From 17c7d828c172caea6c5cdb0bf2aaaca0d6fe96f8 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 21 Sep 2018 17:16:04 +0000
Subject: [PATCH] fixes
---
 .../scanner/http/iis_shortname_scanner.md | 4 +-
 .../scanner/http/iis_shortname_scanner.rb | 77 +++++++++----------
 2 files changed, 38 insertions(+), 43 deletions(-)
diff --git a/documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md b/documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md
index 2bc222db80..0a77a0eef1 100644
--- a/documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md
+++ b/documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md
@@ -1,8 +1,7 @@
 ## Microsoft IIS shortname vulnerability scanner
-The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to diclose 8.3 filenames (short names). This is a new technique for an existing bug (CVE-2009-4444), which relied on the use of the ;(semicolon) character. Soroush Dalili discovered the original bug, while the new ~ technique was discovered by Soroush Dalili and Ali Abbasnejad.
-
+The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to diclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
 ## Vulnerable Application
@@ -60,6 +59,5 @@ Create registry key NtfsDisable8dot3NameCreation at HKLM\SYSTEM\CurrentControlSe
 ## References
- CVE-2009-4444
 https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
 https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability
diff --git a/modules/auxiliary/scanner/http/iis_shortname_scanner.rb b/modules/auxiliary/scanner/http/iis_shortname_scanner.rb
index 81a9fa6ca6..2cad4a913c 100644
--- a/modules/auxiliary/scanner/http/iis_shortname_scanner.rb
+++ b/modules/auxiliary/scanner/http/iis_shortname_scanner.rb
@@ -15,17 +15,17 @@ class MetasploitModule < Msf::Auxiliary
 info,
 'Name' => 'Microsoft IIS shortname vulnerability scanner',
 'Description' => %q{
- 'The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which
- could allow remote attackers to diclose 8.3 filenames (short names). This is a new
- technique for an existing bug (CVE-2009-4444), which relied on the use of the ;(semicolon)
- character. Soroush Dalili discovered the original bug, while the new ~ technique was
- discovered by Soroush Dalili and Ali Abbasnejad. Older IIS installations are vulnerable
- with GET, newer installations with OPTIONS'
+ The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which
+ could allow remote attackers to diclose 8.3 filenames (short names). In 2010, Soroush Dalili
+ and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in
+ 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
 },
 'Author' =>
 [
- 'MinatoTW ',
- 'egre55 '
+ 'Soroush Dalili', # Vulnerability discovery
+ 'Ali Abbasnejad', # Vulnerability discovery
+ 'MinatoTW ', # Metasploit module
+ 'egre55 ' # Metasploit module
 ],
 'License' => MSF_LICENSE,
 'References' =>
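Review bot: The rewritten description on the `+ could allow remote attackers to diclose 8.3 filenames` line carries the misspelling "diclose" over from the removed text, and this string is what users see in the module info; change that line to `could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili`. The same typo appears in the single added line of the .md hunk earlier in this patch, which the commit also rewrites, so both can be fixed together.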
@@ -84,31 +84,31 @@ class MetasploitModule < Msf::Auxiliary
 end
 def is_vul
- for method in ['GET', 'OPTIONS']
- res1 = send_request_cgi({
- 'uri' => normalize_uri(datastore['PATH'], '*~1*'),
- 'method' => method
- })
+ for method in ['GET', 'OPTIONS']
+ res1 = send_request_cgi({
+ 'uri' => normalize_uri(datastore['PATH'], '*~1*'),
+ 'method' => method
+ })
- res2 = send_request_cgi({
- 'uri' => normalize_uri(datastore['PATH'],'QYKWO*~1*'),
- 'method' => method
- })
+ res2 = send_request_cgi({
+ 'uri' => normalize_uri(datastore['PATH'],'QYKWO*~1*'),
+ 'method' => method
+ })
- if res1.code == 404 && res2.code != 404
- vuln = 1
- @verb = method
- break
- end
- end
- if vuln == 1
- return true
- else
- return false
+ if res1.code == 404 && res2.code != 404
+ vuln = 1
+ @verb = method
+ break
 end
+ end
+ if vuln == 1
+ return true
+ else
+ return false
+ end
 rescue Rex::ConnectionError
 print_bad("Failed to connect to target")
- end
+ end
 def get_status(f , digit , match)
 res2 = send_request_cgi({
@@ -155,7 +155,6 @@ class MetasploitModule < Msf::Auxiliary
 for c in @found2
 @queue_ext << (f + c )
 end
- else
 end
 end
 end
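Review bot: The re-indented `+ if res1.code == 404 && res2.code != 404` line in is_vul still dereferences both responses without a nil check; send_request_cgi returns nil when the target sends no response before the timeout, and the resulting NoMethodError is not covered by the `rescue Rex::ConnectionError` clause below it, so a slow host aborts the module with a backtrace instead of a clean "failed" result. Adding `next if res1.nil? || res2.nil?` directly after the second send_request_cgi call skips that method and lets the loop continue. The rescue branch also returns the value of print_bad (nil) rather than false, which callers testing truthiness tolerate but a predicate-style method should state explicitly. As a style point, the `vuln = 1` flag plus the `if vuln == 1 … return true … else … return false … end` block can be reduced to the single final expression `vuln == 1`, and `for method in ['GET', 'OPTIONS']` would be idiomatic as `%w[GET OPTIONS].each` with `vuln` initialised before the loop so it stays visible afterwards.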
@@ -251,30 +250,28 @@ class MetasploitModule < Msf::Auxiliary
 @threads << Thread.new { scan } }
- sleep(1) until @queue_ext.empty?
+ Rex.sleep(1) until @queue_ext.empty?
 @threads.each(&:join)
+
+ proto = datastore['SSL'] ? 'https' : 'http'
+
 if @dirs.empty?
 print_status("No directories were found")
 else
- print_good("Directories found")
+ print_good("Found #{@dirs.size} directories")
 @dirs.each do |x|
- print_line("http://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
+ print_line("#{proto}://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
 end
 end
+
 if @files.empty?
 print_status("No files were found")
 else
- print_good("Files found")
+ print_good("Found #{@files.size} files")
 @files.each do |x|
- print_line("http://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
+ print_line("#{proto}://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
 end
 end
 end
 end
-
-
-
-
-
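Review bot: The two rewritten `+ print_line("#{proto}://#{datastore['RHOST']}#{datastore['PATH']}#{x}")` lines (directories loop and files loop) now take the scheme from `datastore['SSL']` but still leave out the port, so a target scanned on a non-default RPORT is reported with a URL that does not point at it; include the port after the host, e.g. `print_line("#{proto}://#{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['PATH']}#{x}")`, in both places. The `+ Rex.sleep(1) until @queue_ext.empty?` wait has no upper bound and does not check that the worker threads are still alive, so if a worker dies on an unhandled exception the queue presumably never drains and the module hangs; a bounded wait or a `@threads.any?(&:alive?)` condition would make that failure visible instead. The enclosing method begins before this hunk, so the thread and queue setup it relies on is not visible here. The directories and files reporting blocks are now identical apart from the label and collection and could share one small private helper.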