Exploit.IIS.Beavuh

Class Exploit
Platform IIS
Description

Technical Details

Beavuh is a malware exploit of the so-called MS IIS “.printer” vulnerability, which is described by Microsoft in the “Security Bulletin MS01-23”,released May 1, 2001.

The MS01-23 Security Bulletin can be viewed at the following location:

www.microsoft.com/technet/security/bulletin/ms01-023.asp

This exploit program gives remote access to a simple Windows NT command shell on the target machine. Beavuh was recently reported (on March 2nd, 2002) to have been used in a large number of hacking attempts.

The exploit program has the following parameters:

  • a destination IP address
  • a destination port number
  • an IP address/port to which the exploiting code will connect back with the command shell.

    The remote exploit code gets executed on the target machine if the IIS vulnerability was not previously patched. The code is encrypted so it will first proceed to decrypt itself, and then it will scan the system memory for the Windows NT library (“kernel32.dll”). From there it will acquire the ‘offset’ of the ‘GetProcAddress’ function and will further use it to obtain a couple of other API addresses, both from “kernel32.dll” and “wsock32.dll”.

    Next Beavuh connects to the address specified by the attacker, launches the executable “cmd.exe” and links the input and output of the command shell to the socket opened to the attacker’s control machine.

    Recommendations
    Due to the prevalence of this exploit, we recommend system administrators patch any vulnerable IIS servers as soon as possible. Also, installing the KL ISAPI AV filter provides a generic means of blocking IIS buffer overflow exploits, including this one. For more details, please check:

    www.kasperskey.com/support.html?chapter=47