Re: Pwdump2 with UNICODE?

[Tony Lambiris <methodic () libpcap net>]

Ahh.. so you can basically echo a bunch of ftp commands to a file, run
the ftp client -s:filename.txt to have the box download cmdasp.asp, and
then you can just have that page execute commands?

Nice.

On 08.09.01, "Sapiro, Benjamin R" <bsapiro () kpmg ca> wrote:
> Tony
>
> Under IIS4, CMDASP.asp executes in system level context so you are able to
> do that (CMDASP.asp has nothing to do with the unicode vuln. itself, we just
> use unicode attacks to get script up onto the box). You are right though, a
> unicode executed command by itself runs under IUSR context
>
> Ben Sapiro
> Information Risk Management
> (416) 777-8025
> www.kpmg.ca/irm
>
>
> -----Original Message-----
> From: Tony Lambiris [mailto:methodic () libpcap net]
> Sent: Wednesday, August 08, 2001 1:46 PM
> To: Penetration Testers
> Subject: Re: Pwdump2 with UNICODE?
>
>
> I thought under UNICODE, you arent able to run such commands as rdisk
> and pwdump, because IIS runs as IUSR?
>
> On 08.07.01, Kevin Lam <kevinlam () packet-works com> wrote:
> > Hi Allen,
> >
> > If you have UNICODE working, you could upload cmdasp.asp which will let
> > you execute commands on that server.
> >
> > If this is NT then what you can do is run "rdisk /s-" to silently update
> > the repair sam._ file (this is a little trick that I used to use when I
> > did pen-testing for Deloitte).  Then go to c:\winnt\repair and copy
> > sam._ to say a public internet folder like c:\inetpub\wwwroot and then
> > go to your browser and just download the file.
>
>
> ******************************************************************************
> The information in this email is confidential and may be legally privileged.
> It is intended solely for the addressee. Access to this email by anyone else
> is unauthorized.
>  
> If you are not the intended recipient, any disclosure, copying, distribution
> or any action taken or omitted to be taken in reliance on it, is prohibited
> and may be unlawful. When addressed to our clients any opinions or advice
> contained in this email are subject to the terms and conditions expressed in
> the governing KPMG client engagement contract.
> ******************************************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/