At 05:11 21-5-01 -0500, H D Moore wrote:

>On Thursday 17 May 2001 01:03 pm, w1re p4ir wrote:
> > Ello all,
> > If an IIS machine is patched against the Unicode Attack that was released
> > many months ago... Does this exploit work? I haven't really been able to
> > test it on a machine that ISN'T nt4.0 sp6/a. Anyone have any ideas? -wire
>
>Yes it would work. The new one also affects IIS 3.0, which was previously
>unexploitable (?)

Actually, this is not true. Some foreign language versions of 3.0 are definitely vulnerable. I have tested against 3.0 German and Japanese (or was it Chinese, I can't remember) and they were vuln.

>after the sample files had been removed. I updated the
>unicoder.pl tool to use the new decode sequences and added an interactive
>mode per request (command shell). A few new directories were added, which
>should make exploiting IIS 5.0 and OWA machines easier. You can grab the
>latest copy from:
>
>http://www.digitaloffense.net/csw/unicoder.pl

Nice exploit. But it will not find non-English servers vulnerable. The German version of IIS returns 'Verzeignis von' instead of ' Directory of'. Other languages also break your script. So if you want it to find all versions, you should actually check for "<DIR>" or execute ver.exe and grep for 'Windows'.

Cheers!

--Ralph
This archive was generated by hypermail 2b30 : Mon May 21 2001 - 21:15:55 PDT