<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2716.2200" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>(Ok, it's an old bug but since a lot of non-geeks
seem to hate updating their IIS, there still are plenty of valid targets for
this exploit.</FONT><FONT face=Arial size=2>)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>-- SCRIPT KIDDIE COMPATIBLE EXPLOIT ATTACHED
--</FONT></DIV>
<DIV><FONT face=Arial size=2>The attached file IISexploere.php is my "SCRIPT
KIDDIE COMPATIBLE" exploit for the double urldecoding bug in IIS. (It's a
modified version of PHPexplorer, also written by yours truly ;)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>-- HOW TO INSTALL --</FONT></DIV>
<DIV><FONT face=Arial size=2>Simply put all the icons in the RAR file and the
file IISexplorer.php on your PHP enabled webserver. The icons should go into the
/icons2/ directory, the IISexplorer.php file can be put anywere.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>-- HOW TO USE --</FONT></DIV>
<DIV><FONT face=Arial size=2>Browse to <A
href="http://your-server/path/IISexplorer.php?host=[ip of vulnerable target]">http://your-server/path/IISexplorer.php?host=[ip
of vulnerable target]</A> and you can browse the target system using an
explorer style interface.</FONT></DIV>
<DIV><FONT face=Arial size=2>Please remember, this is version 0.1 beta! So don't
expect it to handle errors well.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>-- WHERE TO FIND TARGETS TO EXPLORE --</FONT></DIV>
<DIV><FONT face=Arial size=2>Scan your webserver's logfiles for "GET
/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" to get a list of
vulnerable IIS's that have been infected with a worm that propagates through
this vulnerability.</FONT></DIV>
<DIV> </DIV>
<DIV>-- NOTES --</DIV></FONT></DIV>
<DIV><FONT face=Arial size=2>The left frame takes some time to load, since it
requires 1 http request for each directory in the list. </FONT><FONT face=Arial
size=2>Make sure to have a decent connection to the internet because this migth
use quite some bandwidth ;)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>-- FUTURE VERSIONS --</FONT></DIV>
<DIV><FONT face=Arial size=2>I'm probably not gonna invest more time, since it
works. Maybe I'm gonna put in a upload/download facility but that would make
stuff a bit too easy for them 14 year olds, wouldn't it ?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>-- YOURS TRULY --</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Berend-Jan Wever aka SkyLined</FONT></DIV>
<DIV><FONT face=Arial size=2>http:/spoor12.edup.tudelft.nl</FONT></DIV>
<DIV><FONT face=Arial size=2>.</FONT></DIV></BODY></HTML>