[18826] in bugtraq
Re: shell on IIS server with Unicode using *only* HTTP
daemon@ATHENA.MIT.EDU (Marc Maiffret)
Fri Jan 26 11:55:22 2001
Message-Id: <MMEPIMEOCNNBECDFLCADGENBCAAA.marc@eeye.com>
Date: Thu, 25 Jan 2001 12:47:43 -0800
Reply-To: Marc Maiffret <marc@EEYE.COM>
From: Marc Maiffret <marc@EEYE.COM>
X-To: Roelof Temmingh <roelof@SENSEPOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.21.0101250130460.67247-101000@wips.sensepost.com>
| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Roelof
| Temmingh
| Sent: Wednesday, January 24, 2001 4:30 PM
| To: BUGTRAQ@SECURITYFOCUS.COM
| Subject: shell on IIS server with Unicode using *only* HTTP
|
<snip>
| Above procedure will drop you into a shell on the box
| without crashing the server (*winks at Eeye*).
Actually, the reason the server crashed with our exploit (IISHack 1.5, if
that's the one you're talking of) was because we were not simply just copying
a file in an attempt to remotely get a cmd.exe prompt as IUSR_MACHINE, because
that's easy. Our exploit actually took the Unicode attack a step further by
exploiting a local buffer overflow within the .asp handler, which then led
to us binding a cmd.exe prompt to a remote server as SYSTEM.
URL to IISHack1.5 http://www.eeye.com/html/Advisories/IISHack1.5.html
| This procedure is nice for servers that are very tightly
| firewalled; servers that are not allowed to FTP, RCP or TFTP
| to the Internet.
|
| 2. Unicodexecute version3 (unicodexecute3.pl)
| same as before plus
| -includes searches for alternative executable dirs
| -more robust, stable than before
| -checks for access denied etc. added
|
|
| Regards,
| Roelof.
|
| ------------------------------------------------------
| Roelof W Temmingh SensePost IT security
| roelof@sensepost.com +27 83 448 6996
| http://www.sensepost.com
Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com
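The thread above is about the IIS "Unicode" directory traversal: the server percent-decoded a request path and then accepted overlong UTF-8 encodings of ASCII, so that `..` followed by an overlong slash or backslash slipped past the traversal check and reached cmd.exe. The following is an added detection-side example, not code from either poster or from eEye or SensePost. It decodes a request path the permissive way such a decoder did, canonicalizes it, and flags both the nonstandard encoding and any escape above the web root. The sequences `%c0%af` (overlong `/`) and `%c1%9c` (overlong `\`) are the ones generally associated with that bug; they are not mentioned in the messages above, and the sample request lines are constructed for the example.

```python
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the permissive way a non-conforming decoder does:
    multi-byte sequences are accepted even when they are overlong
    encodings of ASCII (e.g. C0 AF -> '/', C1 9C -> '\\'), which a
    conforming decoder must reject. Bytes that do not start a complete
    sequence are passed through as single Latin-1 characters."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b < 0xE0:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            need, cp = 3, b & 0x07
        else:
            need = 0
        tail = data[i + 1:i + 1 + need]
        if need and len(tail) == need and all(0x80 <= t < 0xC0 for t in tail):
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            out.append(chr(cp if cp <= 0x10FFFF else 0xFFFD))
            i += 1 + need
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def analyze_request_path(request_target: str) -> dict:
    """Percent-decode a request-target, decode it leniently, and report
    whether the encoding was nonstandard (strict UTF-8 rejects it or
    decodes it differently) and whether the canonical path climbs above
    the web root via '..' segments (after folding '\\' into '/')."""
    path = request_target.split("?", 1)[0]
    raw = unquote_to_bytes(path)
    try:
        strict = raw.decode("utf-8")
    except UnicodeDecodeError:
        strict = None
    lenient = lenient_utf8_decode(raw)
    normalized = lenient.replace("\\", "/")
    depth, escapes_root = 0, False
    for seg in normalized.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                escapes_root = True
        else:
            depth += 1
    return {
        "decoded": normalized,
        "nonstandard_utf8": strict is None or strict != lenient,
        "escapes_root": escapes_root,
    }


if __name__ == "__main__":
    # Constructed request-targets for illustration; not taken from any real log.
    samples = [
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",   # overlong '/'
        "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",   # overlong '\'
        "/scripts/%2e%2e/default.asp",                          # plain '..', stays in root
        "/images/caf%c3%a9.png",                                # valid UTF-8, benign
    ]
    for s in samples:
        r = analyze_request_path(s)
        verdict = "ALERT" if (r["nonstandard_utf8"] and r["escapes_root"]) else "ok"
        print(f"{verdict:5} {s:55} -> {r['decoded']}")
```

Run over a web log, the interesting condition is the conjunction: a request that both needs the permissive decoder and escapes the root is the signature of this bug class, whereas a plain `%2e%2e` that stays inside the root, or valid UTF-8 in a filename, is normal traffic. Note that the check is on the decoded path, not on a fixed `%c0%af` string, so other overlong spellings of the same bytes are caught as well.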