Saturday, October 6, 2007

Metasploit HTTP Options Aux Module


I basically bastardized hdm's version aux module to create an options module. I wanted something that would look for web servers that allowed the PUT Method.

the code:

##
# options.rb
# bastardized from version module
##
# This file is part of the Metasploit Framework and may be
# subject to
redistribution and commercial restrictions.
# Please see the Metasploit
Framework web site for more
# information on licensing and terms of use.

# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Auxiliary::Scanner::Http::Options < Msf::Auxiliary
# Exploit mixins should be called first
include Exploit::Remote::HttpClient

# Scanner mixin should be near last
include Auxiliary::Scanner

def initialize
super(
'Name' => 'HTTP Options Detection',
'Version' => '$Revision: 4886 $',
'Description' => 'Display available http options about each system',
'Author' => 'CG',
' License' => MSF_LICENSE
)

end

# Fingerprint a single host
def run_host(ip)

self.target_port = datastore['RPORT']

begin
res = send_request_raw({
'version' => '1.0',
'uri' => '*',
'method' => 'OPTIONS'
}, 10)

if (res and res.headers['Allow'])
print_status("#{ip} allows #{res.headers['Allow']} methods")
end



rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end


end
end

the module in action:

msf auxiliary(options) > run
[*] a.b.c.30 allows OPTIONS, GET, HEAD, POST methods
[*] a.b.c.67 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.104 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.130 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.135 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.141 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.142 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.147 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] a.b.c.149 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] a.b.c.211 allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] a.b.c.212 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] a.b.c.246 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) >

of course, allowing PUT doesn't necessarily all "you" to PUT anything. Most of the time you'll find that it doesnt. That's because the web server on IIS5+ doesn't allow write or modify by default.

cg@segfault:~$ cadaver
dav:!> open http://a.b.c.246
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 3981 bytes failed:
403 Forbidden
dav:/> exit

CG

2 comments:

Anonymous said...

Awesome - glad to see you are releasing this code. One question (keep in mind I'm not a ruby programmer), when using the code msf dies on me at this line:

class Auxiliary::Scanner::Http::Options <>

It doesn't seem to like the <>. Any thoughts?

CG said...

yeah it didnt paste right, its fixed now

should have been

< Msf::Auxiliary