Vulnerability Development mailing list archives
Re: Summary of IIS 4.0/5.0 Unicode thread (end of thread?)
From: "Robert A. Seace" <ras () SLARTIBARTFAST MAGRATHEA COM>
Date: Fri, 27 Oct 2000 06:40:38 -0400
In the profound words of Ryan Yagatich:
Summary of IIS 4.0/5.0 Unicode thread (end of thread?)
[very good summary snipped...]
> Also, you can set up a tftp server on your box, and tftp in the file/trojan which you are attempting to run. (netcat anyone?) All you have to do is set up the command string the same way.
Another way to transfer files would be "rcp", if you find it easier to set up "in.rshd" on your server... (At least, the NT machine I saw had an "rcp.exe" client installed in "\winnt\system32\"... Not sure how standard that is...)
> Protection: There are multiple ways of getting around this. First of all, your webroot is the key. (So far) it has been shown that this code will only execute if the /winnt directory is located on the same drive as the webroot directory...
Is that true? I thought the point behind the "msadc" variation was that it removed that limitation... Because, as far as I can see, the location of the "msadc" directory is actually "C:\Program Files\Common Files\system\msadc" (on at least this test system I'm using)... (Just do a "dir", without the "+c:\", and it'll show you the directory name...) So, even if the web root were elsewhere, as long as "Program Files" was on the same drive as "winnt", it should work... (I'm just speculating, here... Someone with more definitive info should definitely speak up...)

--
||========================================================================||
|| Rob Seace    || URL                            || ras () magrathea com ||
|| AKA: Agrajag || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"What do you mean, you've never been to Alpha Centauri? For heaven's sake, mankind, it's only four light-years away, you know." - THGTTG
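To check the "same drive" argument above from the defender's side, here is an added example (not code from the thread or from IIS) that resolves a request path against an assumed virtual-directory map the way a lenient UTF-8 decoder would, and reports whether the resolved path leaves the vdir's physical root and which drive it lands on. The VDIRS mapping, the physical paths and the sample requests are constructed assumptions; a real audit would take the mappings from the server's IIS metabase.

```python
from urllib.parse import unquote_to_bytes

# Constructed virtual-directory map (an assumption modelled on the thread:
# /msadc lives under C:\Program Files, the web root on another drive).
VDIRS = {
    "/msadc": r"C:\Program Files\Common Files\system\msadc",
    "/scripts": r"D:\inetpub\scripts",
    "/": r"D:\inetpub\wwwroot",
}

def lenient_utf8(raw: bytes) -> str:
    """Fold a 2-byte overlong UTF-8 sequence (0xC0/0xC1 lead byte) to the ASCII
    character it encodes, as a lenient decoder would; other bytes map 1:1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def resolve(url_path: str) -> dict:
    """Map a request path to the physical path the server would open and
    report whether that path escapes the virtual directory's physical root."""
    path = lenient_utf8(unquote_to_bytes(url_path.split("?", 1)[0]))
    path = path.replace("\\", "/")
    # Longest-prefix match picks the most specific vdir (e.g. /msadc over /).
    vdir = max((v for v in VDIRS if path.lower().startswith(v)), key=len)
    root = VDIRS[vdir].replace("\\", "/").split("/")
    parts = list(root)
    for seg in path[len(vdir):].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(parts) > 1:          # cannot climb above the drive root
                parts.pop()
        else:
            parts.append(seg)
    escapes = parts[:len(root)] != root
    return {"vdir": vdir, "drive": parts[0], "escapes_root": escapes,
            "physical": "\\".join(parts)}
```

Run over web-server log paths, the same resolution shows why a traversal through the web root stays on D: while one through /msadc lands on C:, which is the point the reply above is speculating about.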