Penetration Testing mailing list archives
Re: Server initiated remote shell
From: auto241065 () hushmail com
Date: Fri, 21 Sep 2001 18:42:04 -0700
What do you mean when you say you can execute a program on an internal host but there is no way in? I'm not clear if you're talking about so-called "firewall-piercing", or do you want to lure someone behind the firewall to visit a malicious web site that will provide you with a shell on their box?

In the first case corkscrew (http://www.agroman.net/corkscrew/), which tunnels SSH through HTTP proxies, is one of many tools. For the second way, look at the many Microsoft IE and Outlook bugs for Windows clients and you should be able to figure something out. Actually many times all you need is a little bit of JavaScript.

If it's a Unix client, it's a little harder. I generally find there really is "another way in". If not, Netscape and gdb should give you some ideas, depending on the platform, but you may have to bust out a wee bit of asm. Also try Java, see if you can symlink something important to a temp file, stuff like that. Also you can use forms to post to URLs using ports other than 80, and craft it in such a way to send arbitrary data to these ports.

----- Original Message -----
Hi,

Let's suppose that I can execute a program on an inside host on a network protected by a firewall. There is no way in. But there is a way out to www browsing on port 80. So the client could connect to any Internet address on port 80. What program should it execute to provide me with a shell? Of course I'm on the Internet with a listener. What listener? The firewall is a real stateful firewall so no TCP ACK or ICMP encapsulations.