May 26th, 2002, 09:16 PM
proof of concept
OK! Being that discussion on hacking seems to be alright for the moment, here’s a little ‘proof of concept’ app for the IIS 4/5 Unicode directory traversal.
I know this is a very old subject, but this is still very much a threat from Code Red, Code Red 2, sadmind and Nimda. Although 99.9% of major systems are patched against it, there are still a lot of people buying unpatched boxes or installing Win2k and not patching it. Besides, I got bored.
I didn’t include all the tricks there are, just the one that seems to work the most on the servers I’ve tested: /..%c1%9c../. With this app you can check for cmd.exe in scripts and dir c:\ and that’s all.
I figure if someone knows how to do it they don’t need this app, and if they don’t, well, I’m not gonna be the one. So if you want to go downloading nc from your tftp server, you’re on your own.
I’ve used the rich text box to display returns to limit the chances of getting infected from the remote server.
This is supplied to test your own server blah, blah, blah
Requires VB6 runtime files
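For checking your own server's logs for the /..%c1%9c../ request mentioned in the post, here is a detection sketch, added as an example and not part of the original post or the poster's VB6 app. It goes beyond the single sequence in the post by flagging any 2-byte overlong UTF-8 form (lead byte 0xC0 or 0xC1, which is never valid UTF-8); the log layout, addresses and paths are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import unquote_to_bytes

def fold_overlong(raw: bytes):
    """Return (bytes with 2-byte overlong forms folded to ASCII, number folded)."""
    out, hits, i = bytearray(), 0, 0
    while i < len(raw):
        # Lead bytes 0xC0/0xC1 can only encode code points below 0x80.
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            hits += 1
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out), hits

def classify(uri: str) -> str:
    """Label a request path after percent-decoding and overlong folding."""
    folded, hits = fold_overlong(unquote_to_bytes(uri))
    # Treat backslash as a separator, as a Windows file system would.
    traversal = b".." in folded.replace(b"\\", b"/").split(b"/")
    if hits and traversal:
        return "overlong-traversal"
    if hits:
        return "overlong"
    return "traversal" if traversal else "clean"

# Constructed sample lines: date time client-ip method uri-stem status
SAMPLE_LOG = """\
2002-05-26 21:16:01 192.0.2.10 GET /scripts/..%c1%9c../example 404
2002-05-26 21:16:02 192.0.2.11 GET /docs/%c1%81bout.html 404
2002-05-26 21:16:03 192.0.2.12 GET /docs/caf%c3%a9.html 200
2002-05-26 21:16:04 192.0.2.13 GET /images/../index.html 200
"""

def scan(log_text: str):
    """Return (client_ip, uri, verdict) for every non-clean request."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip short or malformed lines
        verdict = classify(fields[4])
        if verdict != "clean":
            findings.append((fields[2], fields[4], verdict))
    return findings

if __name__ == "__main__":
    for src, uri, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:20} {src:12} {uri}")
```

A hit on a patched server is still worth noting, since the post ties this request pattern to Code Red, sadmind and Nimda scanning.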