video of win2k iis ftp attack opening a bindshell

The good folks at Offensive Security have posted a video (Camtasia) of the Win2k IIS 5.0/6.0 FTPD exploit in action (found via Andrew Hay). The difference between this version and the kingcope exploit is that this one sets up a bindshell, where the original set up a new Windows user account.

What isn’t mentioned is that the exploit does require a valid connection to the FTP server, either through valid credentials, stolen credentials, or anonymous write access. So the old “best practices” of removing anonymous access, being careful who you let into your server, and enforcing strong passwords help mitigate this risk. Though that’s really not enough assurance and I expect an MS patch for this soon, this at least should let you sleep at night if you have vulnerable servers. And don’t just think about remote attacks from China but also internally-accessible FTP servers.
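Since the two preconditions called out above are anonymous login and anonymous write access, the quickest way to know where you stand is to audit your own FTP servers for exactly those two things. The script below is an added example for that audit; it is not from the original post, from Offensive Security, or from kingcope. It uses only the standard library’s `ftplib`, and the probe directory name, the anonymous password string, and the `FakeFtp` offline stand-in are assumptions of this example, not anything the post specifies.

```python
"""Audit an FTP server for anonymous login and anonymous write access.

Added example (not from the original post). Uses the standard-library
ftplib client by default; ``ftp_factory`` can be swapped for a test double
so the logic can be exercised offline.
"""
import ftplib
import sys
from dataclasses import dataclass

# Throw-away directory used to probe for write access. The name is an
# arbitrary assumption of this example; it is created and removed again.
PROBE_DIR = "ftp_audit_probe_delete_me"
# Conventional anonymous "password" (an e-mail-like string); assumed here.
ANON_PASSWORD = "audit@example.invalid"


@dataclass
class AnonFtpResult:
    host: str
    reachable: bool
    anonymous_login: bool
    anonymous_write: bool
    detail: str

    @property
    def risk(self) -> str:
        """Summarise the exposure in terms of the post's two preconditions."""
        if not self.reachable:
            return "unknown: server unreachable"
        if self.anonymous_write:
            return "high: anonymous users can write"
        if self.anonymous_login:
            return "medium: anonymous read-only access"
        return "low: anonymous access disabled"


def audit_anonymous_ftp(host: str, port: int = 21, timeout: float = 5.0,
                        ftp_factory=ftplib.FTP) -> AnonFtpResult:
    """Connect, attempt anonymous login, then try to create (and remove) a directory."""
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors as exc:  # includes OSError and EOFError
        return AnonFtpResult(host, False, False, False, f"connect failed: {exc}")

    anon_login = False
    anon_write = False
    detail = "anonymous login refused"
    try:
        ftp.login("anonymous", ANON_PASSWORD)
        anon_login = True
        detail = "anonymous login accepted, write refused"
        try:
            ftp.mkd(PROBE_DIR)          # 550 here means no write permission
            anon_write = True
            detail = "anonymous login accepted, directory creation succeeded"
        except ftplib.error_perm:
            pass
        finally:
            if anon_write:
                try:
                    ftp.rmd(PROBE_DIR)  # always clean up the probe directory
                except ftplib.all_errors:
                    detail += "; WARNING: probe directory could not be removed"
    except ftplib.error_perm:
        pass  # 530: anonymous login is disabled, which is the desired state
    except ftplib.all_errors as exc:
        detail = f"session error: {exc}"
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass
    return AnonFtpResult(host, True, anon_login, anon_write, detail)


class FakeFtp:
    """Offline stand-in for ftplib.FTP (constructed for this example only)."""

    def __init__(self, reachable=True, allow_login=True, allow_write=False):
        self.reachable, self.allow_login, self.allow_write = reachable, allow_login, allow_write
        self.created = []
        self.quit_called = False

    def connect(self, host, port=21, timeout=None):
        if not self.reachable:
            raise OSError("connection refused")
        return "220 fake ftpd ready"

    def login(self, user="", passwd=""):
        if not self.allow_login:
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 User logged in."

    def mkd(self, dirname):
        if not self.allow_write:
            raise ftplib.error_perm("550 Permission denied.")
        self.created.append(dirname)
        return "/" + dirname

    def rmd(self, dirname):
        self.created.remove(dirname)
        return "250 RMD command successful."

    def quit(self):
        self.quit_called = True
        return "221 Goodbye."


if __name__ == "__main__":
    # Usage: python ftp_anon_audit.py <host>   (a server you are responsible for)
    # With no argument, runs against the offline fake so the output can be seen.
    if len(sys.argv) > 1:
        result = audit_anonymous_ftp(sys.argv[1])
    else:
        result = audit_anonymous_ftp("fake-host", ftp_factory=lambda: FakeFtp(allow_write=True))
    print(f"{result.host}: {result.risk} ({result.detail})")
```

Run it against each FTP server in your inventory, internal ones included; anything that comes back `medium` or `high` is a server where the mitigations in the post have not actually been applied, and `high` means an anonymous client already has the write access the exploit needs.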

Another “best practice” is to flatly not use the IIS FTP server. I think that suggestion has been around for 10 years now…