metasploit-framework/modules/auxiliary/scanner/http/dell_idrac.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient
	include Msf::Auxiliary::AuthBrute
	include Msf::Auxiliary::Report
	include Msf::Auxiliary::Scanner

	def initialize
		super(
			'Name' => 'Dell iDRAC default Login',
			'Description' => %q{
				This module attempts to login to a iDRAC webserver instance using
				default username and password.  Tested against Dell Remote Access
				Controller 6 - Express version 1.50 and 1.85
			},
			'Author' =>
				[
					'Cristiano Maruti <cmaruti[at]gmail.com>'
				],
			'References' =>
				[
					['CVE', '1999-0502'] # Weak password
				],
			'License' => MSF_LICENSE
		)

		register_options([
			OptString.new('TARGETURI', [true, 'Path to the iDRAC Administration page', '/data/login']),
			OptPath.new('USER_FILE',  [ false, "File containing users, one per line",
				File.join(Msf::Config.install_root, "data", "wordlists", "idrac_default_user.txt") ]),
			OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
				File.join(Msf::Config.install_root, "data", "wordlists", "idrac_default_pass.txt") ]),
			OptInt.new('RPORT', [true, "Default remote port", 443])
		], self.class)

		register_advanced_options([
			OptBool.new('SSL', [true, "Negotiate SSL connection", true])
		], self.class)
	end

	def target_url
		proto = "http"
		if rport == 443 or ssl
			proto = "https"
		end
		"#{proto}://#{vhost}:#{rport}#{datastore['URI']}"
	end

	def do_login(user=nil, pass=nil)

		auth = send_request_cgi({
			'method' => 'POST',
			'uri' => target_uri.path,
			'SSL' => true,
			'vars_post' => {
				'user' => user,
				'password' => pass
			}
		})

		if(auth and auth.body.to_s.match(/<authResult>[0|5]<\/authResult>/) != nil )
			print_good("#{target_url} - SUCCESSFUL login for user '#{user}' with password '#{pass}'")
			report_auth_info(
				:host => rhost,
				:port => rport,
				:proto => 'tcp',
				:sname => (ssl ? 'https' : 'http'),
				:user => user,
				:pass => pass,
				:active => true,
				:source_type => "user_supplied",
				:duplicate_ok => true
			)
		else
			print_error("#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'")
		end
	end

	def run_host(ip)
		print_status("Verifying that login page exists at #{ip}")
		begin
			res = send_request_raw({
				'method' => 'GET',
				'uri' => target_uri.path
				})

			if (res and res.code == 200 and res.body.to_s.match(/<authResult>1/) != nil)
				print_status("Attempting authentication")

				each_user_pass { |user, pass|
					do_login(user, pass)
				}

			elsif (res and res.code == 301)
				print_error("#{target_url} - Page redirect to #{res.headers['Location']}")
				return :abort
			else
				print_error("The iDRAC login page does not exist at #{ip}")
				return :abort
			end

		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
		rescue ::Timeout::Error, ::Errno::EPIPE
		rescue ::OpenSSL::SSL::SSLError => e
			return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted
		end
	end

end
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::AuthBrute`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`

			`def initialize`
			`super(`
			`'Name' => 'Dell iDRAC default Login',`
Make msftidy happy 2012-09-27 06:13:07 +00:00			`'Description' => %q{`
			`This module attempts to login to a iDRAC webserver instance using`
			`default username and password. Tested against Dell Remote Access`
			`Controller 6 - Express version 1.50 and 1.85`
			`},`
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`'Author' =>`
			`[`
			`'Cristiano Maruti <cmaruti[at]gmail.com>'`
			`],`
			`'References' =>`
			`[`
			`['CVE', '1999-0502'] # Weak password`
			`],`
			`'License' => MSF_LICENSE`
			`)`

			`register_options([`
			`OptString.new('TARGETURI', [true, 'Path to the iDRAC Administration page', '/data/login']),`
Updated with wordlist path registered options 2012-09-26 08:08:53 +00:00			`OptPath.new('USER_FILE', [ false, "File containing users, one per line",`
The USER_FILE path is wrong. 2012-09-27 06:30:48 +00:00			`File.join(Msf::Config.install_root, "data", "wordlists", "idrac_default_user.txt") ]),`
Updated with wordlist path registered options 2012-09-26 08:08:53 +00:00			`OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",`
			`File.join(Msf::Config.install_root, "data", "wordlists", "idrac_default_pass.txt") ]),`
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`OptInt.new('RPORT', [true, "Default remote port", 443])`
			`], self.class)`

			`register_advanced_options([`
			`OptBool.new('SSL', [true, "Negotiate SSL connection", true])`
			`], self.class)`
			`end`

			`def target_url`
			`proto = "http"`
			`if rport == 443 or ssl`
			`proto = "https"`
			`end`
			`"#{proto}://#{vhost}:#{rport}#{datastore['URI']}"`
			`end`
Make msftidy happy 2012-09-27 06:13:07 +00:00
Updated with wordlist path registered options 2012-09-26 08:08:53 +00:00			`def do_login(user=nil, pass=nil)`
Make msftidy happy 2012-09-27 06:13:07 +00:00
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`auth = send_request_cgi({`
			`'method' => 'POST',`
			`'uri' => target_uri.path,`
			`'SSL' => true,`
			`'vars_post' => {`
			`'user' => user,`
			`'password' => pass`
			`}`
Make msftidy happy 2012-09-27 06:13:07 +00:00			`})`

Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`if(auth and auth.body.to_s.match(/<authResult>[0\|5]<\/authResult>/) != nil )`
			`print_good("#{target_url} - SUCCESSFUL login for user '#{user}' with password '#{pass}'")`
			`report_auth_info(`
			`:host => rhost,`
			`:port => rport,`
			`:proto => 'tcp',`
			`:sname => (ssl ? 'https' : 'http'),`
			`:user => user,`
			`:pass => pass,`
			`:active => true,`
			`:source_type => "user_supplied",`
			`:duplicate_ok => true`
			`)`
			`else`
			`print_error("#{target_url} - Dell iDRAC - Failed to login as '#{user}' with password '#{pass}'")`
			`end`
			`end`

Make msftidy happy 2012-09-27 06:13:07 +00:00			`def run_host(ip)`
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`print_status("Verifying that login page exists at #{ip}")`
			`begin`
			`res = send_request_raw({`
			`'method' => 'GET',`
			`'uri' => target_uri.path`
Make msftidy happy 2012-09-27 06:13:07 +00:00			`})`

Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`if (res and res.code == 200 and res.body.to_s.match(/<authResult>1/) != nil)`
			`print_status("Attempting authentication")`
Make msftidy happy 2012-09-27 06:13:07 +00:00
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`each_user_pass { \|user, pass\|`
			`do_login(user, pass)`
			`}`
Make msftidy happy 2012-09-27 06:13:07 +00:00
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00			`elsif (res and res.code == 301)`
			`print_error("#{target_url} - Page redirect to #{res.headers['Location']}")`
			`return :abort`
			`else`
			`print_error("The iDRAC login page does not exist at #{ip}")`
			`return :abort`
Make msftidy happy 2012-09-27 06:13:07 +00:00			`end`
Dell iDrac login aux scanner 2012-09-26 08:02:38 +00:00
			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`rescue ::OpenSSL::SSL::SSLError => e`
			`return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted`
			`end`
			`end`

			`end`