In-Reply-To: <9956F8424795D411B03B0008C786E60D048D0A7Bat_private>

::responses to multiple people below::

> Eric Brown wrote
> Could you not create a batch file that housed the commands you wanted to run
> (with args) and just run the batch file?
> I apologise if someone has already addressed this.

How would you make this batch file? The only way I know would be to use "echo blah >> file.bat", and if you do it that way you are still using parameters... so we are right back to where we started.

Ryan Sweat mentioned using GG's script injection ideas outlined in:
http://www.guninski.com/parsedat-desc.html

The only problem with this is that these techniques do not work on IE6; they did in IE5.x... I just tested on win2k/winXP. So no go there...

> Felipe Franciosi wrote
> But I couldn't get to work something like:
> var prog...
> 'c:/command.com /c echo bin > c:/list.txt',
> 'c:/command.com /c echo GET something >> c:/list.txt'
>
> this won't create 'list.txt'... Any ideas why? Or how some could
> get around it?

Read my last post, Felipe, for info on why this doesn't work:
http://online.securityfocus.com/archive/82/261926

> Kevin Wall wrote
> On Win9x systems, rather than targeting FTP or a
> command shell, what about starting up something
> that simply causes an exploitable process to listen on
> some port # (will vary, depending on application)
> and then separately trying to exploit that.

PWS is not installed by default on win9x... and I don't believe you can start IIS with one program on an XP Pro box (assuming they have installed that component and are just not using it).

> If the User-Agent corresponds to MSIE, then at
> some time later (perhaps wait t minutes later), gently
> port scan the remote IP address to see if the
> application was launched. If the port scan
> succeeds, then go into full exploit mode. (This
> assumes an exploitable application that is normally
> not running and no pesky personal firewalls, etc. to
> be sure. But certainly some combinations would be
> vulnerable given the cluelessness of the typical
> Windoze users and their disdain for ever updating
> their system with security patches.)

I don't have access to a 9x system to test this... but this all relies on:
1) I am using win9x with IE6 (don't forget that is the version we are discussing here)
2) that they have installed PWS before and it is currently disabled

Then I assume one might be able to do what you are describing.

The bottom line is, if you know the path to an exe on the system, then you can open it up... the only way this could be an attack vector is if the exe was a trojan, or some kind of buggy daemon.

lata,
-Slow2Show-
University of Florida
This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 14:34:43 PST