Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: dos commands via iis 4 (TFTP)-NETBIOS

From: Paul Cardon <paul () MOQUIJO COM>
Date: Sat, 18 Nov 2000 14:21:47 -0500
booboo wrote:


Final one on this I think. Since we have the Extended Unicode
Vulnerability already why not just modify iishack1.5 to create nc.exe
instead of eeyerulez.asp and then launch nc.exe directly there without
having to perform a buffer overlfow and crash the server.

On Wed, 15 Nov 2000, MadHat wrote:


booboo wrote:


Since you already have more or less root level access on the web server


You have nothing like root level access, you have what would be equiv.
to nobody access...  very limited overall.  You have access as
IUSER_<MACHINE> which is a member of the GUEST group, but with certain
exploits, you can get that user added to the local Administrators
group.  Then you have more or less root level access.


You seem to have completely missed the point even though MadHat
explained it clearly.  Your suggestion would result in nc.exe connected
to a command shell as IUSER_<MACHINE> which has very little privilege.
eeyerulez.asp performs a buffer overflow that results in SYSTEM level
access to the server.  The question you must ask is do you want to be a
luser on the system or do you want to 0wn it?

-paul
Previous By Date Next
Previous By Thread Next

Current thread: