Re: Pwdump2 with UNICODE?

From: Tony Lambiris (methodic@libpcap.net)
Date: 08/09/01


Date: Thu, 9 Aug 2001 13:35:27 -0400
From: Tony Lambiris <methodic@libpcap.net>
To: "Sapiro, Benjamin R" <bsapiro@kpmg.ca>
Subject: Re: Pwdump2 with UNICODE?
Message-ID: <20010809133527.A15920@clotch.libpcap.net>

Ahh.. so you can basically echo a bunch of ftp commands to a file, run
the ftp client -s:filename.txt to have the box download cmdasp.asp, and
then you can just have that page execute commands?

Nice.

On 08.09.01, "Sapiro, Benjamin R" <bsapiro@kpmg.ca> wrote:
> Tony
>
> Under IIS4, CMDASP.asp executes in system level context so you are able to
> do that (CMDASP.asp has nothing to do with the unicode vuln. itself, we just
> use unicode attacks to get script up onto the box). You are right though, a
> unicode executed command by itself runs under IUSR context.
>
> Ben Sapiro
> Information Risk Management
> (416) 777-8025
> www.kpmg.ca/irm
>
>
> -----Original Message-----
> From: Tony Lambiris [mailto:methodic@libpcap.net]
> Sent: Wednesday, August 08, 2001 1:46 PM
> To: Penetration Testers
> Subject: Re: Pwdump2 with UNICODE?
>
>
> I thought under UNICODE, you aren't able to run such commands as rdisk
> and pwdump, because IIS runs as IUSR?
>
> On 08.07.01, Kevin Lam <kevinlam@packet-works.com> wrote:
> > Hi Allen,
> >
> > If you have UNICODE working, you could upload cmdasp.asp which will let
> > you execute commands on that server.
> >
> > If this is NT then what you can do is run "rdisk /s-" to silently update
> > the repair sam._ file (this is a little trick that I used to use when I
> > did pen-testing for Deloitte). Then go to c:\winnt\repair and copy
> > sam._ to say a public internet folder like c:\inetpub\wwwroot and then
> > go to your browser and just download the file.
>
>
