Subject: Re: [PEN-TEST] IIS %c1%1c remote command execution
From: David Wong (dw280 at COLUMBIA.EDU)
Date: Sat Oct 21 2000 - 00:42:13 CDT
- Next message: Alfred Huger: "Re: [PEN-TEST] HP's VirtualVault"
- Previous message: Patrick Mueller: "Re: [PEN-TEST] Lotus Notes ID Files"
- In reply to: Tom Vandepoel: "Re: [PEN-TEST] IIS %c1%1c remote command execution"
- Next in thread: Frank Knobbe: "Re: [PEN-TEST] IIS %c1%1c remote command execution"
- Reply: David Wong: "Re: [PEN-TEST] IIS %c1%1c remote command execution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Tom,
It's the UTF-8 encoding of Unicode. Try %e0%80%af
Dave
----- Original Message -----
From: "Tom Vandepoel" <Tom.Vandepoel at UBIZEN.COM>
To: <PEN-TEST at SECURITYFOCUS.COM>
Sent: Thursday, October 19, 2000 2:40 PM
Subject: Re: [PEN-TEST] IIS %c1%1c remote command execution
> Michael Katz wrote:
> >
> > On Thursday, October 19, 2000 8:19 AM, Critical Watch Bugtraqqer wrote:
> >
> > > However,
> > > I haven't been able to find a use for this if the web site is on
> > > a separate
> > > drive. Ok, sure if there is a sample page that allows you to
> > > cruise around
> > > folders and look for interesting executables, or maybe perl.exe in the
> > > cgi-bin, you could use this exploit. But what else? Any thoughts?
> >
> > You can get directory listings of any directory on any drive, including
> > mapped drives, as well as read the contents of numerous files that you
> > find - again, on any drive. I have confirmed this by successfully testing
> > this exploit on vulnerable servers.
> >
>
> Haven't done any successful testing on this yet, but in the examples,
> it's always mentioned with an executable virtual dir, like /scripts. Is
> that a requirement for this vulnerability, so does it also allow you to
> view files directly, through regular document directories, without
> executing cmd.exe?
>
> Also, what I've gleaned from RFP's writeup is that there seem to be
> different variations. I've just seen a signature posted on the
> snort-sigs list, that lists it as:
>
> %c0%hh/%c1%hh IIS exploit
>
> which seems to suggest there are even more valid values, probably
> depending on the language version of NT that is installed...anyone made
> a list of those unicodes yet? I started out whacking together a quick
> perl script to do as RFP has done, which is to scan through all 2-byte
> combinations, but I haven't had the time to explore that fully. Any more
> experience with that here?
>
> Tom.
>
>
> --
> _________________________________________________
>
> Tom Vandepoel
> Sr. Network Security Engineer
>
> www.ubizen.com
> tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
> Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
> _________________________________________________
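Dave's one-line answer (the variants are just different UTF-8 encodings of the same Unicode character, and `%e0%80%af` is a three-byte form of `/`) is easiest to see in code. The following detector is an added example written for this archive page; it is not part of the thread, of RFP's scanner, or of the Snort signature Tom mentions. It uses only the Python standard library, and the log lines it scans are constructed samples. It percent-decodes a request path, walks the bytes, and reports every multibyte sequence that a strict UTF-8 decoder (RFC 3629) must reject but a lenient one would still map to a character: either an "overlong" form (a code point encoded in more bytes than it needs, such as `%c0%af` or `%e0%80%af` for `/`) or a sequence whose continuation byte lacks the `10xxxxxx` prefix (such as `%c1%1c`, which a lenient decoder turns into `\`). Flagging those at the log or filter layer catches the whole family rather than one hard-coded byte pair.

```python
"""Flag overlong or malformed UTF-8 sequences in percent-encoded request paths.

Added example for this thread (not the list's or any vendor's code). A lenient
decoder that simply concatenates the low six bits of each byte will accept the
sequences reported here; a strict RFC 3629 decoder rejects them.
"""
from urllib.parse import unquote_to_bytes

# Smallest code point a sequence of each length may legitimately encode.
_MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}


def _lead_info(b):
    """Return (sequence length, payload bits of the lead byte), or None for ASCII
    and bytes that cannot start a sequence."""
    if 0xC0 <= b <= 0xDF:
        return 2, b & 0x1F
    if 0xE0 <= b <= 0xEF:
        return 3, b & 0x0F
    if 0xF0 <= b <= 0xF7:
        return 4, b & 0x07
    return None


def suspicious_utf8(path):
    """Percent-decode `path` and list every multibyte sequence that is overlong
    or has a bad continuation byte. Each finding records the byte offset, the
    raw bytes, the code point a lenient decoder would produce, the character
    for that code point, and the reason."""
    raw = unquote_to_bytes(path)
    findings = []
    i = 0
    while i < len(raw):
        info = _lead_info(raw[i])
        if info is None:          # ASCII, stray continuation byte, or 0xF8-0xFF
            i += 1
            continue
        length, cp = info
        seq = raw[i:i + length]
        if len(seq) < length:     # sequence truncated at end of path
            break
        bad_cont = any((c & 0xC0) != 0x80 for c in seq[1:])
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)   # lenient decode: ignore the prefix check
        if bad_cont:
            reason = "bad-continuation"
        elif cp < _MIN_CP[length]:
            reason = "overlong"
        else:
            reason = None                 # well-formed, e.g. %c3%a9 for 'é'
        if reason:
            findings.append({
                "offset": i,
                "bytes": seq.hex(),
                "codepoint": cp,
                "char": chr(cp) if cp <= 0x10FFFF else None,
                "reason": reason,
            })
        i += length
    return findings


def flag_request(path):
    """Return only the findings that decode to a path-significant character;
    these are the ones a traversal filter working on the raw URL would miss."""
    return [f for f in suspicious_utf8(path) if f["char"] in ("/", "\\", ".")]


# Constructed sample log lines in a minimal "METHOD PATH STATUS" form.
SAMPLE_LOG = [
    "GET /scripts/..%c1%1c../test.txt 200",
    "GET /scripts/..%c0%af../test.txt 200",
    "GET /scripts/..%e0%80%af../test.txt 200",
    "GET /caf%c3%a9/index.html 200",      # legitimate UTF-8, must not flag
    "GET /images/logo.gif 200",
]


def scan_log(lines):
    """Return (path, [(bytes, reason, char), ...]) for each flagged request."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        hits = flag_request(parts[1])
        if hits:
            out.append((parts[1], [(h["bytes"], h["reason"], h["char"]) for h in hits]))
    return out


if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG):
        print(path, hits)
```

Running it over the sample lines flags the three encoded-traversal requests and leaves the genuine `%c3%a9` request alone; the `bad-continuation` case is the one plain-ASCII or single-signature filters tend to miss, which is why the check is on the decoded byte structure rather than on a fixed list of escapes.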