Penetration Testing mailing list archives
Re: [PEN-TEST] IIS %c1%1c remote command execution
From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Thu, 19 Oct 2000 18:19:36 -0500
Keep in mind that these attacks will only work on poorly (or not at all) secured servers. a) Don't use default directories and default virtual directories, and b) with proper ACLs set on all files and dirs this exploit won't work. The exploit basically gives you access to files (i.e. cmd.exe). If these aren't there, or properly secured, the exploit won't work.

I had tested it against a few of my machines, and was not able to do anything (I guess that's a good thing... :) Then again, I'm running IIS 3.0 because 4.0 and 5.0 have just way too many bugs :)

Regards,
Frank
-----Original Message-----
From: Tom Vandepoel [mailto:Tom.Vandepoel () UBIZEN COM]
Sent: Thursday, October 19, 2000 4:40 PM

[...]

Also, what I've gleaned from RFP's writeup is that there seem to be different variations. I've just seen a signature posted on the snort-sigs list, that lists it as:

%c0%hh/%c1%hh IIS exploit

which seems to suggest there are even more valid values, probably depending on the language version of NT that is installed...anyone made a list of those unicodes yet?

I started out whacking together a quick perl script to do as RFP has done, which is to scan through all 2-byte combinations, but I haven't had the time to explore that fully. Any more experience with that here?
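Added example, not part of the original thread or of any poster's code: a log check built on the `%c0%hh/%c1%hh` pattern quoted above, flagging request URIs that contain a percent-encoded 0xC0 or 0xC1 lead byte, which never occurs in valid UTF-8. The log layout, field positions, addresses and URIs are constructed assumptions.

```python
import re

# Lead bytes 0xC0 and 0xC1 never occur in valid UTF-8: any two-byte sequence
# starting with them would encode a code point below 0x80 (non-shortest form).
OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)

def fold(lead, trail):
    """Character a lenient decoder derives from the pair when it masks the
    bits without checking that the second byte is a continuation byte."""
    return chr(((lead & 0x1F) << 6) | (trail & 0x3F))

def scan_uri(uri):
    """Return [(encoded_pair, folded_char)] for each %c0%hh / %c1%hh hit."""
    hits = []
    for m in OVERLONG.finditer(uri):
        lead, trail = int(m.group(1), 16), int(m.group(2), 16)
        hits.append((m.group(0).lower(), fold(lead, trail)))
    return hits

def scan_log(lines, ip_field=2, uri_field=4):
    """Return [(client_ip, uri, hits)] for flagged lines.
    Field positions are an assumption; read them from the log's #Fields line."""
    flagged = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and W3C header directives
        fields = line.split()
        if len(fields) <= max(ip_field, uri_field):
            continue  # malformed or truncated line
        hits = scan_uri(fields[uri_field])
        if hits:
            flagged.append((fields[ip_field], fields[uri_field], hits))
    return flagged

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2000-10-19 23:19:36 192.0.2.10 GET /index.html 200",
    "2000-10-19 23:19:40 192.0.2.10 GET /caf%c3%a9.html 200",    # valid UTF-8
    "2000-10-19 23:20:02 198.51.100.7 GET /vdir/x%C1%1Cy.txt 404",
]

if __name__ == "__main__":
    for ip, uri, hits in scan_log(SAMPLE_LOG):
        print(ip, uri, hits)
```

Because the check keys on the lead byte alone, it does not depend on a list of second-byte values, and the same test can be applied as a reject rule before the URI is decoded.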