| -----Original Message-----
| From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of Roelof
| Temmingh
| Sent: Wednesday, January 24, 2001 4:30 PM
| To: [EMAIL PROTECTED]
| Subject: shell on IIS server with Unicode using *only* HTTP
|
<snip>
| Above procedure will drop you into a shell on the box
| without crashing the server (*winks at Eeye*).
Actually, the reason the server crashed with our exploit (IISHack 1.5, if
that's the one you're talking of) was because we were not simply just copying
a file in attempts to remotely get a cmd.exe prompt as IUSR_MACHINE, because
that's easy. Our exploit actually took the Unicode attack a step further by
exploiting a local buffer overflow within the .asp handler, which then led
to us binding a cmd.exe prompt to a remote server as SYSTEM.
URL to IISHack 1.5: http://www.eeye.com/html/Advisories/IISHack1.5.html
| This procedure is nice for servers that are very tightly
| firewalled; servers that are not allowed to FTP, RCP or TFTP
| to the Internet.
|
| 2. Unicodexecute version3 (unicodexecute3.pl)
| same as before plus
| -includes searches for alternative executable dirs
| -more robust, stable than before
| -checks for access denied etc. added
|
|
| Regards,
| Roelof.
|
| ------------------------------------------------------
| Roelof W Temmingh SensePost IT security
| [EMAIL PROTECTED] +27 83 448 6996
| http://www.sensepost.com
Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com