Metasploit mailing list archives

MS03-051


From: Glinares at PCOnsite.com (Greg Linares)
Date: Wed, 6 Sep 2006 11:33:51 -0700

That makes sense; I didn't even think about that option.

On a side note/request, is there any news of developing MS06-035 and
MS06-036 modules?
I've noticed that many computers are still vulnerable to the MS06-035
exploit, particularly ones that have patched against MS06-040 (which
seemed to have gotten all the buzz). Maybe the MS06-035 method doesn't offer
as much of a vector/payload room or has severe byte restrictions. I
haven't looked that closely into it.

And yes, we care dearly :)


-----Original Message-----
From: H D Moore [mailto:hdm at metasploit.com] 
Sent: Wednesday, September 06, 2006 10:58 AM
To: framework at metasploit.com
Subject: Re: [framework] MS03-051

The way around those limitations is to use Meterpreter as the payload. The
exploit itself shouldn't be responsible for anything that happens after
code execution starts. When exploiting ISAPI bugs on IIS 5.1, you have to
use Meterpreter (and the 'revert' command) to actually get a command
shell, since the IUSR account doesn't have access to cmd.exe, but the
IWAM account does.

Glad to see that people care about this stuff :-)

-HD

On Wednesday 06 September 2006 12:52, Greg Linares wrote:
Oh well, yeah, that iis_fp30reg_chunked exploit has its limitations. I
think it just runs code in the context of IUSR_BROWSER, although there
is a plethora of pipe-hijacking/privilege escalation code that could be
run in conjunction with it.