Demo of WebDAV exploit with Trojan installation

From: Brian Serra (brianserra@earthlink.net)
Date: 04/24/03

    From: "Brian Serra" <brianserra@earthlink.net>
    To: <pen-test@securityfocus.com>
    Date: Wed, 23 Apr 2003 22:04:18 -0500
    
    

    All,
    I have a demonstration seminar coming up shortly and have run into some
    problems with getting a Trojan (backdoor, RAT) to run after I exploit WebDAV
    on a W2k IIS 5.0 sp3 system. The WebDAV exploit works fine and I get a
    remote command prompt. I then tftp the Trojan up to the IIS system and
    execute it. It seems I may not have sufficient permission to run the Trojan
    and have it open a listening port. The Trojan will execute and show in the
    task manager, but the port will not open. If I execute the Trojan locally it
    opens the port fine. This works the same with y3k and beast Trojans.

    Any ideas? Do I need to escalate privilege first? If so, any recommendations
    on what to use?

    Thanks!!

    Brian Serra - CISSP
    Senior Technical Security Consultant
    Vulnerability Assessment and Penetration Testing
    847-763-2304 Direct
    630-926-4055 Mobile
    bserra@forsythesolutions.com

    Forsythe Solutions
    7440 North Long Avenue, Skokie, IL 60077

    Building cost-effective IT infrastructure that organizations trust.


