Penetration Testing mailing list archives

Re: [PEN-TEST] IIS %c1%1c remote command execution


From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Thu, 19 Oct 2000 18:19:36 -0500


Keep in mind that these attacks will only work on poorly (or not at all)
secured servers: a) don't use default directories and default virtual
directories, and b) with proper ACLs set on all files and dirs this
exploit won't work. The exploit basically gives you access to files (i.e.
cmd.exe). If these aren't there, or are properly secured, the exploit won't
work. I had tested it against a few of my machines and was not able to do
anything (I guess that's a good thing... :)

Then again, I'm running IIS 3.0 because 4.0 and 5.0 have just way too many
bugs :)

Regards,
Frank

-----Original Message-----
From: Tom Vandepoel [mailto:Tom.Vandepoel () UBIZEN COM]
Sent: Thursday, October 19, 2000 4:40 PM

[...]
Also, what I've gleaned from RFP's writeup is that there seem to be
different variations. I've just seen a signature posted on the
snort-sigs list, that lists it as:

%c0%hh/%c1%hh IIS exploit

which seems to suggest there are even more valid values, probably
depending on the language version of NT that is installed... anyone made
a list of those unicodes yet? I started out whacking together a quick
perl script to do as RFP has done, which is to scan through all 2-byte
combinations, but I haven't had the time to explore that fully. Any more
experience with that here?

