Just did this a couple days ago ;) Use PUT requests to upload cmdasp.asp and/or upload.asp, then use cmdasp.asp to execute whatever you upload. On IIS 4.0 this has the side effect of elevating your privileges to SYSTEM. I attached a little perl script I wrote to upload files (figures out Content-Lengths and negotiates SSL). If the client was trying to be slick and deleted cmd.exe from the system, just upload a copy from a local server and modify the cmd.exe /c path in cmdasp.asp to match the new location.

On Friday 28 September 2001 03:02 pm, Tim Russo wrote:
> Quick question. I have a client who has a misconfigured IIS server (that's
> new) which allows anyone to do HTTP PUT commands and place files on the www
> server. Is exploiting this as simple as "putting" something like netcat in
> the cgi-bin directory and running it with the port listen options? What if
> you cannot place files in the cgi-bin directory? How can I use PUT to get a
> shell on this system? I know this is a basic question but this is the first
> time I found someone has actually done this.

--
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play
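The upload-then-execute pattern described in the reply (a PUT of an .asp or .exe into a web directory, followed by a request to that same path) leaves a clear trace in IIS W3C extended logs. The following is an added detection example, not code from the thread; the log lines are constructed, and the field layout assumes the W3C `#Fields:` header IIS writes by default.

```python
import re

# Constructed sample IIS W3C extended log (not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-28 15:10:01 10.0.0.5 GET /default.htm - 200
2001-09-28 15:11:07 10.0.0.9 PUT /scripts/cmdasp.asp - 201
2001-09-28 15:11:40 10.0.0.9 PUT /scripts/nc.exe - 201
2001-09-28 15:12:02 10.0.0.9 GET /scripts/cmdasp.asp cmd=dir 200
2001-09-28 15:13:00 10.0.0.7 PUT /images/logo.gif - 201
2001-09-28 15:14:11 10.0.0.9 PUT /scripts/x.asp - 403
"""

# Extensions IIS will execute (or that are native binaries) rather than serve.
SCRIPT_EXT = re.compile(r"\.(asp|asa|exe|dll|cgi|pl|bat|cmd)$", re.IGNORECASE)
WRITE_METHODS = ("PUT", "MOVE", "COPY")

def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def find_put_uploads(text):
    """Return (kind, client_ip, uri) alerts:
    'upload'  - a 2xx write of executable content into the web root
    'denied'  - a write of executable content the server refused
    'execute' - a later GET/POST to a path that was uploaded this way"""
    uploaded = set()
    alerts = []
    for rec in parse_log(text):
        method = rec["cs-method"].upper()
        uri, status, ip = rec["cs-uri-stem"], rec["sc-status"], rec["c-ip"]
        if method in WRITE_METHODS and SCRIPT_EXT.search(uri):
            if status.startswith("2"):
                uploaded.add(uri)
                alerts.append(("upload", ip, uri))
            else:
                alerts.append(("denied", ip, uri))
        elif method in ("GET", "POST") and uri in uploaded:
            alerts.append(("execute", ip, uri))
    return alerts

if __name__ == "__main__":
    for kind, ip, uri in find_put_uploads(SAMPLE_LOG):
        print(f"{kind:8} {ip:12} {uri}")
```

The image upload to /images/logo.gif is deliberately not flagged: the signal is write access to content the server will execute, not PUT by itself.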
This archive was generated by hypermail 2b30 : Sun Sep 30 2001 - 13:02:25 PDT