Vulnerability Development mailing list archives

Re: dos commands via iis 4 (TFTP)


From: MadHat <madhat () UNSPECIFIC COM>
Date: Wed, 15 Nov 2000 10:52:42 -0600

Lincoln Yeoh wrote:

> At 12:25 PM 13-11-2000 -0600, MadHat wrote:
> > So after this, there is a port open (22 in this case as many admins will
> > leave this open for SSH, but this is an NT box, which as we know rarely
> > has SSH running on it) that I can telnet to and have a command prompt.
>
> How about port 80? Most firewalls would allow arbitrary stuff through to
> that server on port 80, since it's already a webserver.

To do that you have to kill the web server, and if something like
BigBrother or WhatsUp is running, it has the chance to bind to the port
first and then the shell and all access is gone. And if you get to it
first, the BB or WU will alert people that the web server is down.  It
just depends on the goal.  You could use any port you see as working,
depending on how ACLs and firewalls are set up in front of the target.

BTW, someone else asked about the tftp issue of having it blocked by
ACLs, well, you can also look for directories on the web server that
have bad permissions and try using a PUT through http, or possibly an
upload script.  I have found a site or two that had an upload script on
it and with the UNICODE and the type command I was able to find where
the file was stored, then just use the upload script to move the file
over and...  you are there again.

I am sure there are other options as well, this is just what I have
found in minimal testing.

--
MadHat at unspecific.com
                                   "The 3 great virtues of a programmer:
                                      Laziness, Impatience, and Hubris."
                                                 --Larry Wall
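
Added example (not part of the original post): a log check for the two
things the message describes, encoded-traversal requests that reach a
command interpreter and HTTP PUTs the server accepted. It assumes IIS W3C
extended logs that record the raw percent-encoded URI; the sample lines,
addresses and file names are constructed.

```python
import re

# Constructed sample in IIS W3C extended log format (not taken from the post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-15 16:40:01 192.0.2.10 GET /default.htm - 200
2000-11-15 16:41:12 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+type+upload.asp 200
2000-11-15 16:42:30 192.0.2.77 PUT /images/tool.exe - 201
2000-11-15 16:43:02 192.0.2.10 PUT /private/x.txt - 403
"""

# Lead bytes 0xC0 and 0xC1 never occur in valid UTF-8, so seeing them
# percent-encoded in a URI means an overlong (non-canonical) encoding.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)
# Request path that ends in a command interpreter binary.
SHELL = re.compile(r"(^|[/\\])(cmd|command)\.(exe|com)$", re.I)


def scan(log_text):
    """Return (line_no, client_ip, reasons) for each suspicious request."""
    fields, hits = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated entry
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "")
        reasons = []
        if OVERLONG.search(stem + "?" + rec.get("cs-uri-query", "")):
            reasons.append("overlong-utf8")
        if SHELL.search(stem):
            reasons.append("shell-in-path")
        # Only PUTs the server answered with 2xx actually wrote a file.
        if rec.get("cs-method", "").upper() == "PUT" and rec.get("sc-status", "").startswith("2"):
            reasons.append("put-accepted")
        if reasons:
            hits.append((n, rec.get("c-ip", "?"), reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Any put-accepted hit also points at a directory whose write permission
should be removed, whether or not the request was hostile.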

