I would use this kind of exploit (https://www.exploit-db.com/exploits/19033) to attack (in local course) II Microsoft Server 7.5 ??? I do not know if by Metasploit should I use this https://www.exploit-db.com/exploits/19033 exploit ??? For I do not know exactly how to use it. So please please tell me how to use this type of exploit (https://www.exploit-db.com/exploits/19033) ??? In other words, How to use 0day exploit with Metasploit ??? Thank you in advance ???
Apocalypse, You're welcome to use the search command within metasploit to search existing exploits. Try out a, 'search iis' command and see if it returns it back. The question isn't 0-day specific, but the answer is relevant to locating anything with the framework. In order to take that particular exploit you linked to and get it working inside of Metasploit (assuming it's not already there), you're going to have to know a bit of Ruby. This type of exploit in my opinion is best accomplished by manually following instructions in your link. It's not something you would veer off and code a Metasploit Module for. You would be exhausting more effort getting a working module for something like this that you won't necessarily see as much in the wild, instead of actually using the exploit in the link for your local course exercise. Porting a standard exploit on Exploit-DB to the Metasploit Framework is going to require you know enough about the Programming Language the exploit is coded in, and enough syntax in Ruby to be able to port it over successfully. Each Metasploit Module has it's own template (try nano-ing one of the .rb files to see what I mean). Once you know enough to port something into Metasploit, you would follow the general template. Does this make sense?
I am a long time embedded software engineer and relatively new to security. I though zero day exploits were those which were unknown at this time: (From Wikipedia) A zero-day (also known as zero-hour or 0-day) vulnerability is an undisclosed computer application vulnerability that could be exploited to adversely affect the computer programs, data, additional computers or a network. It is known as a "zero-day" because once the flaw becomes known, the application author has zero days in which to plan and advise any mitigation against its exploitation (by, for example, advising workarounds or issuing patches). Given that I am not sure how Metasploit would help. Of course by definition Microsoft iis 6.0 and 7.5 - Multiple Vulnerabilities is a revealed vulnerability and hence is no a Zero-day exploit. Am I missing something?
DoctorJay, You're absolutely right here. He's using the wrong term but I didn't want to call him out about it. I tried answering in terms of what I thought he needed help with (the porting over an exploit). Truth is, if he doesn't know what a 0-Day exploit is, the likeliness of him knowing how to write one or even port it is incredibly slim. Either way, both of our responses are educational.
Hmmm, in terms of definition I view a 0-day exploit as an exploit for which no patch is available. This would mean that in principle you could have a Metasploit module for it (although in my experience you would hardly find one unless you add it yourself). Either way your answer is still valid, obviously :)
Ok great thank you for all.
Hey dude, Here, start reading this that will answer most of your questions. https://www.offensive-security.com/?s=metasploit Prijatno
Simply do NOT use 0day in Metasploit, if you have 0day contact vendor and see if there is bounty programe. Or you can sell to Netragard or simmilar buyer. Or save it for Defcon or Blackhat conference. Links provided are for unverified authentication bypass Published: 2012-06-10 Microsoft IIS 6.0 with PHP installed Microsoft IIS 7.5 "Details: By sending a special request to the IIS 6.0 Service running PHP the attacker can successfully bypass access restrictions." "example: http:///admin:$i30:$INDEX_ALLOCATION/admin.php will run the PHP script without asking for proper credentials." So no need for metasploit use browser :)
@t13ru, great thank you for your answer because it helped me a lot to understand the use of https://www.exploit-db.com/exploits/19033 Exploit but it is still fuzzy for me because my site in question which is based on IIS 7.5 is not in PHP but it is rather by .aspx. So by following the example @t13ru just given me, how do you think I can exploit the loopholes IIS 7.5 with this exploit https://www.exploit-db.com/exploits/19033 for a site based on .ASPX extention ??? Example: How exactly exploit this flaw https://www.exploit-db.com/exploits/19033 for this site https://localhost/Bweb/Default.aspx ??? How then use this Exploit (https://www.exploit-db.com/exploits/19033) for .aspx websites ??? Well thank you enlighten me through your explanations.
The request should look like: https://localhost/Bweb/Default.aspx/admin:$i30:$INDEX_ALLOCATION/admin.php "Take this Example: 1.) Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files) 2.) There is a password protected directory configured that has administrative asp scripts inside 3.) An attacker requests the directory with :$i30:$INDEXALLOCATION appended to the directory name 4.) IIS/7.5 gracefully executes the ASP script without asking for proper credentials" As mentioned by author in https://www.exploit-db.com/exploits/19033
Ok thank you again @t13ru. But I would like an explanation please about the following quote from the author of the exploit https://www.exploit-db.com/exploits/19033 because I really do not understand: By appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules, like misconfigured: .CS,.VB files) IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code. Example: Default.aspx/.php I want to know exactly what does this part above that the author mentioned ????
In this authentication bypass exploit its author wants to access password protected file /admin.php in directory /admin so he appends the request for publicly accessible /default.aspx with /admin:$i30:$INDEX_ALLOCATION/admin.php in order to execute .php script in that folder without supplying proper credentials. But again it is unverified vulnerability and it is 3+ years old so there is strong probability it is not working due to patches IIS 7.5 server.
