Blind Buffer Overflows In ISAPI Extensions

by Isaac Dawson
Sept. 25, 2017 · Symantec, ISAPI

In this paper we will use several ISAPI extensions on a Microsoft Windows 2000 server running Internet Information Server (IIS) 5.0. A number of different ISAPI extensions were created, each with a different type of stack-based overflow vulnerability, to stand in for the kind of proprietary applications seen in the wild. The examples that follow are overflows using strcpy(), sprintf(), and strcat(). A second set of extensions was also built with the Microsoft Visual Studio .NET stack protection enabled (the /GS option) [ref 2]. The author will demonstrate how to bypass these protection mechanisms and execute arbitrary code completely blind. The reasons for choosing an ISAPI extension were twofold: custom web-based applications built on ISAPI extensions and filters are becoming more and more popular, and old extensions still in use today are rarely reviewed for security flaws.
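The vulnerability class the paper builds on is the unbounded copy of request data into a fixed-size stack buffer. The following is an added example, not code from the paper or from any of the extensions it describes: a simplified ISAPI-style query handler showing the strcpy() pattern beside a bounded form that rejects oversized input. `REQ_BUF_SIZE`, `handle_query_unsafe`, `handle_query_safe`, `handle_query` and `query_of_length` are all names and values assumed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a simplified ISAPI-style request handler.
 * Not code from the paper; it mirrors the strcpy()-into-fixed-buffer
 * pattern the paper exploits. REQ_BUF_SIZE and the function names are
 * assumptions for this illustration. */
#define REQ_BUF_SIZE 64

/* Vulnerable pattern: copies the query string with no length check.
 * A query longer than REQ_BUF_SIZE-1 bytes overruns 'buf' and the saved
 * frame data on the stack. A /GS cookie would detect the corruption at
 * function return, but it does not remove the defect. Kept for
 * reference only; nothing below calls it with oversized input. */
int handle_query_unsafe(const char *query)
{
    char buf[REQ_BUF_SIZE];
    strcpy(buf, query);              /* no bound: stack overflow */
    return (int)strlen(buf);
}

/* Hardened form: rejects oversized input up front and copies with an
 * explicit bound, so 'out' is always a terminated string.
 * Returns the copied length, or -1 if the request would not fit. */
int handle_query_safe(const char *query, char *out, size_t out_size)
{
    size_t len = strlen(query);
    if (out_size == 0)
        return -1;
    if (len >= out_size)             /* no room for the terminator */
        return -1;
    memcpy(out, query, len + 1);     /* bounded copy including NUL */
    return (int)len;
}

/* Wrapper using the fixed request buffer size, as a handler would. */
int handle_query(const char *query)
{
    char buf[REQ_BUF_SIZE];
    return handle_query_safe(query, buf, sizeof buf);
}

/* Builds a constructed query of n 'A' bytes (n < 200) and runs it
 * through the hardened handler; used to probe the size boundary. */
int query_of_length(size_t n)
{
    char q[200];
    if (n >= sizeof q)
        n = sizeof q - 1;
    memset(q, 'A', n);
    q[n] = '\0';
    return handle_query(q);
}

int main(void)
{
    printf("short query      -> %d\n", handle_query("id=42"));
    printf("63-byte query    -> %d\n", query_of_length(REQ_BUF_SIZE - 1));
    printf("64-byte query    -> %d\n", query_of_length(REQ_BUF_SIZE));
    printf("199-byte query   -> %d\n", query_of_length(199));
    return 0;
}
```

The boundary matters: a 63-byte query fits with its terminator and is accepted, while a 64-byte query is refused rather than silently truncated, which keeps the handler's behaviour explicit and auditable. The same `len >= out_size` check replaces the unbounded sprintf() and strcat() variants the paper mentions when they are rewritten with snprintf() and an explicit remaining-length calculation.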

2flash 7 months, 3 weeks ago

Oh, the good old ISAPI extensions... it is a nice vanilla-flavored article.