Re: cmd.exe / root.exe question

From: Jon Zobrist (kgb@ussr.com)
Date: 08/27/01

• Previous message: Phaedrus: "Re: cmd.exe / root.exe question"
• In reply to: karl_napp3@gmx.li: "cmd.exe / root.exe question"
• Next in thread: McCammon, Keith: "RE: cmd.exe / root.exe question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Message-Id: <200108271548.JAA93589@48gx.avaltus.com>
From: Jon Zobrist <kgb@ussr.com>
To: karl_napp3@gmx.li
Subject: Re: cmd.exe / root.exe question
Date: Mon, 27 Aug 2001 09:42:41 -0600

You don't open a cmd shell from it, you execute it with the /c flag so it
runs arguements taken at command line then exits normally..
try these

GET /scripts/cmd.exe?/c+dir

GET /scripts/cmd.exe?/c+echo+hacked+>index.html

The first one will show you a dir for the current directory, the second will
create a new file, or overwrite an existing one named index.html in the
current directory.

Think of the possibilities... cmd.exe has built in tftp client... you can
most likely write to the c:\ drive....... and the scripts directory... you
can now upload your backdoor / trojan / virus / worm and party...

-Jon
*remember the simpler times, man they sucked*

On Saturday 25 August 2001 01:29 pm, you wrote:
> Where exactly is the risk a cmd.exe (under what name ever) is placed in a
> scriptable directory? I've put cmd.exe into wwwroot under iis5 and gave
> scripting to the file.
> Now tried to remotely execute it. I didn't succeed to get a remoteshell.
> Via IE5 I could exceute the file but got a local shell, only. Netcat with
> 'nc <ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my soundchip a ride to
> hell when interpreting all the beeps ;-)
>
> If cmd were boud to any port and listening I'd see security implications.
> But with only a file lying around?

---

• Previous message: Phaedrus: "Re: cmd.exe / root.exe question"
• In reply to: karl_napp3@gmx.li: "cmd.exe / root.exe question"
• Next in thread: McCammon, Keith: "RE: cmd.exe / root.exe question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: How do you do this? ... that you prefered to say that you want to remotely execute the ... program to be sent in source format. ... You really haven't redefined colon to mean remote execute as in: ... have sent the source code, you send PROGRAM to start execution. ... (comp.lang.forth) Security settings for cmd access IIS XP Pro SP2 ... Are there any new security settings for controlling access to the cmd shell ... I have been able to execute a .EXE program from HTML using IIS. ... When using XP Pro, the program runs (it generates an debug file with the ... I've turned off the firewall and lowered IE security settings to the minimum. ... (microsoft.public.inetserver.iis) Remote Execution of a Pocket PC Executable ... I need to remotely execute a program on a Windows CE device (a pocket ... just not the CeCreateProcess. ... the WinCE executable to finish before going on. ... (microsoft.public.pocketpc.developer) RE: Remote Execution of a Pocket PC Executable ... "Ismilar" wrote: ... > I need to remotely execute a program on a Windows CE device (a pocket ... > the WinCE executable to finish before going on. ... (microsoft.public.pocketpc.developer) Remote Execution of a Windows CE Program ... I need to remotely execute a program on a Windows CE device (a pocket ... just not the CeCreateProcess. ... the WinCE executable to finish before going on. ... (microsoft.public.windowsce.embedded.vb)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ms  > 2001-08