Monday, October 29, 2007

Remote code execution via administrative shares

The Sysinternals psexec tool lets you execute code on a remote Windows box over the Administrative Share (C$). It's part of the PsTools package.
You can just run "psexec -u Username \\SomeSystem cmd" and you get a command prompt on that system, with no need to mess with telnet. You can even use it to distribute batch files or run something like "gpupdate /force" on remote machines.

Fun with psexec: run the BSOD screensaver on a remote machine :-).
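The flip side of how convenient this is: the same activity is easy to spot on the target. psexec copies its PSEXESVC.exe service binary to the admin share and installs it as a service, so a Windows Security 5140 (share access) event for ADMIN$ or C$ followed by a System 7045 (new service) event for PSEXESVC on the same host is a reliable signature. The following is an added example (not from this post or from Sysinternals) that runs that detection over constructed, flattened sample log lines; the event layout and field names are assumptions for the example.

```python
import re

# Constructed sample events (not real telemetry): Security-log 5140 share-access
# records and System-log 7045 service-install records, flattened to key=value tokens.
SAMPLE_EVENTS = [
    r"EventID=5140 Computer=WS01 SubjectUserName=jdoe IpAddress=10.0.0.5 ShareName=\\*\ADMIN$ RelativeTargetName=PSEXESVC.exe",
    r"EventID=7045 Computer=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe StartType=demand",
    r"EventID=7045 Computer=WS01 ServiceName=Spooler ImagePath=%SystemRoot%\System32\spoolsv.exe StartType=auto",
    r"EventID=5140 Computer=WS02 SubjectUserName=jdoe IpAddress=10.0.0.5 ShareName=\\*\Public RelativeTargetName=report.docx",
]

ADMIN_SHARES = {"ADMIN$", "C$"}  # hidden administrative shares psexec-style tools write to
TOKEN = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened event line into a dict of its key=value fields."""
    return dict(TOKEN.findall(line))

def is_admin_share_access(ev):
    """5140: a network session opened one of the administrative shares."""
    share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
    return ev.get("EventID") == "5140" and share in ADMIN_SHARES

def is_psexec_service_install(ev):
    """7045: a new service whose name or binary matches psexec's PSEXESVC."""
    name = ev.get("ServiceName", "").upper()
    image = ev.get("ImagePath", "").upper()
    return ev.get("EventID") == "7045" and (name == "PSEXESVC" or image.endswith("PSEXESVC.EXE"))

def detect(lines):
    """Return (rule, computer, detail) alerts, plus one correlated alert per host
    that shows both an admin-share access and a PSEXESVC service install."""
    alerts, share_hosts, svc_hosts = [], set(), set()
    for ev in map(parse_event, lines):
        host = ev.get("Computer", "?")
        if is_admin_share_access(ev):
            alerts.append(("admin_share_access", host, f"{ev.get('IpAddress')} -> {ev.get('ShareName')}"))
            share_hosts.add(host)
        elif is_psexec_service_install(ev):
            alerts.append(("psexec_service_install", host, ev.get("ImagePath")))
            svc_hosts.add(host)
    for host in sorted(share_hosts & svc_hosts):
        alerts.append(("remote_exec_via_admin_share", host, "admin share access + PSEXESVC install"))
    return alerts

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {host:6} {detail}")
```

Renaming the service with psexec's -r switch defeats the name match, so in practice the 5140/7045 pairing on one host is the more durable signal than the PSEXESVC string alone.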

2 comments:

abose said...

Incredible! I use quite a few of Sysinternals' tools but did not know about this one. Thanks for the post!

Anonymous said...

Interesting to know.