Re: shell on IIS server with Unicode using *only* HTTP

[Marc Maiffret <marc () EEYE COM>]

| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Roelof
| Temmingh
| Sent: Wednesday, January 24, 2001 4:30 PM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: shell on IIS server with Unicode using *only* HTTP
|
<snip>
|  Above procedure will drop you into a shell on the box
|  without crashing the server (*winks at Eeye*).

Actually the reason the server crashed with our exploit (IISHack 1.5, if
that's the one your talking of) was because we were not simply just copying
a file in attempts to remotely get a cmd.exe prompt as IUSR_MACHINE because
that's easy. Our exploit actually took the unicode attack a step further by
exploiting a local buffer overflow within the .asp handler which then lead
to us binding a cmd.exe prompt to a remote server as SYSTEM.

URL to IISHack1.5 http://www.eeye.com/html/Advisories/IISHack1.5.html

|  This procedure is nice for servers that are very tightly
|  firewalled; servers that are not allowed to FTP, RCP or TFTP
|  to the Internet.
|
| 2. Unicodexecute version3 (unicodexecute3.pl)
|  same as before plus
|  -includes searches for alternative executable dirs
|  -more robust, stable than before
|  -checks for access denied etc. added
|
|
| Regards,
| Roelof.
|
| ------------------------------------------------------
| Roelof W Temmingh             SensePost IT security
| roelof () sensepost com               +27 83 448 6996
|               http://www.sensepost.com


Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com