Penetration Testing mailing list archives
Re: Pwdump2 with UNICODE?
From: Tony Lambiris <methodic () libpcap net>
Date: Thu, 9 Aug 2001 13:35:27 -0400
Ahh.. so you can basically echo a bunch of ftp commands to a file, run the ftp client -s:filename.txt to have the box download cmdasp.asp, and then you can just have that page execute commands? Nice.

On 08.09.01, "Sapiro, Benjamin R" <bsapiro () kpmg ca> wrote:
Tony

Under IIS4, CMDASP.asp executes in system level context so you are able to do that (CMDASP.asp has nothing to do with the unicode vuln. itself, we just use unicode attacks to get script up onto the box). You are right though, a unicode executed command by itself runs under IUSR context.

Ben Sapiro
Information Risk Management
(416) 777-8025
www.kpmg.ca/irm

-----Original Message-----
From: Tony Lambiris [mailto:methodic () libpcap net]
Sent: Wednesday, August 08, 2001 1:46 PM
To: Penetration Testers
Subject: Re: Pwdump2 with UNICODE?

I thought under UNICODE, you aren't able to run such commands as rdisk and pwdump, because IIS runs as IUSR?

On 08.07.01, Kevin Lam <kevinlam () packet-works com> wrote:

Hi Allen,

If you have UNICODE working, you could upload cmdasp.asp which will let you execute commands on that server. If this is NT then what you can do is run "rdisk /s-" to silently update the repair sam._ file (this is a little trick that I used to use when I did pen-testing for Deloitte). Then go to c:\winnt\repair and copy sam._ to say a public internet folder like c:\inetpub\wwwroot and then go to your browser and just download the file.

******************************************************************************
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement contract.
******************************************************************************
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
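The chain the thread describes (encoded-traversal command execution via the IIS unicode bug, a dropped cmdasp.asp command page, then the sam._ backup copied under wwwroot and fetched over HTTP) leaves three distinct request shapes in the IIS log. The script below is an added example for defenders, not code from the thread or from any poster: it canonicalises the URI stem the way the server's filesystem would (repeated %xx decoding, folding of overlong two-byte UTF-8 forms such as %c0%af that strict decoders reject, separator unification) and tags each stage. The log lines and the 10.0.0.5 address are constructed; the rule names are my own.

```python
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not from the thread): fields are
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2001-08-08 17:46:02 10.0.0.5 GET /index.html - 200
2001-08-08 17:46:10 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-08-08 17:47:03 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-08-08 17:48:20 10.0.0.5 POST /scripts/cmdasp.asp - 200
2001-08-08 17:49:01 10.0.0.5 GET /sam._ - 200
"""

def canonical_path(raw: str) -> str:
    """Decode %xx twice (catches %25 double encoding), fold overlong 2-byte
    UTF-8 forms (%c0%af -> '/', %c1%9c -> '\\'), unify separators, lowercase."""
    s = unquote(unquote(raw, encoding="latin-1"), encoding="latin-1")
    out, i = [], 0
    while i < len(s):
        c = ord(s[i])
        if c in (0xC0, 0xC1) and i + 1 < len(s) and 0x80 <= ord(s[i + 1]) <= 0xBF:
            out.append(chr(((c & 0x1F) << 6) | (ord(s[i + 1]) & 0x3F)))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out).replace("\\", "/").lower()

def classify(path: str):
    """Name the stage of the chain a canonical URI stem matches, else None."""
    segs = path.split("/")
    if segs[-1] == "cmd.exe" and ".." in segs:
        return "traversal-to-cmd"      # command run through the unicode bug
    if segs[-1] == "cmdasp.asp":
        return "web-shell"             # the uploaded ASP command page
    if segs[-1] in ("sam._", "sam"):
        return "sam-backup-download"   # repair\sam._ copied under wwwroot
    return None

def scan(log_text: str):
    """Return (line_number, rule, canonical_path) for each suspicious request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 7:
            path = canonical_path(fields[4])
            rule = classify(path)
            if rule:
                hits.append((n, rule, path))
    return hits
```

Run `scan(SAMPLE_LOG)` to get one hit per stage; the first line (a plain /index.html request) is not flagged.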
Current thread:
- Pwdump2 with UNICODE? Lists (Aug 07)
- RE: Pwdump2 with UNICODE? krisk () kbeta com (Aug 08)
- RE: Pwdump2 with UNICODE? Kevin Lam (Aug 08)
- Re: Pwdump2 with UNICODE? Tony Lambiris (Aug 09)
- Re: Pwdump2 with UNICODE? hellNbak (Aug 08)
- Re: Pwdump2 with UNICODE? Lists (Aug 08)
- <Possible follow-ups>
- Re: Pwdump2 with UNICODE? Tony Lambiris (Aug 09)
- Re: Pwdump2 with UNICODE? steven.m.gill (Aug 09)
- Re: Pwdump2 with UNICODE? Penetration Testing (Aug 10)
- Re: Pwdump2 with UNICODE hellNbak (Aug 12)
- Re: Pwdump2 with UNICODE? Penetration Testing (Aug 10)