Penetration Testing mailing list archives
Re: escalating IUSR to admin rights via unicode and iis4
From: Bill Pennington <billp () boarder org>
Date: Thu, 11 Jul 2002 10:18:31 -0700
What I have done in the past is get a copy of hk.exe. It is a local privilege escalation exploit that runs processes as SYSTEM.
Then just run netcat via hk.exe, connect to the listener, and bingo you are SYSTEM.
It has been a while since I have done this so I don't recall the exact syntax but that should get you pointed in the right direction.
On Tuesday, July 9, 2002, at 10:18 AM, ewvtwvi () hushmail com wrote:
Hello,

I understand that this topic has been discussed a great deal, however I searched the archives and was unable to find anything.

In doing a security assessment, I came across a web server running iis4 that is vulnerable to the unicode exploit. I was able to get it to tftp back to my tftp server and pull down nc and a few other things... then got nc listening with a shell and was able to connect to that shell... I didn't go any further and reported it as it was. I was then questioned on the possibility of it being used to escalate rights to administrator... and asked for a demo... I repeated the above steps, but was unable to stop services and such. I couldn't even delete a file I had uploaded using unicode with tftp.

Could someone please point me to info that would explain what I have to do to accomplish this? I have been searching... but apparently not well enough.

Again, I hope this gets through... as it has prolly been discussed very much. I apologize in advance for this question... but I'm stuck :(

Thanks much!
t
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/