Re: Pwdump2 with UNICODE?

From: Tony Lambiris (methodicat_private)
Date: Thu Aug 09 2001 - 10:35:27 PDT


    Ahh.. so you can basically echo a bunch of ftp commands to a file, run
    the ftp client with -s:filename.txt to have the box download cmdasp.asp, and
    then you can just have that page execute commands?
    On 08.09.01, "Sapiro, Benjamin R" <bsapiroat_private> wrote:
    > Tony
    > Under IIS4, CMDASP.asp executes in a system-level context, so you are able to
    > do that (CMDASP.asp has nothing to do with the unicode vuln. itself; we just
    > use unicode attacks to get script up onto the box). You are right, though: a
    > unicode-executed command by itself runs under the IUSR context.
    > Ben Sapiro
    > Information Risk Management
    > (416) 777-8025
    > -----Original Message-----
    > From: Tony Lambiris [mailto:methodicat_private]
    > Sent: Wednesday, August 08, 2001 1:46 PM
    > To: Penetration Testers
    > Subject: Re: Pwdump2 with UNICODE?
    > I thought under UNICODE, you aren't able to run such commands as rdisk
    > and pwdump, because IIS runs as IUSR?
    > On 08.07.01, Kevin Lam <> wrote:
    > > Hi Allen,
    > > 
    > > If you have UNICODE working, you could upload cmdasp.asp which will let
    > > you execute commands on that server.
    > > 
    > > If this is NT then what you can do is run "rdisk /s-" to silently update
    > > the repair sam._ file (this is a little trick that I used to use when I
    > > did pen-testing for Deloitte).  Then go to c:\winnt\repair and copy
    > > sam._ to say a public internet folder like c:\inetpub\wwwroot and then
    > > go to your browser and just download the file.
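The thread above describes the three steps an intruder chains on an IIS4 box: a Unicode-encoded traversal request to reach cmd.exe, a script (cmdasp.asp) dropped into the web root, and a SAM backup (sam._) copied into wwwroot for download. From the defender's side all three leave traces in the IIS web log. The following script is an added example written for this archive page, not code from any poster on the list. It assumes W3C-extended log lines in the constructed form `date time c-ip cs-method cs-uri-stem sc-status`, and it approximates the permissive decoder of the vulnerable IIS versions with a small `lenient_utf8_decode` helper (an assumption made for illustration, not a copy of the IIS code) so that overlong sequences such as `%c0%af` and double-encoded `%255c` are unmasked before the path is inspected.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample IIS log lines (W3C extended format, selected fields only).
SAMPLE_LOG = """\
2001-08-09 10:35:27 192.0.2.10 GET /default.asp 200
2001-08-09 10:35:41 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
2001-08-09 10:36:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe 200
2001-08-09 10:37:15 192.0.2.10 GET /cmdasp.asp 200
2001-08-09 10:39:50 192.0.2.10 GET /sam._ 200
2001-08-09 10:40:01 198.51.100.7 GET /images/logo.gif 200
"""

# File names the thread mentions as end products of the technique; a hit on any
# of these in the web root deserves a look regardless of how it was requested.
SENSITIVE = ("cmd.exe", "sam._", "cmdasp.asp")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def lenient_utf8_decode(data: bytes) -> str:
    """Decode bytes the permissive way a buggy decoder does: overlong two- and
    three-byte sequences are accepted and mapped to the ASCII character they
    encode (C0 AF -> '/', C1 9C -> '\\') instead of being rejected.
    This is an approximation for illustration, not the real IIS routine."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < len(data)
              and all(0x80 <= c <= 0xBF for c in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:
            out.append(chr(b))          # ASCII or stray byte: pass through
            i += 1
    return "".join(out)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode and leniently UTF-8-decode until the string stops
    changing, so both %c0%af and double-encoded %255c resolve to separators."""
    current = uri
    for _ in range(max_rounds):
        decoded = lenient_utf8_decode(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def uses_overlong_encoding(uri: str) -> bool:
    """True when the percent-decoded bytes are not valid strict UTF-8, which is
    the signature of an overlong sequence that only a lenient decoder accepts."""
    try:
        unquote_to_bytes(uri).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def classify_request(uri_stem: str) -> list[str]:
    """Return the list of indicators found in one request path."""
    norm = normalize_uri(uri_stem).lower()
    findings = []
    if TRAVERSAL.search(norm):
        findings.append("path-traversal")
    if uses_overlong_encoding(uri_stem):
        findings.append("overlong-utf8")
    if "%25" in uri_stem.lower():
        findings.append("double-encoding")
    basename = norm.rsplit("/", 1)[-1]
    if basename in SENSITIVE:
        findings.append(f"sensitive-file:{basename}")
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan log text and return one alert per request with any indicator."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 6:
            continue
        _date, _time, client, _method, uri, status = parts[:6]
        findings = classify_request(uri)
        if findings:
            alerts.append({"client": client, "uri": uri,
                           "status": status, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["client"], alert["status"], alert["uri"], ", ".join(alert["findings"]))
```

Run against the constructed log, the script raises four alerts: the two traversal requests (one overlong, one double-encoded, both reaching cmd.exe), the request for cmdasp.asp, and the download of sam._ from the web root. The last two fire on the file name alone, which is the point: even where the traversal itself was missed or logged elsewhere, a SAM backup or a command-shell script being served by IIS is a signal on its own. Restricting ACLs on %SystemRoot%\repair and denying the IUSR account write access to the web root removes the two later steps regardless of how the first one was achieved.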
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:

    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:42:27 PDT