Penetration Testing mailing list archives
exploiting BID 529 revisited
From: m a <aznxy () yahoo com>
Date: 8 Dec 2004 22:01:39 -0000
In-Reply-To: <20041204194913.13731.qmail () www securityfocus com>

...trying to get anything out of command /c or cmd /c has proven problematic. I have tried echo bla>file, ping <SOURCEIP>, telnet <SOURCEIP> 80 (tcpdump on my side) and all result in a big nothing. Does this essentially mean that both executables have been moved/renamed? Or could there be another reason I am missing?

Again:

1. Confirmed RDS 1.5 by the msadc/readme.txt.
2. I have managed to query the db using http://www.securityfocus.com/data/vulnerabilities/exploits/RDSExploit.zip.
3. Using msadc:

msadc.pl -h <target> -N
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Machine name: NINT2
Date: 4 Dec 2004 19:49:13 -0000
Message-ID: <20041204194913.13731.qmail () www securityfocus com>
From: m a <aznxy () yahoo com>
To: pen-test () securityfocus com
Subject: exploiting BID 529

Running a pen test on some web servers. Some were verified to have RDS version 1.5, thus: http://10.1.1.1/msadc/readme.txt

Here is the exploit: http://www.securityfocus.com/bid/529/exploit/

I have tried unicode directory traversal, which doesn't work. Running msadc works:

$ ./msadc.pl -h 10.1.1.1 -N
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Machine name: NT2

I am trying to execute some cmd /c commands, however just trying to echo >xxx a file to the default path of msadc and the wwwroot does not yield anything I can open. I am largely trying to verify that the commands work.
Even if this does work (and the default paths are changed) I am not sure what else I can do with it considering the firewall is filtering out everything apart from 80 and 443 (some hosts probably just one) inbound. I could potentially try killing the inet process and then implant nc.exe and have it take over on 80 or 443, but that would be too intrusive.

Here's some more reading on this (this guy had the benefit of unicode): http://www.honeynet.org/scans/scan14/rfp.html

Any help much appreciated.
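Seen from the other side of the firewall the poster describes (only 80/443 inbound), the web server's own access log is the one place the RDS traffic in this thread is visible. The following is an added example, not code from the poster or from the msadc tool: a small scanner that flags the two request shapes this thread relies on, a fetch of /msadc/readme.txt (the version check used above) and requests to the RDS DataFactory endpoint /msadc/msadcs.dll that the msadc tool posts to. It assumes IIS W3C extended logs reduced to the fields date, time, c-ip, cs-method, cs-uri-stem and sc-status; the log lines embedded below are constructed for the example.

```python
# Added example (not part of the original post): flag web-server log entries
# that indicate probing or use of the RDS DataFactory endpoint from BID 529.
# Assumes IIS W3C extended log lines with the fields
#   date time c-ip cs-method cs-uri-stem sc-status
# The sample log at the bottom is constructed, not taken from any real server.
import re
from dataclasses import dataclass

# Paths tied to the BID 529 issue: the DataFactory endpoint the msadc tool
# POSTs to, and the readme the poster used to confirm RDS 1.5.
RDS_ENDPOINT = "/msadc/msadcs.dll"
RDS_VERSION_FILE = "/msadc/readme.txt"


@dataclass
class Finding:
    client_ip: str
    reason: str
    line: str


_W3C = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the W3C fields as a dict, or None for directives/unparseable lines."""
    if line.startswith("#"):
        return None
    m = _W3C.match(line.strip())
    return m.groupdict() if m else None


def classify(fields):
    """Map a parsed request to a detection reason, or None if it is not RDS-related."""
    uri = fields["uri"].lower()      # IIS paths are case-insensitive
    method = fields["method"].upper()
    if uri == RDS_ENDPOINT and method == "POST":
        return "POST to RDS DataFactory endpoint (msadc traffic pattern)"
    if uri == RDS_ENDPOINT:
        return "request to RDS DataFactory endpoint"
    if uri == RDS_VERSION_FILE:
        return "RDS readme.txt fetched (version fingerprinting)"
    return None


def scan(lines):
    """Return a Finding for every log line that matches an RDS request shape."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        reason = classify(fields)
        if reason:
            findings.append(Finding(fields["ip"], reason, line.strip()))
    return findings


def scan_text(text):
    return scan(text.splitlines())


# Constructed sample log: one fingerprint request, two DataFactory POSTs
# (one with mixed-case path), and one unrelated page request.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-12-04 19:40:01 192.0.2.10 GET /msadc/readme.txt 200
2004-12-04 19:40:05 192.0.2.10 POST /msadc/msadcs.dll 200
2004-12-04 19:40:06 192.0.2.10 POST /MSADC/msadcs.dll 200
2004-12-04 19:41:00 192.0.2.20 GET /index.html 200
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"{f.client_ip}: {f.reason}  <- {f.line}")
```

Run against the sample it reports three findings from 192.0.2.10 and nothing for the /index.html request. A readme.txt fetch followed within seconds by POSTs to msadcs.dll from the same client is the sequence to alert on; removing the /msadc virtual directory (or the DataFactory handler) when RDS is not needed removes the endpoint entirely.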