Penetration Testing mailing list archives
Re: [PEN-TEST] IIS %c1%1c remote command execution
From: David Wong <dw280 () COLUMBIA EDU>
Date: Fri, 20 Oct 2000 22:42:13 -0700
Tom,

It's UTF-8 encoding of unicode. Try %e0%80%af

Dave

----- Original Message -----
From: "Tom Vandepoel" <Tom.Vandepoel () UBIZEN COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, October 19, 2000 2:40 PM
Subject: Re: [PEN-TEST] IIS %c1%1c remote command execution
> Michael Katz wrote:
> > On Thursday, October 19, 2000 8:19 AM, Critical Watch Bugtraqqer wrote:
> > > However, I haven't been able to find a use for this if the web site is on a
> > > separate drive. Ok, sure if there is a sample page that allows you to cruise
> > > around folders and look for interesting executables, or maybe perl.exe in the
> > > cgi-bin, you could use this exploit. But what else? Any thoughts?
> >
> > You can get directory listings of any directory on any drive, including mapped
> > drives, as well as read the contents of numerous files that you find - again,
> > on any drive. I have confirmed this by successfully testing this exploit on
> > vulnerable servers.
>
> Haven't done any successful testing on this yet, but in the examples, it's
> always mentioned with an executable virtual dir, like /scripts. Is that a
> requirement for this vulnerability, so does it also allow you to view files
> directly, through regular document directories, without executing cmd.exe?
>
> Also, what I've gleaned from RFP's writeup is that there seem to be different
> variations. I've just seen a signature posted on the snort-sigs list, that
> lists it as:
>
> %c0%hh/%c1%hh IIS exploit
>
> which seems to suggest there are even more valid values, probably depending on
> the language version of NT that is installed... anyone made a list of those
> unicodes yet? I started out whacking together a quick perl script to do as RFP
> has done, which is to scan through all 2-byte combinations, but I haven't had
> the time to explore that fully. Any more experience with that here?
>
> Tom.
>
> --
> _________________________________________________
> Tom Vandepoel
> Sr. Network Security Engineer
> www.ubizen.com
> tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
> Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
> _________________________________________________
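The defensive counterpart of Dave's answer, as an added example that is not from this thread or from any of its participants: the encodings being discussed (%e0%80%af, %c1%1c, the %c0%hh/%c1%hh family) are UTF-8 sequences that strict validation rejects, either because they are overlong (RFC 3629 shortest-form rule) or because a trailing byte is not a valid continuation byte. A path check that runs on the raw text never sees the "/" or "\" that a lenient decoder later produces, so the check has to run on strictly validated, fully decoded input. The Python below percent-decodes a path, reports every sequence strict UTF-8 rejects, and shows what a lenient decoder that merely masks the low six bits of each trailing byte would turn it into; that lenient model is an assumption used for illustration, not a description of IIS internals, and the sample paths are constructed.

```python
"""Strict UTF-8 validation for percent-encoded URL paths.

Added example (not from the thread): flags overlong and malformed UTF-8
sequences such as %e0%80%af and %c1%1c, which a lenient decoder turns into
"/" or "\\" only after a traversal check on the raw text has already run.
The lenient model (mask the low six bits of each trailing byte) is an
assumption used for illustration, not a description of IIS internals.
"""
from urllib.parse import unquote_to_bytes

# Shortest-form rule (RFC 3629): the lowest code point each sequence length may encode.
_MIN_CODEPOINT = {2: 0x80, 3: 0x800, 4: 0x10000}


def _seq_len(lead: int) -> int:
    """Sequence length implied by a lead byte; 0 for bytes that can never lead."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead < 0xE0:
        return 2
    if 0xE0 <= lead < 0xF0:
        return 3
    if 0xF0 <= lead < 0xF8:
        return 4
    return 0  # 0x80-0xBF (stray continuation) and 0xF8-0xFF


def find_malformed_utf8(path: str) -> list:
    """Percent-decode `path` and report each UTF-8 sequence strict validation rejects.

    Every finding carries the byte offset, the raw bytes as hex, the reason, and
    `lenient_char`: the character a decoder would produce if it skipped the
    continuation-byte and shortest-form checks.
    """
    data = unquote_to_bytes(path)
    findings = []
    i = 0
    while i < len(data):
        lead = data[i]
        n = _seq_len(lead)
        if n == 1:
            i += 1
            continue
        if n == 0:
            findings.append({"offset": i, "bytes": data[i:i + 1].hex(),
                             "reason": "invalid lead byte", "lenient_char": None})
            i += 1
            continue
        chunk = data[i:i + n]
        if len(chunk) < n:
            findings.append({"offset": i, "bytes": chunk.hex(),
                             "reason": "truncated sequence", "lenient_char": None})
            break
        cp = lead & (0x7F >> n)          # payload bits of the lead byte: 0x1F / 0x0F / 0x07
        bad_continuation = False
        for b in chunk[1:]:
            if not 0x80 <= b <= 0xBF:
                bad_continuation = True  # a strict decoder stops here ...
            cp = (cp << 6) | (b & 0x3F)  # ... a lenient one just masks and carries on
        lenient_char = chr(cp) if cp < 0x110000 else None
        if bad_continuation:
            reason = "bad continuation byte"
        elif cp < _MIN_CODEPOINT[n]:
            reason = "overlong encoding"
        else:
            reason = None
        if reason:
            findings.append({"offset": i, "bytes": chunk.hex(),
                             "reason": reason, "lenient_char": lenient_char})
        i += n
    return findings


def hides_path_separator(path: str) -> bool:
    """True when a rejected sequence would become "/" or "\\" under lenient decoding,
    i.e. a separator that a check on the raw path text would never see."""
    return any(f["lenient_char"] in ("/", "\\") for f in find_malformed_utf8(path))


if __name__ == "__main__":
    # Constructed sample paths: the two encodings quoted in the thread, plus a
    # legitimately encoded non-ASCII name that must not trigger.
    for sample in ("/..%e0%80%af../", "/..%c1%1c../", "/caf%c3%a9/"):
        print(sample, hides_path_separator(sample), find_malformed_utf8(sample))
```

Running the block shows %e0%80%af reported as an overlong "/" and %c1%1c as a bad continuation byte that a masking decoder still turns into "\", while the properly encoded "é" passes clean. Tom's question about which two-byte values are "valid" is answered by the shortest-form rule rather than by a scan: any lead byte whose payload bits are zero combined with a continuation byte yields a code point below 0x80, and a strict decoder rejects all of them, which is the fix to deploy rather than a signature per variant.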
Current thread:
- [PEN-TEST] IIS %c1%1c remote command execution Critical Watch Bugtraqqer (Oct 19)
- Re: [PEN-TEST] IIS %c1%1c remote command execution Michael Katz (Oct 19)
- Re: [PEN-TEST] IIS %c1%1c remote command execution Tom Vandepoel (Oct 19)
- Re: [PEN-TEST] IIS %c1%1c remote command execution David Wong (Oct 21)
- Re: [PEN-TEST] IIS %c1%1c remote command execution Tom Vandepoel (Oct 19)
- <Possible follow-ups>
- Re: [PEN-TEST] IIS %c1%1c remote command execution Frank Knobbe (Oct 19)
- Re: [PEN-TEST] IIS %c1%1c remote command execution Bobby, Paul (Oct 28)
- Re: [PEN-TEST] IIS %c1%1c remote command execution Michael Katz (Oct 19)