On Wednesday 13 June 2001 11:49 am, Nicolas Gregoire wrote: > NB : last time I checked it, the unicoder.pl tool from HD Moore couldn't > find non-english vulnerable versions of IIS (it is looking for > "Directory of" in the returned content and it's, for exemple, > "Répertoire de" in french). It does now thanks to your (?) suggestion about a week ago. I found that it does miss the double decode in a couple cases (%255c..%255c works while %255c../..%255c doesnt), but I should have that corrected within the next day. I wrote a upload facility (echo's out upload.asp ala unicodeloader) but I like the dbug method better. I will be taking the best new features from other unicode / double decode exploits and mergin them into the next version. -HD
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 22:38:10 PDT