FrontPage Server Extensions Anonymous Login Scanner

2010-06-21T16:53:52
ID MSF:AUXILIARY/SCANNER/HTTP/FRONTPAGE_LOGIN
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::WmapScanServer
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner


  def initialize
    super(
      'Name'        => 'FrontPage Server Extensions Anonymous Login Scanner',
      'Description' => 'This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.',
      'References'  =>
        [
          ['URL', 'http://en.wikipedia.org/wiki/Microsoft_FrontPage'],
          ['URL', 'http://msdn2.microsoft.com/en-us/library/ms454298.aspx'],
        ],
      'Author'      => 'Matteo Cantoni <goony[at]nothink.org>',
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ])
      ])
  end

  def run_host(target_host)

    if datastore['RPORT'].to_i == 80 or datastore['RPORT'].to_i == 443
      port = ""
    else
      port = ":" + datastore['RPORT'].to_s
    end

    info = (datastore['SSL'] ? "https" : "http") + "://#{target_host}#{port}/"

    connect

    sock.put("GET /_vti_inf.html HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" + "Keep-Alive: 300\r\n" +
        "Connection: Keep-Alive, TE\r\n" + "Host: #{vhost}\r\n" + "User-Agent: " +
        datastore['UserAgent'] + "\r\n\r\n")

    res = sock.get_once || ''

    disconnect

    if (res.match(/HTTP\/1.1 200 OK/))
      if (res.match(/Server: (.*)/))
        server_version = $1
        print_status("#{info} is running #{server_version}")
      end
      if (fpversion = res.match(/FPVersion="(.*)"/))
        fpversion = $1
        print_status("#{info} FrontPage Version: #{fpversion}")

        if (fpauthor = res.match(/FPAuthorScriptUrl="([^"]*)/))
          fpauthor = $1
          print_status("#{info} FrontPage Author: #{info}#{fpauthor}")
          # Add Report
          opts = {
            :host  => target_host,
            :proto => 'tcp',
            :sname => (ssl ? 'https' : 'http'),
            :type  => 'FrontPage Author',
            :data  => "#{info}#{fpauthor}"
          }
          opts[:port] = datastore['RPORT'] if not port.empty?
          report_note(opts)
        end
        check_account(info, fpversion, target_host)
      end
    else
      print_status("#{info} may not support FrontPage Server Extensions")
    end
  end

  def check_account(info, fpversion, target_host)

    return if not fpversion

    connect

    # http://msdn2.microsoft.com/en-us/library/ms454298.aspx
    method = "method=open+service:#{fpversion}&service_name=/"

    req = "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n" + "TE: deflate,gzip;q=0.3\r\n" +
      "Keep-Alive: 300\r\n" + "Connection: Keep-Alive, TE\r\n" + "Host: #{vhost}\r\n" +
      "User-Agent: " + datastore['UserAgent'] + "\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" +
      "X-Vermeer-Content-Type: application/x-www-form-urlencoded" + "\r\n" +
      "Content-Length: #{method.length}\r\n\r\n" + method + "\r\n\r\n"

    sock.put(req)
    res = sock.get_once

    if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
      retcode = $1
      retmsg  = $2.strip

      if(retcode == "100")
        ## Sometimes doesn't work !!!!!!!!!!!!!!!
        res = sock.get_once
        if(res and res.match(/^HTTP\/1\.[01]\s+([^\s]+)\s+(.*)/))
          retcode = $1
          retmsg  = $2.strip
        end
      end


      case retcode
        when /^200/
          print_good("#{info} FrontPage ACCESS ALLOWED [#{retcode}]")
          # Report a note or vulnerability or something
          # Not really this one, but close
          report_vuln(
            {
              :host   => target_host,
              :port	=> rport,
              :proto	=> 'tcp',
              :name	=> self.name,
              :info   => "Module #{self.fullname} confirmed access to #{info} [#{retcode}]",
              :refs   => self.references,
              :exploited_at => Time.now.utc
            }
          )
        when /^401/
          print_error("#{info} FrontPage Password Protected [#{retcode}]")
        when /^403/
          print_error("#{info} FrontPage Authoring Disabled [#{retcode}]")
        when /^404/
          print_error("#{info} FrontPage Improper Installation [#{retcode}]")
        when /^500/
          print_error("#{info} FrontPage Server Error [#{retcode}]")
        else
          print_error("#{info} FrontPage Unknown Response [#{retcode}]")
      end
    end

    disconnect
  end
end