Metasploit mailing list archives

Running application remote server side


From: tplastino at sses.net (Anthony R. Plastino III)
Date: Tue, 20 Jun 2006 22:33:27 -0400

Given the snippet of the message, it seems to me that this person has
found an open share. Upon mounting the share, the filesystem seems to
allow reading/writing of files. Unfortunately, there is no easy method
for remotely executing code in this context. This would depend on
having access to a valid account, not simply mounting the IPC$ as a
null user.

The framework operates mostly on exploited vulnerabilities (on a host)
which allow that host to be manipulated remotely at a far deeper level
than mounting a share. The mounting of a share, while certainly a
vulnerability, takes advantage of a host's misconfiguration, but
allows the host to perform a 'normal' function of being a file server;
it has not been made to do something it was not intended to do.
Injecting shell code into an overflowed buffer on the other hand
forces the host to perform outside of its 'normal' function by
allowing (for example) a remote shell to be presented to an
unauthorized entity in the context (we hope) of SYSTEM, thereby giving
up something better than console access.

I am not aware of a framework exploit that can take advantage of a
mounted share (although I admit that I am not an uber user yet :) ).
There are other applications that do (if you have a valid user) such
as Hyena, which have the ability to invoke the scheduler to run an
application.

regards,

Anthony R. Plastino III

Nicolas RUFF wrote:

I have a problem running a ".exe" file remotely on a Windows 2003
server.
I have access to the server to upload, read, and write some files
remotely,
but I need to execute my uploaded ".exe" file remotely on the server
(server-side).


What do you mean by "I cannot execute files"? (Error message?)

Can you execute standard system binaries, like CMD.EXE ?

What does the CACLS command say? Who is given execute access?

Are you sure the %TMP% and %TEMP% directories are not executable ?
(Basically every installer will drop EXE files in these directories)

We lack context here ...

Regards,
- Nicolas RUFF


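As an added check from the defender's side (this is not code from the thread or from the framework), the PowerShell below audits the folder behind a share together with %TMP% and %TEMP%, the directories Nicolas asks about, and reports which identities hold create-file or execute rights there, flagging broad principals such as Everyone, Guests and ANONYMOUS LOGON; the share path is an assumed placeholder.

```powershell
# Added example: report who can drop a file into, or execute from, a set of
# directories. 'D:\Shares\Public' is an assumed placeholder for a share's backing folder.
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Guests', 'Authenticated Users')

function Get-RightsReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.FileSystemRights
        # CreateFiles (WriteData): the identity can drop a file into the folder.
        # ExecuteFile: on a directory ACE this is Traverse, but it becomes
        # Execute on files when the ACE inherits to objects (ObjectInherit).
        $canCreate = ($rights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles) -ne 0
        $execBit   = ($rights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0
        $toFiles   = ($ace.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ObjectInherit) -ne 0
        $canExec   = $execBit -and $toFiles
        if (-not ($canCreate -or $canExec)) { continue }

        $name    = $ace.IdentityReference.Value
        $isBroad = $BroadPrincipals | Where-Object { $name -eq $_ -or $name -like "*\$_" }

        [pscustomobject]@{
            Path       = $Path
            Identity   = $name
            CreateFile = $canCreate
            Execute    = $canExec
            Inherited  = $ace.IsInherited
            Broad      = [bool]$isBroad
        }
    }
}

# Placeholder share folder plus the temp directories installers write to.
$targets = @('D:\Shares\Public', $env:TMP, $env:TEMP) | Select-Object -Unique
$report  = foreach ($t in $targets) { Get-RightsReport -Path $t }

$report | Sort-Object Path, Identity | Format-Table -AutoSize

# The combination that matters: a broad principal that can both drop and run a file.
$report | Where-Object { $_.Broad -and $_.CreateFile -and $_.Execute } |
    ForEach-Object { Write-Warning "$($_.Path): $($_.Identity) can create and execute files" }
```

Run it on the server itself as an administrator; a warning line for a share folder is the misconfiguration Anthony describes, and one for %TEMP% is the default most Windows installs carry.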