| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <000e01c228ef$8e547670$1b59a182@grotedoos> From: SkyLined at edup.tudelft.nl (Berend-Jan Wever) Subject: IIS double UTF decoding bug (old) exploit: IIS explorer (Ok, it's an old bug but since a lot of non-geeks seem to hate updating their IIS, there still are plenty of valid targets for this exploit.) -- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED -- The attached file IISexploere.php is my "SCRIPT KIDDIE COMPATIBLE" exploit for the double urldecoding bug in IIS. (It's a modified version of PHPexplorer, also written by yours truly ;) -- HOW TO INSTALL -- Simply put all the icons in the RAR file and the file IISexplorer.php on your PHP enabled webserver. The icons should go into the /icons2/ directory, the IISexplorer.php file can be put anywere. -- HOW TO USE -- Browse to http://your-server/path/IISexplorer.php?host=[ip of vulnerable target] and you can browse the target system using an explorer style interface. Please remember, this is version 0.1 beta! So don't expect it to handle errors well. -- WHERE TO FIND TARGETS TO EXPLORE -- Scan your webserver's logfiles for "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" to get a list of vulnerable IIS's that have been infected with a worm that propagates through this vulnerability. -- NOTES -- The left frame takes some time to load, since it requires 1 http request for each directory in the list. Make sure to have a decent connection to the internet because this migth use quite some bandwidth ;) -- FUTURE VERSIONS -- I'm probably not gonna invest more time, since it works. Maybe I'm gonna put in a upload/download facility but that would make stuff a bit too easy for them 14 year olds, wouldn't it ? -- YOURS TRULY -- Berend-Jan Wever aka SkyLined http:/spoor12.edup.tudelft.nl . -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020711/dc1dbbdb/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: IISexplorer.php Type: application/octet-stream Size: 15194 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020711/dc1dbbdb/IISexplorer.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: icons2.rar Type: application/x-rar-compressed Size: 16360 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020711/dc1dbbdb/icons2.bin
Powered by blists - more mailing lists