Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability
The following is an exploit provided by NSFocus:
1. Create a file "test.shtml" with following file content:
Number of 'A' should be over 2049.
2. Create a directory "a" under Web directory.
Copy "test.shtml" to "a" directory.
3. Request "test.shtml" through web browser:
4. IIS would return a blank page which indicates that an overflow has occurred.
Meanwhile the trailing '\0' has overwritten the last byte of saved EBP.
On the contrary, in case that the contained file has a shorter name like
'AA', IIS would return a SSI file '/a/AA' error message when receiving
Additionally, a remote shell exploit 'jim.c' has been made available by Indigo <firstname.lastname@example.org>.