Land #2720, @wchen-r7's httpserver test module
commit
2284763922
|
@ -0,0 +1,154 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Basic HttpServer Simulator',
|
||||
'Description' => %q{
|
||||
This is example of a basic HttpServer simulator, good for PR scenarios when a module
|
||||
is made, but the author no longer has access to the test box, no pcap or screenshot -
|
||||
Basically no way to prove the functionality.
|
||||
|
||||
This particular simulator will pretend to act like a Cisco ASA ASDM, so the
|
||||
cisco_asa_asdm.rb module can do a live test against it.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2720' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SRVPORT' => 443,
|
||||
'SSL' => true,
|
||||
'URIPATH' => '/'
|
||||
},
|
||||
'Author' => [ 'sinn3r' ],
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('USERNAME', [true, "The valid default username", "cisco"]),
|
||||
OptString.new('PASSWORD', [true, "The valid default password", "cisco"])
|
||||
], self.class)
|
||||
|
||||
deregister_options('RHOST')
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Returns a response when the client is trying to check the connection
|
||||
#
|
||||
def res_check_conn(cli, req)
|
||||
send_response(cli, '')
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Returns a response when the client is trying to authenticate
|
||||
#
|
||||
def res_login(cli, req)
|
||||
case req.method
|
||||
when 'GET'
|
||||
# This must be the is_app_asdm? method asking
|
||||
print_status("Responding to the is_app_asdm? method")
|
||||
send_response(cli, '', {'Set-Cookie'=>'webvpn'})
|
||||
|
||||
when 'POST'
|
||||
# This must be the do_login method. But before it can login, it must meet
|
||||
# the cookie requirement
|
||||
if req.headers['Cookie'] == /webvpnlogin=1; tg=0DefaultADMINGroup/
|
||||
send_redirect(cli)
|
||||
return
|
||||
end
|
||||
|
||||
# Process the post data
|
||||
vars_post = {}
|
||||
req.body.scan(/(\w+=\w+)/).flatten.each do |param|
|
||||
k, v = param.split('=')
|
||||
vars_post[k] = v
|
||||
end
|
||||
|
||||
# Auth
|
||||
if vars_post['username'] == datastore['USERNAME'] and vars_post['password'] == datastore['PASSWORD']
|
||||
print_good("Authenticated")
|
||||
|
||||
fake_success_body = %Q|
|
||||
SSL VPN Service
|
||||
Success
|
||||
success
|
||||
|
|
||||
|
||||
send_response(cli, fake_success_body)
|
||||
else
|
||||
print_error("Bad login")
|
||||
resp = create_response(403, "Access Denied")
|
||||
resp.body = ''
|
||||
cli.send_response(resp)
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, req)
|
||||
print_status("Received request: #{req.uri}")
|
||||
|
||||
case req.uri
|
||||
when '/'
|
||||
res_check_conn(cli, req)
|
||||
when /\+webvpn\+\/index\.html/
|
||||
res_login(cli, req)
|
||||
end
|
||||
|
||||
# Request not processed, send a 404
|
||||
send_not_found(cli)
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
exploit
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
Test Results - clinet output:
|
||||
msf auxiliary(cisco_asa_asdm) > run
|
||||
|
||||
[+] 10.0.1.76:443 - Server is responsive...
|
||||
[*] 10.0.1.76:443 - Application appears to be Cisco ASA ASDM. Module will continue.
|
||||
[*] 10.0.1.76:443 - Starting login brute force...
|
||||
[*] 10.0.1.76:443 - [1/2] - Trying username:"cisco" with password:""
|
||||
[-] 10.0.1.76:443 - [1/2] - FAILED LOGIN - "cisco":""
|
||||
[*] 10.0.1.76:443 - [2/2] - Trying username:"cisco" with password:"cisco"
|
||||
[+] 10.0.1.76:443 - SUCCESSFUL LOGIN - "cisco":"cisco"
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
msf auxiliary(cisco_asa_asdm) >
|
||||
|
||||
Test Results - Fake server output:
|
||||
|
||||
msf auxiliary(httpserver) > run
|
||||
|
||||
[*] Using URL: https://0.0.0.0:443/
|
||||
[*] Local IP: https://10.0.1.76:443/
|
||||
[*] Server started.
|
||||
[*] 10.0.1.76 httpserver - Received request: /
|
||||
[*] 10.0.1.76 httpserver - Received request: /+webvpn+/index.html
|
||||
[*] 10.0.1.76 httpserver - Responding to the is_app_asdm? method
|
||||
[*] 10.0.1.76 httpserver - Received request: /+webvpn+/index.html
|
||||
[-] 10.0.1.76 httpserver - Bad login
|
||||
[*] 10.0.1.76 httpserver - Received request: /+webvpn+/index.html
|
||||
[+] Authenticated
|
||||
|
||||
|
||||
=end
|
Loading…
Reference in New Issue