metasploit-framework/modules/auxiliary/scanner/http/soap_xml.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::WmapScanDir
  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HTTP SOAP Verb/Noun Brute Force Scanner',
      'Description' => %q{
        This module attempts to brute force SOAP/XML requests to uncover
        hidden methods.
      },
      'Author'      => [ 'patrick' ],
      'License'     => MSF_LICENSE))

    register_options(
      [
        OptString.new('PATH', [ true,  "The path to test", '/']),
        OptString.new('XMLNAMESPACE', [ true,  "XML Web Service Namespace", 'http://tempuri.org/']),
        OptString.new('XMLINSTANCE', [ true,  "XML Schema Instance", 'http://www.w3.org/2001/XMLSchema-instance']),
        OptString.new('XMLSCHEMA', [ true,  "XML Schema", 'http://www.w3.org/2001/XMLSchema']),
        OptString.new('XMLSOAP', [ true,  "XML SOAP", 'http://schemas.xmlsoap.org/soap/envelope/']),
        OptString.new('CONTENTTYPE', [ true,  "The HTTP Content-Type Header", 'application/x-www-form-urlencoded']),
        OptInt.new('SLEEP', [true, "Sleep this many seconds between requests", 0 ]),
        OptBool.new('DISPLAYHTML', [ true,  "Display HTML response", false ]),
        OptBool.new('SSL', [ true,  "Use SSL", false ]),
        OptBool.new('VERB_DELETE', [ false,  "Enable 'delete' verb", 'false'])
      ], self.class)
  end

  # Fingerprint a single host
  def run_host(ip)

    verbs = [
        'get',
        'active',
        'activate',
        'create',
        'change',
        'set',
        'put',
        'do',
        'go',
        'resolve',
        'start',
        'recover',
        'initiate',
        'negotiate',
        'define',
        'stop',
        'begin',
        'end',
        'manage',
        'administer',
        'modify',
        'register',
        'log',
        'add',
        'list',
        'query',
      ]

    if (datastore['VERB_DELETE'])
      verbs << 'delete'
    end

    nouns = [
        'password',
        'task',
        'tasks',
        'pass',
        'administration',
        'account',
        'accounts',
        'admin',
        'login',
        'logins',
        'token',
        'tokens',
        'credential',
        'credentials',
        'key',
        'keys',
        'guid',
        'message',
        'messages',
        'user',
        'users',
        'username',
        'usernames',
        'load',
        'list',
        'name',
        'names',
        'file',
        'files',
        'path',
        'paths',
        'directory',
        'directories',
        'configuration',
        'configurations',
        'config',
        'configs',
        'setting',
        'settings',
        'registry',
        'on',
        'off',
      ]

    target_port = datastore['RPORT']
    vhost = datastore['VHOST'] || wmap_target_host || ip

    # regular expressions for common rejection messages
    reject_regexen = []
    reject_regexen << Regexp.new("method \\S+ is not valid", true)
    reject_regexen << Regexp.new("Method \\S+ not implemented", true)
    reject_regexen << Regexp.new("unable to resolve WSDL method name", true)

    begin
      verbs.each do |v|
        nouns.each do |n|
          data_parts = []
          data_parts << "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
          data_parts << "<soap:Envelope xmlns:xsi=\"#{datastore['XMLINSTANCE']}\" xmlns:xsd=\"#{datastore['XMLSCHEMA']}\" xmlns:soap=\"#{datastore['XMLSOAP']}\">"
          data_parts << "<soap:Body>"
          data_parts << "<#{v}#{n} xmlns=\"#{datastore['XMLNAMESPACE']}\">"
          data_parts << "</#{v}#{n}>"
          data_parts << "</soap:Body>"
          data_parts << "</soap:Envelope>"
          data_parts << nil
          data_parts << nil
          data = data_parts.join("\r\n")

          uri = normalize_uri(datastore['PATH'])
          vprint_status("Sending request #{uri}/#{v}#{n} to #{wmap_target_host}:#{datastore['RPORT']}")

          res = send_request_raw({
            'uri'     => uri + '/' + v + n,
            'method'  => 'POST',
            'vhost'   => vhost,
            'data'	  => data,
            'headers' =>
              {
                'Content-Length' => data.length,
                'SOAPAction'	 => '"' + datastore['XMLNAMESPACE'] + v + n + '"',
                'Expect'	 => '100-continue',
                'Content-Type'	 => datastore['CONTENTTYPE'],
              }
          }, 15)

