Metasploit mailing list archives

ie_unsafe_scripting.rb exploit module


From: hdm at metasploit.com (H D Moore)
Date: Wed, 17 Dec 2008 13:39:06 -0600

On Wednesday 17 December 2008, natron wrote:
> So you have to know the server name. What are our options?

> 1) Just scan localhost for default apps running on default ports and
> ignore external servers. (Think workstation management apps, virus
> scan consoles, stuff like that.)

I agree that localhost should be included in every test, regardless of how 
we do this next part.

> 2) Discover through unknown external methods (like identifying their
> naming scheme through some webserver information disclosure, then
> generating a list of permutations... or a compromised DNS server) and
> have the mod import a file.

Makes sense, let's punt this to the user and let them specify a file 
containing a list of hosts to try.

> 3) Pre-populate a list of guessed naming schemes.

I think we should include a default file with common server names.

> How do you propose we do 3)? That doesn't sound easy or very
> successful. In most environments I see, the naming schemes are all
> over the map.

A few naming schemes seem really common and it's something to start with at 
least. To get the ball rolling, I would suggest using a few base names and 
then permuting them based on common naming conventions:

server<suffix>
webserver<suffix>
mailserver<suffix>
client<suffix>
user<suffix>
printer<suffix>
backup<suffix>
mail<suffix>
web<suffix>
www<suffix>
intranet
hr<suffix>

With the suffix being something like:
0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc

So the question becomes, at what number of permutations does that list 
become infeasible? 

-HD
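As an added example (not code from this thread or from the Metasploit module), the following Ruby builds the candidate list HD sketches above and answers his closing question by counting how large each suffix scheme makes it. The base names and suffix ranges are taken from the message; the scheme labels, the per-scheme accounting and the one-probe-per-name budget assumption are mine. The same per-scheme sizes tell a defender roughly how many lookups for non-existent names such a guess list would produce against an internal resolver, which is the volume a DNS-log detection would key on.

```ruby
# Added example, not part of the thread or of ie_unsafe_scripting.rb.
# Base names and suffix ranges come from HD's message; everything else
# (scheme labels, budget logic) is an illustrative assumption.

BASES = %w[server webserver mailserver client user printer backup mail web www hr]
STANDALONE = %w[intranet] # names used as-is, with no suffix

# Each suffix scheme from the message, expanded into concrete suffixes.
SUFFIX_SCHEMES = {
  '0-9'   => (0..9).map(&:to_s),
  '00-99' => (0..99).map { |n| format('%02d', n) },
  'A-Z'   => ('A'..'Z').to_a,
  'AA-ZZ' => ('AA'..'ZZ').to_a,          # 26 * 26 = 676 entries
  'words' => %w[-old -new],
}.freeze

# Full candidate list: every base name crossed with every suffix, plus the
# standalone names. Duplicates are dropped in case two schemes overlap.
def candidates(bases = BASES, standalone = STANDALONE, schemes = SUFFIX_SCHEMES)
  names = standalone.dup
  bases.each do |base|
    schemes.each_value do |suffixes|
      suffixes.each { |s| names << "#{base}#{s}" }
    end
  end
  names.uniq
end

# How many names each scheme contributes across all base names.
def scheme_sizes(bases = BASES, schemes = SUFFIX_SCHEMES)
  schemes.transform_values { |suffixes| suffixes.size * bases.size }
end

def total_candidates(bases = BASES, standalone = STANDALONE, schemes = SUFFIX_SCHEMES)
  candidates(bases, standalone, schemes).size
end

# Assumption: one probe per name. Pick schemes smallest-first while the
# cumulative list stays within the given probe budget, so the caller can see
# exactly which scheme pushes the list past "infeasible".
def schemes_within(budget, bases = BASES, schemes = SUFFIX_SCHEMES)
  chosen = []
  used = 0
  scheme_sizes(bases, schemes).sort_by { |_, n| n }.each do |name, n|
    break if used + n > budget
    chosen << name
    used += n
  end
  chosen
end

if $PROGRAM_NAME == __FILE__
  scheme_sizes.each { |name, n| puts format('%-6s %5d', name, n) }
  puts "total: #{total_candidates}"
  puts "within 2000 probes: #{schemes_within(2000).join(', ')}"
end
```

Running it shows that the AA-ZZ scheme alone accounts for 7436 of the 8955 names, so dropping that one scheme shrinks the default list by more than 80% while keeping every other convention in the message.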