Year: 2009

Microsoft IIS FTP 5.0 Remote SYSTEM Exploit Information and Video

Here is a great, and scary, blog post from the folks over at Offensive Security. It details how easy it is to own a fully patched Windows 2000 SP4 server running Microsoft IIS 5.0 FTP using the remote SYSTEM exploit. From the blog post:

A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that led to a “useradd” type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited to around 500 bytes.

After a bit of tinkering around, we saw that the PASSWORD field would be most suitable to shove a larger payload (bindshell). A quick replacement of the original “user add” shellcode with a secondary encoded egghunter – and a bind shell was presented to us! I wonder how long this 0day has been around… As Rel1k would say to logan_WHD… “it’s OK, it’s OK…”.

The exploit can be downloaded from our exploit archive. To entertain the masses, we also made “Microsoft IIS 5.0 FTP 0 Day – The movie”.

The movie can be found here: http://www.offensive-security.com/videos/microsoft-ftp-server-remote-exploit/msftp.html
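From a defender's side, the detail worth acting on in the quoted post is that the payload had to travel in the argument of a SITE command (limited to roughly 500 bytes) and in the PASS field. The following script is an added example, not code from this post or from Offensive Security: it walks a captured FTP client command stream and flags commands whose argument is abnormally long or contains non-printable bytes. The thresholds, the sample session and the assumption that the control channel was captured unmasked (for example by a network sensor) are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Heuristic thresholds: assumptions for this example, not values from the post.
# Legitimate SITE arguments and passwords are short; the post describes both
# fields being used to carry shellcode, so both are checked for size and for
# bytes outside printable ASCII.
MAX_SITE_ARG = 256
MAX_PASS_ARG = 128

# FTP commands are three or four letters, optionally followed by an argument.
CMD_RE = re.compile(rb"^(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


@dataclass
class Finding:
    line_no: int   # 1-based position in the captured session
    command: str   # upper-cased FTP verb
    reason: str    # why the line was flagged


def inspect_ftp_command(raw: bytes) -> List[str]:
    """Return the reasons one FTP command line looks suspicious (empty if none)."""
    reasons: List[str] = []
    m = CMD_RE.match(raw.rstrip(b"\r\n"))
    if not m:
        return ["unparseable command line"]
    cmd = m.group("cmd").upper()
    arg = m.group("arg") or b""
    if cmd == b"SITE" and len(arg) > MAX_SITE_ARG:
        reasons.append(f"SITE argument of {len(arg)} bytes exceeds {MAX_SITE_ARG}")
    if cmd == b"PASS" and len(arg) > MAX_PASS_ARG:
        reasons.append(f"PASS argument of {len(arg)} bytes exceeds {MAX_PASS_ARG}")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("argument contains non-printable bytes")
    return reasons


def scan_session(lines: List[bytes]) -> List[Finding]:
    """Run inspect_ftp_command over every line of a captured control channel."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, start=1):
        verb = raw.split(None, 1)[0].decode("ascii", "replace").upper() if raw.strip() else ""
        for reason in inspect_ftp_command(raw):
            findings.append(Finding(n, verb, reason))
    return findings


# Constructed sample session: two benign logins/commands, then two oversized
# arguments of the kind the quoted post describes.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"SITE HELP\r\n",
    b"SITE " + b"A" * 480 + b"\r\n",          # oversized SITE argument
    b"PASS " + b"B" * 300 + b"\x90\x90\r\n",  # oversized PASS with non-printable bytes
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command}: {f.reason}")
```

The same check can be applied to FTP server debug logs if they record the raw command line; ordinary access logs usually mask the PASS argument, in which case only the SITE check is useful there.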

Upcoming Opportunities to Meet

I figured it was time to update my Where’s Andrew page and thought I’d do a quick post letting people know where I’m going to be over the next few months. If you’re going to be at one of these events, please let me know and we’ll catch up (or meet) over a pint or two:

Remember When Clouds Meant Something Different?

Justin Foster, a fellow Canadian infosec guy, brought up an interesting point today in a tweet he sent out:

I remember the good old days when a cloud was something we drew to represent the Internet between two points. *Sigh*

He’s also responsible for the following diagram for those of you who are visual people:


“Cloud” is one of those marketing terms that I can’t stand because it is now applied to absolutely everything out on the Internet AND in data centers. In my day we called those areas DMZ and those vendors Application Service Providers (ASPs)…..consarnit!
