[framework] Running application remote server side
Anthony R. Plastino III
tplastino at sses.net
Tue Jun 20 21:33:27 CDT 2006
Given the snippet of the message, it seems to me that this person has
found an open share. Upon mounting the share, the filesystem seems to
allow reading/writing of files. Unfortunately, there is no easy method
for remotely executing code in this context. This would depend on
having access to a valid account, not simply mounting the IPC$ as a
null user.

The framework operates mostly on exploited vulnerabilities (on a host)
which allow that host to be manipulated remotely at a far deeper level
than mounting a share. The mounting of a share, while certainly a
vulnerability, takes advantage of a host's misconfiguration, but
allows the host to perform a 'normal' function of being a file server;
it has not been made to do something it was not intended to do.
Injecting shell code into an overflowed buffer on the other hand
forces the host to perform outside of its 'normal' function by
allowing (for example) a remote shell to be presented to an
unauthorized entity in the context (we hope) of SYSTEM, thereby giving
up something better than console access.

I am not aware of a framework exploit that can take advantage of a
mounted share (although I admit that I am not an uber user yet :) ).
There are other applications that do (if you have a valid user) such
as Hyena, which have the ability to invoke the scheduler to run an
application.

regards,
Anthony R. Plastino III

Nicolas RUFF wrote:
>>I have a problem about running a ".exe" file remotely in a windows 2003
>>server.
>>I have access to server to upload, read, and write some files to server
>>remotely.
>>but I need to execute my uploaded ".exe" file remotely on server
>>(server-side)
>
>
>What do you mean by "I cannot execute files" ? (Error message ?)
>
>Can you execute standard system binaries, like CMD.EXE ?
>
>What does the CACLS command say ? Who is given execute access ?
>
>Are you sure the %TMP% and %TEMP% directories are not executable ?
>(Basically every installer will drop EXE files in these directories)
>
>We lack context here ...
>
>Regards,
>- Nicolas RUFF