2009-04-23 03:16:29 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2009-04-23 03:16:29 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
2009-12-13 05:24:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Exploit mixins should be called first
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Auxiliary::WmapScanDir
|
|
|
|
# Scanner mixin should be near last
|
|
|
|
include Msf::Auxiliary::Scanner
|
2009-12-13 05:24:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'HTTP SOAP Verb/Noun Brute Force Scanner',
|
2014-07-14 22:14:10 +00:00
|
|
|
'Description' => %q(
|
2013-08-30 21:28:54 +00:00
|
|
|
This module attempts to brute force SOAP/XML requests to uncover
|
|
|
|
hidden methods.
|
2014-07-14 22:14:10 +00:00
|
|
|
),
|
|
|
|
'Author' => ['patrick'],
|
2013-08-30 21:28:54 +00:00
|
|
|
'License' => MSF_LICENSE))
|
2009-12-13 05:24:48 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
2014-07-14 22:14:10 +00:00
|
|
|
OptString.new('PATH', [true, 'The path to test', '/']),
|
|
|
|
OptString.new('XMLNAMESPACE', [true, 'XML Web Service Namespace', 'http://tempuri.org/']),
|
|
|
|
OptString.new('XMLINSTANCE', [true, 'XML Schema Instance', 'http://www.w3.org/2001/XMLSchema-instance']),
|
|
|
|
OptString.new('XMLSCHEMA', [true, 'XML Schema', 'http://www.w3.org/2001/XMLSchema']),
|
|
|
|
OptString.new('XMLSOAP', [true, 'XML SOAP', 'http://schemas.xmlsoap.org/soap/envelope/']),
|
|
|
|
OptString.new('CONTENTTYPE', [true, 'The HTTP Content-Type Header', 'application/x-www-form-urlencoded']),
|
|
|
|
OptInt.new('SLEEP', [true, 'Sleep this many milliseconds between requests', 0]),
|
|
|
|
OptBool.new('DISPLAYHTML', [true, 'Display HTML response', false]),
|
|
|
|
OptBool.new('SSL', [true, 'Use SSL', false]),
|
|
|
|
OptBool.new('VERB_DELETE', [false, 'Enable DELETE verb', false])
|
2013-08-30 21:28:54 +00:00
|
|
|
], self.class)
|
|
|
|
end
|
2009-04-23 03:16:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Fingerprint a single host
|
|
|
|
def run_host(ip)
|
2014-07-14 22:14:10 +00:00
|
|
|
verbs = %w(
|
|
|
|
get
|
|
|
|
active
|
|
|
|
activate
|
|
|
|
create
|
|
|
|
change
|
|
|
|
set
|
|
|
|
put
|
|
|
|
do
|
|
|
|
go
|
|
|
|
resolve
|
|
|
|
start
|
|
|
|
recover
|
|
|
|
initiate
|
|
|
|
negotiate
|
|
|
|
define
|
|
|
|
stop
|
|
|
|
begin
|
|
|
|
end
|
|
|
|
manage
|
|
|
|
administer
|
|
|
|
modify
|
|
|
|
register
|
|
|
|
log
|
|
|
|
add
|
|
|
|
list
|
|
|
|
query
|
|
|
|
)
|
2009-04-23 03:16:29 +00:00
|
|
|
|
2014-07-14 22:14:10 +00:00
|
|
|
verbs << 'delete' if datastore['VERB_DELETE']
|
|
|
|
|
|
|
|
nouns = %w(
|
|
|
|
password
|
|
|
|
task
|
|
|
|
tasks
|
|
|
|
pass
|
|
|
|
administration
|
|
|
|
account
|
|
|
|
accounts
|
|
|
|
admin
|
|
|
|
login
|
|
|
|
logins
|
|
|
|
token
|
|
|
|
tokens
|
|
|
|
credential
|
|
|
|
credentials
|
|
|
|
key
|
|
|
|
keys
|
|
|
|
guid
|
|
|
|
message
|
|
|
|
messages
|
|
|
|
user
|
|
|
|
users
|
|
|
|
username
|
|
|
|
usernames
|
|
|
|
load
|
|
|
|
list
|
|
|
|
name
|
|
|
|
names
|
|
|
|
file
|
|
|
|
files
|
|
|
|
path
|
|
|
|
paths
|
|
|
|
directory
|
|
|
|
directories
|
|
|
|
configuration
|
|
|
|
configurations
|
|
|
|
config
|
|
|
|
configs
|
|
|
|
setting
|
|
|
|
settings
|
|
|
|
registry
|
|
|
|
on
|
|
|
|
off
|
|
|
|
)
|
2012-03-06 17:43:28 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
vhost = datastore['VHOST'] || wmap_target_host || ip
|
2009-04-23 03:16:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# regular expressions for common rejection messages
|
|
|
|
reject_regexen = []
|
2014-07-14 22:14:10 +00:00
|
|
|
reject_regexen << Regexp.new('method \\S+ is not valid', true)
|
|
|
|
reject_regexen << Regexp.new('Method \\S+ not implemented', true)
|
|
|
|
reject_regexen << Regexp.new('unable to resolve WSDL method name', true)
|
2012-01-16 18:44:17 +00:00
|
|
|
|
2014-08-19 15:30:21 +00:00
|
|
|
print_status("Starting scan with #{datastore['SLEEP']}ms delay between requests")
|
2014-07-14 22:14:10 +00:00
|
|
|
verbs.each do |v|
|
|
|
|
nouns.each do |n|
|
|
|
|
begin
|
2013-08-30 21:28:54 +00:00
|
|
|
data_parts = []
|
2014-09-12 18:18:48 +00:00
|
|
|
data_parts << '<?xml version="1.0" encoding="utf-8"?>'
|
2013-08-30 21:28:54 +00:00
|
|
|
data_parts << "<soap:Envelope xmlns:xsi=\"#{datastore['XMLINSTANCE']}\" xmlns:xsd=\"#{datastore['XMLSCHEMA']}\" xmlns:soap=\"#{datastore['XMLSOAP']}\">"
|
2014-07-14 22:14:10 +00:00
|
|
|
data_parts << '<soap:Body>'
|
2013-08-30 21:28:54 +00:00
|
|
|
data_parts << "<#{v}#{n} xmlns=\"#{datastore['XMLNAMESPACE']}\">"
|
|
|
|
data_parts << "</#{v}#{n}>"
|
2014-07-14 22:14:10 +00:00
|
|
|
data_parts << '</soap:Body>'
|
|
|
|
data_parts << '</soap:Envelope>'
|
2013-08-30 21:28:54 +00:00
|
|
|
data_parts << nil
|
|
|
|
data_parts << nil
|
|
|
|
data = data_parts.join("\r\n")
|
2012-03-06 17:43:28 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
uri = normalize_uri(datastore['PATH'])
|
2014-07-14 22:14:10 +00:00
|
|
|
uri += '/' unless uri =~ /^\/$/
|
|
|
|
uri += v + n
|
|
|
|
|
|
|
|
vprint_status("Sending request #{uri} #{wmap_target_host}:#{datastore['RPORT']}")
|
|
|
|
|
|
|
|
res = send_request_raw(
|
|
|
|
{
|
|
|
|
'uri' => uri,
|
|
|
|
'method' => 'POST',
|
|
|
|
'vhost' => vhost,
|
|
|
|
'data' => data,
|
|
|
|
'headers' =>
|
|
|
|
{
|
|
|
|
'Content-Length' => data.length,
|
|
|
|
'SOAPAction' => '"' + datastore['XMLNAMESPACE'] + v + n + '"',
|
|
|
|
'Expect' => '100-continue',
|
|
|
|
'Content-Type' => datastore['CONTENTTYPE']
|
|
|
|
}
|
|
|
|
}, 15)
|
|
|
|
|
|
|
|
if res && !(res.body.empty?)
|
|
|
|
if reject_regexen.any? { |r| res.body =~ r }
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Server #{wmap_target_host}:#{datastore['RPORT']} rejected SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
2014-07-14 22:14:10 +00:00
|
|
|
elsif res.message =~ /Cannot process the message because the content type/
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Server #{wmap_target_host}:#{datastore['RPORT']} rejected CONTENTTYPE: HTTP: #{res.code} #{res.message}.")
|
|
|
|
res.message =~ /was not the expected type\s\'([^']+)'/
|
|
|
|
print_status("Set CONTENTTYPE to \"#{$1}\"")
|
|
|
|
return false
|
2014-07-14 22:14:10 +00:00
|
|
|
elsif res.code == 404
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Server #{wmap_target_host}:#{datastore['RPORT']} returned HTTP 404 for #{datastore['PATH']}. Use a different one.")
|
|
|
|
return false
|
|
|
|
else
|
|
|
|
print_status("Server #{wmap_target_host}:#{datastore['RPORT']} responded to SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}.")
|
2015-04-03 11:12:23 +00:00
|
|
|
# Add Report
|
2013-08-30 21:28:54 +00:00
|
|
|
report_note(
|
2014-07-14 22:14:10 +00:00
|
|
|
host: ip,
|
|
|
|
proto: 'tcp',
|
|
|
|
sname: (ssl ? 'https' : 'http'),
|
|
|
|
port: rport,
|
|
|
|
type: "SOAPAction: #{v}#{n}",
|
|
|
|
data: "SOAPAction: #{v}#{n} with HTTP: #{res.code} #{res.message}."
|
2013-08-30 21:28:54 +00:00
|
|
|
)
|
|
|
|
if datastore['DISPLAYHTML']
|
2014-07-14 22:14:10 +00:00
|
|
|
print_status('The HTML content follows:')
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status(res.body + "\r\n")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2014-07-14 22:14:10 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
|
|
|
|
print_error(e.message)
|
|
|
|
ensure
|
|
|
|
Rex.sleep(sleep_time)
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2014-07-14 22:14:10 +00:00
|
|
|
|
|
|
|
def sleep_time
|
|
|
|
datastore['SLEEP'] / 1000.0
|
|
|
|
end
|
2009-04-23 03:16:29 +00:00
|
|
|
end
|