Re: escalating IUSR to admin rights via unicode and iis4

From: Bill Pennington (billpat_private)
Date: Thu Jul 11 2002 - 10:18:31 PDT

    What I have done in the past is get a copy of hk.exe. It is a local 
    privilege escalation exploit that runs processes as SYSTEM.
    
    Then just run netcat via hk.exe, connect to the listener, and bingo you 
    are SYSTEM.
    
    It has been a while since I have done this so I don't recall the exact 
    syntax but that should get you pointed in the right direction.
    
    On Tuesday, July 9, 2002, at 10:18 AM, ewvtwviat_private wrote:
    
    >
    > Hello,
    >
    >  I understand that this topic has been discussed a great deal, however 
    > I searched the archives and was unable to find anything.
    >
    >  In doing a security assessment - I came across a web server running 
    > iis4 that is vulnerable to the unicode exploit. I was able to get it to 
    > tftp back to my tftp server and pull down nc and a few other 
    > things...then got nc listening with a shell and was able to connect to 
    > that shell...I didn't go any further and reported it as it was. I was 
    > then questioned on the possibility of it being used to escalate rights 
    > to administrator..and asked for a demo... I repeated the above steps, 
    > but was unable to stop services and such. I couldn't even delete a file 
    > I had uploaded using unicode with tftp.
    >  Could someone please point me to info that would explain what I have 
    > to do to accomplish this. I have been searching...but apparently not 
    > well enough.
    >
    > Again, I hope this gets through..As it has prolly been discussed very 
    > much. I apologize in advance for this question.. but I'm stuck :(
    >
    > Thanks much!
    > t
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert 
    > (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please 
    > see:
    > https://alerts.securityfocus.com/
    >
    



    This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 18:21:48 PDT