Re: Pen on IIS with webroot not on C

[Javier Fernandez-Sanguino <jfernandez () germinus com>]

A. Caruso wrote:
> Hi all:
>
> I have been muking around with different file system traversal exploits for IIS and playing with some of the tools.  Most of the tools depend on the 
> default install of IIS with webroot on c:.  I've moved webroot to d: on my toybox and haven't been able to jump back to c: to get a shell (cmd). 
>  Does anyone know of a mechanism to "jump" file systems.  I haven't been able to find anything after RFP said (in his unicode paper) the 
> syntax doesn't exist to do this.  (I think that's where I saw it).
> eg
> GET /scripts/../../../%systemroot%/cmd.exe (insert appropriate unicode)

/scripts/ moves around when you move the webroot. However, some others 
do not do so necessarily. Have you tried /msadc/ or /iisadmpwd/? IIRC 
(it's been a time since I need to do that) Msadc was stored in the OS 
partition (i.e. not the webroot).


> Short of jumping file systems, what about uploading a shell to webroot through the .ida vuln?  (I left those patches 
> off for play).


I find it useful, and entertaining, to create a shell using _only_ the 
UNICODE vulnerability, cmd.exe and some 'echo' mumbo jumbo. It can be 
easily automated if you know where to look (hint: this list).

Regards

Javi


----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html