From: juan.francisco.falcon@ar.pwcglobal.com
Date: Thu Jul 11 2002 - 13:01:40 EDT
You can try this kind of things:
1- Run a pwdump through the nc session,
2- Run a rdisk/s to copy the sam to the backup file (c:\winnt\repair\sam._
usually)
3- Schedule an AT command, this will run with Admin privileges (Do steps 1
or 2 , or change a Web File),
4- You can use a program like "leapfrog", that will go to other internal
servers (analyze the net with ipconfig /all), try to telnet the internal IP
gateway or router, try a net share on others servers (Net Share
\\<computername or IP>).
5- Try a command line sniffer that can be uploaded to the web server
6- Try a command line net scan that can be uploaded to the web server
(If someone knows a better program, please let me know!)
Leap Frog is a TCP/IP program, which will proxy telnet or for that matter
any TCP/IP connections from your host through a middle host (Leap Frog) to
the desired host. All connections to the destined host will appear to come
and be sent to the Leap Frog server. That is the destination server will
see no traffic, IP#, mac address, host info or any other info concerning
your machine, it will only know about the connecting machine which is
running Leap Frog.
Regards,
Juan Falcón
PricewaterhouseCoopers
ewvtwvi@hushmail.com on 09/07/2002 02:18:15 p.m.
To: pen-test@securityfocus.com
cc:
Subject: escalating IUSR to admin rights via unicode and iis4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I understand that this topic has been discussed in great deal, however i
searched the archives and was unable to find anything.
In doing a security assessment - I came across a web server running iis4
that is vulnerable to the unicode exploit. I was able to get it to tftp
back to my tftp server and pull down nc and a few other things...then got
nc listening with a shell and was able to connect to that shell...I didnt
go any further and reported it as it was. I was then questioned on the
possibility of it being used to escalate rights to administrator..and asked
for a demo... i repeated the above steps, but was unable to stop services
and such. I couldnt even delete a file I had uploaded using unicode with
tftp.
Could someone please point me to info that would explain what i have to do
to
accomplish this. I have been searching...but apparently not well enough.
Again, I hope this gets through..As it has prolly been discussed very much.
I apologize in advance for this question.. but im stuck :(
Thanks much!
t
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wlwEARECABwFAj0rGdkVHGV3dnR3dmlAaHVzaG1haWwuY29tAAoJEONDjIN5eMWV4yoA
n1TdHlIf1vT//ZWzA/D9CaPaVC7bAKCyKMk5UUB8wzny2LtRDKWQNepzFw==
=yH9p
-----END PGP SIGNATURE-----
Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2
Looking for a good deal on a domain name?
http://www.hush.com/partners/offers.cgi?id=domainpeople
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
_________________________________________________________________
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT