infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rebuild / add check_setup / send_request

bug/bundler_fix
nixawk 2016-01-05 15:10:26 +08:00
parent a6914df3e3
commit c3158497c0
2 changed files with 150 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
lib/metasploit/framework/login_scanner/caidao.rb
View File

@ -9,14 +9,76 @@ module Metasploit
# Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
DEFAULT_PORT = 80
PRIVATE_TYPES = [ :password ]
LOGIN_STATUS = Metasploit::Model::Login::Status # Shorter name
# Checks if the target is Caidao Backdoor. The login module should call this.
#
# @return [Boolean] TrueClass if target is Caidao, otherwise FalseClass
def check_setup
@flag = Rex::Text.rand_text_alphanumeric(4)
@lmark = Rex::Text.rand_text_alphanumeric(4)
@rmark = Rex::Text.rand_text_alphanumeric(4)
case uri
when /php$/mi
@payload = "$_=\"#{@flag}\";echo \"#{@lmark}\".$_.\"#{@rmark}\";"
return true
when /asp$/mi
@payload = 'execute("response.write(""'
@payload << "#{@lmark}"
@payload << '""):response.write(""'
@payload << "#{@flag}"
@payload << '""):response.write(""'
@payload << "#{@rmark}"
@payload << '""):response.end")'
return true
when /aspx$/mi
@payload = "Response.Write(\"#{@lmark}\");"
@payload << "Response.Write(\"#{@flag}\");"
@payload << "Response.Write(\"#{@rmark}\")"
return true
end
false
end
def set_sane_defaults
self.method = "POST" if self.method.nil?
end
# Actually doing the login. Called by #attempt_login
#
# @param username [String] The username to try
# @param password [String] The password to try
# @return [Hash]
# * :status [Metasploit::Model::Login::Status]
# * :proof [String] the HTTP response body
def try_login(username, password)
res = send_request(
'method' => method,
'uri' => uri,
'data' => "#{password}=#{@payload}"
)
unless res
return { :status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s }
end
if res && res.code == 200 && res.body.to_s.include?("#{@lmark}#{@flag}#{@rmark}")
return { :status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s }
end
{ :status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s }
end
# Attempts to login to Caidao Backdoor. This is called first.
#
# @param credential [Metasploit::Framework::Credential] The credential object
# @return [Result] A Result object indicating success or failure
def attempt_login(credential)
result_opts = {
credential: credential,
status: Metasploit::Model::Login::Status::INCORRECT,
proof: nil,
host: host,
port: port,
protocol: 'tcp'
@ -29,55 +91,12 @@ module Metasploit
end
begin
status = try_login(credential)
result_opts.merge!(status)
rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
result_opts.merge!(try_login(credential.public, credential.private))
rescue ::Rex::ConnectionError => e
result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
end
Result.new(result_opts)
end
def try_login(credential)
cli = Rex::Proto::Http::Client.new(host, port, { 'Msf' => framework, 'MsfExploit' => framework_module }, ssl, ssl_version, proxies)
configure_http_client(cli)
cli.connect
flag = Rex::Text.rand_text_alphanumeric(4)
lmark = Rex::Text.rand_text_alphanumeric(4)
rmark = Rex::Text.rand_text_alphanumeric(4)
case self.uri
when /php$/mi
payload = "$_=\"#{flag}\";echo \"#{lmark}\".$_.\"#{rmark}\";"
when /asp$/mi
payload = 'execute("response.write(""'
payload << "#{lmark}"
payload << '""):response.write(""'
payload << "#{flag}"
payload << '""):response.write(""'
payload << "#{rmark}"
payload << '""):response.end")'
when /aspx$/mi
payload = "Response.Write(\"#{lmark}\");"
payload << "Response.Write(\"#{flag}\");"
payload << "Response.Write(\"#{rmark}\")"
else
print_error("Backdoor type is not support")
return
end
req = cli.request_cgi({
'method' => method,
'uri' => uri,
'data' => "#{credential.private}=#{payload}"
})
res = cli.send_recv(req)
if res && res.code == 200 && res.body.to_s.include?("#{lmark}#{flag}#{rmark}")
return { :status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body }
end
{ :status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body }
end
end
end
end

119
modules/auxiliary/scanner/http/caidao_bruteforce_login.rb
View File

@ -39,44 +39,95 @@ class Metasploit4 < Msf::Auxiliary
], self.class)
end
def run_host(ip)
cred_collection = Metasploit::Framework::CredentialCollection.new(
blank_passwords: datastore['BLANK_PASSWORDS'],
pass_file: datastore['PASS_FILE'],
password: datastore['PASSWORD'],
user_file: datastore['USER_FILE'],
userpass_file: datastore['USERPASS_FILE'],
username: datastore['USERNAME'],
user_as_pass: datastore['USER_AS_PASS']
)
scanner = Metasploit::Framework::LoginScanner::Caidao.new(
configure_http_login_scanner(
uri: datastore['TARGETURI'],
method: datastore['HTTP_METHOD'],
cred_details: cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: 10
def scanner(ip)
@scanner ||= lambda {
cred_collection = Metasploit::Framework::CredentialCollection.new(
blank_passwords: datastore['BLANK_PASSWORDS'],
pass_file: datastore['PASS_FILE'],
password: datastore['PASSWORD'],
user_file: datastore['USER_FILE'],
userpass_file: datastore['USERPASS_FILE'],
username: datastore['USERNAME'],
user_as_pass: datastore['USER_AS_PASS']
)
return Metasploit::Framework::LoginScanner::Caidao.new(
configure_http_login_scanner(
host: ip,
port: datastore['RPORT'],
uri: datastore['TARGETURI'],
cred_details: cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: 5
))
}.call
end
def report_good_cred(ip, port, result)
service_data = {
address: ip,
port: port,
service_name: 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
private_data: result.credential.private,
private_type: :password,
username: result.credential.public,
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
last_attempted_at: DateTime.now,
status: result.status,
proof: result.proof
}.merge(service_data)
create_credential_login(login_data)
end
def report_bad_cred(ip, rport, result)
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status,
proof: result.proof
)
end
scanner.scan! do |result|
credential_data = result.to_h
credential_data.merge!(
module_fullname: fullname,
workspace_id: myworkspace_id
)
if result.success?
credential_core = create_credential(credential_data)
credential_data[:core] = credential_core
create_credential_login(credential_data)
print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
else
invalidate_login(credential_data)
vprint_error "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"
# Attempts to login
def bruteforce(ip)
scanner(ip).scan! do |result|
case result.status
when Metasploit::Model::Login::Status::SUCCESSFUL
print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential}'")
report_good_cred(ip, rport, result)
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)
report_bad_cred(ip, rport, result)
when Metasploit::Model::Login::Status::INCORRECT
vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'")
report_bad_cred(ip, rport, result)
end
end
end
def run_host(ip)
unless scanner(ip).check_setup
print_brute(:level => :error, :ip => ip, :msg => 'Backdoor type is not support')
return
end
bruteforce(ip)
end
end