This log clearly shows an HTTP GET request attempting to exploit a web server using a directory traversal attack with Unicode encoding:
The URL contains: /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
%c0%af is a known Unicode-encoded sequence used to bypass input validation filters. It translates to the forward slash character “/” when interpreted by vulnerable versions of Microsoft IIS (specifically IIS 4.0 and 5.0).
This type of attack attempts to:
Traverse out of the web root directory (via encoded ../ sequences)
Access cmd.exe in the Windows system32 directory
Execute operating system commands such as dir c: (list contents of drive C)
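For triaging web logs for this pattern, the following is an added example, not part of the original answer or the CEH courseware. It percent-decodes the request path, folds overlong two-byte UTF-8 sequences such as %c0%af back to the ASCII character they stand for, and only then checks for traversal. The function names, finding labels and sample request lines are constructed for illustration; the first sample wraps the URL quoted above.

```python
import re
from urllib.parse import unquote_to_bytes

# A two-byte UTF-8 sequence whose lead byte is 0xC0 or 0xC1 is an overlong
# (non-canonical) encoding of an ASCII character and is never valid UTF-8.
OVERLONG_2BYTE = re.compile(rb"([\xc0\xc1])([\x80-\xbf])")

def normalize_path(raw_path: str) -> tuple[str, bool]:
    """Percent-decode a URL path and fold overlong sequences to ASCII.

    Returns (normalized_path, had_overlong)."""
    data = unquote_to_bytes(raw_path)

    def fold(match):
        lead, cont = match.group(1)[0], match.group(2)[0]
        # Standard 2-byte UTF-8 decoding: 110xxxxx 10yyyyyy -> xxxxxyyyyyy
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

    folded, count = OVERLONG_2BYTE.subn(fold, data)
    # Treat backslash as a separator too, as Windows path handling does.
    return folded.decode("latin-1").replace("\\", "/"), count > 0

def classify(request_line: str) -> list[str]:
    """Return findings for one 'METHOD target HTTP/x' request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed-request-line"]
    path = parts[1].split("?", 1)[0]
    normalized, had_overlong = normalize_path(path)
    findings = []
    if had_overlong:
        findings.append("overlong-utf8")
    if ".." in normalized.split("/"):
        findings.append("path-traversal")
    if re.search(r"/cmd\.exe$", normalized, re.IGNORECASE):
        findings.append("shell-binary-request")
    return findings

# Constructed sample request lines (the HTTP version is an assumption).
SAMPLES = [
    "GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
    "GET /a/%2e%2e/b HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

Checking after normalization rather than matching the literal string %c0%af means other encodings of the same separator, such as %c1%9c for a backslash, are caught by the same rule.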
From CEH v13 Official Courseware:
Module 14: Hacking Web Servers
Topic: Unicode Directory Traversal Vulnerability (IIS-specific)
CEH v13 Study Guide states:
“A Unicode Directory Traversal Attack takes advantage of improper input sanitization by encoding traversal characters (../) as Unicode (e.g., %c0%af). This bypasses input filters and accesses restricted directories such as system32.”
Incorrect Options:
A. Hexcode Attack: Not a formal classification; here Unicode encoding is used.
B. Cross-Site Scripting: Involves injecting scripts into a web page, unrelated to filesystem traversal.
C. Multiple Domain Traversal: Not a valid or recognized attack type.
[Reference: CEH v13 Study Guide – Module 14: Web Server Attacks → Unicode Directory Traversal; Microsoft Security Bulletin MS00-078 – IIS Malformed Request Vulnerability]