From: French, Dave (DFrench@unitrin.com)
Date: Fri Jul 12 2002 - 09:36:19 EDT
You could also utilize the file isapir2s.dll. What you would do is upload
that file to the /scripts directory. Then, in your command line through the
URL, use isapir2s.dll to execute netcat for your listener:
/scripts/isapir2s.dll?(and wherever you put nc.exe)
example: /scripts/isapir2s.dll?d:\inetpub\scripts\nc.exe%20-l...etc...
The isapir2s.dll is basically a revert to self function, which will make the
command you are issue run as context of the web server, SYSTEM.
Then, on an IIS4 server, you will have SYSTEM priv. On an IIS 5.0, you may
only get IWAM depending on a certain setting within IIS.
Hope this may be helpful.
DCF
-----Original Message-----
From: ewvtwvi@hushmail.com [mailto:ewvtwvi@hushmail.com]
Sent: Tuesday, July 09, 2002 12:18 PM
To: pen-test@securityfocus.com
Subject: escalating IUSR to admin rights via unicode and iis4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I understand that this topic has been discussed in great deal, however i
searched the archives and was unable to find anything.
In doing a security assessment - I came across a web server running iis4
that is vulnerable to the unicode exploit. I was able to get it to tftp back
to my tftp server and pull down nc and a few other things...then got nc
listening with a shell and was able to connect to that shell...I didnt go
any further and reported it as it was. I was then questioned on the
possibility of it being used to escalate rights to administrator..and asked
for a demo... i repeated the above steps, but was unable to stop services
and such. I couldnt even delete a file I had uploaded using unicode with
tftp.
Could someone please point me to info that would explain what i have to do
to
accomplish this. I have been searching...but apparently not well enough.
Again, I hope this gets through..As it has prolly been discussed very much.
I apologize in advance for this question.. but im stuck :(
Thanks much!
t
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wlwEARECABwFAj0rGdkVHGV3dnR3dmlAaHVzaG1haWwuY29tAAoJEONDjIN5eMWV4yoA
n1TdHlIf1vT//ZWzA/D9CaPaVC7bAKCyKMk5UUB8wzny2LtRDKWQNepzFw==
=yH9p
-----END PGP SIGNATURE-----
Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2
Looking for a good deal on a domain name?
http://www.hush.com/partners/offers.cgi?id=domainpeople
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT