Re: IIS : access to cmd.exe and multiple commands on one line

From: Alex Butcher (pentest) (pentest@cocoa.demon.co.uk)
Date: 10/23/01


Date: Tue, 23 Oct 2001 21:10:31 +0100 (BST)
From: "Alex Butcher (pentest)" <pentest@cocoa.demon.co.uk>
To: Daniel Polombo <polombo@cartel-info.fr>
Subject: Re: IIS : access to cmd.exe and multiple commands on one line
Message-ID: <Pine.LNX.4.33.0110232108170.9115-100000@cocoa.demon.co.uk>

On Tue, 23 Oct 2001, Daniel Polombo wrote:

> Hello,
>
> as you all know, it's possible to exploit a number of IIS bugs to gain
> access to \winnt\system32\cmd.exe and execute arbitrary commands on the
> server. I've been trying to convince it to execute several commands on one
> line (as one would separate commands with a ';' under any decent shell), with
> limited success : on a number of NT/2k boxes, the syntax :
>
> command1 & command2 (eg, cd .. & dir)
>
> works fine. On some other boxes, though, it only returns 'The parameter is
> incorrect'.
>
> It is unclear to me whether this problem happens only because of the way the
> request is made (http://path/to/cmd.exe?/c+command1&command2), or if there are
> really different versions of cmd.exe.

A suggestion: have you tried copying cmd.exe to some other filename (e.g.
foo.exe) and then use *that* to execute the multiple command line? Just
thinking that if redirection doesn't work without using a copy of cmd.exe,
maybe some other aspects don't either.

> Regards,
> Daniel

Best Regards,
Alex (no NT box to test on, for now :)

-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK      Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950                      http://www.cocoa.demon.co.uk/cv/
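
For defenders reviewing web server logs for the activity discussed in this thread, an added example (not part of either poster's message): it scans IIS W3C extended log lines for the `cmd.exe?/c+command1&command2` request shape quoted above. It keys on the `/c` switch rather than the file name, so a renamed copy such as `foo.exe` is still flagged. The log lines, field layout and function name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not from the original post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-23 20:01:11 192.0.2.10 GET /default.asp - 200
2001-10-23 20:01:15 192.0.2.77 GET /path/to/cmd.exe /c+dir 200
2001-10-23 20:01:19 192.0.2.77 GET /path/to/cmd.exe /c+cd+..&dir 200
2001-10-23 20:02:03 192.0.2.77 GET /path/to/foo.exe /c+cd+..&dir 200
2001-10-23 20:02:40 192.0.2.10 GET /cgi-bin/search.exe q=cmd&page=2 200
"""

# "/c" followed by a separator is how a command string is handed to cmd.exe.
SWITCH_C = re.compile(r"^/c[\s+]", re.IGNORECASE)

def flag_shell_requests(log_text):
    """Return (c-ip, stem, reasons) for requests that look like shell invocation."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        # Decode percent-escapes and normalise separators and case before matching.
        stem = unquote(row.get("cs-uri-stem", "")).replace("\\", "/").lower()
        query = unquote(row.get("cs-uri-query", "-"))
        reasons = []
        if stem.rsplit("/", 1)[-1] == "cmd.exe":
            reasons.append("cmd.exe requested by name")
        # A name-only signature misses a renamed copy; the /c switch does not.
        if stem.endswith(".exe") and SWITCH_C.match(query):
            reasons.append("/c switch passed to an executable")
            if "&" in query:
                reasons.append("'&' command chaining in query")
        if reasons:
            findings.append((row.get("c-ip", "-"), stem, reasons))
    return findings

if __name__ == "__main__":
    for ip, stem, reasons in flag_shell_requests(SAMPLE_LOG):
        print(ip, stem, "; ".join(reasons))
```
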
