
IIS double UTF decoding bug (old) exploit: IIS explorer
(Ok, it's an old bug but since a lot of non-geeks seem to hate updating their IIS, there still are plenty of valid targets for this exploit.)

-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
The attached file IISexplorer.php is my "SCRIPT KIDDIE COMPATIBLE" exploit for the double urldecoding bug in IIS. (It's a modified version of PHPexplorer, also written by yours truly ;)

-- HOW TO INSTALL --
Simply put all the icons in the RAR file and the file IISexplorer.php on your PHP enabled webserver. The icons should go into the /icons2/ directory, the IISexplorer.php file can be put anywhere.

-- HOW TO USE --
Browse to http://your-server/path/IISexplorer.php?host=[ip of vulnerable target] and you can browse the target system using an explorer style interface.
Please remember, this is version 0.1 beta! So don't expect it to handle errors well.

-- WHERE TO FIND TARGETS TO EXPLORE --
Scan your webserver's logfiles for "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" to get a list of vulnerable IIS's that have been infected with a worm that propagates through this vulnerability.

-- NOTES --
The left frame takes some time to load, since it requires 1 http request for each directory in the list. Make sure to have a decent connection to the internet because this might use quite some bandwidth ;)

-- FUTURE VERSIONS --
I'm probably not gonna invest more time, since it works. Maybe I'm gonna put in an upload/download facility but that would make stuff a bit too easy for them 14 year olds, wouldn't it?

-- YOURS TRULY --

Berend-Jan Wever aka SkyLined
http:/spoor12.edup.tudelft.nl
.
Re: IIS double UTF decoding bug (old) exploit: IIS explorer
On Thursday 11 July 2002 11:28 am, you wrote:
>(Ok, it's an old bug but since a lot of non-geeks seem to hate updating
> their IIS, there still are plenty of valid targets for this exploit.)
>
>-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
>The attached file IISexplorer.php is my "SCRIPT KIDDIE COMPATIBLE" exploit
> for the double urldecoding bug in IIS. (It's a modified version of
> PHPexplorer, also written by yours truly ;)
<snip>
>Berend-Jan Wever aka SkyLined
>http:/spoor12.edup.tudelft.nl
>.

Since it looks like we are going to have tools to test holes, the policy of
only releasing ones designed to test your own system for flaws, needs to be
in. As Berend says we don't need to make it any easier for script kiddies.

Also, this list is going to have script kiddies on it so people need to be
kept aware of not posting specifics about their network which can then be
used to root them. Too often I see people giving out all sorts of information
about their network on lists thinking there are only white hats on it.
--

Steve Szmidt
V.P. Information Technology
Video Group Distributors, Inc.
Re: IIS double UTF decoding bug (old) exploit: IIS explorer
So how hard is it going to be to take a tool/script that only tests
localhost and modify it to test other hosts? There is really no point in
forcing localhost as it won't stop anyone.

Regards;

Steve Manzuik
Founder & Technical Lead
Entrench Technologies
www.entrenchtech.com

Moderator - VulnWatch
www.vulnwatch.org

www.csicon.net



----- Original Message -----
From: "Steve" <steve@videogroup.com>
To: <full-disclosure@lists.netsys.com>
Sent: Thursday, July 11, 2002 10:26 AM
Subject: Re: [Full-Disclosure] IIS double UTF decoding bug (old) exploit:
IIS explorer


> On Thursday 11 July 2002 11:28 am, you wrote:
> >(Ok, it's an old bug but since a lot of non-geeks seem to hate updating
> > their IIS, there still are plenty of valid targets for this exploit.)
> >
> >-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED --
> >The attached file IISexplorer.php is my "SCRIPT KIDDIE COMPATIBLE" exploit
> > for the double urldecoding bug in IIS. (It's a modified version of
> > PHPexplorer, also written by yours truly ;)
> <snip>
> >Berend-Jan Wever aka SkyLined
> >http:/spoor12.edup.tudelft.nl
> >.
>
> Since it looks like we are going to have tools to test holes, the policy of
> only releasing ones designed to test your own system for flaws, needs to be
> in. As Berend says we don't need to make it any easier for script kiddies.
>
> Also, this list is going to have script kiddies on it so people need to be
> kept aware of not posting specifics about their network which can then be
> used to root them. Too often I see people giving out all sorts of information
> about their network on lists thinking there are only white hats on it.
> --
>
> Steve Szmidt
> V.P. Information Technology
> Video Group Distributors, Inc.
> _______________________________________________
> Full-Disclosure mailing list
> Full-Disclosure@lists.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
Re: IIS double UTF decoding bug (old) exploit: IIS explorer
On Thu, Jul 11, 2002 at 12:26:56PM -0400, Steve wrote:

> Since it looks like we are going to have tools to test holes, the policy of
> only releasing ones designed to test your own system for flaws, needs to be
> in. As Berend says we don't need to make it any easier for script kiddies.
>

Unfortunately the exploits that are found on the rooted box are pretty
much never anti-script kiddie, and the problem with subtle breakage of
remote scripts is that it makes it very hard for joe-blow network admin
to prove that there /is/ a vulnerability to the people he has to okay
a maintenance window with.

[snip]
> Steve Szmidt

--
Matthew S. Hallacy FUBAR, LART, BOFH Certified
http://www.poptix.net GPG public key 0x01938203
Re: IIS double UTF decoding bug (old) exploit: IIS explorer
On Thu, Jul 11, 2002 at 11:00:47AM -0600, Steve wrote:
> So how hard is it going to be to take a tool/script that only tests
> localhost and modify it to test other hosts? There is really no point in
> forcing localhost as it won't stop anyone.

That, and it's an extra time-wasting step for a lot of admins who want to
scan their entire network to make sure they know where everything they need
to go fix is.. (Not everyone has well documented networks. I'd speculate
that most do not have well documented networks.)


That said, it might be nicer if more folks released Nessus NASL scripts for
testing purposes instead of half a dozen marginally broken tools, but that
probably won't ever happen. [1]

Admins responsible for the security of their networks need to be made
aware that there are problems, and they need to have adequate tools to
tell them exactly what they need to fix, and to prove that it's been fixed.
This in a world where many admins know less about security than the average
script kiddie.

[1] In my perfect world, every responsible advisory for a remote attack
would come with both a working NASL script to test it, and a set of well
written snort signatures to spot the attack in progress. C'mon guys,
you did all the work to discover and exploit the flaw, do a little more and
tell us how to watch for it while you're at it.

(if that doesn't start an argument of some sort, I don't know what will.)

--
Erik Fichtner; Unix Ronin
http://www.obfuscation.org/techs/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759
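As an added example (not code from the thread or from any of the posters), a defender-side check that covers both the log-scanning tip in the first post and Erik's wish for a way to spot the attack: it URL-decodes the cs-uri-stem of IIS W3C log lines up to twice and reports the decode depth at which a `..` path segment first appears, which is what distinguishes the double-encoded worm request from a request a single decode pass would already catch. The log lines and IP addresses are constructed for the demo.

```python
"""Flag IIS log entries whose path only becomes traversal after a second URL decode.

The worm request quoted in the thread, /scripts/..%255c%255c../winnt/system32/cmd.exe,
contains no real ".." segment until %255c -> %5c -> "\" has been decoded twice, so a
detector that decodes once and then checks for "..\" never sees it.
"""
import re
from urllib.parse import unquote

# Constructed W3C extended log lines (fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)
SAMPLE_LOG = """\
2002-07-11 11:28:01 10.0.0.5 GET /scripts/..%255c%255c../winnt/system32/cmd.exe /c+dir 200
2002-07-11 11:28:07 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 404
2002-07-11 11:29:10 10.0.0.9 GET /default.htm - 200
2002-07-11 11:30:44 10.0.0.12 GET /images/a%20b.gif - 200
"""

MAX_DECODES = 2  # raw, decoded once, decoded twice (the extra pass the buggy IIS applied)


def decode_stages(uri_stem):
    """Return [raw, decoded once, decoded twice] for a cs-uri-stem value."""
    stages = [uri_stem]
    for _ in range(MAX_DECODES):
        stages.append(unquote(stages[-1]))
    return stages


def traversal_depth(uri_stem):
    """Smallest decode depth at which the path has a literal '..' segment, else None.

    Segments are split on both '/' and '\\' because IIS treats either as a separator.
    Depth 2 means a single-decode check would have passed the request through."""
    for depth, form in enumerate(decode_stages(uri_stem)):
        if ".." in re.split(r"[\\/]", form):
            return depth
    return None


def scan_log(text):
    """Return (client_ip, uri_stem, depth) for every line that resolves to traversal."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] not in ("GET", "POST", "HEAD"):
            continue  # skip header/comment lines and anything not shaped like a request
        ip, stem = fields[2], fields[4]
        depth = traversal_depth(stem)
        if depth is not None:
            hits.append((ip, stem, depth))
    return hits


if __name__ == "__main__":
    for ip, stem, depth in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} -> traversal visible after {depth} decode(s)")
```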