Penetration Testing mailing list archives

Re: [PEN-TEST] CmdAsp.asp


From: Daniel Dočekal <ddoc () MIA CZ>
Date: Wed, 31 Jan 2001 23:11:36 +0100

That's hardly an exploit - before you can use it, you have to upload the cmdasp.asp
file to the server you want to play with. It can be dangerous only in some
IIS/ASP hosting services with totally dumb operators allowing users to use
WSCRIPT and even place batch files in the root of the C: drive :)

-----Original Message-----
From: Andrew Oman [mailto:Andrew.Oman () PREDICTIVE COM]
Sent: Wednesday, January 31, 2001 5:04 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] CmdAsp.asp



Does anyone have any insights on the CmdAsp.asp exploit? (details at
http://www.dogmile.com/files/#CmdAsp)
This exploit was posted on bugtraq and I can't get it to do anything. I am
running it on a vanilla IIS install (IIS 4.0 SP 6) and as far as I
understand it, I should at least have IUSR privilege for command execution.
Any advice would be appreciated. This would be a nice little tool in
conjunction with the Unicode exploit (to get it up there).
Thanks,
Andrew