Add the final portion for Glassfish login module

2014-08-27 15:09:11 -05:00 · 2014-08-27 15:09:11 -05:00 · a32ffc4c26
parent 5d8cbe0544
commit a32ffc4c26
2 changed files with 75 additions and 10 deletions
--- a/lib/metasploit/framework/login_scanner/glassfish.rb
+++ b/lib/metasploit/framework/login_scanner/glassfish.rb
@ -5,6 +5,10 @@ module Metasploit
  module Framework
    module LoginScanner

+      # I don't want to raise RuntimeError to be able to abort login
+      class GlassfishError < StandardError
+      end
+
      class Glassfish < HTTP

        DEFAULT_PORT  = 4848
@ -24,9 +28,9 @@ module Metasploit


        def set_sane_defaults
+          super
          self.ssl = false
          self.ssl_version = 'TLS1'
-          super
        end


@ -50,12 +54,12 @@ module Metasploit


        #
-        # Starting Glassfish 4, by default bruteforce doesn't work because Secure Admin is enabled,
+        # Starting Glassfish 4, by default bruteforce doesn't work because Secure Admin is disabled,
        # which means nobody can login remotely. You will only find out about this when you try to
        # login, so this should be called during the login process
        #
        def is_secure_admin_disabled?(res)
-          return (res.body =~ /Secure Admin must be enabled/) ? true : false
+          return (res.body =~ /Secure Admin must be enabled/i) ? true : false
        end


@ -81,7 +85,9 @@ module Metasploit
          res = send_request(opts)

          if is_secure_admin_disabled?(res)
-            raise RuntimeError, "Secure Admin is enabled. Cannot brute force this."
+            # Using the exact error message Glassfish says, that way the user can google what
+            # it's about.
+            raise GlassfishError, "Secure Admin must be enabled to access the DAS remotely."
          end

          res
@ -152,7 +158,7 @@ module Metasploit
              status = try_glassfish_3(credential)
              result_opts.merge!(status: status[:status], proof:status[:proof])
           else
-              raise RuntimeError, "Glassfish version '#{self.version}' not supported"
+              raise GlassfishError, "Glassfish version '#{self.version}' not supported"
            end
          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
--- a/modules/auxiliary/scanner/http/glassfish_login.rb
+++ b/modules/auxiliary/scanner/http/glassfish_login.rb
@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-#load "~/rapid7/msf/lib/metasploit/framework/login_scanner/glassfish.rb"
-
 require 'msf/core'
 require 'metasploit/framework/login_scanner/glassfish'

@ -150,10 +148,67 @@ class Metasploit3 < Msf::Auxiliary
    @scanner.ssl_version = datastore['SSLVERSION']
  end

+  def do_report(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }

-  def bruteforce
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def bruteforce(ip)
    @scanner.scan! do |result|
-      print_debug(result.inspect)
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
+        do_report(ip, rport, result)
+        :next_user
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+        :abort
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+      end
    end
  end

@ -221,7 +276,11 @@ class Metasploit3 < Msf::Auxiliary
      try_glassfish_auth_bypass(version)
    end

-    bruteforce unless version.blank?
+    begin
+      bruteforce(ip) unless version.blank?
+    rescue ::Metasploit::Framework::LoginScanner::GlassfishError => e
+      print_error(e.message)
+    end
  end

 end