[17345] in bugtraq


Re: IIS Unicode

daemon@ATHENA.MIT.EDU (Ryan Yagatich)
Wed Oct 25 14:00:28 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <NEBBKDPOGLLPEMKLLGKLGEJJCGAA.ryagatich@csn1.com>
Date:         Wed, 25 Oct 2000 11:08:08 -0400
Reply-To: Ryan Yagatich <ryagatich@CSN1.COM>
From: Ryan Yagatich <ryagatich@CSN1.COM>
X-To:         Roelof Temmingh <roelof@SENSEPOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSF.4.21.0010250230530.1398-100000@wips.sensepost.com>

i too have attempted to redirect data.. here is what i've tried:

cmd.exe....echo+hello+world+>>c:\\temp.txt
**error**
cmd.exe....echo+hello+world+%3e%3e+c:\\temp.txt
**error**
cmd.exe....echo+hello+world+\%3e+\%3e+c:\\temp.txt
**error**
cmd.exe....echo+hello+world+\/%3e+\/%3e+c:\\temp.txt
**error**

so, it seems that it's not accepting the values for >> symbol, or its hex
equivalent... although i have not done too much study on iis to make a valid
response, these tests have been accurate on Windows 2000 US/IIS5.0

so, we've found out that redirection doesn't work... but how about writing
your code, or trojan on your PC, set up a tftp server and download this to
allow "shell access".

read Zoa_Chien's publication: exploiting IIS unicode bug using tftp and
samba for a better explanation of how it works.

hope this sheds a little light.
ryan

Roelof Temmingh wrote:

<<I was having problems executing a command that contains a redirect (>)
using any of the IIS Unicode exploits (including my own exploits on security
focus ;) ).>>
