reliable remote code execution for IIS on Server 2008?

This topic contains 14 replies, has 8 voices, and was last updated by  hayabusa 7 years, 2 months ago.

  • #7621
     camelCase 
    Participant

    Hello,

    I am having trouble finding any reliable exploits for Server 2008. So I figured I would ask you guys. Do you know of any? Thanks!

  • #47585
     rattis 
    Participant

    I would look through the Exploit DB, maintained by Offensive Security. Might also try some of the ones known to work for Wk2, see if they still work.

  • #47586
     impelse 
    Participant

    Try to look for a different way to log in; some exploits require a lot of work before you can make them work.

  • #47587
     cd1zz 
    Participant

    There are no publicly disclosed RCE exploits for IIS 7. However, if you're just looking for a 2008 exploit, there are options.

    You’re better off going after the app on that webserver.

  • #47588
     impelse 
    Participant

    Yep, the web app will give you good access; it doesn’t matter if the machine is well updated.

  • #47589
     camelCase 
    Participant

    cd1zz, this is what I thought. Oh well. FYI these are in a highly specialized deployment and have no web applications and very limited HTTP methods.

  • #47590
     mohaab 
    Participant
  • #47591
     jimbob 
    Participant

    Don’t forget to think out a deeper solution. If you can get file upload on the server you can upload arbitrary binaries and ASP content to achieve this. Don’t think of pen testing as, “I have one exposed service, is there a remote exploit?” Can you find SQLi and execute code that way?

    Regards,
    Jimbob

  • #47592
     camelCase 
    Participant

    Again, they do not run any web applications. This is why I asked about IIS specifically. The PHRACK issue I would say does not indeed point to any reliable exploit. Thank you for your time but I pwnd this shit on my own.

  • #47593
     tturner 
    Participant

    @camelcase wrote:

    Thank you for your time but I pwnd this shit on my own.

    Perhaps you’d care to share and help us increase the community knowledge?

  • #47594
     hayabusa 
    Participant

    @tturner wrote:

    @camelcase wrote:

    Thank you for your time but I pwnd this shit on my own.

    Perhaps you’d care to share and help us increase the community knowledge?

    Yeah, that line didn’t exactly sit well with me.  I’m certain it didn’t carry the attitude that I interpreted, when I read it.  (At least, I’d hope not.  ;))  And yes, I’m with tturner.  If you pwned it, please share, if for no other reason than to increase everyone’s knowledge and abilities.

    Oh, and assuming you did pwn it… Congrats!

  • #47595
     camelCase 
    Participant

    I had to do it by sending SYN packets with scapy and backing off the TTL until the firewall responded with an error packet containing its IP, finding out that the firewall was misconfigured and had its config interface in front of me, guessing the correct password, dumping its config, SSH tunneling through the firewall and proxy scanning the server, enumerating some users, discovering a user with pass as user, looking in the SYSVOL, finding a bat script with domain admin permissions, and RDP. So still not just IIS or web app but just pure luck. I think that is vague enough to not give up any confidential data but informative enough to “share”. 🙂 
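    The first step camelCase describes, a series of SYN packets sent with steadily decreasing TTLs so that the intermediate firewall reveals itself in an ICMP error, leaves a recognisable pattern at the perimeter. The following is an added detection example written for this reply; it is not code from the thread or from any product. It assumes SYN packets have already been exported from a pcap or flow collector as (time, src, dst, dport, ttl) tuples, and the sample records below are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed sample records (not from the post): one tuple per TCP SYN observed
# at the perimeter, as a pcap summary or flow export might provide them.
# Fields: time in seconds, source IP, destination IP, destination port, IP TTL.
SAMPLE_SYNS = [
    # one source walking its TTL down one hop at a time against the same target
    (10.0, "198.51.100.7", "203.0.113.10", 443, 64),
    (11.0, "198.51.100.7", "203.0.113.10", 443, 63),
    (12.0, "198.51.100.7", "203.0.113.10", 443, 62),
    (13.0, "198.51.100.7", "203.0.113.10", 443, 61),
    (14.0, "198.51.100.7", "203.0.113.10", 443, 60),
    (15.0, "198.51.100.7", "203.0.113.10", 443, 59),
    # an ordinary client retransmitting its SYN: TTL stays constant
    (10.5, "198.51.100.20", "203.0.113.10", 443, 128),
    (11.5, "198.51.100.20", "203.0.113.10", 443, 128),
    (13.5, "198.51.100.20", "203.0.113.10", 443, 128),
    # a host whose TTL jitters by a hop or two (multiple paths), not a walk
    (20.0, "198.51.100.30", "203.0.113.10", 80, 57),
    (21.0, "198.51.100.30", "203.0.113.10", 80, 58),
    (22.0, "198.51.100.30", "203.0.113.10", 80, 56),
]


def detect_ttl_walks(syns, min_steps=4, window=120.0):
    """Flag (src, dst, dport) flows whose SYNs contain a run of at least
    `min_steps` strictly decreasing TTLs that started within `window` seconds.

    Legitimate clients send SYNs with a fixed initial TTL (retransmissions
    included), so a monotonic downward staircase from one source is the
    signature of a TTL-stepping probe rather than normal traffic. Thresholds
    are assumptions for this example and should be tuned per network.
    """
    by_flow = defaultdict(list)
    for t, src, dst, dport, ttl in syns:
        by_flow[(src, dst, dport)].append((t, ttl))

    findings = []
    for (src, dst, dport), pkts in by_flow.items():
        pkts.sort()  # chronological order within the flow
        run = [pkts[0]]  # current decreasing run; always ends at the previous packet
        best = list(run)
        for prev, cur in zip(pkts, pkts[1:]):
            if cur[1] < prev[1] and cur[0] - run[0][0] <= window:
                run.append(cur)
            else:
                run = [cur]
            if len(run) > len(best):
                best = list(run)
        if len(best) >= min_steps:
            findings.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "ttls": [ttl for _, ttl in best],
                "start": best[0][0],
                "end": best[-1][0],
            })
    return findings


if __name__ == "__main__":
    for f in detect_ttl_walks(SAMPLE_SYNS):
        print(f"TTL walk from {f['src']} to {f['dst']}:{f['dport']} "
              f"ttls={f['ttls']} between t={f['start']} and t={f['end']}")
```

Corroborating evidence for a hit is an ICMP Time Exceeded message leaving the firewall itself toward the same source, since that is exactly the error packet the post relies on; a perimeter device that does not need to answer expired probes from untrusted networks can be configured to drop them silently, which removes the information leak the walk depends on.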

  • #47596
     hayabusa 
    Participant

    Yep.  Gives enough for those of us who understand, and not so much as to get you into trouble.  😉

    Thanks.

  • #47597
     camelCase 
    Participant

    Np homie, sorry if I come off as quippy or arrogant I just do not have a lot of time for long posts. Nothing personal.

  • #47598
     hayabusa 
    Participant

    It’s all good.


Copyright ©2019 Caendra, Inc.
