frontpage_login.rb

Revision 5500, 3.5 kB (checked in by hdm, 2 weeks ago)
New FrontPage? modules from Matteo Cantoni
Property svn:keywords set to `Rev Revision Id Header`

Line
1	##
2	# This file is part of the Metasploit Framework and may be subject to
3	# redistribution and commercial restrictions. Please see the Metasploit
4	# Framework web site for more information on licensing and terms of use.
5	# http://metasploit.com/projects/Framework/
6	##
7
8
9	require 'msf/core'
10
11	module Msf
12
13	class Auxiliary::Scanner::Http::FrontPage_login < Msf::Auxiliary
14
15	include Exploit::Remote::Tcp
16	include Auxiliary::Scanner
17
18	def initialize
19	super(
20	'Name' => 'FrontPage Server Extensions Login Utility',
21	'Version' => '$Revision$',
22	'Description' => 'This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.',
23	'References' =>
24	[
25	['URL', 'http://en.wikipedia.org/wiki/Microsoft_FrontPage'],
26	['URL', 'http://msdn2.microsoft.com/en-us/library/ms454298.aspx'],
27	],
28	'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
29	'License' => MSF_LICENSE
30	)
31
32	register_options(
33	[
34	Opt::RPORT(80),
35	OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ])
36	], self.class)
37	end
38
39	def run_host(target_host)
40
41
42	info = (datastore['SSL'] ? "https" : "http") + "://#{target_host}:#{rport}/"
43
44	connect
45
46	sock.put("GET /_vti_inf.html HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" + "Keep-Alive: 300\r\n" +
47	"Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" + "User-Agent: " +
48	datastore['UserAgent'] + "\r\n\r\n")
49
50	res = sock.get_once
51
52	disconnect
53
54	if (res.match(/HTTP\/1.1 200 OK/))
55	if (res.match(/Server: (.*)/))
56	server_version = $1
57	print_status("#{info} is running #{server_version}")
58	end
59	if (fpversion = res.match(/FPVersion="(.*)"/))
60	fpversion = $1
61	print_status("#{info} FrontPage Version: #{fpversion}")
62	if (fpauthor = res.match(/FPAuthorScriptUrl="([^"]*)/))
63	fpauthor = $1
64	print_status("#{info}FrontPage Author: #{info}#{fpauthor}")
65	end
66	check_account(info, fpversion)
67	end
68	else
69	print_status("#{info} may not support FrontPage Server Extensions")
70	end
71	end
72
73	def check_account(info, fpversion)
74
75	return if not fpversion
76
77	connect
78
79	# http://msdn2.microsoft.com/en-us/library/ms454298.aspx
80	method = "method=open+service:#{fpversion}&service_name=/"
81
82	req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" +
83	"Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{target_host}\r\n" +
84	"User-Agent: " + datastore['UserAgent'] + "\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" +
85	"Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n"
86
87	sock.put(req)
88	res = sock.get_once
89
90
91
92	if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
93	retcode = $1
94	retmsg = $2.strip
95
96	if(retcode == "100")
97	res = sock.get_once
98	if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
99	retcode = $1
100	retmsg = $2.strip
101	end
102	end
103
104	case retcode
105	when /^200/
106	print_status("#{info} FrontPage ACCESS ALLOWED [#{retcode}]")
107	# Report a note or vulnerability or something
108	when /^401/
109	print_status("#{info} FrontPage Password Protected [#{retcode}]")
110	when /^403/
111	print_status("#{info} FrontPage Authoring Disabled [#{retcode}]")
112	when /^404/
113	print_status("#{info} FrontPage Improper Installation [#{retcode}]")
114	when /^500/
115	print_status("#{info} FrontPage Server Error [#{retcode}]")
116	else
117	print_status("#{info} FrontPage Unknown Response [#{retcode}]")
118	end
119	end
120
121	disconnect
122	end
123
124	end
125	end

Note: See TracBrowser for help on using the browser.

root/framework3/trunk/modules/auxiliary/scanner/http/frontpage_login.rb

Download in other formats: