Add the final portion for Glassfish login module
parent
5d8cbe0544
commit
a32ffc4c26
|
@ -5,6 +5,10 @@ module Metasploit
|
|||
module Framework
|
||||
module LoginScanner
|
||||
|
||||
# I don't want to raise RuntimeError to be able to abort login
|
||||
class GlassfishError < StandardError
|
||||
end
|
||||
|
||||
class Glassfish < HTTP
|
||||
|
||||
DEFAULT_PORT = 4848
|
||||
|
@ -24,9 +28,9 @@ module Metasploit
|
|||
|
||||
|
||||
def set_sane_defaults
|
||||
super
|
||||
self.ssl = false
|
||||
self.ssl_version = 'TLS1'
|
||||
super
|
||||
end
|
||||
|
||||
|
||||
|
@ -50,12 +54,12 @@ module Metasploit
|
|||
|
||||
|
||||
#
|
||||
# Starting Glassfish 4, by default bruteforce doesn't work because Secure Admin is enabled,
|
||||
# Starting Glassfish 4, by default bruteforce doesn't work because Secure Admin is disabled,
|
||||
# which means nobody can login remotely. You will only find out about this when you try to
|
||||
# login, so this should be called during the login process
|
||||
#
|
||||
def is_secure_admin_disabled?(res)
|
||||
return (res.body =~ /Secure Admin must be enabled/) ? true : false
|
||||
return (res.body =~ /Secure Admin must be enabled/i) ? true : false
|
||||
end
|
||||
|
||||
|
||||
|
@ -81,7 +85,9 @@ module Metasploit
|
|||
res = send_request(opts)
|
||||
|
||||
if is_secure_admin_disabled?(res)
|
||||
raise RuntimeError, "Secure Admin is enabled. Cannot brute force this."
|
||||
# Using the exact error message Glassfish says, that way the user can google what
|
||||
# it's about.
|
||||
raise GlassfishError, "Secure Admin must be enabled to access the DAS remotely."
|
||||
end
|
||||
|
||||
res
|
||||
|
@ -152,7 +158,7 @@ module Metasploit
|
|||
status = try_glassfish_3(credential)
|
||||
result_opts.merge!(status: status[:status], proof:status[:proof])
|
||||
else
|
||||
raise RuntimeError, "Glassfish version '#{self.version}' not supported"
|
||||
raise GlassfishError, "Glassfish version '#{self.version}' not supported"
|
||||
end
|
||||
rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
|
||||
result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
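Review bot: `is_secure_admin_disabled?` reads `res.body` without checking that a response came back, and the caller in the `@ -81,7 +85,9 @@` hunk passes the result of `send_request(opts)` straight into it. If `send_request` can return nil on a timeout or dropped connection (not visible on this page, so worth confirming), this raises NoMethodError. That is neither a GlassfishError nor one of the errors rescued in the last hunk, so the scan would stop with a stack trace instead of recording UNABLE_TO_CONNECT. A nil-safe form would be `return (res && res.body =~ /Secure Admin must be enabled/i) ? true : false`. The method that calls `send_request` starts and ends outside the hunk, so its other uses of `res` could not be checked.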
|
||||
|
|
|
@ -3,8 +3,6 @@
|
|||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
#load "~/rapid7/msf/lib/metasploit/framework/login_scanner/glassfish.rb"
|
||||
|
||||
require 'msf/core'
|
||||
require 'metasploit/framework/login_scanner/glassfish'
|
||||
|
||||
|
@ -150,10 +148,67 @@ class Metasploit3 < Msf::Auxiliary
|
|||
@scanner.ssl_version = datastore['SSLVERSION']
|
||||
end
|
||||
|
||||
def do_report(ip, port, result)
|
||||
service_data = {
|
||||
address: ip,
|
||||
port: port,
|
||||
service_name: 'http',
|
||||
protocol: 'tcp',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
def bruteforce
|
||||
credential_data = {
|
||||
module_fullname: self.fullname,
|
||||
origin_type: :service,
|
||||
private_data: result.credential.private,
|
||||
private_type: :password,
|
||||
username: result.credential.public,
|
||||
}.merge(service_data)
|
||||
|
||||
credential_core = create_credential(credential_data)
|
||||
|
||||
login_data = {
|
||||
core: credential_core,
|
||||
last_attempted_at: DateTime.now,
|
||||
status: result.status
|
||||
}.merge(service_data)
|
||||
|
||||
create_credential_login(login_data)
|
||||
end
|
||||
|
||||
def bruteforce(ip)
|
||||
@scanner.scan! do |result|
|
||||
print_debug(result.inspect)
|
||||
case result.status
|
||||
when Metasploit::Model::Login::Status::SUCCESSFUL
|
||||
print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
|
||||
do_report(ip, rport, result)
|
||||
:next_user
|
||||
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
|
||||
print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
|
||||
invalidate_login(
|
||||
address: ip,
|
||||
port: rport,
|
||||
protocol: 'tcp',
|
||||
public: result.credential.public,
|
||||
private: result.credential.private,
|
||||
realm_key: result.credential.realm_key,
|
||||
realm_value: result.credential.realm,
|
||||
status: result.status
|
||||
)
|
||||
:abort
|
||||
when Metasploit::Model::Login::Status::INCORRECT
|
||||
print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
|
||||
invalidate_login(
|
||||
address: ip,
|
||||
port: rport,
|
||||
protocol: 'tcp',
|
||||
public: result.credential.public,
|
||||
private: result.credential.private,
|
||||
realm_key: result.credential.realm_key,
|
||||
realm_value: result.credential.realm,
|
||||
status: result.status
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -221,7 +276,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
try_glassfish_auth_bypass(version)
|
||||
end
|
||||
|
||||
bruteforce unless version.blank?
|
||||
begin
|
||||
bruteforce(ip) unless version.blank?
|
||||
rescue ::Metasploit::Framework::LoginScanner::GlassfishError => e
|
||||
print_error(e.message)
|
||||
end
|
||||
end
|
||||
|
||||
end
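Review bot: `do_report` stores every successful login with `service_name: 'http'`, although the module also sets `@scanner.ssl_version` from `datastore['SSLVERSION']`, so a credential found over TLS would be filed under the wrong service. Assuming the module exposes the usual SSL option, `service_name: (datastore['SSL'] ? 'https' : 'http'),` keeps the stored record accurate. The new `rescue ::Metasploit::Framework::LoginScanner::GlassfishError` prints only `e.message`; `print_error("#{ip}:#{rport} - #{e.message}")` would tie the abort to a host when several targets are scanned. The two `invalidate_login(...)` calls in `bruteforce(ip)` take identical arguments and could share one small private helper.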
|
||||
|
|