          if (res && !(res.body.empty?))
            if ((not reject_regexen.select { |r| res.body =~ r }.empty?))
              print_status("Server #{wmap_target_host}:#{datastore['RPORT']} rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
            elsif (res.message =~ /Cannot process the message because the content type/)
              print_status("Server #{wmap_target_host}:#{datastore['RPORT']} rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
              res.message =~ /was not the expected type\s\'([^']+)'/
              print_status("Set CONTENTTYPE to \"#{$1}\"")
              return false
            elsif (res.code == 404)
              print_status("Server #{wmap_target_host}:#{datastore['RPORT']} returned HTTP 404 for #{datastore['PATH']}.  Use a different one.")
              return false
            else
              print_status("Server #{wmap_target_host}:#{datastore['RPORT']} responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
              ## Add Report
              report_note(
                :host  => ip,
                :proto => 'tcp',
                :sname => (ssl ? 'https' : 'http'),
                :port  => rport,
                :type  => "SOAPAction: #{v}#{n}",
                :data  => "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
              )
              if datastore['DISPLAYHTML']
                print_status("The HTML content follows:")
                print_status(res.body + "\r\n")
              end
            end
          end
          select(nil, nil, nil, datastore['SLEEP']) if (datastore['SLEEP'] > 0)
        end
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
      vprint_error(e.message)
    end
  end
end
Added SOAP brute forcer module. YMMV. git-svn-id: file:///home/svn/framework3/trunk@6495 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-23 03:16:29 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Added SOAP brute forcer module. YMMV. git-svn-id: file:///home/svn/framework3/trunk@6495 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-23 03:16:29 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`
Cleanup wmap, add the missing database tables back, rename to have a wmap_prefix git-svn-id: file:///home/svn/framework3/trunk@7837 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-13 05:24:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Exploit mixins should be called first`
			`include Msf::Exploit::Remote::HttpClient`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::WmapScanDir`
			`# Scanner mixin should be near last`
			`include Msf::Auxiliary::Scanner`
Cleanup wmap, add the missing database tables back, rename to have a wmap_prefix git-svn-id: file:///home/svn/framework3/trunk@7837 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-13 05:24:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'HTTP SOAP Verb/Noun Brute Force Scanner',`
			`'Description' => %q{`
			`This module attempts to brute force SOAP/XML requests to uncover`
			`hidden methods.`
			`},`
			`'Author' => [ 'patrick' ],`
			`'License' => MSF_LICENSE))`
Cleanup wmap, add the missing database tables back, rename to have a wmap_prefix git-svn-id: file:///home/svn/framework3/trunk@7837 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-13 05:24:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptString.new('PATH', [ true, "The path to test", '/']),`
			`OptString.new('XMLNAMESPACE', [ true, "XML Web Service Namespace", 'http://tempuri.org/']),`
			`OptString.new('XMLINSTANCE', [ true, "XML Schema Instance", 'http://www.w3.org/2001/XMLSchema-instance']),`
			`OptString.new('XMLSCHEMA', [ true, "XML Schema", 'http://www.w3.org/2001/XMLSchema']),`
			`OptString.new('XMLSOAP', [ true, "XML SOAP", 'http://schemas.xmlsoap.org/soap/envelope/']),`
			`OptString.new('CONTENTTYPE', [ true, "The HTTP Content-Type Header", 'application/x-www-form-urlencoded']),`
			`OptInt.new('SLEEP', [true, "Sleep this many seconds between requests", 0 ]),`
			`OptBool.new('DISPLAYHTML', [ true, "Display HTML response", false ]),`
			`OptBool.new('SSL', [ true, "Use SSL", false ]),`
			`OptBool.new('VERB_DELETE', [ false, "Enable 'delete' verb", 'false'])`
			`], self.class)`
			`end`
Added SOAP brute forcer module. YMMV. git-svn-id: file:///home/svn/framework3/trunk@6495 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-23 03:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Fingerprint a single host`
			`def run_host(ip)`
Added SOAP brute forcer module. YMMV. git-svn-id: file:///home/svn/framework3/trunk@6495 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-23 03:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`verbs = [`
			`'get',`
			`'active',`
			`'activate',`
			`'create',`
			`'change',`
			`'set',`
			`'put',`
			`'do',`
			`'go',`
			`'resolve',`
			`'start',`
			`'recover',`
			`'initiate',`
			`'negotiate',`
			`'define',`
			`'stop',`
			`'begin',`
			`'end',`
			`'manage',`
			`'administer',`
			`'modify',`
			`'register',`
			`'log',`
			`'add',`
			`'list',`
			`'query',`
			`]`
