Penetration Testing mailing list archives
Re: HTTP PUT exploitation
From: H D Moore <hdm () secureaustin com>
Date: Sat, 29 Sep 2001 13:50:07 -0500
Just did this a couple days ago ;)

Use PUT requests to upload cmdasp.asp and/or upload.asp, then use cmdasp.asp to execute whatever you upload. On IIS 4.0 this has the side effect of elevating your privileges to SYSTEM. I attached a little perl script I wrote to upload files (figures out Content-Lengths and negotiates SSL).

If the client was trying to be slick and deleted cmd.exe from the system, just upload a copy from a local server and modify the cmd.exe /c path in cmdasp.asp to match the new location.

On Friday 28 September 2001 03:02 pm, Tim Russo wrote:
> Quick question. I have a client who has a misconfigured IIS server (that's new) which allows anyone to do HTTP PUT commands and place files on the www server. Is exploiting this as simple as "putting" something like netcat in the cgi-bin directory and running it with the port listen options? What if you cannot place files in the cgi-bin directory? How can I use PUT to get a shell on this system? I know this is a basic question but this is the first time I found someone has actually done this.
--
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play
Attachment:
put.pl
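The sequence described in this message (a successful PUT of an .asp file, then requests to that same path) leaves a clear trail in the IIS W3C extended log. The Python below is an added detection example, not part of the original post or its attached put.pl; the log lines, the addresses and the list of executable extensions are constructed assumptions.

```python
import posixpath

# Constructed sample in IIS W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-28 20:01:10 192.0.2.10 GET /default.asp - 200
2001-09-28 20:02:31 192.0.2.77 PUT /scripts/cmdasp.asp - 201
2001-09-28 20:02:40 192.0.2.77 PUT /notes/readme.txt - 201
2001-09-28 20:02:55 192.0.2.77 PUT /private/x.asp - 403
2001-09-28 20:03:02 192.0.2.77 POST /scripts/cmdasp.asp - 200
2001-09-28 20:03:30 192.0.2.10 GET /images/logo.gif - 200
"""

# Extensions treated as server-executable; an assumption to tune per server.
EXECUTABLE_EXTS = {".asp", ".asa", ".cer", ".exe"}

def find_put_uploads(log_text, exts=EXECUTABLE_EXTS):
    """Return findings for successful PUTs of executable content, noting
    whether the uploaded path was requested again afterwards."""
    fields, uploads = [], {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                           # skip malformed rows
        row = dict(zip(fields, parts))
        path = row["cs-uri-stem"].lower()
        ok = row["sc-status"].startswith("2")  # only requests the server accepted
        if row["cs-method"].upper() == "PUT":
            if ok and posixpath.splitext(path)[1] in exts:
                uploads[path] = {"path": path, "client": row["c-ip"],
                                 "uploaded": f'{row["date"]} {row["time"]}',
                                 "executed": False}
        elif ok and path in uploads:
            uploads[path]["executed"] = True   # request to the path after upload
    return list(uploads.values())

if __name__ == "__main__":
    for finding in find_put_uploads(SAMPLE_LOG):
        print(finding)
```

Any finding means the web root is writable over HTTP; one with `executed` set to true should be treated as a compromise of the host, not just a misconfiguration.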