This one is good to go

2014-09-04 14:13:33 -05:00 · 2014-09-04 14:13:33 -05:00 · 0dcf481d76
parent dd4fd7bb39
commit 0dcf481d76
3 changed files with 90 additions and 8 deletions
--- a/lib/metasploit/framework/login_scanner/smh.rb
+++ b/lib/metasploit/framework/login_scanner/smh.rb
@ -15,6 +15,8 @@ module Metasploit

        DEFAULT_PORT  = 4848
        PRIVATE_TYPES = [ :password ]
+        CAN_GET_SESSION = true
+

        #
        # Decides which login routine and returns the results
@ -48,6 +50,7 @@ module Metasploit

          rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, ::EOFError, ::Timeout::Error
            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+            return Result.new(result_opts)
          end

          if res && res.headers['CpqElm-Login'].to_s =~ /success/
--- a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
+++ b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-#load "/Users/wchen/rapid7/msf/lib/metasploit/framework/login_scanner/smh.rb"
-
 require 'msf/core'
 require 'metasploit/framework/login_scanner/smh'

@ -29,14 +27,38 @@ class Metasploit3 < Msf::Auxiliary
          'SSL' => true,
          'RPORT' => 2381,
          'USERPASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "http_default_userpass.txt"),
-          'USER_FILE' => File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt"),
-          'PASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt")
+          'USER_FILE' => File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt"),
+          'PASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt")
        }
    ))
  end

-  def anonymous_access?
-    res = send_request_raw({'uri' => '/'})
+  def get_version(res)
+    if res
+      return res.body.scan(/smhversion = "HP System Management Homepage v([\d\.]+)"/i).flatten[0] || ''
+    end
+
+    ''
+  end
+
+  def is_version_tested?(version)
+    # As of Sep 4 2014, version 7.4 is the latest and that's the last one we've tested
+    if version < '7.5'
+      return true
+    end
+
+    false
+  end
+
+  def get_system_name(res)
+    if res
+      return res.body.scan(/fullsystemname = "(.+)"/i).flatten[0] || ''
+    end
+
+    ''
+  end
+
+  def anonymous_access?(res)
    return true if res and res.body =~ /username = "hpsmh_anonymous"/
    false
  end
@ -132,8 +154,35 @@ class Metasploit3 < Msf::Auxiliary


  def run_host(ip)
-    if anonymous_access?
-      print_status("#{peer} - No login necessary. Server allows anonymous access.")
+    res = send_request_cgi({
+      'uri' => '/cpqlogin.htm',
+      'method' => 'GET',
+      'vars_get' => {
+        'RedirectUrl' => '/cpqlogin',
+        'RedirectQueryString' => ''
+      }
+    })
+
+    version = get_version(res)
+    unless version.blank?
+      print_status("#{peer} - Version detected: #{version}")
+      unless is_version_tested?(version)
+        print_warning("#{peer} - You're running the module against a version we have not tested")
+      end
+    end
+
+    sys_name = get_system_name(res)
+    unless sys_name.blank?
+      print_status("#{peer} - System name detected: #{sys_name}")
+      report_note(
+        :host => ip,
+        :type => "system.name",
+        :data => sys_name
+      )
+    end
+
+    if anonymous_access?(res)
+      print_good("#{peer} - No login necessary. Server allows anonymous access.")
      return
    end

--- a/spec/lib/metasploit/framework/login_scanner/smh_spec.rb
+++ b/spec/lib/metasploit/framework/login_scanner/smh_spec.rb
@ -7,4 +7,34 @@ describe Metasploit::Framework::LoginScanner::Smh do
  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'

+  subject(:smh_cli) { described_class.new }
+
+  context "#attempt_login" do
+    let(:cred) do
+      Metasploit::Framework::Credential.new(
+        paired: true,
+        public: 'admin',
+        private: 'password'
+      )
+    end
+
+    it 'Rex::ConnectionError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+      allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Rex::ConnectionError)
+      expect(smh_cli.attempt_login(cred).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+    it 'Timeout::Error should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+      allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Timeout::Error)
+
+      expect(smh_cli.attempt_login(cred).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+    it 'EOFError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+      allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(EOFError)
+
+      expect(smh_cli.attempt_login(cred).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+  end
+
 end