Exploiting the Microsoft IIS Server Unicode hole
First of all, greets go out to all the other guys at manipulation research center for providing me with enough information to start out with this tutorial. Check their website if you'd like.
Microsoft IIS is web server software. That is, a server that stores all the files of a website and makes them available to people on the internet. But like all other software (Microsoft software included) it has security holes. It's been a while since the Unicode hole in Microsoft's IIS was discovered, but "unfortunately" lazy administrators don't care to install the patches that cover these holes. In this tutorial, we will discuss how this bug works, and why it works.
When you visit a website, the address of the file you are currently viewing looks something like this:
This is the remote address of the web server, shown in your browser's address bar. It can be accessed by anyone on the internet. When you enter this site, the web server will give you the index file (index.html or index.php) of the web server's root folder. The most common root folder of a web server is:
This is the web server's local directory, where all the website's main pages are stored. So if you type the remote address
in your browser, the web server will send you its local file:
I hope that wasn't too boring, as it is very important that you understand the difference between local and remote addresses.
Now, what if we want to move a couple of directories up on the web server? We want to move from
How would we do that? You can not type
Nice try, but it won't work. The web server would start looking in its local root folder for the specified directory, and because you can't have ':'s in a directory name, it would crash and you would get an error message in your browser.
If you are familiar with FTP, you know what the DIRUP command is. It's kinda the same thing with web servers and browsers. The command for going one directory up is
If you've done any web design or HTML coding you probably used these a lot. HTML is a programming language for the web. Try to open any .html file in Notepad, and you will see the HTML code of the page.
So couldn't we just put two of these commands after each other, and start accessing the local C drive of the server? Well, you're getting there, but the creators of IIS were (surprisingly) smart enough to think this over and avoid the problem by making the server deny this kind of request. So then what do we do?
Have you ever tried to download a file from the web that has spaces in it? You may have noticed that your browser converts these spaces into
Let's do an example. If you type this into your browser:
w.someserver.com/iis Unicode hole.txt
the browser will replace the spaces with
so you get this:
and then let you download the file. What is this, and why does my browser do it? Computers don't understand spaces. They simply can't. When you look at this document you see spaces in it, but the code that the computer reads has no spaces in it. The only thing the computer does is display it differently. There is no such thing as a space on your hard drive. The text you see ( ) is the Unicode for the ASCII character we call "space". ASCII characters are the characters we see on our monitor when using our computer. There is one Unicode for each ASCII character, and they all look as strange as the one representing the space. So, when you input a space in your browser, it has to be replaced by something the computer can understand before it starts looking for it.
Yeah, all right, but what does this have to do with breaking into a web server? Since the browser can convert spaces into strange Unicode characters and send them to the web server, which understands them, we can also use Unicode characters to spell whatever we want, and the web server will understand it. Not only spaces. Therefore, we can convert the DIRUP command into Unicode and send it to the server. We need to convert the slashes ( ) into Unicode. The Unicode for / is
Well, that's great! Then I'll just type
and I will be able to see the host's C: drive. You're getting there, but there are several reasons why this won't work. First of all, if you ever made it to the server, you would need something to read the directory. The web server won't do that for you. So we need to open the server's DOS prompt in your browser! But we will come back to this later.
Second, when the server decodes it, it sees the DIRUP command, which is restricted, and then denies the request. So what we need to do is encode the already encoded Unicode again. You probably don't follow me now, but I will try to explain once more. We need to encode every character of the Unicode string we already have. Take a look at this little table and you will understand:
So when we encode the ASCII characters
into Unicode, we get
And when the server decodes this string, it gets back to
which is not a regular DIRUP command, therefore it is allowed.
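The same decoding trick, seen from the defender's side. This is an added example and not part of the original tutorial: it normalizes a request path the way a careful server (or log analyser) should before checking for the DIRUP pattern, repeating percent-decoding until the path stops changing so that a doubly encoded request is caught, and folding overlong two-byte UTF-8 forms of ASCII characters back to the character they stand for. The log lines and file names are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# A ".." segment bounded by "/" or "\" (or the path edges), matched on the decoded path.
TRAVERSAL = re.compile(rb"(?:^|[\\/])\.\.(?:[\\/]|$)")


def fold_overlong_utf8(data: bytes) -> bytes:
    """Fold 2-byte UTF-8 sequences that encode an ASCII value (lead byte 0xC0 or
    0xC1, the overlong forms a strict decoder rejects) back to that single byte."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_path(raw: str, max_rounds: int = 3) -> bytes:
    """Percent-decode until the path stops changing (a doubly encoded request, the
    trick described above, needs a second pass), then fold overlong UTF-8."""
    data = raw.split("?", 1)[0].encode("utf-8")   # query string is not a path
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return fold_overlong_utf8(data)


def is_traversal(raw_path: str) -> bool:
    """True when the normalized request path contains a '..' step."""
    return TRAVERSAL.search(normalize_path(raw_path)) is not None


SAMPLE_LOG = [  # constructed sample lines ("METHOD PATH STATUS"), not a real log
    "GET /index.html 200",
    "GET /docs/iis%20Unicode%20hole.txt 200",
    "GET /scripts/..%c0%af../secret/config.txt 200",
    "GET /scripts/..%255c..%255csecret/config.txt 200",
]


def flag_traversal(log_lines):
    """Return the request paths whose decoded form steps out of their directory."""
    return [line.split()[1] for line in log_lines if is_traversal(line.split()[1])]
```

Checking the raw request line for the literal "../" misses both flagged samples; only the normalized path reveals them.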
But there is one more thing we need to know. As I mentioned earlier, when you get connected to a web server, the default root directory is wwwroot. This directory contains (as you already know) the main pages of the site. But there are other directories for other site elements like
These directories contain files that do much more advanced things on the web server itself. So when we are going to manipulate the server, we need to do it from a directory that has the privileges to do it. This is not hard to do; I just want you to understand why we will add
to the final command.
At last, when we execute the server's local DOS prompt, we need to give it a command too. We want to display
We just need to do a couple of things differently than you usually do in your DOS prompt. I'll make it quick.
Start cmd.exe in this way:
Everything after is command line arguments.
Run the command, then close cmd.exe (so that it doesn't keep on running forever).
Instead of space
So at last, the entire command assembled is as follows:
And you will get the server's local C: drive printed inside your browser. Cool, eh?
There are lots of other Unicode "commands" that do the same job, if this one doesn't work (the server
If you wish to publish this document at your site, you may do so, but please do not change it in