metasploit-framework/modules/auxiliary/scanner/http/verb_auth_bypass.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	# Exploit mixins should be called first
	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::WmapScanDir
	include Msf::Auxiliary::WmapScanFile
	# Scanner mixin should be near last
	include Msf::Auxiliary::Scanner
	include Msf::Auxiliary::Report

	def initialize(info = {})
		super(update_info(info,
			'Name'          => 'HTTP Verb Authentication Bypass Scanner',
			'Description'   => %q{
				This module test for authentication bypass using different HTTP verbs.

			},
			'Author'        => [ 'et [at] metasploit.com' ],
			'License'       => BSD_LICENSE))

		register_options(
			[
				OptString.new('PATH', [ true,  "The path to test", '/'])
			], self.class)
	end

	def run_host(ip)
		begin
			test_verbs(ip)
		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
		rescue ::Timeout::Error, ::Errno::EPIPE
		end
	end

	def test_verbs(ip)
		verbs = [ 'HEAD', 'TRACE', 'TRACK', 'Wmap', 'get', 'trace' ]

		res = send_request_raw({
			'uri'          => normalize_uri(datastore['PATH']),
			'method'       => 'GET'
		}, 10)

		return if not res

		if not res.headers['WWW-Authenticate']
			print_status("[#{ip}] Authentication not required. #{datastore['PATH']} #{res.code}")
			return
		end

		auth_code = res.code

		print_status("#{ip} requires authentication: #{res.headers['WWW-Authenticate']} [#{auth_code}]")

		report_note(
			:host   => ip,
			:proto  => 'tcp',
			:sname  => (ssl ? 'https' : 'http'),
			:port   => rport,
			:type   => 'WWW_AUTHENTICATE',
			:data   => "#{datastore['PATH']} Realm: #{res.headers['WWW-Authenticate']}",
			:update => :unique_data
		)

		verbs.each do |tv|
			resauth = send_request_raw({
				'uri'          => normalize_uri(datastore['PATH']),
				'method'       => tv
			}, 10)

			next if not resauth

			print_status("Testing verb #{tv}, resp code: [#{resauth.code}]")

			if resauth.code != auth_code and resauth.code <= 302
				print_status("Possible authentication bypass with verb #{tv} code #{resauth.code}")

				# Unable to use report_web_vuln as method is not in list of allowed methods.

				report_note(
					:host   => ip,
					:proto  => 'tcp',
					:sname  => (ssl ? 'https' : 'http'),
					:port   => rport,
					:type   => 'AUTH_BYPASS_VERB',
					:data   => "#{datastore['PATH']} Verb: #{tv}",
					:update => :unique_data
				)
			end
		end
	end

end
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`##`


			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`# Exploit mixins should be called first`
			`include Msf::Exploit::Remote::HttpClient`
First step on module cleaning. 2012-02-20 22:28:19 +00:00			`include Msf::Auxiliary::WmapScanDir`
			`include Msf::Auxiliary::WmapScanFile`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`# Scanner mixin should be near last`
			`include Msf::Auxiliary::Scanner`
Include Auxiliary Report git-svn-id: file:///home/svn/framework3/trunk@7629 4d416f70-5f16-0410-b530-b9f4589650da 2009-11-26 20:39:15 +00:00			`include Msf::Auxiliary::Report`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`'Name' => 'HTTP Verb Authentication Bypass Scanner',`
			`'Description' => %q{`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`This module test for authentication bypass using different HTTP verbs.`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`},`
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`'Author' => [ 'et [at] metasploit.com' ],`
			`'License' => BSD_LICENSE))`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`register_options(`
			`[`
			`OptString.new('PATH', [ true, "The path to test", '/'])`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`], self.class)`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`end`

			`def run_host(ip)`
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`begin`
			`test_verbs(ip)`
			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`end`
			`end`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`def test_verbs(ip)`
			`verbs = [ 'HEAD', 'TRACE', 'TRACK', 'Wmap', 'get', 'trace' ]`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`res = send_request_raw({`
			`'uri' => normalize_uri(datastore['PATH']),`
			`'method' => 'GET'`
			`}, 10)`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`return if not res`

			`if not res.headers['WWW-Authenticate']`
			`print_status("[#{ip}] Authentication not required. #{datastore['PATH']} #{res.code}")`
			`return`
			`end`

			`auth_code = res.code`

			`print_status("#{ip} requires authentication: #{res.headers['WWW-Authenticate']} [#{auth_code}]")`

			`report_note(`
			`:host => ip,`
			`:proto => 'tcp',`
			`:sname => (ssl ? 'https' : 'http'),`
			`:port => rport,`
			`:type => 'WWW_AUTHENTICATE',`
			`:data => "#{datastore['PATH']} Realm: #{res.headers['WWW-Authenticate']}",`
			`:update => :unique_data`
			`)`

			`verbs.each do \|tv\|`
			`resauth = send_request_raw({`
Add normalize_uri to modules that may have been missed by PULL 1045. Please ensure PULL 1045 is in place prior to looking at this (as it implements normalize_uri) ref --> https://github.com/rapid7/metasploit-framework/pull/1045 2012-11-08 16:42:48 +00:00			`'uri' => normalize_uri(datastore['PATH']),`
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`'method' => tv`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`}, 10)`

Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00			`next if not resauth`

			`print_status("Testing verb #{tv}, resp code: [#{resauth.code}]")`

			`if resauth.code != auth_code and resauth.code <= 302`
			`print_status("Possible authentication bypass with verb #{tv} code #{resauth.code}")`

			`# Unable to use report_web_vuln as method is not in list of allowed methods.`

			`report_note(`
			`:host => ip,`
			`:proto => 'tcp',`
			`:sname => (ssl ? 'https' : 'http'),`
			`:port => rport,`
			`:type => 'AUTH_BYPASS_VERB',`
			`:data => "#{datastore['PATH']} Verb: #{tv}",`
			`:update => :unique_data`
			`)`
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`end`
			`end`
			`end`
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00
Added module authentication verb bypass git-svn-id: file:///home/svn/framework3/trunk@5976 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-22 04:34:59 +00:00			`end`
Reduce unnecessary indent level 2013-01-15 20:36:41 +00:00