Penetration Testing mailing list archives

IDS and Unicode


From: "Parth Galen" <Parth_Galen () ziplip com>
Date: 28 May 2001 17:10:04 -0000

Recently I was pentesting a site and was noticed by a very good admin's homegrown IDS. His IDS was some batch files 
that keyed on ".exe" in the IIS logs. I have something similar on my sites, using Snort and scanning the IIS logs.

So, I was thinking, could someone give me the Unicode-encoded string for "cmd.exe"? Then when pentesting sites like 
this (using a browser, .pl, or nc based call to the Unicode or Filename Double Decode exploits) I can also test their 
IDS. I would then recommend that they key on "%" when not followed by "20", since a "%" sign would be suspicious when 
not used to encode a space.

Thanks for your time and effort! Any feedback would be much appreciated! 

Parth 
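
The log check discussed in the message above, as an added example that is not part of the original post: it compares a literal ".exe" match with the proposed "% not followed by 20" rule and with matching after percent-decoding. The log layout, the sample lines, the function names and the three-pass decode limit are assumptions made for illustration, and the log is assumed to record the URI as it was received.

```python
import re
from urllib.parse import unquote

# Constructed sample lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2001-05-28 17:10:04 192.0.2.10 GET /default.htm 200
2001-05-28 17:10:05 192.0.2.10 GET /docs/annual%20report.htm 200
2001-05-28 17:10:06 192.0.2.11 GET /scripts/sample.exe 404
2001-05-28 17:10:07 192.0.2.11 GET /scripts/sample%2Eexe 404
2001-05-28 17:10:08 192.0.2.11 GET /scripts/sample%252Eexe 404
2001-05-28 17:10:09 192.0.2.12 GET /images/logo%zz.gif 400
"""

PCT_NOT_SPACE = re.compile(r"%(?!20)")  # the rule proposed in the post
MAX_DECODE_PASSES = 3                   # assumption: covers double encoding

def normalize(uri):
    """Percent-decode until the value stops changing, then lowercase it."""
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def classify(uri):
    """Return the list of reasons a request URI should be reviewed."""
    reasons = []
    if ".exe" in uri.lower():
        reasons.append("literal .exe")      # what the batch-file IDS sees
    elif ".exe" in normalize(uri):
        reasons.append("encoded .exe")      # visible only after decoding
    if PCT_NOT_SPACE.search(uri):
        reasons.append("% not followed by 20")
    return reasons

def scan(log_text):
    """Yield (client_ip, uri, reasons) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue                        # skip W3C header and short lines
        reasons = classify(fields[4])
        if reasons:
            hits.append((fields[2], fields[4], reasons))
    return hits
```

The "%" rule also fires on any legitimately encoded character other than a space, so matching on the decoded URI gives the more specific signal of the two.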



