 iisAPE
   (Internet Information Server Automated Passive Exploiter)

                       by elaborate_ruse
                    (www.elaboration.f2s.com)

 Preface

  iisAPE was born out of frustration, and the ensuing interest, in the many
  HTTP port 80 hits I experienced during the life cycle of Internet worms like
  Code Red and the later but similar Nimda.
  
  The release of this project was deliberately delayed as a precaution against
  misuse.  At the time of release the number of infected hosts on the Internet
  was low and mostly confined to the likes of dial-up users; the reasons for
  this will be discussed later.
  
 Introduction

  Internet Information Server Automated Passive Exploiter (iisAPE) is an
  application released as part of the OUROBOROS project.  It works under a few
  simple principles:

        The connecting client is an IIS infected host that is
        attempting to attack and exploit you.

        The worm infected host is running the vulnerable IIS service
        and is vulnerable to the attack strings it is sending you.
        (This I found to be quite likely, as the worms' main method of
        repopulation was through these scans.)
		
  These conditions of course may not always be met, but during the peak of the
  Nimda worm life cycle I found something like a 55-75% success rate from
  clients that were worm infected hosts.  This varied depending on the day, time
  and location of the test program.  Success means the ability to execute any
  command on the attacking host in the context of the user the IIS server is
  running as.

 What it does 

  iisAPE binds a server to localhost:80 and listens for TCP connections.  When a
  connection is accepted it checks the client's address against a list of
  already exploited hosts.  It does this to prevent continual scanning from the
  host after exploitation.  If it finds the address in this list it disconnects
  the client.  Otherwise the program attempts to form a connection back to the
  client's port 80.  The virtual circuit would look something like this:
  
  
                    [Q U E R Y]
  client:>1024 ---> iisAPE:80 ---> iisAPE:>1024 ---> client:80

                    [R E P L Y]
  client:>1024 <--- iisAPE:80 <--- iisAPE:>1024 <--- client:80
  
  
  If the return connection is successful the program begins to read in the
  exploit string, which is in the form of a bare-bones HTTP GET request.  If the
  above circuit is not possible a local echo is created back through the
  original client's socket.  This causes the client to disconnect, and its
  address is added to the list of blocked hosts.

  iisAPE then acts as a normal data proxy between the client socket and the IIS
  server running on that client.  The program works on a query/reply model, as
  does the HTTP protocol which it is transferring.  This has the effect of
  making the worm believe it is connected to a fresh new victim when it is
  really attacking itself.  We will refer to this technique as a data proxy
  attack.

  iisAPE acts as a go-between and listens passively for an HTTP/1.1 200 OK from
  the IIS server.  If the server does not reply with this header the program
  will continue to return all data from the server to the client, disconnecting
  the client after one query and response.  If the HTTP/1.1 200 OK is detected
  iisAPE stops transferring data for that client, disconnects the client, and
  adds them to the blocked list.  It then concatenates the commands with the
  discovered exploit string and crafts them into HTTP GET requests, much like
  the worm scan request, which are then sent to the server.  These requests
  cause commands to be executed on the IIS server which result in a small text
  file being created explaining what has happened and where to go to rectify
  it.

 The pitfalls

  The code that stops clients reconnecting once they have been exploited (or
  blocked since the program started) is not intended to be, and should not be
  thought of as, an extensive or reliable port/service wrapper.  It was written
  simply to block reconnects from the automated worm scans.  This it does, as
  the worms' behaviour is fairly static and only changes through different
  variants of the worm that are released (in which case another class will be
  released to deal with this).  Bypassing this filter would not take too much
  creative thinking.

  Once the number of blocked clients reaches a certain number the list is
  written to the text file blocked.txt, which will be created in the same
  directory that the program is running from.  The program will then continue
  to check blocked hosts using both this file and the array of blocked
  addresses it holds in memory.  Each time iisAPE is restarted it searches its
  current directory for the file blocked.txt and, if it is found, deletes it.
  This is done because if you are in a DHCP or similarly configured environment
  when you use this program it is likely that the IP addresses used by previous
  clients will have been assigned to a different machine.
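  The blocked-host bookkeeping described in the two paragraphs above, as an
  added illustration that is not from the iisAPE sources: in-memory set,
  flush to blocked.txt at a threshold, lookups against both, and deletion
  of a stale file on start-up because of DHCP reassignment.  The threshold
  value and the choice to empty the in-memory set after flushing are
  assumptions; the text fixes neither.

```python
"""Blocked-host list modelled on the behaviour described in the text."""
import os

BLOCKED_FILE = "blocked.txt"


class BlockedHosts:
    """Tracks client addresses that must not be proxied again."""

    def __init__(self, directory=".", flush_at=100):
        # flush_at=100 is an assumed threshold; the text does not give one.
        self.path = os.path.join(directory, BLOCKED_FILE)
        self.flush_at = flush_at
        self._mem = set()
        # A list left by a previous run is stale under DHCP: remove it.
        if os.path.exists(self.path):
            os.remove(self.path)

    def _on_disk(self):
        """Addresses already flushed to blocked.txt (empty if no file)."""
        if not os.path.exists(self.path):
            return set()
        with open(self.path) as fh:
            return {line.strip() for line in fh if line.strip()}

    def is_blocked(self, addr):
        """Check both the in-memory array and the file, as the text says."""
        return addr in self._mem or addr in self._on_disk()

    def add(self, addr):
        """Record a host; return True if this triggered a flush to disk."""
        self._mem.add(addr)
        if len(self._mem) >= self.flush_at:
            self._flush()
            return True
        return False

    def _flush(self):
        # Append so earlier flushes survive; then empty memory (assumption).
        with open(self.path, "a") as fh:
            for addr in sorted(self._mem):
                fh.write(addr + "\n")
        self._mem.clear()

    def in_memory(self):
        """Number of addresses not yet written to disk."""
        return len(self._mem)
```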

  No checking is done to ensure the client is a worm infected host.  Therefore
  this program will still accept and act as a proxy if the client is running a
  server on their port 80.  Of course the commands will not be executed on the
  server unless an HTTP/1.1 200 OK is detected.

 Why passive?

  iisAPE is passive because it waits for the vulnerable hosts to come to you.
  It does not aggressively scan your subnet for vulnerable hosts.  It uses the
  worm's scans as the workhorse of the exploit, effectively doing little more
  than deflecting the attack.  Once it detects a successful exploit string,
  though, it becomes somewhat more engaged.  This is only so that it can inform
  the host that it is infected and attacking other hosts.

 Isn't this just using someone else's work to crack hosts?

  Yes, that's exactly what it is.  It is also a good example of how you can use
  your own environment to your advantage and turn an annoying attack into a tool
  that could own upward of 20 hosts a night...in theory.

 General discussion and observation

  As mentioned earlier, the worms' main method of repopulation is through
  scanning for other vulnerable hosts.  This is noisy, and it caused the
  vulnerabilities that allow these worms to spread to be quickly patched; that,
  and some bigwigs in the US announcing it as some big threat to the economy.
  But given that the majority of users on the Internet are on dial-up and
  connect to the Internet for an undetermined length of time, and that new
  people connect their computers to the Internet for the first time daily,
  some people are predicting that we will never see a complete and final death
  of these worms.  So, this program could work on a few hosts for a long time.

  Be warned, you could get into a lot of trouble using this program, even though
  it is in no way harmful.  If you don't know what you're doing, or don't want to
  take the risk, DO NOT run this program.

 Synopsis

  To find out more about the Internet worms Code Red and Nimda use any search
  engine; there is a lot of buzz about them still.

  Some choice references might be:

    the search engine at http://www.microsoft.com
    the bugtraq archives at http://www.security-focus.com

  Also see http://www.elaboration.f2s.com/soyouvegotworms.html
           http://www.elaboration.f2s.com/projects2.html

 The black streak in the otherwise white hat

  The commands are loaded from a text file.