Nmap Development mailing list archives

Re: [NSE] Webservers Directory Traversal Vulnerability (under windows)


From: David Fifield <david () bamsoftware com>
Date: Fri, 18 Jun 2010 16:22:52 -0600

On Mon, May 24, 2010 at 07:04:09PM +0200, Gutek wrote:
> Indeed, the goal is the same: revealing a Dir Traversal.
> However I may be wrong but I think the two approaches are slightly
> different (without talking about linux vs. windows targets):
> - http-passwd seems "generic"-oriented as it builds commonly seen ways
> of trying to reach /etc/passwd: escaping characters, slashing and
> anti-slashing
> - http-win-dir-traversal is precisely oriented against payloads
> published. Let's say, "products-oriented"
>
> I have two hypotheses:
> - H1, keeping those two apart, renaming http-win-dir-traversal to
> http-boot (to reflect the targeted file, as those two files are
> OS-symbolic and so self-speaking)
> - H2 trying to merge those two approaches. I can imagine it could be
> possible (but a little bit hard, I guess) to, for example, try to guess
> the platform and then launch a unix() or a windows() subroutine

I think I prefer H2. I don't think the script needs to decide which file
to try to get, /etc/password or boot.ini, just try them both. If you
have an OS match, you could use that to eliminate one of the
possibilities. After all, trying both files is what will happen anyway
if there are two scripts.

In the combined script, let's just make sure all the "products-oriented"
requests are done by the "generic-oriented" request generator, and then
there's no distinction to worry about.

Is boot.ini available on recent versions of Windows too?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
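The thread discusses a scanner whose generic request generator produces traversal payload variants (escaping, forward slashes, backslashes) aimed at /etc/passwd and boot.ini. As an added example, not code from this thread or from the Nmap project, here is the defender-side counterpart: a small Python log checker that applies the normalization such variants are designed to slip past (repeated URL-decoding to unwind double encoding, folding backslashes into forward slashes) to the request paths in web server access logs, and flags traversal attempts toward either file together with whether the server answered 200. The log lines, the `SENSITIVE_FILES` tuple and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; not taken from the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2010:16:22:52 -0600] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [18/Jun/2010:16:23:01 -0600] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 231
10.0.0.7 - - [18/Jun/2010:16:23:02 -0600] "GET /scripts/..%5c..%5c..%5cboot.ini HTTP/1.1" 200 310
10.0.0.7 - - [18/Jun/2010:16:23:03 -0600] "GET /app/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 198
10.0.0.9 - - [18/Jun/2010:16:23:10 -0600] "GET /images/logo.png HTTP/1.1" 200 4096
"""

# Pull method, request path and status code out of the quoted request field.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"\s+(?P<status>\d{3})'
)

# The two OS-symbolic files the thread talks about (assumed list for this example).
SENSITIVE_FILES = ("etc/passwd", "boot.ini")


def normalize_path(raw):
    """Undo the encodings a traversal payload generator typically layers on.

    - URL-decode repeatedly (bounded) so %252e%252e -> %2e%2e -> ..
    - treat backslashes as path separators, as Windows-style payloads rely on
    - lower-case so boot.ini / BOOT.INI compare equal
    """
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return path.lower()


def classify_request(raw_path):
    """Return (has_traversal, target_file_or_None) for one request path."""
    norm = normalize_path(raw_path)
    has_traversal = "../" in norm or norm.endswith("..")
    target = next((f for f in SENSITIVE_FILES if f in norm), None)
    return has_traversal, target


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        has_traversal, target = classify_request(m.group("path"))
        if has_traversal or target:
            findings.append({
                "path": m.group("path"),
                "normalized": normalize_path(m.group("path")),
                "target": target,
                "status": int(m.group("status")),
                # A 200 on a sensitive-file target is the case worth paging on.
                "likely_success": target is not None and m.group("status") == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SUCCESS?" if f["likely_success"] else "attempt"
        print(f"{flag:8} {f['status']} {f['path']} -> {f['normalized']}")
```

Run it on a real log by passing the file contents to `scan_log`; the normalization step is the part worth reusing, since the same decode-then-fold logic is what lets one rule cover the "generic" and "products-oriented" payloads the thread distinguishes.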

