metasploit-framework/modules/auxiliary/scanner/http/iis_internal_ip.rb

59 lines
1.7 KiB
Ruby

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Microsoft IIS HTTP Internal IP Disclosure',
'Description' => %q{
Collect any leaked internal IPs by requesting commonly redirected locs from IIS.
},
'Author' => ['Heather Pilkington'],
'License' => MSF_LICENSE
))
end
def run_host(target_host)
uris = ["/","/images","/default.htm"]
uris.each do |uri|
#Must use send_recv() in order to send a HTTP request without the 'Host' header
c = connect
res = c.send_recv("GET #{uri} HTTP/1.0\r\n\r\n", 25)
if res.nil?
print_error("no response for #{target_host}")
elsif (res.code > 300 and res.code < 310)
intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i
print_good("Location Header: #{res.headers["Location"]}")
result = res.headers["Location"].scan(intipregex).uniq.flatten
if result.length > 0
print_good("Result for #{target_host} found Internal IP: #{result.first}")
end
report_note({
:host => target_host,
:port => rport,
:proto => 'tcp',
:sname => (ssl ? 'https' : 'http'),
:type => 'iis.ip',
:data => result.first
})
end
end
end
end