From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Wed Mar 12 2003 - 13:15:25 EST
A. Caruso wrote:
> Hi all:
>
> I have been muking around with different file system traversal exploits for IIS and playing with some of the tools. Most of the tools depend on the default install of IIS with webroot on c:. I've moved webroot to d: on my toybox and haven't been able to jump back to c: to get a shell (cmd). Does anyone know of a mechanism to "jump" file systems. I haven't been able to find anything after RFP said (in his unicode paper) the syntax doesn't exist to do this. (I think that's where I saw it).
> eg
> GET /scripts/../../../%systemroot%/cmd.exe (insert appropriate unicode)
/scripts/ moves around when you move the webroot. However, some others
do not do so necessarily. Have you tried /msadc/ or /iisadmpwd/? IIRC
(it's been a time since I need to do that) Msadc was stored in the OS
partition (i.e. not the webroot).
>
> Short of jumping file systems, what about uploading a shell to webroot through the .ida vuln? (I left those patches off for play).
>
I find it useful, and entertaining, to create a shell using _only_ the
UNICODE vulnerability, cmd.exe and some 'echo' mumbo jumbo. It can be
easily automated if you know where to look (hint: this list).
Regards
Javi
----------------------------------------------------------------------------
Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:30 EDT