GSoC/Meterpreter_Web_Console
root 2018-09-21 17:16:04 +00:00
parent 552ff027cd
commit 17c7d828c1
2 changed files with 38 additions and 43 deletions

View File

@ -1,8 +1,7 @@
## Microsoft IIS shortname vulnerability scanner
The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to diclose 8.3 filenames (short names). This is a new technique for an existing bug (CVE-2009-4444), which relied on the use of the ;(semicolon) character. Soroush Dalili discovered the original bug, while the new ~ technique was discovered by Soroush Dalili and Ali Abbasnejad.
The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which could allow remote attackers to diclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
## Vulnerable Application
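Review bot: the rewritten first paragraph is missing a full stop after "(GET request)" and carries over the typo "diclose"; it should read "...discovered the original bug (GET request). This was publicly disclosed in 2012." and "disclose". The rewrite also drops the only sentence that related the ~ technique to CVE-2009-4444, yet that CVE still heads the References section below; keep one sentence stating how the two are connected so the reference is not left unexplained.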
@ -60,6 +59,5 @@ Create registry key NtfsDisable8dot3NameCreation at HKLM\SYSTEM\CurrentControlSe
## References
CVE-2009-4444
https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability
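Review bot: the three References entries are bare consecutive lines, which Markdown renders as a single run-on paragraph; make them list items (`- CVE-2009-4444`, `- https://soroush.secproject.com/...`) so each renders on its own line, and give the CVE a short label, since the description above no longer says what it covers.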

View File

@ -15,17 +15,17 @@ class MetasploitModule < Msf::Auxiliary
info,
'Name' => 'Microsoft IIS shortname vulnerability scanner',
'Description' => %q{
'The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which
could allow remote attackers to diclose 8.3 filenames (short names). This is a new
technique for an existing bug (CVE-2009-4444), which relied on the use of the ;(semicolon)
character. Soroush Dalili discovered the original bug, while the new ~ technique was
discovered by Soroush Dalili and Ali Abbasnejad. Older IIS installations are vulnerable
with GET, newer installations with OPTIONS'
The vulnerability is caused by a tilde character "~" in a GET or OPTIONS request, which
could allow remote attackers to diclose 8.3 filenames (short names). In 2010, Soroush Dalili
and Ali Abbasnejad discovered the original bug (GET request). This was publicly disclosed in
2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
},
'Author' =>
[
'MinatoTW <shaks19jais[at]gmail.com>',
'egre55 <ianaustin[at]protonmail.com>'
'Soroush Dalili', # Vulnerability discovery
'Ali Abbasnejad', # Vulnerability discovery
'MinatoTW <shaks19jais[at]gmail.com>', # Metasploit module
'egre55 <ianaustin[at]protonmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
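Review bot: the Description still contains "diclose" (second line of the new %q{} text); fix to "disclose" before merge. Removing the stray single quotes that the old text carried inside %q{} is correct, as they would otherwise appear literally in the module info. The trailing `# Vulnerability discovery` / `# Metasploit module` comments in the Author array are a good addition.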
@ -155,7 +155,6 @@ class MetasploitModule < Msf::Auxiliary
for c in @found2
@queue_ext << (f + c )
end
else
end
end
end
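Review bot: dropping the empty `else` branch is the right cleanup; while in this block, `@queue_ext << (f + c )` has a stray space before the closing parenthesis, and `for c in @found2` is flagged by RuboCop (Style/For) in Metasploit code, so `@found2.each { |c| @queue_ext << (f + c) }` would be preferred.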
@ -251,30 +250,28 @@ class MetasploitModule < Msf::Auxiliary
@threads << Thread.new { scan }
}
sleep(1) until @queue_ext.empty?
Rex.sleep(1) until @queue_ext.empty?
@threads.each(&:join)
proto = datastore['SSL'] ? 'https' : 'http'
if @dirs.empty?
print_status("No directories were found")
else
print_good("Directories found")
print_good("Found #{@dirs.size} directories")
@dirs.each do |x|
print_line("http://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
print_line("#{proto}://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
end
end
if @files.empty?
print_status("No files were found")
else
print_good("Files found")
print_good("Found #{@files.size} files")
@files.each do |x|
print_line("http://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
print_line("#{proto}://#{datastore['RHOST']}#{datastore['PATH']}#{x}")
end
end
end
end
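Review bot: the printed URLs now pick the correct scheme, but they still omit the port and so are wrong for any non-default RPORT, and an IPv6 RHOST needs square brackets. If this module includes Msf::Exploit::Remote::HttpClient (it already reads datastore['SSL'] and datastore['PATH']), build the prefix with `full_uri` instead of hand-assembling it, or at minimum append `:#{datastore['RPORT']}` after the host. The switch to `Rex.sleep` is correct for Metasploit modules; also note that "Found #{@dirs.size} directories" and "Found #{@files.size} files" read oddly when the count is 1.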