
Re: Unicode Attack

From: Daniel Polombo <polombo(at)cartel-securite.fr>
Date: Wed Nov 13 2002 - 14:27:41 EST

On Wed 13/11/2002 at 15:51, Jeremy Junginger wrote:

> Web log entries:

Mmh, here you have a "normal" cmd.exe request : system32/cmd.exe

> INTERESTING NOTE: The web logs indicate that the URL Requested was

And here you have system32.cmd.exe, which unsurprisingly produces a 404.

What *is* surprising is that the webserver logs don't show the actual path.  

> 3) Since there are few (if any) thorough Unicode scanners, is it


Unfortunately, you have to try and generate a list of possible combinations all by yourself:

  • there are a number of possibilities to build a '/' or '\' using the Unicode double decode thingie IIS is so proud of (must be, or they'd have removed it long ago). Learn more about them here:

  http://www.wiretrip.net/rfp/p/doc.asp/i7/d57.htm

  • there are countless possibilities to build a path going to cmd.exe. Most of them should begin with a folder in your webroot from which the webserver is able to execute scripts (i.e., /scripts, /_vti_bin, and so on).

Assuming you wish to generate such a list yourself, IIS shell (yet another Unicode exploit) uses a plain text file as a list of paths to check for on the server. Find it here:

  http://www.cartel-securite.net/res/iisshell-1.3.tgz

Hope this helps,

   Daniel
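
Seen from the log side, the encodings discussed in this message can be flagged by decoding each requested path the way a lenient server would and then checking what it turns into. The following is an added example, not part of the original message or of IIS shell; the sample paths, the flag names and the three-round decode limit are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

MAX_ROUNDS = 3  # assumption: peel at most three layers of %-encoding
# Byte patterns that are never valid UTF-8: overlong forms of shorter characters.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]|\xf0[\x80-\x8f][\x80-\xbf]{2}")

def decode_layers(path: str) -> list[bytes]:
    """Return the path after each %-decoding round, until it stops changing."""
    layers = [path.encode("utf-8")]
    for _ in range(MAX_ROUNDS):
        nxt = unquote_to_bytes(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def fold_overlong(match: re.Match) -> bytes:
    """Map a two-byte overlong sequence to the ASCII byte a lenient decoder yields."""
    seq = match.group(0)
    if len(seq) == 2:
        return bytes([((seq[0] & 0x1F) << 6) | (seq[1] & 0x3F)])
    return seq  # longer overlong forms are flagged but left unfolded

def analyze(path: str) -> list[str]:
    """Return sorted flag names (hypothetical labels) for one requested path."""
    layers = decode_layers(path)
    flags = set()
    if len(layers) > 2:  # the path still changed on a second decoding pass
        flags.add("multi-encoded")
    if any(OVERLONG.search(layer) for layer in layers):
        flags.add("overlong-utf8")
    final = OVERLONG.sub(fold_overlong, layers[-1]).lower()
    if b"../" in final or b"..\\" in final:
        flags.add("traversal")
    if b"cmd.exe" in final:
        flags.add("cmd.exe")
    return sorted(flags)

# Constructed sample request paths, not taken from the logs in this thread.
SAMPLES = [
    "/index.html", "/docs/report%20final.pdf",
    "/scripts/..%255c../winnt/system32/cmd.exe",
    "/scripts/..%c0%af../winnt/system32/cmd.exe",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", analyze(p) or "clean")
```

A path that is only percent-encoded once, such as a space written as `%20`, produces no flags; only a second decoding pass or an overlong byte sequence does.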



Received on Wed Nov 13 19:31:56 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

