed.

Backdoor idea:

Create a script mapping for a specific extension pointing to our ISAPI, and add the ISAPI to the InProcessIsapiApps list. Then, when we request a file of that extension type from the server, the server executes the ISAPI, and the requested file does not need to actually exist. Tricks:

1. Since no directory needs to be created to set ScriptMaps, you can write only a key and add the ScriptMaps to that key. That way the directory is not visible in Internet Services Manager, and neither is the ScriptMaps value.

2. Although Internet Services Manager cannot see it, experienced administrators may be in the habit of looking with adsutil.vbs ENUM /P:

# adsutil.vbs ENUM /P /W3SVC/1/ROOT
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. all rights reserved.
[/w3svc/1/root/_vti_bin]
[/w3svc/1/root/evildir]

That exposes it. But because the key we set is not an existing virtual directory, just a string in the configuration file, the key name can be made of the character 0x08. 0x08 is the hexadecimal value of the Backspace key; its effect when displayed on the console is to delete the character to its left, and here the character deleted is the "/":

# adsutil.vbs ENUM /P /W3SVC/1/ROOT
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. all rights reserved.
[/w3svc/1/root/_vti_bin]
[/w3svc/1/root]

Faced with this output, the average person will not notice anything.

Of course, the key can also be given a name like _vti_script or _vti_bin; as long as no KeyType is set on it, it is invisible in Internet Services Manager.

The system's InProcessIsapiApps list already contains \winnt\system32\msw3prt.dll, the ISAPI for the .printer mapping, which is generally not used. We can delete the entry d:\winnt\system32\msw3prt.dll and replace it with \winnt\system32\inetsrv\msw3prt.dll.

The drawback is that HTTP requests leave traces in the log, but HTTP has the advantage that a proxy server can be used as a stepping stone. In addition, 0x0d 0x0a can be inserted to forge log entries (see the article on Apache, IIS and other servers allowing log entries to be forged by sending a carriage return); that is a matter of how the requested path is constructed.

Implementation:

Of course, you can use Adsutil.vbs to add the entries. Note, however, that Adsutil.vbs can only SET a value, not append to it, so when using adsutil.vbs the original entries must be included along with the new one, otherwise they are lost. Separate entries with spaces.

First get the current InProcessIsapiApps list with the following command: adsutil.vbs GET /W3SVC/InProcessIsapiApps

Then set it again with your ISAPI path appended: adsutil.vbs SET /W3SVC/InProcessIsapiApps "C:\Winnt\System32\idq.dll" "C:\Winnt\System32\inetsrv\httpext.dll" ...

ScriptMaps is set the same way as InProcessIsapiApps. Of course, this is rather troublesome, and a key name such as 0x08 cannot be typed this way, so I simply wrote a VBS script that does it all at once. As for the backdoor ISAPI itself, what it can do depends entirely on imagination. Here is a simple screen capture of an example:

# nc 10.11.0.26 80
POST //anything.tom
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1998 Microsoft Corp.
C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM
C:\WINNT\system32>exit
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 08 Jan 2003 06:49:37 GMT

A more concealed approach is to write a special ISAPI and register it as the handler for ASP. Normally the program forwards each received request to the system's original asp.dll and returns the result; it starts its own backdoor code only when it receives a special POST request, so nothing unusual shows in the log, and it is also difficult to find during review.

Besides the script mapping method described above, you can also give a virtual directory AccessWrite and AccessExecute permissions. To run the backdoor you upload the ISAPI via WebDAV, run it, and then delete it. (Can it be deleted, or does W3SVC still need to be restarted? I have not tried.) If what is uploaded is not a DLL but an exe, set CreateProcessAsUser on that directory to 0 and it too gets Local System permissions; this method has already been written up. However, AccessWrite and AccessExecute are visible in Internet Services Manager, so the concealment is poor.
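An audit script for the hiding spots this article describes: control-character and KeyType-less keys under Root, script mappings added below Root, InProcessIsapiApps entries that are bare file names or lie outside inetsrv, and the write+execute or CreateProcessAsUser=0 directory settings. This is an added example, not code from the original article; it assumes the IIS 5 ADSI provider on the local machine and only reports findings for an administrator to review.

```vbscript
' metabase_audit.vbs: added audit example, not code from the original article. It walks
' LM/W3SVC through the IIS ADSI provider (what adsutil.vbs itself uses) and reports the
' hiding spots described above. Run on the IIS host:  cscript metabase_audit.vbs
Option Explicit
On Error Resume Next
Dim w3svc, site, root, entry
Set w3svc = GetObject("IIS://localhost/W3SVC")
' 1. InProcessIsapiApps: every DLL listed runs as Local System. A bare file name matches
'    a same-named DLL under any path; a path outside \inetsrv\ deserves a look.
For Each entry In w3svc.InProcessIsapiApps
    If InStr(entry, "\") = 0 Then
        WScript.Echo "SUSPECT inproc (file name only): " & entry
    ElseIf InStr(LCase(entry), "\inetsrv\") = 0 Then
        WScript.Echo "REVIEW  inproc (outside inetsrv): " & entry
    End If
Next
' 2. Walk the key tree under each site's Root; Root's own ScriptMaps are the baseline
For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        Set root = GetObject(site.ADsPath & "/Root")
        WalkKey root, vbLf & Join(root.ScriptMaps, vbLf) & vbLf
    End If
Next
Sub WalkKey(node, rootMaps)
    Dim child, nm, i, kt, maps, m
    For Each child In node
        nm = child.Name
        ' Control characters (0x08 backspace, 0x0d, 0x0a) in a key name exist only to hide it
        For i = 1 To Len(nm)
            If Asc(Mid(nm, i, 1)) < 32 Then
                WScript.Echo "HIDDEN key (control char 0x" & Hex(Asc(Mid(nm, i, 1))) & "): " & child.ADsPath
                Exit For
            End If
        Next
        ' A key without KeyType never appears in Internet Services Manager
        Err.Clear: kt = child.KeyType
        If Err.Number <> 0 Or Len(kt) = 0 Then WScript.Echo "NO KeyType: " & child.ADsPath
        ' Mappings set here that Root does not have (inherited values equal Root's exactly)
        Err.Clear: maps = child.ScriptMaps
        If Err.Number = 0 Then
            For Each m In maps
                If InStr(1, rootMaps, vbLf & m & vbLf, vbTextCompare) = 0 Then WScript.Echo "EXTRA ScriptMap on " & child.ADsPath & ": " & m
            Next
        End If
        ' The WebDAV upload-and-run path, and CreateProcessAsUser=0 (Local System)
        If child.AccessWrite And child.AccessExecute Then WScript.Echo "WRITE+EXECUTE: " & child.ADsPath
        If child.CreateProcessAsUser = False Then WScript.Echo "CreateProcessAsUser=0: " & child.ADsPath
        WalkKey child, rootMaps
    Next
End Sub
```

Redirect the output to a file rather than reading it on the console, since a 0x08 in a key name would otherwise erase part of the line on screen exactly as the article shows.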

Please credit the original address when reposting: https://www.9cbs.com/read-71182.html
