Re: clue on shell

[ArcSighter Elite <arcsighter () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Robin Wood wrote:
> 2009/1/5 Ricardo Mourato <ricardomcm () gmail com>:
> > i pentesting people, i've got a shell in a customers server, using an
> > webapp bug (eval() is evil()) :)
> > the server seems to run windows 2003 server, it's known that IIS6 "had
> > many security improvments", such as disabling the cmd.exe for the IIS
> > user, that's why i have used the old fashion "command.com" and voila,
> > i've got a shell, but it is very limited, i'm trying to upload some
> > programs, in order to get a better shell and get admin rights, btw the
> > server is also  running plesk control panel , should i try this in a
> > possible way to get admin?
> >
> > i know that sqlninja can upload files in debug script, i also thinked about that
> > i could  echo "hex stuff" into  %TEMP%/nc.scr for example
> >
> > does anybondy knows how convert a binary in debug script?
>
> See if tftp is on the box and use that to grab files.
>
> If not then this php script will let you upload files, just put it in
> the webroot then browse to it. It will upload the given file to
> c:\temp\hacker_file.
>
> <?php
> if ($_SERVER['REQUEST_METHOD'] == "POST" && array_key_exists ("file",
> $_FILES)) {
>     move_uploaded_file ($_FILES['file']["tmp_name"], "c:\\temp\hacker_file");
> }
> ?>
> <form method="post" action="<?=$_SERVER['PHP_SELF']?>"
> enctype="multipart/form-data">
>     <input type="file" name="file" id="file" />
>     <input type="submit" name="submit" value="submit" />
> </form>
>
>
> Robin

You could use any sort of client-side scripting, such as VBScript,
JavaScript and the like.

Uploading exe-files, well, I remember in Advances in Windows Shellcoding
of Phrack pioneered very interesting methods of post-exploitation. You
should review this and related papers. They describe hex dumping, vb
binary translation.

I'm not a msf marketer or anything, but they've implemented a payload to
vba module converter; so you can get into meterpreter's shell easily.
The restriction of IIS shouldn't pose a very strong problem, If you have
the knowledge. In the -almost sure- case that a trick such as
RevertToSelf() doesn't work for you, they're published and unpublished
methods of privilege escalation affecting various versions of Windows,
including your targets'.

In the meantime, why you're interested anyway? You've already proved the
vulnerability exists by gaining access into your customer's server, I'm
wrong?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJY2D9H+KgkfcIQ8cRAgXsAJ9GXL+0Clox5N9NBTa39i8BH9xL1gCghpgH
hV+/NGV8gMy8XXLrupAo6ek=
=mTxG
-----END PGP SIGNATURE-----