[20668] in bugtraq
About the new IIS %252c bug.
daemon@ATHENA.MIT.EDU (neme-dhc@hushmail.com)
Wed May 16 12:04:39 2001
From: neme-dhc@hushmail.com
Message-Id: <200105152218.PAA15671@user7.hushmail.com>
To: bugtraq@securityfocus.com
Date: Tue, 15 May 2001 18:16:11 -0500 (EDT)
Hi,
I spotted the same behaviour on my win2k + IIS 5.0 installation. When I
installed the Unicode patch this problem disappeared, which is why I did not
publish this. Maybe other people can reproduce this as well?
Another one that works is %252f.
%255c and %252f (slash and backslash) worked before I applied the patch
and ceased working afterwards.
%255c and %252f are NOT Unicode codes but hex codes. I find it strange that
the Unicode patch fixed this.
IIS 4.0 installations without the Unicode patch were not vulnerable when
I tried.
greetz,
nemesystm
>
>/*
> *
> * execiis.c - (c)copyright Filip Maertens
> * BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
> *
> * DISCLAIMER: This is proof of concept code. This means, this code
> * may only be used on approved systems in order to test the availability
> * and integrity of machines during a legal penetration test. In no way
> * is the author of this exploit responsible for the use and result of
> * this code.
> *
> */
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <sys/socket.h>
>#include <sys/types.h>
>#include <netinet/in.h>
>#include <unistd.h>
>#include <string.h>
>
>
>/* Modify this value to whichever sequence you want.
> *
> * %255c = %%35c = %%35%63 = %25%35%63 = /
> *
> */
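The mechanism behind the %255c / %252f sequences discussed in this thread is double URL decoding: the server decodes the request once, runs its traversal check, and then decodes the already-decoded path a second time before touching the filesystem, so "..%255c" passes the check as a harmless filename component and only turns into "..\" afterwards. The following is an added example (written for this edit, not code from the original post or from execiis.c) that models that ordering in C and contrasts it with the fixed ordering. The check/open sequence, the sample request paths and the function names are assumptions made for illustration; they are a simplified model of the bug, not IIS's actual code.

```c
/* double_decode_demo.c - model of the IIS CGI filename double-decode
 * bug. Added example, not part of the original post or of execiis.c.
 * The check/open ordering below is a simplified model, not IIS code. */
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode exactly one layer of %XX escapes from in into out (NUL-terminated).
 * Malformed escapes are copied through unchanged. Returns strlen(out). */
size_t url_decode_once(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval((unsigned char)in[i + 1])) >= 0
            && (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Walk the path components, treating both '/' and '\\' as separators
 * (as IIS does), and report 1 if a ".." climbs above the root. */
int escapes_root(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p != '\0') {
        size_t n = strcspn(p, "/\\");
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 1;
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            depth++;
        }
        p += n;
        if (*p != '\0') p++;
    }
    return 0;
}

/* Vulnerable ordering (model): the traversal check runs on the
 * once-decoded path, but the path handed to the filesystem is decoded
 * a second time. Returns 1 if accepted, writing the path that would be
 * opened into final. */
int vulnerable_accepts(const char *raw, char *final, size_t sz)
{
    char once[512];
    url_decode_once(raw, once, sizeof once);
    if (escapes_root(once))
        return 0;                         /* "..%5c" is caught here ... */
    url_decode_once(once, final, sz);     /* ... but "..%255c" is now "..\" */
    return 1;
}

/* Fixed ordering (model): decode once and run the check on the very
 * string that will be used to open the file. */
int fixed_accepts(const char *raw, char *final, size_t sz)
{
    url_decode_once(raw, final, sz);
    return escapes_root(final) ? 0 : 1;
}

int main(void)
{
    /* Constructed request paths in the shape the exploit sends. */
    const char *dbl = "/scripts/..%255c..%255cwinnt/system32/cmd.exe";
    const char *sgl = "/scripts/..%5c..%5cwinnt/system32/cmd.exe";
    char path[512];

    printf("double-encoded, vulnerable: accepted=%d path=%s\n",
           vulnerable_accepts(dbl, path, sizeof path), path);
    printf("double-encoded, fixed:      accepted=%d path=%s\n",
           fixed_accepts(dbl, path, sizeof path), path);
    printf("single-encoded, vulnerable: accepted=%d\n",
           vulnerable_accepts(sgl, path, sizeof path));
    return 0;
}
```

Note that the fixed model still accepts the double-encoded request; it simply opens the literal filename "..%5c..%5cwinnt" under /scripts, which does not exist, instead of walking out of the web root. That matches the thread's observation that the sequences "ceased working" after patching rather than being rejected outright.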