Overlooked an exploit in Metasploit.

Last Sunday, UiTM held an Open Source Expo and National Hacking Competition. I was one of the participants 🙂
Me and Wahida

One of the challenges was to view the source code of an ASP file. I ran nikto, and below is the result:

————————————————————————
root@budihost-box:~# perl /usr/bin/nikto.pl -h 192.168.0.3
---------------------------------------------------------------------------
- Nikto 1.32/1.23 - www.cirt.net
+ Target IP: 192.168.0.3
+ Target Hostname: 192.168.0.3
+ Target Port: 80
+ Start Time: Fri Aug 26 13:52:56 2005
---------------------------------------------------------------------------
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Microsoft-IIS/5.0
+ IIS may reveal its internal IP in the Content-Location header. The value is "http://192.168.0.3/Default.htm". CAN-2000-0649.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may be used to get directory listings if indexing is allowed but a default page exists.
+ HTTP method 'SEARCH' may be used to get directory listings if Index Server is running.
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ Microsoft-IIS/5.0 is outdated if server is Win2000 (4.0 is current for NT 4)
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACK)
+ /scripts - Redirects to http://192.168.0.3/scripts/ , Remote scripts directory is browsable.
+ /blahb.idq - Reveals physical path. To fix: Preferences -> Home directory -> Application & check 'Check if file exists' for the ISAPI mappings. MS01-033. (GET)
+ /xxxxx.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. Ensure Q252463i, Q252463a or Q251170 is installed. MS00-006. (GET)
+ /NULL.printer - Internet Printing (IPP) is enabled. Some versions have a buffer overflow/DoS in Windows 2000 which allows remote attackers to gain admin privileges via a long print request that is passed to the extension through IIS 5.0. Disabling the .printer mapping is recommended. EEYE-AD20010501, CVE-2001-0241, MS01-023, CA-2001-10, BID 2674 (GET)
+ /scripts/samples/search/qfullhit.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. MS00-006. (GET)
+ /scripts/samples/search/qsumrhit.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. MS00-006. (GET)
+ /_vti_bin/fpcount.exe - Frontpage counter CGI has been found. FP Server version 97 allows remote users to execute arbitrary system commands, though a vulnerability in this version could not be confirmed. CAN-1999-1376. BID-2252. (GET)
+ /_vti_bin/shtml.dll/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 - Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (POST)
+ /_vti_bin/shtml.exe - Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (GET)
+ /_vti_bin/shtml.exe/_vti_rpc - FrontPage may be installed. (GET)
+ /_vti_bin/shtml.exe/_vti_rpc?method=server+version%3a4%2e0%2e2%2e2611 - Gives info about server settings. CAN-2000-0413, CAN-2000-0709, CAN-2000-0710, BID-1608, BID-1174. (POST)
+ /_vti_bin/_vti_aut/author.dll?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=false - Needs Auth: (realm NTLM)
+ /_vti_bin/_vti_aut/author.exe?method=list+documents%3a3%2e0%2e2%2e1706&service%5fname=&listHiddenDocs=true&listExplorerDocs=true&listRecurse=false&listFiles=true&listFolders=true&listLinkInfo=true&listIncludeParent=true&listDerivedT=false&listBorders=false - Needs Auth: (realm NTLM)
+ /_vti_inf.html - FrontPage may be installed. (GET)
+ /login/ - This might be interesting... (GET)
+ /localstart.asp - Needs Auth: (realm "192.168.0.3")
+ /localstart.asp - This may be interesting... (GET)
+ 2645 items checked - 15 item(s) found on remote host(s)
+ End Time: Fri Aug 26 13:53:16 2005 (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

————————————————————————-
The server runs IIS 5, with a source code disclosure vulnerability.
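To make a report like the one above actionable, here is a small triage script, added as an example and not part of the original post or of Nikto itself. It parses the plain-text findings Nikto 1.x prints (the '+ /path - description (METHOD)' lines), extracts the advisory identifiers (CVE/CAN, MS bulletin, BID) and the allowed-methods line, flags the HTTP methods that should not be exposed, and picks out the items Nikto describes as "file retrieval", which are the ones to try first when the goal is to read server-side ASP source. The embedded report is a constructed excerpt of the scan above rejoined onto single lines; the set of methods treated as risky and the function names are my own choices, not Nikto's.

```python
"""Triage helper for Nikto 1.x text reports (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a subset of the Nikto lines shown in the post, rejoined
# onto single lines. Identifiers appear exactly as Nikto printed them.
SAMPLE_REPORT = """\
+ Server: Microsoft-IIS/5.0
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
+ HTTP method 'TRACE' is typically only used for debugging. It should be disabled.
+ /xxxxx.htw - Server may be vulnerable to a Webhits.dll arbitrary file retrieval. Ensure Q252463i, Q252463a or Q251170 is installed. MS00-006. (GET)
+ /NULL.printer - Internet Printing (IPP) is enabled. Disabling the .printer mapping is recommended. EEYE-AD20010501, CVE-2001-0241, MS01-023, CA-2001-10, BID 2674 (GET)
+ /_vti_bin/fpcount.exe - Frontpage counter CGI has been found. CAN-1999-1376. BID-2252. (GET)
+ /_vti_bin/shtml.exe/_vti_rpc - FrontPage may be installed. (GET)
+ /localstart.asp - Needs Auth: (realm "192.168.0.3")
+ 2645 items checked - 15 item(s) found on remote host(s)
"""

# HTTP methods a production IIS box should not advertise (assumption, my own
# list): TRACE/TRACK enable cross-site tracing, the rest are WebDAV/authoring
# verbs that expose listing or write functionality.
RISKY_METHODS = {"TRACE", "TRACK", "PROPFIND", "PROPPATCH", "MKCOL", "COPY",
                 "MOVE", "LOCK", "UNLOCK", "SEARCH", "PUT", "DELETE"}

# '+ /path - description (METHOD)'; the trailing (METHOD) is optional because
# 'Needs Auth' lines end with '(realm ...)' instead.
FINDING_RE = re.compile(r"^\+ (?P<path>/\S*) - (?P<desc>.*?)(?: \((?P<method>[A-Z]+)\))?$")
# Advisory identifiers Nikto 1.x embeds in descriptions.
ID_RE = re.compile(r"\b(?:CVE-\d{4}-\d+|CAN-\d{4}-\d+|MS\d{2}-\d{3}|BID[- ]\d+)\b")


@dataclass
class Finding:
    path: str
    description: str
    method: Optional[str]
    ids: List[str] = field(default_factory=list)

    @property
    def file_retrieval(self) -> bool:
        """True when Nikto describes the item as reading arbitrary server files."""
        return "file retrieval" in self.description.lower()


def parse_report(text: str) -> Tuple[Optional[str], List[str], List[Finding]]:
    """Return (server banner, allowed HTTP methods, per-path findings)."""
    server: Optional[str] = None
    methods: List[str] = []
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("+ Server: "):
            server = line[len("+ Server: "):]
        elif line.startswith("+ Allowed HTTP Methods: "):
            methods = [m.strip() for m in line.split(":", 1)[1].split(",")]
        else:
            m = FINDING_RE.match(line)
            if m:
                findings.append(Finding(m["path"], m["desc"], m["method"],
                                        ID_RE.findall(m["desc"])))
    return server, methods, findings


def risky_methods(methods: List[str]) -> List[str]:
    """Allowed methods that should be disabled, sorted for stable output."""
    return sorted(set(methods) & RISKY_METHODS)


def source_disclosure_candidates(findings: List[Finding]) -> List[Finding]:
    """Findings worth trying first when the goal is to read server-side source."""
    return [f for f in findings if f.file_retrieval]


def summarize(text: str) -> str:
    """Human-readable triage: banner, bad methods, file-retrieval hits, then all findings."""
    server, methods, findings = parse_report(text)
    lines = [f"server: {server}",
             f"risky methods: {', '.join(risky_methods(methods)) or 'none'}"]
    for f in source_disclosure_candidates(findings):
        lines.append(f"file retrieval: {f.path} {' '.join(f.ids)}")
    for f in findings:
        lines.append(f"{f.method or '-':5} {f.path}  {' '.join(f.ids) or '(no id)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Run it on a saved Nikto report instead of the embedded sample to get the same grouping. On the scan above it surfaces the three .htw Webhits.dll items (MS00-006) as the file-retrieval candidates and lists TRACE plus the WebDAV verbs as methods to disable; the identifiers it extracts are the ones to search for when checking whether a framework such as Metasploit already ships a module.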

I didn't notice that the Metasploit Framework already had the exploit. The task would have been easier with Metasploit.
