Re: HTTP PUT exploitation

[H D Moore <hdm () secureaustin com>]

Just did this a couple days ago ;)

Use PUT requests to upload cmdasp.asp and/or upload.asp, then use cmdasp.asp 
to execute whatever you upload. On IIS 4.0 this has the side affect of 
elevating your privileges to SYSTEM.  I attached a little perl script I wrote 
to upload files (figures out Content-Lengths and negotiates SSL).

If the client was trying to be slick and deleted cmd.exe from the system, 
just upload a copy from a local server and modify the cmd.exe /c path in 
cmdasp.asp to match the new location.



On Friday 28 September 2001 03:02 pm, Tim Russo wrote:
> Quick question. I have a client who has a misconfigured IIS server (that's
> new) which allows anyone to do HTTP PUT commands and place files on the www
> server. Is exploiting this as simple as "putting" something like netcat in
> the cgi-bin directory and running it with the port listen options? What if
> you cannot place files in the cgi-bin directory? How can I use PUT to get a
> shell on this system? I know this is a basic question but this is the first
> time I found someone has actually done this.


-- 
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play

Attachment: put.pl
Description:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/