Insecure PUT method to Meterpreter

Hello guys. Today I will describe another way to compromise a remote system. We are going to exploit vulnerable HTTP methods PUT to gain access over the web server. Before starting we need to understand following topics.

HTTP Methods:

HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as HTTP verbs. Each of them implements a different semantic, but some common features are shared by a group of them: e.g. a request method can be safe, idempotent, or cacheable.

GET

The GET method requests a representation of the specified resource. Requests using GET should only retrieve data. The following example makes use of GET method to fetch hello.htm

GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

The server response against the above GET request will be as follows:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed
<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>

HEAD

The HEAD method asks for a response identical to that of a GET request, but without the response body. The following example makes use of HEAD method to fetch header information about hello.htm:

HEAD /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

The server response against the above GET request will be as follows:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed

You can notice that here server the does not send any data after header.

POST

The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server. The following example makes use of POST method to send a form data to the server, which will be processed by a process.cgi and finally a response will be returned:

POST /cgi-bin/process.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Content-Type: text/xml; charset=utf-8
Content-Length: 88
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://clearforest.com/">string</string>

The server side script process.cgi processes the passed data and sends the following response:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Vary: Authorization,Accept
Accept-Ranges: bytes
Content-Length: 88
Content-Type: text/html
Connection: Closed
<html>
<body>
<h1>Request Processed Successfully</h1>
</body>
</html>

PUT

The PUT method replaces all current representations of the target resource with the request payload. The following example requests the server to save the given entity-boy in hello.htm at the root of the server:

PUT /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Connection: Keep-Alive
Content-type: text/html
Content-Length: 182
<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>

The server will store the given entity-body in hello.htm file and will send the following response back to the client:

HTTP/1.1 201 Created
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Content-type: text/html
Content-length: 30
Connection: Closed
<html>
<body>
<h1>The file was created.</h1>
</body>
</html>

DELETE

The DELETE method deletes the specified resource. The following example requests the server to delete the given file hello.htm at the root of the server:

DELETE /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.anywebsitecanbehere.com
Accept-Language: en-us
Connection: Keep-Alive

The server will delete the mentioned file hello.htm and will send the following response back to the client:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Content-type: text/html
Content-length: 30
Connection: Closed
<html>
<body>
<h1>URL deleted.</h1>
</body>
</html>

CONNECT

The CONNECT method establishes a tunnel to the server identified by the target resource. The following example requests a connection with a web server running on the host anywebsitecanbehere.com:

CONNECT www.anywebsitecanbehere.com HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The connection is established with the server and the following response is sent back to the client:

HTTP/1.1 200 Connection established
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)

OPTIONS

The OPTIONS method is used to describe the communication options for the target resource. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server. The following example requests a list of methods supported by a web server:

OPTIONS * HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The server will send an information based on the current configuration of the server, for example:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Type: httpd/unix-directory

TRACE

The TRACE method performs a message loop-back test along the path to the target resource. The following example shows the usage of TRACE method:

TRACE / HTTP/1.1
Host: www.anywebsitecanbehere.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

The server will send the following message in response to the above request:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Connection: close
Content-Type: message/http
Content-Length: 39

TRACE / HTTP/1.1
Host: www.anywebsitecanbehere.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)

 

 

PUT method in Depth – Let’s focus on PUT methods. The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI. If a new resource is created, the origin server MUST inform the user agent via the 201 (Created) response. If an existing resource is modified, either the 200 (OK) or 204 (No Content) response codes SHOULD be sent to indicate successful completion of the request. If the resource could not be created or modified with the Request-URI, an appropriate error response SHOULD be given that reflects the nature of the problem. The recipient of the entity MUST NOT ignore any Content-* (e.g. Content-Range) headers that it does not understand or implement and MUST return a 501 (Not Implemented) response in such cases.

Let’s exploit it.

Tools Required:

  1. Metasploit
  2. Msfvenom
  3. Burp Suite Free Edition: Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility.
  4. Nikto : Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software.
  5. Metasploitable Linux:The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities.

Lab Setup:

Steps:

dav
FIG 1 – Directory Listing is here
  • Its time to test the web server with Nikto.
nikto_PUT
FIG 2 – Nikto found insecure PUT method
  • Now we need to setup Burp as a web proxy so that we can view/intercept traffic between webserver and browser. After setting up we can view/intercept web traffic.
GET
FIG 3 – Request and Response captured by Burp while accessing /dav
  • At the beginning we need to check whether PUT method can upload the file or not. That’s why we will upload a test file to the server end. For that, We have to change GET method to PUT as well as add a text file after “/dav” . We can write the content of the file at the end of the request itself. After execution the web server will reply with 201 (CREATED) as response that means the file has been written successfully at the server end.
TEST_PUT
FIG 4 – test.txt file created by PUT method
test_browser
FIG 5 – Accessing test.txt file via browser
test_content
FIG 6 – test.txt file content
  • As we see, We can upload file(s) by using PUT method so we need a web shell to upload. Now MSFVENOM comes into the picture. By using MSFVENOM we can create a webshell.
shell_file_create
FIG 7 – Web Shell Creation using msfvenom
  • php contains php codes that are written by msfvenom.
shell_file_content
FIG 8 – Web Shell Content
  • Now we are going to write this shell.php to the web server. This step is very similar to step where we uploaded the test.txt file.
shell_uploaded
FIG 9 – Web Shell uploaded via PUT
  • As our shell.php has been uploaded successfully, we need to create the multi handler listener in metasploit so that whenever shell.php will be clicked, it will pass the control to the metasploit and meterpreter session will be openned.
handler_on
FIG 10 – Setting up multi handler for listening incoming connection
  • We are all set now. We just clicked the shell.php
shell.php_clicked
FIG 11 – shell.php just clicked and the page is loading
  • In the backed, a meterpreter session has been opened.
pwned
FIG 12 – Got the Meterpreter. System Pwned!!!

 

References:

Advertisements