Penetration Testing mailing list archives
Re: [PEN-TEST] FW: [PEN-TEST] IIS %c1%1c remote command execution
From: Mordechai Ovits <movits () OVITS NET>
Date: Thu, 19 Oct 2000 16:04:20 -0400
It would allow you to get any file accessible to the user that IIS is running as, on the Inetpub drive. If the Inetpub drive isn't the system drive you can't run cmd, but you can nab files. Not the SAM though.

Mordy

On Thu, Oct 19, 2000 at 02:35:46PM -0400, Bernard, Shawn wrote:
> I think the post was more along the lines of this... If your web root (inetpub) is located on a different drive letter than your OS is installed on, the vulnerability does not work as posted. I ran into that when I was testing some systems.
>
> OS is installed on C: -- C:\WINNT
> IIS web root is on D:\ -- D:\INETPUB
>
> Now if I understand it correctly the problem is that in the example URL
>
> http://address.of.iis5.system/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
>
> the ..%c1%1c.. translates into ../.. dropping you to the root of the drive that the web root resides on. So if your webroot is C:\INETPUB the URL calls C:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C\ and in your normal out of the box install it finds cmd.exe and runs a dir command. If your webroot is D:\INETPUB the URL calls D:\WINNT\SYSTEM32\CMD.EXE?/C+DIR+C\ and in most cases (that I have worked with) you would not have the OS located there, so the vulnerability would not work.
>
> -----Original Message-----
> From: Michael Katz [SMTP:mike () RESPONSIBLE COM]
> Sent: Thursday, October 19, 2000 12:01 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] IIS %c1%1c remote command execution
>
> On Thursday, October 19, 2000 8:19 AM, Critical Watch Bugtraqqer wrote:
>
> > However, I haven't been able to find a use for this if the web site is on a separate drive. Ok, sure if there is a sample page that allows you to cruise around folders and look for interesting executables, or maybe perl.exe in the cgi-bin, you could use this exploit. But what else? Any thoughts?
>
> You can get directory listings of any directory on any drive, including mapped drives, as well as read the contents of numerous files that you find - again, on any drive. I have confirmed this by successfully testing this exploit on vulnerable servers.
>
> Michael Katz
> Responsible Solutions, Ltd.
> mike () responsible com
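Added example, not part of the thread: a Python model of the lenient UTF-8 decoding that turns ..%c1%1c.. into ../.., used as a log check that canonicalizes the request path first and only then looks for ".." segments that climb above the web root. The decoder model and the log lines are constructed for illustration and are not IIS's code or real logs.

```python
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(raw: bytes) -> str:
    """Model of a permissive 2-byte UTF-8 decoder (assumption, not IIS's code):
    it does not check that the second byte is a continuation byte, so
    %c1%1c -> (0x01 << 6) | 0x1c = 0x5c = '\\'. Strict decoders reject this."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(url_path: str) -> str:
    """Percent-decode, apply the lenient decoder, then unify separators."""
    return lenient_utf8_decode(unquote_to_bytes(url_path)).replace("\\", "/")


def is_traversal(url_path: str) -> bool:
    """True if the canonical path climbs above the web root at any point."""
    depth = 0
    for seg in canonical_path(url_path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


# Constructed sample lines (W3C extended fields: date time c-ip method uri-stem uri-query status).
SAMPLE_LOG = [
    "2000-10-19 16:04:20 192.0.2.10 GET /default.htm - 200",
    "2000-10-19 16:04:21 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2000-10-19 16:04:22 192.0.2.11 GET /images/../index.html - 200",
]


def flag_traversal(lines):
    """Return (client_ip, raw_uri, canonical_path) for requests leaving the web root."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 5 and is_traversal(fields[4]):
            hits.append((fields[2], fields[4], canonical_path(fields[4])))
    return hits
```

The benign /images/../index.html stays inside the root and is not flagged; the check is on the decoded path's depth, not on the literal string "..", which is the order of operations the thread's example defeats.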
Current thread:
- [PEN-TEST] FW: [PEN-TEST] IIS %c1%1c remote command execution Bernard, Shawn (Oct 19)
- Re: [PEN-TEST] FW: [PEN-TEST] IIS %c1%1c remote command execution Mordechai Ovits (Oct 19)