Re: HTTP PUT exploitation

From: H D Moore (hdm@secureaustin.com)
Date: 09/29/01


Message-ID: <20010929185014.25739.qmail@securityfocus.com>
From: H D Moore <hdm@secureaustin.com>
To: "Tim Russo" <trusso@wireguided.com>, <pen-test@securityfocus.com>
Subject: Re: HTTP PUT exploitation
Date: Sat, 29 Sep 2001 13:50:07 -0500


Just did this a couple days ago ;)

Use PUT requests to upload cmdasp.asp and/or upload.asp, then use cmdasp.asp
to execute whatever you upload. On IIS 4.0 this has the side effect of
elevating your privileges to SYSTEM. I attached a little Perl script I wrote
to upload files (figures out Content-Lengths and negotiates SSL).

If the client was trying to be slick and deleted cmd.exe from the system,
just upload a copy from a local server and modify the cmd.exe /c path in
cmdasp.asp to match the new location.

On Friday 28 September 2001 03:02 pm, Tim Russo wrote:
> Quick question. I have a client who has a misconfigured IIS server (that's
> new) which allows anyone to do HTTP PUT commands and place files on the www
> server. Is exploiting this as simple as "putting" something like netcat in
> the cgi-bin directory and running it with the port listen options? What if
> you cannot place files in the cgi-bin directory? How can I use PUT to get a
> shell on this system? I know this is a basic question but this is the first
> time I found someone has actually done this.

-- 
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
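
A defender's view of the activity discussed in this thread, as an added example that is not part of the original messages: it scans an IIS W3C extended log for accepted PUT requests that wrote script or executable files, and notes whether each file was requested afterwards. The log lines, IP addresses, paths other than the file names mentioned above, and the extension list are constructed assumptions.

```python
# Added example: flag script files written via HTTP PUT and then requested.
# The log lines below are constructed sample data in IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-28 20:02:11 192.0.2.10 GET /default.asp 200
2001-09-28 20:02:40 192.0.2.77 PUT /scripts/cmdasp.asp 201
2001-09-28 20:02:41 192.0.2.77 PUT /scripts/upload.asp 201
2001-09-28 20:02:45 192.0.2.77 PUT /docs/readme.txt 201
2001-09-28 20:03:02 192.0.2.77 POST /scripts/cmdasp.asp 200
2001-09-28 20:03:30 192.0.2.10 PUT /scripts/blocked.asp 403
"""

WRITE_OK = {"200", "201", "204"}  # statuses meaning the PUT was accepted
RISKY_EXT = (".asp", ".asa", ".cer", ".exe")  # assumption: extensions worth alerting on


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the column map."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_put_uploads(text):
    """Return findings for accepted PUTs of risky files, counting later requests to them."""
    uploads = {}  # lower-cased URI stem -> finding
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        method = rec["cs-method"].upper()
        if method == "PUT" and rec["sc-status"] in WRITE_OK and stem.endswith(RISKY_EXT):
            uploads[stem] = {"uri": stem, "uploader": rec["c-ip"],
                             "time": rec["date"] + " " + rec["time"], "requested_after": 0}
        elif method in ("GET", "POST") and stem in uploads and rec["sc-status"] == "200":
            uploads[stem]["requested_after"] += 1
    # Files that were uploaded and then requested sort first.
    return sorted(uploads.values(), key=lambda f: -f["requested_after"])


if __name__ == "__main__":
    for f in find_put_uploads(SAMPLE_LOG):
        level = "HIGH" if f["requested_after"] else "MEDIUM"
        print(level, f["time"], f["uploader"], f["uri"], "hits:", f["requested_after"])
```

Any finding at all means the virtual directory grants write access to anonymous clients, which is the misconfiguration to remove; a finding with later hits means the uploaded file should be treated as having run.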


