Penetration Testing mailing list archives

Re: update on IIS 5.0 relative path vulnerability


From: Dominic <dbeecher () blueyonder co uk>
Date: Mon, 10 Sep 2001 21:10:48 +0100

H D Moore wrote:

can anyone provide a Chinese to English translation for the readme?


A little rough, but this is basically what it says:


********************

IIS privilege escalation tool by isno

Includes the following:
idq.dll: ISAPI program for privilege escalation
ispc.exe: client-side program for connecting

Brief explanation:
This software makes use of the IIS 5.0 + SP0 (SP1, SP2)
privilege checking hole to obtain SYSTEM privilege; all
you have to do is upload idq.dll to an executable directory
of IIS, and you can obtain SYSTEM privilege.

How to use:
First use the UNICODE or double decoding hole to upload
idq.dll to an executable directory, for example /scripts,
and then use ispc.exe to connect:

  C:\>ispc 127.0.0.1/scripts/idq.dll

  Start to connect to the server...
  We Got It!
  Please Press Some <Return> to Enter Shell....



  Microsoft Windows 2000 [Version 5.00.2195]
  (C) All rights reserved 1985-1998 Microsoft Corp.

  C:\WINNT\system32>

The cmd.exe thus obtained has SYSTEM privileges.

N.B.:

1. After you've uploaded idq.dll to an IIS executable
directory, it must be called one of the following:

  idq.dll
  httpext.dll
  httpodbc.dll
  ssinc.dll
  msw3prt.dll
  author.dll
  admin.dll
  shtml.dll
  sspifilt.dll
  compfilt.dll
  pwsdata.dll
  md5filt.dll
  fpexedll.dll

If you use another name, then there's no way to obtain
SYSTEM privilege.

2. After you've finished entering a command, you must hit
carriage return three times, [next bit is dodgy] to get
a prompt back.

3. SP3 is not affected by this hole.

********************

Cheers

Dominic
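A defender's check for the footprint the readme describes, added here as an example and not part of Dominic's post or of the tool it translates: it scans IIS W3C log lines for requests that reach one of the listed in-process ISAPI filenames through an executable virtual directory such as /scripts. The log field order, the directory list and the sample log lines are assumptions constructed for the example.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Filenames the translated readme says the uploaded DLL must be given:
# ISAPI extensions and filters that IIS 5.0 before SP3 loads in-process.
# A request for one of them inside a web-writable executable directory
# is the footprint of the technique, so flag it for review.
INPROCESS_ISAPI_NAMES = {
    "idq.dll", "httpext.dll", "httpodbc.dll", "ssinc.dll", "msw3prt.dll",
    "author.dll", "admin.dll", "shtml.dll", "sspifilt.dll", "compfilt.dll",
    "pwsdata.dll", "md5filt.dll", "fpexedll.dll",
}

# Assumption: executable virtual directories on the server under review
# (/scripts is the one the readme uses as its example).
EXECUTABLE_DIRS = ("/scripts/", "/msadc/")

def parse_w3c_line(line: str) -> Optional[dict]:
    """Parse one W3C extended log line. Assumption: the #Fields order is
    'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"c_ip": parts[2], "uri_stem": parts[4], "status": parts[6]}

def check_request(rec: dict) -> Optional[Tuple[str, str, str]]:
    # Decode twice: the double-decoding hole the readme mentions means the
    # affected IIS sees the path after two decode passes, so match on that.
    stem = unquote(unquote(rec["uri_stem"])).lower()
    for d in EXECUTABLE_DIRS:
        name = stem[len(d):]
        if stem.startswith(d) and name in INPROCESS_ISAPI_NAMES:
            return (rec["c_ip"], rec["uri_stem"],
                    f"in-process ISAPI name {name} requested under {d}")
    return None

def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return one (client ip, raw uri-stem, reason) hit per matching line."""
    records = (parse_w3c_line(l) for l in lines)
    hits = (check_request(r) for r in records if r is not None)
    return [h for h in hits if h is not None]

# Constructed sample log (not real traffic) for a stand-alone run.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-09-10 20:10:48 192.0.2.7 GET /default.htm - 200",
    "2001-09-10 20:11:02 192.0.2.7 GET /scripts/IDQ.dll - 200",
    "2001-09-10 20:11:30 192.0.2.9 GET /scripts/search.asp - 200",
]
```

Running `scan_log(SAMPLE_LOG)` returns the single /scripts/IDQ.dll request; a hit is a lead to confirm on disk, since a legitimate install keeps these DLLs under the IIS program directories, not under a script-mapped upload path.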

