Merge branch 'aux-scan-metasploit' of git://github.com/kost/metasploit-framework into kost-aux-scan-metasploit

2012-11-26 16:26:11 -06:00 · 2012-11-26 16:26:11 -06:00 · 65ac56a7a7
parent 472ec35adb c22335a2f5
commit 65ac56a7a7
2 changed files with 242 additions and 0 deletions
--- a/modules/auxiliary/scanner/msf/msf_rpc_login.rb
+++ b/modules/auxiliary/scanner/msf/msf_rpc_login.rb
@ -0,0 +1,92 @@
+##
+# msf_rpc_login.rb
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/rpc/v10/client'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::AuthBrute
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name' 		=> 'Metasploit RPC interface Login Utility',
+			'Description'	=> %q{
+				This module simply attempts to login to a
+				Metasploit RPC interface using a specific
+				user/pass.
+			},
+			'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				Opt::RPORT(55553),
+				OptString.new('USERNAME', [true, "A specific username to authenticate as. Default is msf", "msf"]),
+				OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
+				OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true])
+			], self.class)
+		register_autofilter_ports([3790])
+
+	end
+
+	def run_host(ip)
+		begin
+			@rpc = Msf::RPC::Client.new(
+			:host => datastore['rhost'],
+			:port => datastore['rport'],
+			:ssl  => datastore['SSL']
+			)
+		rescue => e
+			vprint_error("#{msg} #{datastore['SSL']} Cannot create RPC client : #{e}")
+			return
+		end
+
+		each_user_pass do |user, pass|
+			do_login(user, pass)
+		end
+	end
+
+	def do_login(user='msf', pass='msf')
+		vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")
+		begin
+			res = @rpc.login(user, pass)
+			if res
+				print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
+
+				report_hash = {
+					:host   => datastore['RHOST'],
+					:port   => datastore['RPORT'],
+					:sname  => 'msf-rpc',
+					:user   => user,
+					:pass   => pass,
+					:active => true,
+					:type => 'password'}
+
+				report_auth_info(report_hash)
+				@rpc.close
+				return :next_user
+			end
+		rescue  => e
+			# vprint_status("#{msg} #{datastore['SSL']} - Bad login #{e}")
+			vprint_status("#{msg} #{datastore['SSL']} - Bad login")
+			@rpc.close
+			return :skip_pass
+		end
+	end
+
+	def msg
+		"#{datastore['RHOST']}:#{datastore['RPORT']} Metasploit RPC -"
+	end
+end
--- a/modules/auxiliary/scanner/msf/msf_web_login.rb
+++ b/modules/auxiliary/scanner/msf/msf_web_login.rb
@ -0,0 +1,150 @@
+##
+# msf_web_login.rb
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::AuthBrute
+
+	include Msf::Auxiliary::Scanner
+
+	def initialize
+		super(
+			'Name'           => 'Metasploit Web interface Login Utility',
+			'Description'    => %{
+				This module simply attempts to login to a Metasploit
+				web interface using a specific user/pass.
+			},
+			'Author'         => [ 'Vlatko Kosturjak <kost[at]linux.hr>' ],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				Opt::RPORT(3790),
+				OptString.new('URILOGIN', [true, "URI for Metasploit Web login. Default is /login", "/login"]),
+				OptString.new('URIGUESS', [true, "URI for Metasploit Web login. Default is /user_sessions", "/user_sessions"]),
+				OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
+				OptBool.new('SSL', [ true, "Negotiate SSL for outgoing connections", true])
+			], self.class)
+
+		register_autofilter_ports([55553])
+	end
+
+	def run_host(ip)
+		begin
+			res = send_request_cgi({
+				'uri'     => datastore['URILOGIN'],
+				'method'  => 'GET'
+				}, 25)
+			http_fingerprint({ :response => res })
+		rescue ::Rex::ConnectionError => e
+			vprint_error("#{msg} #{datastore['URILOGIN']} - #{e}")
+			return
+		end
+
+		if not res
+			vprint_error("#{msg} #{datastore['URILOGIN']} - No response")
+			return
+		end
+		if !(res.code == 200 or res.code == 302)
+			vprint_error("#{msg} Expected 200 HTTP code - not msf web? Got: #{res.code}")
+			return
+		end
+		if res.body !~ /<title>Metasploit<\/title>/
+			vprint_error("#{msg} Expected metasploit page - not msf web interface? #{res.body}")
+			return
+		end
+
+		each_user_pass do |user, pass|
+			do_login(user, pass)
+		end
+	end
+
+	def do_login(user='msf', pass='msf')
+		vprint_status("#{msg} - Trying username:'#{user}' with password:'#{pass}'")
+		begin
+			res = send_request_cgi({
+				'uri'     => datastore['URILOGIN'],
+				'method'  => 'GET'
+				}, 25)
+
+			token = ''
+			uisession = ''
+			if res and res.code == 200
+				# extract tokens from cookie
+				res.headers['Set-Cookie'].split(';').each {|c|
+					c.split(',').each {|v|
+						if v.split('=')[0] =~ /token/
+							token = v.split('=')[1]
+						elsif v.split('=')[0] =~ /_ui_session/
+							uisession = v.split('=')[1]
+						end
+					}
+				}
+				# extract authenticity_token from hidden field
+				atoken = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*)"/)[0][0]
+			else
+				print_error("#{msg} Failed to get login cookies, aborting")
+				return :abort
+			end
+
+			# vprint_status("#{msg} '#{user}' with '#{pass}': #{atoken} - #{token} - #{uisession}")
+			res = send_request_cgi(
+			{
+				'uri'     => datastore['URIGUESS'],
+				'method'  => 'POST',
+				'cookie'	=> "token=#{token}; _ui_session=#{uisession}",
+				'vars_post' =>
+					{
+						'commit' => 'Sign in',
+						'utf8' => "\xE2\x9C\x93",
+						'authenticity_token' => atoken,
+						'user_session[username]' => user,
+						'user_session[password]' => pass
+					}
+			}, 25)
+
+			if not res or res.code != 302
+				vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' with code #{res.code}")
+				return :skip_pass
+			end
+			if res.headers['Location'] =~ /\/login/
+				vprint_error("#{msg} FAILED LOGIN. '#{user}' : '#{pass}' with wrong redirect")
+				return :skip_pass
+			else
+				print_good("#{msg} SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
+
+				report_hash = {
+					:host   => datastore['RHOST'],
+					:port   => datastore['RPORT'],
+					:sname  => 'msf-web',
+					:user   => user,
+					:pass   => pass,
+					:active => true,
+					:type => 'password'}
+
+				report_auth_info(report_hash)
+				return :next_user
+			end
+		rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
+			print_error("#{msg} HTTP Connection Failed, Aborting")
+			return :abort
+		end
+	end
+
+	def msg
+		"#{vhost}:#{rport} Metasploit Web -"
+	end
+end