Exploiting the Microsoft IIS Server Unicode hole

aboardarmServers

Dec 4, 2013


First of all, greets go out to my friends M4Z3R and all the other guys at the Digital Manipulation Research Center for providing me with enough information to start out with this tutorial. Check their website if you'd like: http://dmrc-team.cjb.net.


Microsoft IIS is web server software. That is, a server that stores all the files of a website and makes them available to people on the internet. But like all other software (especially Microsoft software), it has security holes. It's been a while since the Unicode hole in Microsoft's IIS was discovered, but "unfortunately" lazy administrators don't care to install the patches that cover these holes. In this tutorial, we will discuss how this bug works, and why it works.


When you visit a website, the address of the file you are currently viewing looks something like this:

http://www.someserver.com/

This is the remote address of the web server, shown in your browser's address bar. It can be accessed by anyone on the internet.

When you enter this site, the web server will give you the index file (index.html or index.php) of the web server's root folder. The most common root folder of a web server is:

C:\inetpub\wwwroot

This is the web server's local directory, where all the website's main pages are stored. So if you type the remote address

http://www.someserver.com/index.html

in your browser, the web server will send you its local file:

c:\inetpub\wwwroot\index.html

I hope that wasn't too boring, as it is very important that you understand the difference between local and remote addresses.


Now, what if we want to move a couple of directories up on the web server?

We want to move from

c:\inetpub\wwwroot

to

c:\

How would we do that?

You can not type

http://www.someserver.com/c:\

Nice try, but it won't work.

Comment

The web server would start looking in its local c:\inetpub\wwwroot for the specified directory, and because you can't have :'s in a directory name, it would crash and you would get an error message in your browser.


If you are familiar with FTP, you know what the DIRUP command is. It's kinda the same thing with web servers and browsers.

The command for going one directory up is

/../

If you've done any web design or HTML coding you probably used these a lot.

Comment

HTML is a programming language for the web. Try to open any .html file in Notepad, and you will see the HTML code of the page.





So couldn't we just put two of these commands after each other, like this:

http://www.someserver.com/../../

and start accessing the local C drive of the server?

Well, you're getting there, but the creators of IIS were (surprisingly) smart enough to think this over and avoid the problem, by making the server deny this kind of request.


So then what do we do?


Have you ever tried to download a file from the web that has spaces in it?

You may have noticed that your browser converts these spaces into %20?

Let's do an example.

If you type this into your browser:

http://www.someserver.com/iis Unicode hole.txt

the browser will first replace the spaces with %20, so you get this:

http://www.someserver.com/iis%20unicode%20hole.txt

and then let you download the file.


What is this, and why does my browser do it?

Computers can't understand spaces. They simply can't. When you look at this document you see spaces in it, that's true, but the binary code that the computer reads has no spaces in it. The only thing the computer does is display it differently. There is no such thing as a space on your hard drive.

The text you see (%20) is the Unicode for the ASCII character we call "space".

ASCII characters are the characters we see on our monitor when using our computer. There is one Unicode for each ASCII character, and they all look as strange as the one representing space. So, when you input a space in your browser, it has to be replaced by something the computer can understand before it starts looking for it.


Yeah all right, but what does all this have to do with breaking into a web server?

Since the browser can convert spaces into strange Unicode characters and send them to the web server, which understands them, we can also use Unicode characters to spell whatever we want, and the web server will understand these too. Not only spaces. Therefore, we can convert the so-called DIRUP command into Unicode, and send it to the server. We need to convert the slashes (/) in

/../../

into Unicode. The Unicode for / is %5C.




Well that's great! Then I'll just type

http://www.someserver.com/..%5C..%5C/

and I will be able to see the host's c:\, right?

You're getting there, but there are several reasons why this won't work.


First of all, if you ever made it to the server's local c:\, you would need something to read the directory. The web server won't do that for you. So we need to open the server's cmd.exe (DOS prompt). In your browser! But we will come back to this later.


Secondly, when the server decodes

/..%5C..%5C/

it gets

/../../

which is restricted, and then denies the request. So what we need to do is encode the already encoded Unicode again. You probably don't follow me now, but I will try to explain once more. We need to encode every character of the Unicode string we already have. Take a look at this little table and you will understand.

ASCII    UNICODE
%        %25
5        %35
C        %43

So when we encode the ASCII characters

/..%5C..%5C/

into Unicode, we get

..%25%35%43..%25%35%43

and when the server decodes this string, it gets back to

/..%5C..%5C/

which is not a regular DIRUP command, and therefore it is allowed.
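The mistake described above (the server decodes the request once, checks it for the DIRUP pattern, then decodes it again before touching the file system) can be shown in a few lines. The following Python is an added example written for this page, not code from the original tutorial or from IIS itself; the web root path, the function names and the single-root layout are my own stand-ins for C:\inetpub\wwwroot. One caveat worth knowing: %5C is the percent-encoding of the backslash, which Windows also accepts as a path separator, so both spellings of DIRUP are treated as separators here. vulnerable_resolve mirrors the check-then-decode-again ordering; hardened_resolve refuses input that still contains %-escapes after one decode and, independently, verifies that the canonical path stays inside the web root.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for C:\inetpub\wwwroot (POSIX form keeps the example
# portable; the separator handling below still accepts backslashes).
WEB_ROOT = "/inetpub/wwwroot"


def escapes_root(local_path):
    """True if a resolved local path lies outside WEB_ROOT."""
    return not (local_path == WEB_ROOT or local_path.startswith(WEB_ROOT + "/"))


def _has_dirup(path):
    """Does any path segment equal '..' (after treating '\\' as '/')?"""
    return ".." in path.replace("\\", "/").split("/")


def vulnerable_resolve(request_path):
    """Mirrors the ordering the tutorial describes: decode once, reject a
    visible DIRUP, then decode AGAIN before building the local path."""
    once = unquote(request_path)
    if _has_dirup(once):
        return None                      # "/..%5C..%5C/" is caught here
    twice = unquote(once)                # the flaw: a second decode after the check
    local = twice.replace("\\", "/")
    return posixpath.normpath(WEB_ROOT + "/" + local)


def hardened_resolve(request_path):
    """Two independent fixes: refuse anything still percent-encoded after one
    decode, and validate the canonical path against the web root."""
    once = unquote(request_path)
    if unquote(once) != once:
        return None                      # double-encoded input is refused outright
    local = once.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, local))
    if escapes_root(candidate):
        return None                      # "/..%5C..%5C/" ends here, not in c:\
    return candidate


if __name__ == "__main__":
    # Inputs taken from this page: a normal file, the %20 example, the single
    # and double-encoded DIRUP strings and the final assembled URL path.
    for req in ("/index.html",
                "/iis%20unicode%20hole.txt",
                "/..%5C..%5C/",
                "/..%25%35%43..%25%35%43/",
                "/scripts/..%25%35%43..%25%35%43/winnt/system32/cmd.exe"):
        print(f"{req:55} vulnerable={vulnerable_resolve(req)!s:35} hardened={hardened_resolve(req)}")
```

Running it shows the vulnerable resolver denying the plainly encoded string but resolving the double-encoded one to a path outside the root, while the hardened resolver serves the two ordinary files and returns None for every traversal attempt. The containment check is the part that matters most: it holds regardless of how many decoding rounds a server performs, because it is applied to the path that will actually be opened.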


But there is one more thing we need to know. As I mentioned earlier, when you get connected to a web server, the default root directory is wwwroot. This directory contains (as you already know) the main pages of the site. But there are other directories for other site elements like scripts. These directories contain files that do pretty much more advanced things on the web server itself. So when we are going to manipulate the server, we need to do it from a directory that kinda has the privileges to do it. This is not hard to do; I just want you to understand why we will add /scripts/ to the final URL.


At last, when we execute the server's local DOS prompt, we need to give it a command too. We want to display c:\, right? It's pretty easy; we just need to do a couple of things differently than you usually do in your DOS prompt. I'll make it quick.

Start cmd.exe in this way:

cmd.exe?/c+

?   = everything after it is command line arguments.
/c  = run the command, then close cmd.exe (so that it doesn't keep on running forever).
+   = instead of space.

So at last, the entire command assembled is as follows:

http://www.myserver.com/scripts/..%25%35%43..%25%35%43/winnt/system32/cmd.exe?/c+dir+c:\

And you will get the server's local c:\ printed inside your browser. Cool eh?


Comment

There are lots of other Unicode "commands" that do the same job, if this one doesn't work (the server may be partly patched or something). Like these, for instance:

/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\

/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+C:\
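For anyone reviewing IIS logs for requests of the shapes shown on this page (the double-encoded %25%35%43 form and the %c0%af form both appear above), the following Python is an added example of mine, not something from the original tutorial. The log lines are constructed in a W3C-style layout with documentation IP addresses; the field order and the function names are assumptions. The scanner decodes each request path until it stops changing, folds two-byte overlong UTF-8 sequences (a lead byte of %C0 or %C1 can only encode a value below 0x80, so it is always an overlong spelling of an ASCII byte) into the byte they stand for, and then reports traversal, double encoding and cmd.exe requests.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not taken from the original page).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2003-03-01 10:00:01 192.0.2.10 GET /index.html - 200
2003-03-01 10:00:07 192.0.2.10 GET /iis%20unicode%20hole.txt - 200
2003-03-01 10:01:15 198.51.100.7 GET /scripts/..%25%35%43..%25%35%43/winnt/system32/cmd.exe /c+dir+c:\\ 200
2003-03-01 10:01:16 198.51.100.7 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe /c+dir+C:\\ 200
"""

# A 2-byte UTF-8 sequence with lead byte 0xC0 or 0xC1 always encodes a value
# below 0x80, i.e. it is an overlong spelling of an ASCII byte.
OVERLONG = re.compile(r"%(C0|C1)%([89AB][0-9A-F])", re.IGNORECASE)


def fold_overlong(s):
    """Rewrite overlong sequences to the single %XX byte they stand for,
    which is what a lenient decoder would have produced."""
    def repl(m):
        lead, cont = int(m.group(1), 16), int(m.group(2), 16)
        return "%%%02X" % (((lead & 0x1F) << 6) | (cont & 0x3F))
    return OVERLONG.sub(repl, s)


def decode_stable(s, limit=3):
    """Percent-decode until nothing changes; return (decoded, rounds used)."""
    rounds = 0
    while rounds < limit:
        nxt = unquote(s)
        if nxt == s:
            break
        s, rounds = nxt, rounds + 1
    return s, rounds


def analyse_line(line):
    """Return the list of reasons a log line is suspicious (empty if none)."""
    fields = line.split()
    if len(fields) < 7:
        return []
    stem = fields[4]                         # cs-uri-stem in the assumed layout
    reasons = []
    if OVERLONG.search(stem):
        reasons.append("overlong utf-8 separator")
    decoded, rounds = decode_stable(fold_overlong(stem))
    if rounds > 1:
        reasons.append("double-encoded")
    if ".." in re.split(r"[\\/]", decoded):  # '\' and '/' both separate on Windows
        reasons.append("directory traversal")
    if decoded.lower().endswith("cmd.exe"):
        reasons.append("cmd.exe request")
    return reasons


def scan(log_text):
    """Pair every suspicious line with its reasons."""
    hits = []
    for line in log_text.splitlines():
        reasons = analyse_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line.split()[4])
```

The %20 request from earlier on the page is decoded in a single round and contains no ".." segment, so it is not reported; the two cmd.exe lines each trip three separate rules. Checking the decoded path rather than the raw one is what makes the rules hold across encodings, and counting decode rounds catches double encoding even when the final path looks harmless.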





Written for http://cyberspirit.isuber1337.com/

Copyright 2003

If you wish to publish this document at your site, you may do so, but please do not change it in any way.