What I have done in the past is get a copy of hk.exe. It is a local privilege escalation exploit that runs processes as SYSTEM. Then just run netcat via hk.exe, connect to the listener, and bingo, you are SYSTEM. It has been a while since I have done this, so I don't recall the exact syntax, but that should get you pointed in the right direction.

On Tuesday, July 9, 2002, at 10:18 AM, ewvtwviat_private wrote:

> Hello,
>
> I understand that this topic has been discussed in great deal, however
> I searched the archives and was unable to find anything.
>
> In doing a security assessment - I came across a web server running
> IIS4 that is vulnerable to the unicode exploit. I was able to get it to
> tftp back to my tftp server and pull down nc and a few other
> things...then got nc listening with a shell and was able to connect to
> that shell...I didn't go any further and reported it as it was. I was
> then questioned on the possibility of it being used to escalate rights
> to administrator..and asked for a demo... I repeated the above steps,
> but was unable to stop services and such. I couldn't even delete a file
> I had uploaded using unicode with tftp.
> Could someone please point me to info that would explain what I have
> to do to accomplish this. I have been searching...but apparently not
> well enough.
>
> Again, I hope this gets through..As it has probably been discussed very
> much. I apologize in advance for this question.. but I'm stuck :(
>
> Thanks much!
> t
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
> see:
> https://alerts.securityfocus.com/
> ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 18:21:48 PDT