Bugtraq mailing list archives
Re: shell on IIS server with Unicode using *only* HTTP
From: Marc Maiffret <marc () EEYE COM>
Date: Thu, 25 Jan 2001 12:47:43 -0800
| -----Original Message-----
| From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Roelof Temmingh
| Sent: Wednesday, January 24, 2001 4:30 PM
| To: BUGTRAQ () SECURITYFOCUS COM
| Subject: shell on IIS server with Unicode using *only* HTTP
| <snip>
| Above procedure will drop you into a shell on the box
| without crashing the server (*winks at Eeye*).

Actually the reason the server crashed with our exploit (IISHack 1.5, if that's the one you're talking of) was because we were not simply just copying a file in attempts to remotely get a cmd.exe prompt as IUSR_MACHINE because that's easy. Our exploit actually took the unicode attack a step further by exploiting a local buffer overflow within the .asp handler which then led to us binding a cmd.exe prompt to a remote server as SYSTEM.

URL to IISHack1.5
http://www.eeye.com/html/Advisories/IISHack1.5.html

| This procedure is nice for servers that are very tightly
| firewalled; servers that are not allowed to FTP, RCP or TFTP
| to the Internet.
|
| 2. Unicodexecute version3 (unicodexecute3.pl)
| same as before plus
| -includes searches for alternative executable dirs
| -more robust, stable than before
| -checks for access denied etc. added
|
|
| Regards,
| Roelof.
|
| ------------------------------------------------------
| Roelof W Temmingh SensePost IT security
| roelof () sensepost com +27 83 448 6996
| http://www.sensepost.com

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com