
pentest: IIS 4.0 directory traversal ERROR 500

<<

paddy

Newbie

Posts: 3

Joined: Mon Aug 14, 2006 8:46 pm

Post Fri Aug 18, 2006 4:07 am

pentest: IIS 4.0 directory traversal ERROR 500

my classmates and i are simulating a directory traversal attack on an NT box we set up in our lab with IIS 4.0

Problem is, when entering the actual directory traversal strings in the browser, we get a 500 Internal Server Error.

example strings are as follows:
http://testserverIP/samples/..%c0%af../ ... 32/cmd.exe
http://testserverIP/msadc/..%c0%af../.. ... 32/cmd.exe

since we know that the path exists and that cmd.exe exists, could anyone
give me an idea as to what is possibly preventing us from successfully recreating the said exploit?

any help would be much appreciated.  thanks.  :)
<<

jimbob

Post Fri Aug 18, 2006 4:11 am

Re: pentest: IIS 4.0 directory traversal ERROR 500

Hi,
I don't really know IIS all that well so I'm going to be a little facetious. Have you read the logs? There ought to be an error message explaining the HTTP 500 status code. Are you sure your version of IIS is vulnerable to that particular attack? Are you sure the attack has not succeeded?

Regards,
Jim
<<

dean

Post Fri Aug 18, 2006 8:35 am

Re: pentest: IIS 4.0 directory traversal ERROR 500

Hi Paddy,

Have a look at the following. It covers the IIS Extended Unicode Directory Traversal Vulnerability.

http://www.securityfocus.com/bid/1806/exploit

Your paths & unicode encoding look correct but you have not told cmd.exe what command to run.

Append this to your URLs:

/cmd.exe?/c+ipconfig

HTH,
Dean
<<

paddy

Newbie

Posts: 3

Joined: Mon Aug 14, 2006 8:46 pm

Post Fri Aug 18, 2006 11:04 pm

Re: pentest: IIS 4.0 directory traversal ERROR 500

thanks guys.

hmmm... it seems that our testbox was vulnerable to only certain extended unicode combinations.  (like %c1%1c and %c1%9c, for example)

anyone have any ideas why?
I will also look further into this.

BTW, i used the ever popular "cmd.exe?/c+dir" thing... just neglected to include it in the previous post. (sorry 'bout that, Dean)  :)
in the meantime, we're still tinkering with the testbox. 
thanks again, guys!  ;D
<<

LSOChris

Post Sat Aug 19, 2006 1:32 pm

Re: pentest: IIS 4.0 directory traversal ERROR 500

probably because it's Windows NT, a 2k box should be vulnerable to more combinations of the unicode attack.
Last edited by LSOChris on Sat Aug 19, 2006 1:45 pm, edited 1 time in total.
<<

dean

Post Sat Aug 19, 2006 1:42 pm

Re: pentest: IIS 4.0 directory traversal ERROR 500

Hi Paddy,

%c1%1c is the Chinese representation of '\' in Unicode.

%c1%9c is the English representation of '\'

So your IIS server (English, I assume) :) should only be vulnerable to the English version.

%c0%af should also work on your server.

Tested the following on a Win2k server test box I have:
Successful:
http://ipaddr/scripts/..%c0%af../winnt/ ... e?/c+dir+c:\
http://ipaddr/scripts/..%c1%9c../winnt/ ... e?/c+dir+c:\

Failed:
http://ipaddr/scripts/..%c1%1c../winnt/ ... e?/c+dir+c:\

Also, make sure that the directory (eg: /scripts/) is marked as executable otherwise the attack will fail.

Cheers,
Dean
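An added, defender-side example (not from this thread or any of its posters): a small Python log scanner that percent-decodes a request path, mimics the over-permissive two-byte decoding under which %c0%af and %c1%9c collapse into '/' and '\', and flags the resulting traversal. The sample log lines, the function names and the lenient-decoder behaviour are assumptions constructed for illustration, not IIS's actual decoder.

```python
import re
from urllib.parse import unquote_to_bytes


def lenient_decode(raw: bytes):
    """Decode bytes the way an over-permissive UTF-8 decoder might (assumed
    behaviour): a lead byte 0xC0-0xDF plus *any* following byte is masked into
    one code point, with no overlong or continuation-byte check.
    Returns (decoded_text, list_of_findings)."""
    out, findings, i = [], [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            nxt = raw[i + 1]
            cp = ((b & 0x1F) << 6) | (nxt & 0x3F)
            if b in (0xC0, 0xC1):  # lead bytes C0/C1 are always overlong (cp < 0x80)
                findings.append(f"overlong %{b:02x}%{nxt:02x} -> {chr(cp)!r}")
            if not 0x80 <= nxt <= 0xBF:  # e.g. %1c: not a valid continuation byte
                findings.append(f"bad continuation byte %{nxt:02x}")
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), findings


def analyze_path(url_path: str):
    """Percent-decode, leniently UTF-8-decode, then look for '..' + separator."""
    text, findings = lenient_decode(unquote_to_bytes(url_path))
    if re.search(r"\.\.[\\/]", text):
        findings.append("directory traversal after decoding")
    return text, findings


# Constructed sample log lines (method and cs-uri-stem only), not real traffic.
SAMPLE_LOG = """\
GET /scripts/..%c0%af../winnt/system32/cmd.exe
GET /scripts/..%c1%9c../winnt/system32/cmd.exe
GET /scripts/..%c1%1c../winnt/system32/cmd.exe
GET /samples/default.asp
GET /msadc/..%2f..%2fwinnt/system32/cmd.exe
""".splitlines()


def scan_log(lines):
    """Return (raw_path, decoded_path, findings) for every suspicious line."""
    alerts = []
    for line in lines:
        _method, path = line.split(" ", 1)
        decoded, findings = analyze_path(path)
        if findings:
            alerts.append((path, decoded, findings))
    return alerts
```

Note that %c1%1c masks to the same '\' as %c1%9c only because the assumed decoder ignores the continuation-byte check; a strict decoder rejects it outright, which is one reason servers differ on which sequences work.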
<<

paddy

Newbie

Posts: 3

Joined: Mon Aug 14, 2006 8:46 pm

Post Mon Aug 21, 2006 10:27 pm

Re: pentest: IIS 4.0 directory traversal ERROR 500

roger that. ;)

thanks again, guys!

BTW, we're having fun tinkering with the box.
