exploiting BID 529 revisited

From: m a (aznxy@yahoo.com)
Date: Wed Dec 08 2004 - 17:01:39 EST


In-Reply-To: <20041204194913.13731.qmail@www.securityfocus.com>

...trying to get anything out of command /c or cmd /c has proven
problematic.
I have tried echo bla>file, ping <SOURCEIP>, telnet <SOURCEIP> 80 (tcpdump
on my side) and all result in a big nothing.

Does this essentially mean that both executables have been moved/renamed?
Or could there be another reason I am missing?

Again:
1. Confirmed RDS 1.5 by the msadc/readme.txt.
2. I have managed to query the db using the
http://www.securityfocus.com/data/vulnerabilities/exploits/RDSExploit.zip.
3. Using msadc:
 msadc.pl -h <target> -N
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Machine name: NINT2
>Date: 4 Dec 2004 19:49:13 -0000
>From: m a <aznxy@yahoo.com>
>To: pen-test@securityfocus.com
>Subject: exploiting BID 529
>
>Running a pen test on some web servers.
>
>Some were verified to have RDS version 1.5 thus:
>http://10.1.1.1/msadc/readme.txt
>
>Here is the exploit:
>http://www.securityfocus.com/bid/529/exploit/
>
>I have tried unicode directory traversal which doesn't work.
>
>Running msadc works
>$ ./msadc.pl -h 10.1.1.1 -N
>-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
>Machine name: NT2
>
>I am trying to execute some cmd /c commands, however just trying to echo >xxx to a file in the default path of msadc and the wwwroot does not yield anything I can open. I am largely trying to verify that the commands work.
>
>Even if this does work (and the default paths are changed) I am not sure what else I can do with it considering the firewall is filtering out everything apart from 80 and 443 (some hosts, probably just one) inbound. I could potentially try killing the inet process and then implant nc.exe and have it take over on 80 or 443 but that would be too intrusive.
>
>Here's some more reading on this (this guy had the benefit of unicode):
>http://www.honeynet.org/scans/scan14/rfp.html
>
>Any help much appreciated.
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:09 EDT