Vulnerability Development mailing list archives

Re: generic privellage escalation


From: Valdis.Kletnieks () vt edu
Date: Fri, 02 Jan 2004 15:39:35 -0500

On Wed, 31 Dec 2003 18:00:06 EST, Ben Greenberg <benfallout2 () hotmail com>  said:

> -ability to execute commands one at a time statelessly through the url, and 
> with a response to the browser ESCALATE TO a netcat created port for 
> connecting to a shell
> 
> -also is there any document with generically applicable php, asp, server 
> side include command execution/privilege escalation?

Fortunately for us, there's no *generic* way to do it.  Think about the
implications if it were so.  Usually, what's required is:

1) an initial break that allows commands.  This probably *won't* have sufficient
leverage by itself, unless the command you can run is 'sh | netcat' ;)

2) You then need to chain on OTHER issues and take tiny baby steps towards
the goal.  Not all tricks will work in all environments, so this really is a test-and-see
problem.

For one of the best "how it *really* works" in practice, see Liu Die Yu's
"Six Step IE Remote Compromise Cache Attack".  No one bug is enough,
there's a lot of jumping through hoops.
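The scenario described in this reply (an initial command-execution foothold through the web application that is then turned into a netcat-created listening port) leaves a process-tree signature that a defender can look for. The following is an added example and not part of the original message or thread: a small Python checker over a constructed `ps -eo pid,ppid,user,comm,args` snapshot that flags shell or netcat processes descended from a web-server process. The process-name sets, the sample snapshot and the function names are assumptions for illustration.

```python
"""Flag shell/netcat processes whose ancestry leads back to a web server.

Added illustration (hypothetical helper, not from the mailing-list thread).
Input is a text snapshot in `ps -eo pid,ppid,user,comm,args` layout.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: process names that host web applications in this environment.
WEB_SERVERS = {"httpd", "apache2", "nginx", "php-fpm", "w3wp", "lighttpd"}
# Assumption: names that indicate command execution or a listener under the app.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell"}
NETCATS = {"nc", "netcat", "ncat"}

# Constructed sample snapshot (not real data): an httpd worker running under
# www-data has spawned a shell, which in turn started a netcat listener.
SAMPLE_PS = """\
PID PPID USER COMMAND ARGS
1 0 root init /sbin/init
812 1 root httpd /usr/sbin/httpd -k start
901 812 www-data httpd /usr/sbin/httpd -k start
1203 901 www-data sh sh -c nc -l -p 4444
1204 1203 www-data nc nc -l -p 4444
1300 1 root sshd /usr/sbin/sshd -D
1401 1300 alice bash -bash
"""

Proc = Tuple[int, str, str, str]  # (ppid, user, comm, args)


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse the snapshot into pid -> (ppid, user, comm, args); skips the header."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, ppid, user, comm = int(fields[0]), int(fields[1]), fields[2], fields[3]
        args = fields[4] if len(fields) == 5 else ""
        procs[pid] = (ppid, user, comm, args)
    return procs


def web_ancestor(pid: int, procs: Dict[int, Proc]) -> Optional[int]:
    """Return the pid of the nearest web-server ancestor of `pid`, or None."""
    if pid not in procs:
        return None
    seen = set()
    cur = procs[pid][0]  # start at the parent
    while cur in procs and cur not in seen:
        seen.add(cur)  # guard against cyclic/garbled snapshots
        ppid, _, comm, _ = procs[cur]
        if comm in WEB_SERVERS:
            return cur
        cur = ppid
    return None


def find_web_spawned_shells(text: str) -> List[dict]:
    """Return findings for shells/netcats that descend from a web server.

    A netcat invoked with a listen flag (-l, -lvp, ...) is reported as a
    'listener', which matches the 'netcat created port' stage of the
    escalation; everything else is reported as a 'shell'.
    """
    procs = parse_ps(text)
    findings = []
    for pid, (ppid, user, comm, args) in sorted(procs.items()):
        if comm not in SHELLS and comm not in NETCATS:
            continue
        anc = web_ancestor(pid, procs)
        if anc is None:
            continue  # e.g. an interactive bash under sshd is normal
        listening = comm in NETCATS and any(t.startswith("-l") for t in args.split())
        findings.append({
            "pid": pid,
            "ppid": ppid,
            "user": user,
            "comm": comm,
            "kind": "listener" if listening else "shell",
            "web_ancestor": anc,
        })
    return findings


if __name__ == "__main__":
    for f in find_web_spawned_shells(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['comm']}, {f['user']}): {f['kind']} "
              f"under web server pid {f['web_ancestor']}")
```

On the constructed snapshot this reports pid 1203 as a shell and pid 1204 as a listener, both under httpd worker 901, while the bash session under sshd is ignored. The check is deliberately ancestry-based rather than name-based, because the first step in such a chain usually is a plain `sh -c` rather than anything that looks unusual on its own.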
