Penetration Testing mailing list archives

Re: [PEN-TEST] IIS %c1%1c remote command execution


From: David Wong <dw280 () COLUMBIA EDU>
Date: Fri, 20 Oct 2000 22:42:13 -0700

Tom,

It's UTF-8 encoding of unicode. Try %e0%80%af

Dave
----- Original Message -----
From: "Tom Vandepoel" <Tom.Vandepoel () UBIZEN COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, October 19, 2000 2:40 PM
Subject: Re: [PEN-TEST] IIS %c1%1c remote command execution


Michael Katz wrote:

On Thursday, October 19, 2000 8:19 AM, Critical Watch Bugtraqqer wrote:

However, I haven't been able to find a use for this if the web site is on a separate drive. Ok, sure, if there is a sample page that allows you to cruise around folders and look for interesting executables, or maybe perl.exe in the cgi-bin, you could use this exploit. But what else? Any thoughts?

You can get directory listings of any directory on any drive, including mapped drives, as well as read the contents of numerous files that you find - again, on any drive. I have confirmed this by successfully testing this exploit on vulnerable servers.


Haven't done any successful testing on this yet, but in the examples,
it's always mentioned with an executable virtual dir, like /scripts. Is
that a requirement for this vulnerability, or does it also allow you to
view files directly, through regular document directories, without
executing cmd.exe?

Also, what I've gleaned from RFP's writeup is that there seem to be
different variations. I've just seen a signature posted on the
snort-sigs list, that lists it as:

%c0%hh/%c1%hh IIS exploit

which seems to suggest there are even more valid values, probably
depending on the language version of NT that is installed...anyone made
a list of those unicodes yet? I started out whacking together a quick
perl script to do as RFP has done, which is to scan through all 2-byte
combinations, but I haven't had the time to explore that fully. Any more
experience with that here?

Tom.


--
_________________________________________________

Tom Vandepoel
Sr. Network Security Engineer

www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________
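A defender's check for the overlong UTF-8 encodings discussed in this thread, added here as an example and not part of any of the original posts: it decodes a request path the way a lenient decoder does, flags any sequence that had a shorter form (%c0%af, %c1%1c and %e0%80%af all collapse to a path separator), and reports traversal. The sample paths are constructed for the demo, not taken from a real log.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request paths (not from any real log). The three
# percent-encodings come from the thread above; the last path is clean.
SAMPLE_PATHS = [
    "/scripts/..%c1%1c../dir/cmd.exe?/c+dir",
    "/scripts/..%c0%af../dir/cmd.exe?/c+dir",
    "/scripts/..%e0%80%af../dir/cmd.exe?/c+dir",
    "/scripts/index.asp?id=1",
]

def decode_lenient_utf8(data: bytes) -> tuple:
    """Decode bytes the way a lenient decoder would: the lead byte fixes the
    sequence length and the low six bits of each following byte are used
    even when it is not a valid 10xxxxxx continuation byte (which is why
    %1c behaves like %9c). Returns (decoded_text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                       # plain ASCII byte
            out.append(chr(b)); i += 1; continue
        if b & 0xE0 == 0xC0:               # 110xxxxx: 2-byte form, 5 payload bits
            n, cp, floor = 2, b & 0x1F, 0x80
        elif b & 0xF0 == 0xE0:             # 1110xxxx: 3-byte form, 4 payload bits
            n, cp, floor = 3, b & 0x0F, 0x800
        else:                              # stray byte: keep it literally
            out.append(chr(b)); i += 1; continue
        if i + n > len(data):              # truncated sequence: keep the tail
            out.extend(chr(x) for x in data[i:]); break
        for k in range(1, n):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        if cp < floor:                     # a shorter encoding exists: overlong
            overlong = True
        out.append(chr(cp)); i += n
    return "".join(out), overlong

def is_unicode_traversal(raw_path: str) -> bool:
    """True when a request path hides '..' traversal behind overlong UTF-8."""
    text, overlong = decode_lenient_utf8(unquote_to_bytes(raw_path))
    normalized = text.replace("\\", "/")   # treat decoded backslash as '/'
    return overlong and "/../" in normalized

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("FLAG" if is_unicode_traversal(p) else "ok  ", p)
```

A plain `/../` without an overlong sequence is ordinary traversal and is left to the usual path checks; this function only matches the Unicode variant.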
