escalating IUSR to admin rights via unicode and iis4

[ewvtwvi () hushmail com]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

 I understand that this topic has been discussed in great deal, however i searched the archives and was unable to find 
anything.

 In doing a security assessment - I came across a web server running iis4 that is vulnerable to the unicode exploit. I 
was able to get it to tftp back to my tftp server and pull down nc and a few other things...then got nc listening with 
a shell and was able to connect to that shell...I didnt go any further and reported it as it was. I was then questioned 
on the possibility of it being used to escalate rights to administrator..and asked for a demo... i repeated the above 
steps, but was unable to stop services and such. I couldnt even delete a file I had uploaded using unicode with tftp.
 Could someone please point me to info that would explain what i have to do to
accomplish this. I have been searching...but apparently not well enough.

Again, I hope this gets through..As it has prolly been discussed very much. I apologize in advance for this question.. 
but im stuck :(

Thanks much!
t
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj0rGdkVHGV3dnR3dmlAaHVzaG1haWwuY29tAAoJEONDjIN5eMWV4yoA
n1TdHlIf1vT//ZWzA/D9CaPaVC7bAKCyKMk5UUB8wzny2LtRDKWQNepzFw==
=yH9p
-----END PGP SIGNATURE-----


Communicate in total privacy.
Get your free encrypted email at https://www.hushmail.com/?l=2

Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/