Penetration Testing
mailing list archives
exploiting BID 529
From: m a <aznxy () yahoo com>
Date: 4 Dec 2004 19:49:13 -0000
Running a pen test on some web servers.
Some were verified to have RDS version 1.5, thus:
http://10.1.1.1/msadc/readme.txt
Here is the exploit:
http://www.securityfocus.com/bid/529/exploit/
I have tried unicode directory traversal which doesn't work.
Running msadc works
$ ./msadc.pl -h 10.1.1.1 -N
-- RDS smack v2 - rain forest puppy / ADM / wiretrip --
Machine name: NT2
I am trying to execute some cmd /c commands, however just trying to echo >xxx a file to the default path of msadc and
the wwwroot does not yield anything I can open. I am largely trying to verify that the commands work.
Even if this does work (and the default paths are changed) I am not sure what else I can do with it considering the
firewall is filtering out everything apart from 80 and 443 (some host probably just one) inbound.
I could potentially try killing the inet process and then implant nc.exe and have it take
over on 80 or 443 but that would be too intrusive.
Here's some more reading on this (this guy had the benefit of unicode):
http://www.honeynet.org/scans/scan14/rfp.html
Any help much appreciated.