Bugtraq mailing list archives

About the new IIS %252c bug.
From: neme-dhc () hushmail com
Date: Tue, 15 May 2001 18:16:11 -0500 (EDT)


I spotted the same behaviour on my win2k + IIS 5.0 installation. When I 
installed the unicode patch this problem disappeared. Hence why I did not 
publish this. Maybe other people can reproduce this as well?
Another one that works is %252f.
%255c and %252f (slash and backslash) worked before I applied the patch 
and ceased working afterwards.
%255c and %252f are NOT unicode codes but hex codes. I find it strange that 
the unicode patch fixed this.
IIS4.0 installations without the unicode patch were not vulnerable when 
I tried.


* execiis.c - (c)copyright Filip Maertens
* BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
* DISCLAIMER:    This  is  proof of concept code.  This means, this
* may only be used on approved systems in order to test the
* and integrity of machines  during a legal penetration test.  In no
* is the  author of  this exploit  responsible for the use and result
* this code.

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>

/* Modify this value to whichever sequence you want.
* %255c = %%35c = %%35%63 = %25%35%63 = /
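Added example, not part of the original post or of execiis.c: %25 is the encoding of '%' itself, so %255c and %252f only turn into a backslash and a slash after a second decoding pass, and the variants in the code comment above (%%35c, %25%35%63) reduce to the same thing. The sketch below decodes request URIs until they stop changing and flags any whose separators are invisible to a single decode; the log layout, field positions and all function names are assumptions made for the illustration.

```python
import re

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
MAX_PASSES = 5  # upper bound on decode passes per URI

def decode_once(data: bytes) -> bytes:
    """One percent-decoding pass; decoded output is not rescanned."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def decode_stages(path: str) -> list:
    """[raw, after pass 1, after pass 2, ...] until the value stops changing."""
    stages = [path.encode("utf-8")]
    while len(stages) <= MAX_PASSES and decode_once(stages[-1]) != stages[-1]:
        stages.append(decode_once(stages[-1]))
    return stages

def separators(data: bytes) -> int:
    return data.count(b"/") + data.count(b"\\")

def hidden_separators(path: str) -> int:
    """Slashes/backslashes that appear only after a second or later pass."""
    stages = decode_stages(path)
    once = stages[1] if len(stages) > 1 else stages[0]
    return separators(stages[-1]) - separators(once)

# Constructed log lines (date time client method uri status); not from the post.
SAMPLE_LOG = """\
2001-05-15 18:16:11 192.0.2.10 GET /app/index.htm 200
2001-05-15 18:16:12 192.0.2.10 GET /app/a%5cb.htm 404
2001-05-15 18:16:13 192.0.2.77 GET /app/a%255cb.htm 404
2001-05-15 18:16:14 192.0.2.77 GET /app/a%252fb.htm 404
2001-05-15 18:16:15 192.0.2.77 GET /app/a%%35cb.htm 404
2001-05-15 18:16:16 192.0.2.77 GET /app/a%25%35%63b.htm 404
2001-05-15 18:16:17 192.0.2.10 GET /app/100%25.htm 200
"""

def scan(log_text: str) -> list:
    """Return (client, uri, hidden separator count) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        hidden = hidden_separators(fields[4]) if len(fields) > 4 else 0
        if hidden:
            hits.append((fields[2], fields[4], hidden))
    return hits

if __name__ == "__main__":
    print("\n".join(f"{c} {u} hidden={h}" for c, u, h in scan(SAMPLE_LOG)))
```

The single-encoded %5c request and the literal "100%25" are not flagged, since a filter that checks after one decode already sees their final form.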
