exploiting BID 529 revisited

[m a <aznxy () yahoo com>]

In-Reply-To: <20041204194913.13731.qmail () www securityfocus com>

...trying to get anything out of command /c or cmd /c has proven
problematic.
I have tried echo bla>file, ping <SOURCEIP>, telnet <SOURCEIP> 80 (tcpdump
on my side) and all results in a big nothing.

Does this essentially mean that both executables have been moved/renamed?
Or could there be another reason I am missing?

Again:
1. confirmed RDS1.5 by the msadc/readme.txt.
2. I have managed to query the db using the
http://www.securityfocus.com/data/vulnerabilities/exploits/RDSExploit.zip.
3. using msadc:
 msadc.pl -h <target> -N
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Machine name: NINT2




> Received: (qmail 31466 invoked from network); 5 Dec 2004 22:49:08 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 5 Dec 2004 22:49:08 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id E5338143702; Sun,  5 Dec 2004 13:38:04 -0700 (MST)
> Mailing-List: contact pen-test-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <pen-test.list-id.securityfocus.com>
> List-Post: <mailto:pen-test () securityfocus com>
> List-Help: <mailto:pen-test-help () securityfocus com>
> List-Unsubscribe: <mailto:pen-test-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:pen-test-subscribe () securityfocus com>
> Delivered-To: mailing list pen-test () securityfocus com
> Delivered-To: moderator for pen-test () securityfocus com
> Received: (qmail 28765 invoked from network); 4 Dec 2004 19:52:12 -0000
> Date: 4 Dec 2004 19:49:13 -0000
> Message-ID: <20041204194913.13731.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: m a <aznxy () yahoo com>
> To: pen-test () securityfocus com
> Subject: exploiting BID 529
>
>
>
> Running a pen test on some web servers.
>
> Some were verified to have RDS version is 1.5 thus:
> http://10.1.1.1/msadc/readme.txt
>
> Here is the exploit:
> http://www.securityfocus.com/bid/529/exploit/
>
> I have tried unicode directory traversal which doesn't work.
>
> Running msadc works
> $ ./msadc.pl -h 10.1.1.1 -N
> -- RDS smack v2 - rain forest puppy / ADM / wiretrip --
> Machine name: NT2
>
> I am trying to execute some cmd /c commands, however just trying to echo >xxx a file to the default path of msadc and 
> the wwwroot does not yield anything I can open. I am largely trying to verify that the commands work.
>
> Even if this does work (and the default paths are changed) I am nost sure what else I can do with it considering the
> firewall is filtering out everything apart from 80 and 443 (some host
> probably just one) inbound. I could potentially try killing the inet process and then implant nc.exe and have it take 
> over on 80 or 443 but that would be to intrusive.
>
> Here's some more reading on this (this guy had the benefit of unicode):
> http://www.honeynet.org/scans/scan14/rfp.html
>
> Any help much appreciated.