Re: Re: Frontpage no password privileges escalation?

From: 09sparky@gmail.com
Date: Thu Oct 05 2006 - 20:45:55 EDT


Trying to get some clarification for myself: OK, so I have full access to the FrontPage server application (via no password set). I am able to upload/download/delete/etc. At this point you could already deface the website. Why would you use a tool like tool25.dat? I am not familiar with this tool, but is it used to gain access to a web server, or used after you already have upload/download privileges?

Next, with uploading tools/exploits: what type of tools/exploits would you use within the FrontPage root directory to actually gain system privileges? Can you run exploits from within this type of application to gain admin privileges? How do you know what its internal vulnerabilities are? I cannot run VA tools against it from the internal network to see its Microsoft vulnerabilities (i.e. plug and play), or run tools like Metasploit.

Sorry if these are foolish questions; I am just trying to get a grasp of the procedure. I did notice that this particular server did have "nc" in the FrontPage root directory (installed by the hacker), but I didn't think that it could be executed from within this folder.

Also, if anyone has a link to "tool25.dat" or other web defacement tools and/or exploits that could be run after a FrontPage compromise (upload rights), that would be great. I would be very interested in running these in our lab for further understanding/knowledge.

Thanks,
Sparky

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT