Vulnerability Development mailing list archives

Re: Question Regarding new IIS escaped char exp.


From: Ralph Moonen <ralph () tink org>
Date: Mon, 21 May 2001 22:41:39 +0200

At 05:11 21-5-01 -0500, H D Moore wrote:
> On Thursday 17 May 2001 01:03 pm, w1re p4ir wrote:
> > Ello all,
> > If an IIS machine is patched against the Unicode Attack that was released
> > many months ago... Does this exploit work? I haven't really been able to
> > test it on a machine that ISN'T nt4.0 sp6/a. Anyone have any ideas? -wire
>
> Yes, it would work.  The new one also affects IIS 3.0, which was previously
> unexploitable (?)

Actually, this is not true. Some foreign language versions of 3.0 are
definitely vulnerable. I have tested against 3.0 German and Japanese (or was it
Chinese, I can't remember) and they were vuln.

> after the sample files had been removed.  I updated the
> unicoder.pl tool to use the new decode sequences and added an interactive
> mode per request (command shell).  A few new directories were added, which
> should make exploiting IIS 5.0 and OWA machines easier. You can grab the
> latest copy from:
>
> http://www.digitaloffense.net/csw/unicoder.pl

Nice exploit. But it will not find non-English servers vulnerable. The German
version of IIS returns 'Verzeignis von' instead of ' Directory of'. Other
languages also break your script. So if you want it to find all versions, you
should actually check for "<DIR>" or execute ver.exe and grep for 'Windows'.

Cheers!

--Ralph
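Ralph's point about locale-dependent strings, worked through as an added example (not code from the thread or from unicoder.pl): a small parser that recognises `dir` output by its `<DIR>` marker and size column rather than the English-only 'Directory of' header, run against constructed English and German listings. The German header and summary wording in the samples are approximations, not captured server output.

```python
import re
from typing import List, Optional, Tuple

# One entry line of `dir` output. Date and time formats are locale-specific
# (05/21/2001 10:41p vs. 21.05.2001 22:41), but the <DIR> marker, the size
# column and the name are identical in every language version of IIS/NT.
ENTRY_RE = re.compile(
    r"^\s*(?P<date>\d+[./-]\d+[./-]\d+)\s+(?P<time>\d{1,2}:\d{2}[AaPp]?[Mm]?)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d[\d.,]*))\s+(?P<name>.+?)\s*$"
)

def parse_dir_listing(text: str) -> List[Tuple[str, bool, Optional[int]]]:
    """Return (name, is_dir, size) tuples without relying on the localised header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, volume and summary lines, blanks
        if m.group("dir"):
            entries.append((m.group("name"), True, None))
        else:
            # Thousands separator is "," in English and "." in German output.
            size = int(re.sub(r"[.,]", "", m.group("size")))
            entries.append((m.group("name"), False, size))
    return entries

def is_listing_fragile(text: str) -> bool:
    """The check Ralph objects to: only the English header carries this string."""
    return "Directory of" in text

def is_listing(text: str) -> bool:
    """Ralph's suggestion: the <DIR> marker is the same in every locale."""
    return any(is_dir for _, is_dir, _ in parse_dir_listing(text))

# Constructed sample output (not captured from real servers); the German
# header and summary wording are approximations.
ENGLISH = """\
 Directory of C:\\inetpub
05/21/2001  10:41p      <DIR>          wwwroot
05/21/2001  10:41p               1,234 readme.txt
               1 File(s)          1,234 bytes
"""
GERMAN = """\
 Verzeichnis von C:\\inetpub
21.05.2001  22:41       <DIR>          wwwroot
21.05.2001  22:41                1.234 readme.txt
               1 Datei(en)          1.234 Bytes
"""
```

The same idea applies to the ver.exe alternative Ralph mentions: key on a token that survives localisation rather than on a translated phrase.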

