reliable remote code execution for IIS on Server 2008?

Viewing 14 reply threads
  • Author
    Posts
    • #7621
      camelCase
      Participant

      Hello,

      I am having trouble finding any reliable exploits for Server 2008. So I figured I would ask you guys. Do you know of any? Thanks!

    • #47585
      rattis
      Participant

      I would look through the Exploit DB, maintained by Offensive Security. Might also try some of the ones known to work for Wk2, see if they still work.

    • #47586
      impelse
      Participant

Try to look for a different way to log in; some exploits require a lot of work before you can make them work.

    • #47587
      cd1zz
      Participant

There are no publicly disclosed RCE exploits for IIS 7. However, if you're just looking for a 2008 exploit, there are options.

      You’re better off going after the app on that webserver.

    • #47588
      impelse
      Participant

Yep, the web app will give you good access; it doesn't matter if the machine is well updated.

    • #47589
      camelCase
      Participant

      cd1zz, this is what I thought. Oh well. FYI these are in a highly specialized deployment and have no web applications and very limited HTTP methods.

    • #47590
      mohaab
      Participant
    • #47591
      jimbob
      Participant

      Don’t forget to think out a deeper solution. If you can get file upload on the server you can upload arbitrary binaries and ASP content to achieve this. Don’t think of pen testing as, “I have one exposed service, is there a remote exploit?” Can you find SQLi and execute code that way?

      Regards,
      Jimbob

    • #47592
      camelCase
      Participant

      Again, they do not run any web applications. This is why I asked about IIS specifically. The PHRACK issue I would say does not indeed point to any reliable exploit. Thank you for your time but I pwnd this shit on my own.

    • #47593
      tturner
      Participant

      @camelCase wrote:

      Thank you for your time but I pwnd this shit on my own.

      Perhaps you’d care to share and help us increase the community knowledge?

    • #47594
      hayabusa
      Participant

      @tturner wrote:

      @camelCase wrote:

      Thank you for your time but I pwnd this shit on my own.

      Perhaps you’d care to share and help us increase the community knowledge?

      Yeah, that line didn’t exactly sit well with me.  I’m certain it didn’t carry the attitude that I interpreted, when I read it.  (At least, I’d hope not.  ;))  And yes, I’m with tturner.  If you pwned it, please share, if for no other reason than to increase everyone’s knowledge and abilities.

      Oh, and assuming you did pwn it… Congrats!

    • #47595
      camelCase
      Participant

I had to do it by sending SYN packets with scapy and backing off the TTL until the firewall responded with an error packet containing its IP, finding out that the firewall was misconfigured and had its config interface in front of me, guessing the correct password, dumping its config, SSH tunneling through the firewall and proxy-scanning the server, enumerating some users, discovering a user with pass as user, looking in the SYSVOL, finding a bat script with domain admin permissions, and RDP. So still not just IIS or web app but just pure luck. I think that is vague enough to not give up any confidential data but informative enough to “share”. 🙂

    • #47596
      hayabusa
      Participant

      Yep.  Gives enough for those of us who understand, and not so much as to get you into trouble.  😉

      Thanks.

    • #47597
      camelCase
      Participant

      Np homie, sorry if I come off as quippy or arrogant I just do not have a lot of time for long posts. Nothing personal.

    • #47598
      hayabusa
      Participant

      It’s all good.

Copyright ©2020 Caendra, Inc.