Results 1 to 4 of 4

Thread: And tutorials on Unicode?

  1. #1
    Senior Member br_fusion's Avatar
    Join Date
    Apr 2002
    Posts
    167

    And tutorials on Unicode?

    I'm not sure exactly what I'm looking for. I know unicode is basically any character besides the alphabet. I checked the two sites in the FAQ and it seemed to make things more confusing. To be more exact, this is what I want to learn.

    What do these do????!???

    /..%c0%af../

    cmd.exe?/c+dir+c:\

    /..%c1%c1../

    /..%255c..%/

    (and I'm sure there are many more)

    Now I'm not trying to deface webpages with the infamous IIS exploit. I just want to know two things. What do these commands do? Where can I read about them? (because I have had no luck on google.

    thanks fellas

    sorry for such a newb question, I feel bad for asking it.

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    From Google:
    http://www.google.com/search?hl=&cat...=unicode+basic

    Unicode Glossary
    ... (See Definition D3 in Section 3.3, Characters and Coded Representations
    .) (3) The basic unit of encoding for the Unicode character encoding. ...
    Description: Glossary of unicode terminology with additional links to an FAQ and the Unicode Standard Version 3.0.
    Category: Reference > Dictionaries > ... > Computers > Application Specific
    www.unicode.org/glossary/ - 86k - Cached - Similar pages
    [ More results from www.unicode.org ]
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Those things are just ways to crack vulnerable IIS installations.

    It's nothing much to do with Unicode per se, it's just that it's IIS's unicode decoding routine which was vulnerable to this bug.

    You will find plenty of docs on Unicode on the net, but it will not tell you how to exploit IIS, but how to use Unicode in your applications to enable them to be translated into non-western languages.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    I'll try to explain (to my understanding) what is happening when you see that stuff in your logs, or what not.

    Those characters are unicode representations of normal characters. IIS filtered out the normal (non unicode) characters, but didn't filter out the unicode equivilents. The unicode text you had was trying to get out of the root html directory and get IIS to execute cmd.exe, which is the command prompt. The dir part was getting IIS to run the "dir" command inside of the command prompt, which you probably know will list the folders on your computer. From there, an attacker could explore your system and compromise it.

    Luckily, you can patch that vulnerability. I also remember a tutorial a while back where catch used a tool called URLScan that would allow you to control what IIS saw/got. With it, you can prevent all sorts of malicious requests from even reaching IIS to harm it. If you run IIS, and you setup URLScan nicely, I think that you would be much safer than without it. His tut is here: http://www.antionline.com/showthread...hreadid=244658 BTW, I don't mess with IIS too much so I'm not exactly familiar with what goes on with it, etc.

    -Tim_axe

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •