Re: Evil autorun CD - ideas ? downloadable exploits anywhere ?

From: Michael (blackavar@citizensofgravity.com)
Date: Thu May 03 2007 - 09:26:13 EDT


A dir of "%USERPROFILE%\Recent" might give you and the client an excellent
view of what you could access just from the one workstation without any
privilege escalation--kind of bring it home for them. :-) You might also
find yourself a copy of "Our_entire_network.vsd" if one of their admins
falls for the CD trick.

If you are really keen the spec for .lnk files is here:

http://mediasrv.ns.ac.yu/extra/fileformat/windows/lnk/shortcut.pdf

and you could write a script to parse out the actual file locations.

> On 5/2/07, Shenk, Jerry A <jshenk@decommunications.com> wrote:
>> Now, rooting every box that runs the CD...that would be even more
>> interesting...but, if it's part of a pen-test, I'm not sure where the
>> problem would be...a user taking the CD home would definitely be
>> interesting...might be a little tough to keep that in scope. Maybe put
>> a warning label on it not to remove it from the building;)
>
> If you're already grabbing net info, do a basic check to see if you're
> running on the authorized corporate net.
>
> if not, just autoeject the cd... or if it's a rewritable cd, try to
> erase the cd.
>
> CK
>
> --
> GDB has a 'break' feature; why doesn't it have 'fix' too?
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>
>

-- 
"Proceeds the Weedian... Nazareth!"
-Sleep
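As an added example (not code from Michael's post or from the list), here is the parser he alludes to: it reads the LocalBasePath out of a shell link, which is what an incident responder does over a user's Recent folder to reconstruct which files were opened. Field offsets follow the Shell Link (.lnk) format; build_sample_lnk produces a constructed minimal link so the code runs offline without a real Windows shortcut.

```python
import struct

# Constants from the Shell Link (.lnk) format; field offsets follow the spec.
HEADER_SIZE = 0x4C                    # fixed size of ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit

def _cstring(buf, off):
    """Read a NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")

def lnk_target_path(data):
    """Return the local path a shortcut points at, or None when the shortcut
    records no LocalBasePath (for example a link holding only a network path)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:  # skip the optional LinkTargetIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize excludes itself
    if not link_flags & HAS_LINK_INFO:
        return None
    li_size, _hdr, li_flags, _vol, base_off, _cnrl, suffix_off = \
        struct.unpack_from("<7I", data, off)
    if li_size < 0x1C or off + li_size > len(data):
        raise ValueError("truncated LinkInfo")
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    # Per the spec the full path is LocalBasePath with CommonPathSuffix appended.
    return _cstring(data, off + base_off) + _cstring(data, off + suffix_off)

def build_sample_lnk(target):
    """Constructed minimal .lnk for testing (not a file captured from Windows):
    header, an empty IDList, and a LinkInfo with a VolumeID plus the target."""
    header = struct.pack("<I16sI", HEADER_SIZE, bytes(16),
                         HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO).ljust(HEADER_SIZE, b"\x00")
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: only the TerminalID
    volume_id = struct.pack("<4I", 19, 3, 0x1234ABCD, 16) + b"OS\x00"  # size,type,serial,label
    base = target.encode("cp1252") + b"\x00"
    vol_off = 0x1C                                # VolumeID right after the LinkInfo header
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    li_size = suffix_off + 1                      # CommonPathSuffix is the empty string
    link_info = struct.pack("<7I", li_size, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    return header + id_list + link_info
```

Run lnk_target_path over each file in a Recent directory to get the list of opened paths; links whose LinkInfo carries only a network path return None and need the CommonNetworkRelativeLink handled separately.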


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:45 EDT