Vulnerability Development mailing list archives
Re: Question Regarding new IIS escaped char exp.
From: Ralph Moonen <ralph () tink org>
Date: Mon, 21 May 2001 22:41:39 +0200
At 05:11 21-5-01 -0500, H D Moore wrote:
On Thursday 17 May 2001 01:03 pm, w1re p4ir wrote:
> Ello all,
> If an IIS machine is patched against the Unicode Attack that was released
> many months ago... Does this exploit work? I haven't really been able to
> test it on a machine that ISN'T nt4.0 sp6/a. Anyone have any ideas? -wire

Yes it would work. The new one also affects IIS 3.0, which was previously
unexploitable (?)
Actually, this is not true. Some foreign language versions of 3.0 are definitely vulnerable. I have tested against 3.0 German and Japanese (or was it Chinese, I can't remember) and they were vuln.
after the sample files had been removed. I updated the unicoder.pl tool to use the new decode sequences and added an interactive mode per request (command shell). A few new directories were added, which should make exploiting IIS 5.0 and OWA machines easier. You can grab the latest copy from: http://www.digitaloffense.net/csw/unicoder.pl
Nice exploit. But it will not find non-English servers vulnerable. The German version of IIS returns 'Verzeignis von' instead of ' Directory of'. Other languages also break your script.

So if you want it to find all versions, you should actually check for "<DIR>" or execute ver.exe and grep for 'Windows'.

Cheers!

--Ralph
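Added example (not code from this thread or from unicoder.pl), looking at the locale problem Ralph raises from the defender's side: a response-inspection check that recognises a cmd.exe directory listing by its structural "<DIR>" entries rather than by the English " Directory of" header, so a German or other localized listing is not missed. The sample response bodies and the German header text are constructed for the example.

```python
import re

# One cmd.exe "dir" entry for a subdirectory, e.g.
#   05/21/01  10:41p       <DIR>          scripts     (English locale)
#   21.05.01  22:41        <DIR>          scripts     (German locale)
# Date and time formats vary by locale; the "<DIR>" token and the
# trailing name do not, so the pattern keys on those.
DIR_ENTRY = re.compile(r"^\s*\S+\s+\S+\s+<DIR>\s+\S", re.MULTILINE)

# The locale-bound check the thread criticises: only the English header.
ENGLISH_HEADER = " Directory of "


def english_header_check(body: str) -> bool:
    """Locale-dependent check: True only for an English 'dir' header."""
    return ENGLISH_HEADER in body


def looks_like_dir_listing(body: str, min_entries: int = 2) -> bool:
    """Locale-independent check: True if body has >= min_entries <DIR> lines."""
    return len(DIR_ENTRY.findall(body)) >= min_entries


def flag_leaking_responses(responses):
    """Return the ids of responses whose body looks like a cmd.exe listing."""
    return [rid for rid, body in responses if looks_like_dir_listing(body)]


# Constructed sample response bodies (not real captures). "r2" is an
# English listing, "r3" a German one ("Verzeichnis von" is assumed here as
# the German equivalent of "Directory of"); "r1" is an ordinary page.
SAMPLE_RESPONSES = [
    ("r1", "<html><body>Welcome to our site</body></html>"),
    ("r2", " Volume in drive C has no label.\n"
           " Directory of C:\\inetpub\\scripts\n\n"
           "05/21/01  10:41p       <DIR>          .\n"
           "05/21/01  10:41p       <DIR>          ..\n"
           "05/21/01  10:41p               1,234 test.asp\n"),
    ("r3", " Datentraeger in Laufwerk C: hat keine Bezeichnung.\n"
           " Verzeichnis von C:\\inetpub\\scripts\n\n"
           "21.05.01  22:41        <DIR>          .\n"
           "21.05.01  22:41        <DIR>          ..\n"
           "21.05.01  22:41                1.234 test.asp\n"),
]

if __name__ == "__main__":
    for rid, body in SAMPLE_RESPONSES:
        print(rid, english_header_check(body), looks_like_dir_listing(body))
    print(flag_leaking_responses(SAMPLE_RESPONSES))
```

Running it shows the English-only check accepting r2 but missing r3, while the structural check flags both listings and leaves the ordinary page alone.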