Cleanup wmap, add the missing database tables back, rename to have a wmap_prefix git-svn-id: file:///home/svn/framework3/trunk@7837 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-13 05:24:48 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (datastore['VERB_DELETE'])`
			`verbs << 'delete'`
			`end`
Apply patch for #6495 2012-03-06 17:43:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`nouns = [`
			`'password',`
			`'task',`
			`'tasks',`
			`'pass',`
			`'administration',`
			`'account',`
			`'accounts',`
			`'admin',`
			`'login',`
			`'logins',`
			`'token',`
			`'tokens',`
			`'credential',`
			`'credentials',`
			`'key',`
			`'keys',`
			`'guid',`
			`'message',`
			`'messages',`
			`'user',`
			`'users',`
			`'username',`
			`'usernames',`
			`'load',`
			`'list',`
			`'name',`
			`'names',`
			`'file',`
			`'files',`
			`'path',`
			`'paths',`
			`'directory',`
			`'directories',`
			`'configuration',`
			`'configurations',`
			`'config',`
			`'configs',`
			`'setting',`
			`'settings',`
			`'registry',`
			`'on',`
			`'off',`
			`]`
Added SOAP brute forcer module. YMMV. git-svn-id: file:///home/svn/framework3/trunk@6495 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-23 03:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`target_port = datastore['RPORT']`
			`vhost = datastore['VHOST'] \|\| wmap_target_host \|\| ip`
Added SOAP brute forcer module. YMMV. git-svn-id: file:///home/svn/framework3/trunk@6495 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-23 03:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# regular expressions for common rejection messages`
			`reject_regexen = []`
			`reject_regexen << Regexp.new("method \\S+ is not valid", true)`
			`reject_regexen << Regexp.new("Method \\S+ not implemented", true)`
			`reject_regexen << Regexp.new("unable to resolve WSDL method name", true)`
Improvements to auxiiliary/scanner/http/soap_xml to: * Detect additional SOAP faults to reduce false positives * More obviously support SSL * Report http/https * Make it obvious when a SOAP endpoint falls over mid-scan * Add a few more nouns/verbs * Add an optional SLEEP to play nice with old/slow SOAP endpoints https://dev.metasploit.com/redmine/issues/6249 2012-01-16 18:44:17 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`begin`
			`verbs.each do \|v\|`
			`nouns.each do \|n\|`
			`data_parts = []`
			`data_parts << "<?xml version=\"1.0\" encoding=\"utf-8\"?>"`
			`data_parts << "<soap:Envelope xmlns:xsi=\"#{datastore['XMLINSTANCE']}\" xmlns:xsd=\"#{datastore['XMLSCHEMA']}\" xmlns:soap=\"#{datastore['XMLSOAP']}\">"`
			`data_parts << "<soap:Body>"`
			`data_parts << "<#{v}#{n} xmlns=\"#{datastore['XMLNAMESPACE']}\">"`
			`data_parts << "</#{v}#{n}>"`
			`data_parts << "</soap:Body>"`
			`data_parts << "</soap:Envelope>"`
			`data_parts << nil`
			`data_parts << nil`
			`data = data_parts.join("\r\n")`
Apply patch for #6495 2012-03-06 17:43:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`uri = normalize_uri(datastore['PATH'])`
			`vprint_status("Sending request #{uri}/#{v}#{n} to #{wmap_target_host}:#{datastore['RPORT']}")`
Apply patch for #6495 2012-03-06 17:43:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_raw({`
			`'uri' => uri + '/' + v + n,`
			`'method' => 'POST',`
			`'vhost' => vhost,`
			`'data' => data,`
			`'headers' =>`
			`{`
			`'Content-Length' => data.length,`
			`'SOAPAction' => '"' + datastore['XMLNAMESPACE'] + v + n + '"',`
			`'Expect' => '100-continue',`
			`'Content-Type' => datastore['CONTENTTYPE'],`
			`}`
			`}, 15)`
Apply patch for #6495 2012-03-06 17:43:28 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (res && !(res.body.empty?))`
			`if ((not reject_regexen.select { \|r\| res.body =~ r }.empty?))`
			`print_status("Server #{wmap_target_host}:#{datastore['RPORT']} rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")`
			`elsif (res.message =~ /Cannot process the message because the content type/)`
			`print_status("Server #{wmap_target_host}:#{datastore['RPORT']} rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")`
			`res.message =~ /was not the expected type\s\'([^']+)'/`
			`print_status("Set CONTENTTYPE to \"#{$1}\"")`
			`return false`
			`elsif (res.code == 404)`
			`print_status("Server #{wmap_target_host}:#{datastore['RPORT']} returned HTTP 404 for #{datastore['PATH']}. Use a different one.")`
			`return false`
			`else`
			`print_status("Server #{wmap_target_host}:#{datastore['RPORT']} responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")`
			`## Add Report`
			`report_note(`
			`:host => ip,`
			`:proto => 'tcp',`
			`:sname => (ssl ? 'https' : 'http'),`
			`:port => rport,`
			`:type => "SOAPAction: #{v}#{n}",`
			`:data => "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."`
			`)`
			`if datastore['DISPLAYHTML']`
			`print_status("The HTML content follows:")`
			`print_status(res.body + "\r\n")`
			`end`
			`end`
			`end`
			`select(nil, nil, nil, datastore['SLEEP']) if (datastore['SLEEP'] > 0)`
			`end`
			`end`
			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e`
			`vprint_error(e.message)`
			`end`
			`end`
Added SOAP brute forcer module. YMMV. git-svn-id: file:///home/svn/framework3/trunk@6495 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-23 03:16:29 +00:00			`end`