Vulnerability Development mailing list archives

Re: dos commands via iis 4 (TFTP)


From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Thu, 16 Nov 2000 09:20:09 +0800

At 10:52 AM 15-11-2000 -0600, MadHat wrote:
> Lincoln Yeoh wrote:
>
> > At 12:25 PM 13-11-2000 -0600, MadHat wrote:
> > > So after this, there is a port open (22 in this case as many admins will
> > > leave this open for SSH, but this is an NT box, which as we know rarely
> > > has SSH running on it) that I can telnet to and have a command prompt.
> >
> > How about port 80? Most firewalls would allow arbitrary stuff through to
> > that server on port 80, since it's already a webserver.
>
> To do that you have to kill the web server, and if something like
> BigBrother or WhatsUp is running, it has the chance to bind to the port

I seem to recall that you could hijack port 80, or even 139 on windows
machines, without bringing down the service. And you can do that with netcat.
e.g. nc -L -s interface.ip.address.here -p 80

I haven't checked to see if that feature has been fixed in the latest
service packs.

If it's not fixed, or it's fixed using some obscure hotfix, then I figure
the chances are good :). And after you're done, kill your netcat and things
are back to normal.

Cheerio,
Link.
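The "I haven't checked whether it's fixed" question above can be scripted. The probe below is an added example, not code from the thread or from any of its posters. It starts a wildcard (0.0.0.0) listener on a free port and then tries to put a second listener on the same port bound to a specific address, which is what `nc -L -s interface.ip.address.here -p 80` does; it reports whether the OS let the second bind through. It also shows the Windows-side fix, SO_EXCLUSIVEADDRUSE, and, on Linux, reproduces the two-listeners-one-port layout with SO_REUSEPORT so you can watch which socket receives the connection. Assumed: IPv4, a loopback interface, and permission to bind the ports the kernel picks; the function names `port_hijackable`, `who_answers`, `hardened_opts` and `listener` are this example's own.

```python
"""Probe whether a live TCP listener can be joined by a second socket bound to
a specific interface address, the way `nc -L -s <ip> -p 80` would try to.

Added example; not code from the thread. Assumed: IPv4, a loopback interface,
and that this process may bind the ports it picks. Function names are this
example's own.
"""
import errno
import select
import socket
import sys

IS_LINUX = sys.platform.startswith("linux")

# Windows-only hardening flag (NT4 SP4 / Windows 2000 and later); absent on POSIX.
SO_EXCLUSIVEADDRUSE = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)
# POSIX flag that deliberately lets several sockets share a port (same UID).
SO_REUSEPORT = getattr(socket, "SO_REUSEPORT", None)

# Errors meaning "the OS refused the second bind"; anything else is a real fault.
BIND_DENIED = {errno.EADDRINUSE, errno.EACCES,
               getattr(errno, "WSAEADDRINUSE", None),
               getattr(errno, "WSAEACCES", None)}


def listener(addr, port, opts=()):
    """Create a TCP socket, set each option in `opts` to 1, bind and listen."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        for opt in opts:
            s.setsockopt(socket.SOL_SOCKET, opt, 1)
        s.bind((addr, port))
        s.listen(5)
    except OSError:
        s.close()
        raise
    return s


def hardened_opts():
    """Options for a server that must own its port outright: on Windows,
    SO_EXCLUSIVEADDRUSE makes every later bind to the port fail; on POSIX,
    simply not setting SO_REUSEADDR/SO_REUSEPORT on the listener suffices."""
    return (SO_EXCLUSIVEADDRUSE,) if SO_EXCLUSIVEADDRUSE is not None else ()


def port_hijackable(victim_opts=(socket.SO_REUSEADDR,),
                    attacker_opts=(socket.SO_REUSEADDR,),
                    attacker_addr="127.0.0.1"):
    """Start a wildcard (0.0.0.0) listener, then try to put a second listener on
    the same port bound to `attacker_addr`. True means the OS allowed it."""
    victim = listener("0.0.0.0", 0, victim_opts)   # port 0: kernel picks a free port
    port = victim.getsockname()[1]
    attacker = None
    try:
        attacker = listener(attacker_addr, port, attacker_opts)
        return True
    except OSError as e:
        if e.errno in BIND_DENIED:
            return False
        raise
    finally:
        if attacker is not None:
            attacker.close()
        victim.close()


def who_answers(victim_opts, attacker_opts, attacker_addr="127.0.0.1"):
    """With both listeners up, connect to attacker_addr:port and report which
    socket the kernel hands the connection to: "specific", "wildcard" or "none".
    Raises OSError if the second bind is refused (check port_hijackable first)."""
    victim = listener("0.0.0.0", 0, victim_opts)
    port = victim.getsockname()[1]
    attacker = client = None
    try:
        attacker = listener(attacker_addr, port, attacker_opts)
        client = socket.create_connection((attacker_addr, port), timeout=2)
        ready, _, _ = select.select([victim, attacker], [], [], 2)
        if attacker in ready:
            return "specific"
        if victim in ready:
            return "wildcard"
        return "none"
    finally:
        for s in (client, attacker, victim):
            if s is not None:
                s.close()


if __name__ == "__main__":
    print("SO_REUSEADDR listener joinable by a specific-address bind:",
          port_hijackable())
    print("hardened listener joinable:", port_hijackable(victim_opts=hardened_opts()))
    if SO_REUSEPORT is not None:
        both = (SO_REUSEPORT,)
        print("both sides SO_REUSEPORT: joinable =", port_hijackable(both, both),
              "; connection delivered to the", who_answers(both, both), "socket")
```

On Linux the default case comes back False, because a socket already in LISTEN state blocks a SO_REUSEADDR bind to the same port; only when both sides opt in with SO_REUSEPORT does the second listener get on, and `who_answers()` then shows which socket the kernel prefers for a connection to the specific address. The point of the thread is that old NT handed out that second bind without any opt-in from the victim; a server that sets SO_EXCLUSIVEADDRUSE (or, on POSIX, omits the reuse options) is what makes the probe return False there as well.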

