Now that you have the information needed to decide what hacks to apply to the web server, it's time to execute your practice hack.
I'm not going to post the full script I tend to use as an illustration, but search around enough and I'm sure you'll find it. What's also worth noting is that the vulnerability has been fixed in the last few versions of both IIS and Apache.
The vulnerability is known to affect Apache 2.0.36 on an NT OS. (It came from server logs, so I'll actually illustrate the hack.)
The loaded part of the script took advantage of a Unicode-based directory traversal exploit in the servers.
In order to explain this you'll first need to know a few things.
1. Unicode is a set of replacement symbols for regular text; the first that comes to mind is space (%20). Try writing a URL with a space and watch it transformed into its Unicode equivalent (this will help you understand).
2. Directory traversal is what you do when you type something like ../ into the browser (the exploit is actually based around ..\), as everyone should know (and if you don't, I suggest you play with DOS a little more). cd .. moves one directory up, towards the root of the drive.
3. On servers there are specialist folders that serve specialist content, specifically called virtual folders. Virtual folders are usually not in the directory they are called from; they are usually placed somewhere else on the server and are a global mapping to a folder.
/cgi-bin/ is the global mapping to a folder that can contain scripts. Program-like scripts that have to execute server side are usually only allowed to execute from this folder.
Another virtual folder is the errors folder, /errors/. By default this folder serves page content to the client regardless of where the error was actually generated. (It would be pretty stupid if you couldn't get an error 404 (page cannot be found) because the error message could not be found!)
(With a little common sense and the ability to put the pieces together you should be able to guess the rest of this instalment. If you can't guess then don't worry, you're reading this in order to learn.)
I'll assume you have your test hack environment set up. Your environment consists of any NT server running Apache 2.0.36; your client workstation has Internet Explorer and a TFTP server. You also have an install set for an FTP server that can run 'unattended', meaning it won't wait for you to press OK.
Assuming that you have a test environment, you'll know the relative paths of the directories and their 'distance' from the drive root.
First, take a look around the site and check that there is an /errors/ directory and a /cgi-bin/ directory; if there is, you're ready to go. Your first assumption will be that the CGI-BIN is in its default location (C:\program files\apache group\apache2\cgi-bin); your next assumption will be that /ERRORS/ is in its default location (C:\program files\apache group\apache2\errors\).
You'll have checked the server signature (using Netcraft or a similar tool; in your test domain you will already 'know' what server you are running) and so you will know whether you are attacking a server that is vulnerable to the exploits you'll be using.
On your client machine, start Internet Explorer (or any other tool capable of making HTTP requests). Now put…
[domain name]/ERRORS/[traverse backwards towards root Unicode symbols]/boot.ini
You'll have to experiment with how many Unicode ../ you need to get to the right place. The boot.ini file is located in the root of the C drive, and your exploit would have got you there (provided Apache is in its default location).
Assuming that you have seen the contents of a boot.ini file appear in your browser window, you now know for sure:
1. the server is vulnerable to the exploit,
2. the version of Windows that is being run,
3. the server is installed on the system partition.
Now it’s pretty safe to assume that the windows directory is either,
You'll now use the same exploit, except you'll work from the cgi-bin so that you can execute some programs:
[address]/cgi-bin/[exploit to root of drive][/windows/system32/cmd.exe]/dir+C+>>C:\dir.txt
If this works you should see a page marked error 500 (server error / malformed headers returned).
You can look at the directory listing you just made by using the exploit from the /errors/ folder as before.
Remember: use the /errors/ folder when you want to view files, and the cgi-bin when you want to execute.
This dumps a directory listing of the root of the C drive into a file on the C drive called dir.txt.
You can use this exploit and command to build up a good picture of the server, obviously by browsing to different folders and dumping out their listings.
Just remember: once cmd.exe is launched, %20 is no longer space; + is space.
Now that you've successfully exploited the server and learned how to run programs on it (using one particular exploit), next I'll go through installing toolkits on the server to allow easier access.
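From the defender's side, the requests above leave a distinctive trace in the web server's access log. The following Python script is an added example (not from the original post) that decodes request paths the way a lax server would (overlong UTF-8 bytes, repeated percent-decoding, backslashes as slashes), counts how far a path climbs above the web root, and flags lines that reach for boot.ini or cmd.exe; the log lines are constructed and the watch-list is an assumption.

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 forms of '/' and '\' (constructed list of the classic variants).
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\", "%c0%2f": "/", "%c0%5c": "\\"}
SENSITIVE = ("boot.ini", "cmd.exe", "system32")   # assumed watch-list, extend as needed
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def normalize(target: str) -> str:
    """Decode like a lax server: overlong bytes, repeated %-decoding, then \\ -> /."""
    p = target.lower()
    for _ in range(3):                      # unwind up to triple encoding
        for enc, ch in OVERLONG.items():
            p = p.replace(enc, ch)
        p = unquote(p)
    return p.replace("\\", "/")

def traversal_depth(target: str) -> int:
    """How many levels above the web root the normalized path reaches (0 = stays inside)."""
    depth = worst = 0
    for seg in normalize(target).split("/"):
        if seg == "..":
            depth -= 1
            worst = min(worst, depth)
        elif seg and seg != ".":
            depth += 1
    return -worst

def classify(target: str) -> list:
    """Reasons a request target is suspicious; an empty list means nothing was found."""
    norm, reasons = normalize(target), []
    if traversal_depth(target) > 0:
        reasons.append("escapes web root")
    if any(s in norm for s in SENSITIVE):
        reasons.append("sensitive target")
    return reasons

def scan(log_text: str) -> list:
    """(request, reasons) for every Apache access-log line that classify() flags."""
    found = [(m.group(1), classify(m.group(1))) for m in REQ.finditer(log_text)]
    return [(t, r) for t, r in found if r]

# Constructed sample log lines (not real traffic) in Apache common log format.
LOG = """\
10.0.0.5 - - [12/Mar/2003:10:14:22 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [12/Mar/2003:10:15:01 +0000] "GET /errors/..%c0%af..%c0%af..%c0%afboot.ini HTTP/1.1" 200 312
10.0.0.9 - - [12/Mar/2003:10:16:40 +0000] "GET /cgi-bin/..%255c..%255c..%255cwindows/system32/cmd.exe?/c+dir+c: HTTP/1.1" 500 0
"""
```

Call `scan(LOG)` to get the two flagged requests; a `..` that stays inside the web root (for example /docs/../index.html) is not reported.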