Full Disclosure mailing list archives

RE: Psexec on *NIX


From: "Bill Royds" <full-disclosure () royds net>
Date: Thu, 6 May 2004 19:14:48 -0400

What he wants is a Unix version of the psexec Windows program, which uses
RPC and SMB to execute on another Windows machine (WITHOUT INSTALLING
ANYTHING ON THAT WINDOWS MACHINE). All of the suggestions such as ssh or rsh
require one to install an executable on the target Windows machine. Psexec
does not.
It should be possible to create such a beast using the Samba object library
and there are some features of SysInternals ps* suite of programs already
available in Samba.
  Psexec is a very useful, but dangerous program. Anyone who has it and
knows an account that has privileges on your Windows system can create a
command line shell (or execute any program) on your system without
installing anything on your system as long as there is a CIFS/SMB (port 445)
or NetBIOS (ports UDP 135 and 137, 139/TCP) port connection allowed between
the systems.
  What it does is use the default RPC$ share on Windows to download a small
executable called PSEXECSVC.EXE into your %SystemDir% directory and start
that as a service. It then uses that as a shell to run the given program as
if it were run from a CMD prompt, collecting SYSIN from remote and sending
SYSOUT and SYSERR to remote. Once the execution finishes the service
terminates itself and disappears. A very effective RAT used by
administrators all the time. 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
Valdis.Kletnieks () vt edu
Sent: May 6, 2004 3:50 PM
To: Chris Carlson
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Psexec on *NIX 

On Thu, 06 May 2004 14:54:55 EDT, Chris Carlson <chris () compucounts com>
said:

> service, then removes it.  I also know that the r services are an
> option, as is ssh, but these are not what I want.

Can you quantify *why* those aren't what you want?  From what you originally
said, rsh or ssh should be a good solution.  If they aren't, we need to know
why they aren't in order to propose other solutions....

> If it doesn't exist, then it doesn't exist.  In that case, I'll go make
> one.   I'm just trying to save myself some time here.

Re-inventing the wheel almost never saves time....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
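The thread describes the host-side footprint of PsExec: a service binary dropped into %SystemDir% over SMB, registered and started as a service, and removed when the command finishes. On the target, that registration is recorded by the Service Control Manager as event 7045 ("A service was installed in the system") in the System log. The script below is an added example, not code from anyone in this thread, showing how a defender might scan such records for that footprint. It assumes a constructed flat key=value record layout rather than a real Windows export, accepts both the PSEXECSVC spelling used in the post and the shorter PSEXESVC spelling (an assumption), and uses a constructed baseline of service names the fleet is expected to install.

```python
"""
Flag PsExec-style remote execution from Windows service-install events.

Added example; it is not code from the mailing-list thread. The post explains
that PsExec copies a small service binary into %SystemDir% over SMB, registers
and starts it as a service, and removes it when the command ends. On the
target that leaves Service Control Manager event 7045 ("A service was
installed in the system") in the System log, which is the record inspected
here. The log lines are constructed for the example and use a flat key=value
layout rather than a real Windows export.
"""
import re
from dataclasses import dataclass, field

# Constructed record layout:
#   timestamp host=... event_id=... service_name=... image_path=... account=...
RECORD = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event_id=(?P<eid>\d+)"
    r"\s+service_name=(?P<svc>\S+)\s+image_path=(?P<img>\S+)\s+account=(?P<acct>\S+)$"
)

# The post names the dropped binary PSEXECSVC.EXE; the pattern also accepts the
# PSEXESVC spelling (an assumption made for this example), case-insensitively.
PSEXEC_NAME = re.compile(r"psexe(c)?svc", re.IGNORECASE)

# Constructed baseline: service names this hypothetical fleet legitimately
# installs. Any other name appearing in a 7045 event is worth a look.
EXPECTED_NEW_SERVICES = {"VMTools", "BackupAgentSvc"}


@dataclass
class Finding:
    host: str
    service_name: str
    image_path: str
    severity: str                 # "high" or "review"
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Return the fields of one constructed record, or None if it does not parse."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None


def assess(rec):
    """Turn one parsed record into a Finding, or None if nothing stands out."""
    if rec is None or rec["eid"] != "7045":      # only service-install events matter here
        return None
    image_file = rec["img"].rsplit("\\", 1)[-1]  # file name part of the image path
    if PSEXEC_NAME.search(rec["svc"]) or PSEXEC_NAME.search(image_file):
        return Finding(rec["host"], rec["svc"], rec["img"], "high",
                       ["service name or binary matches the PsExec service described in the post"])
    if rec["svc"] not in EXPECTED_NEW_SERVICES:
        return Finding(rec["host"], rec["svc"], rec["img"], "review",
                       ["service install not in the expected-services baseline"])
    return None


def scan(lines):
    """Scan an iterable of log lines; return findings in the order they appear."""
    findings = []
    for line in lines:
        finding = assess(parse_record(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one PsExec-style install, one baselined install,
# one unknown install, one non-install event (7036), and one malformed line.
SAMPLE_LOG = """\
2004-05-06T19:14:48Z host=WS01 event_id=7045 service_name=PSEXESVC image_path=C:\\Windows\\PSEXESVC.exe account=LocalSystem
2004-05-06T19:15:02Z host=WS02 event_id=7045 service_name=VMTools image_path=C:\\Program_Files\\VMware\\vmtoolsd.exe account=LocalSystem
2004-05-06T19:16:10Z host=WS03 event_id=7045 service_name=UpdaterHelper image_path=C:\\Windows\\System32\\updhelper.exe account=LocalSystem
2004-05-06T19:16:30Z host=WS03 event_id=7036 service_name=UpdaterHelper image_path=C:\\Windows\\System32\\updhelper.exe account=LocalSystem
this line is not a service event at all
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.host} {f.service_name} {f.image_path} :: {'; '.join(f.reasons)}")
```

The name match is the strong signal the post hands us; the baseline check is the weaker one, since PsExec clones can rename the service, so a new service with an unfamiliar name still deserves review even when nothing in it says "psexec".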
