Merge pull request #25 from rapid7/feature/MSP-9673/axis2-login-scanner

Add axis2 login scanner
2014-05-29 11:22:22 -05:00 · 2014-05-29 11:22:22 -05:00 · e669324366
parent dcc4d25f15 572e4f2bdf
commit e669324366
3 changed files with 92 additions and 14 deletions
--- a/lib/metasploit/framework/login_scanner/axis2.rb
+++ b/lib/metasploit/framework/login_scanner/axis2.rb
@ -0,0 +1,55 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # Tomcat Manager login scanner
+      class Axis2 < HTTP
+
+        DEFAULT_PORT = 8080
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          http_client = Rex::Proto::Http::Client.new(
+            host, port, {}, ssl, ssl_version
+          )
+
+          begin
+            http_client.connect
+            body = "userName=#{Rex::Text.uri_encode(credential.public)}&password=#{Rex::Text.uri_encode(credential.private)}&submit=+Login+"
+            request = http_client.request_cgi(
+              'uri' => uri,
+              'method' => "POST",
+              'data' => body,
+            )
+            response = http_client.send_recv(request)
+          end
+
+          if response && response.code == 200 && response.body.include?("upload")
+            Result.new(status: :success, credential: credential, proof: response)
+          else
+            Result.new(status: :failed, credential: credential, proof: response)
+          end
+        end
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = "/axis2/axis2-admin/login" if self.uri.nil?
+          @method = "POST".freeze
+
+          super
+        end
+
+        # The method *must* be "POST", so don't let the user change it
+        # @raise [RuntimeError]
+        def method=(_)
+          raise RuntimeError, "Method must be POST for Axis2"
+        end
+
+      end
+    end
+  end
+end
+
--- a/modules/auxiliary/scanner/http/axis_login.rb
+++ b/modules/auxiliary/scanner/http/axis_login.rb
@ -17,10 +17,12 @@ class Metasploit3 < Msf::Auxiliary

  def initialize
    super(
-      'Name'           => 'Apache Axis2 v1.4.1 Brute Force Utility',
-      'Description'    => %q{This module attempts to login to an Apache Axis2 v1.4.1
-        instance using username and password combindations indicated by the USER_FILE,
-        PASS_FILE, and USERPASS_FILE options.
+      'Name'           => 'Apache Axis2 Brute Force Utility',
+      'Description'    => %q{
+        This module attempts to login to an Apache Axis2 instance using
+        username and password combindations indicated by the USER_FILE,
+        PASS_FILE, and USERPASS_FILE options. It has been verified to
+        work on at least versions 1.4.1 and 1.6.2.
      },
      'Author'         =>
        [
@ -35,9 +37,9 @@ class Metasploit3 < Msf::Auxiliary
      'License'        => MSF_LICENSE
    )

-    register_options(
-      [ Opt::RPORT(8080),
-        OptString.new('URI', [false, 'Path to the Apache Axis Administration page', '/axis2/axis2-admin/login']),
+    register_options( [
+      Opt::RPORT(8080),
+      OptString.new('URI', [false, 'Path to the Apache Axis Administration page', '/axis2/axis2-admin/login']),
    ], self.class)
  end

@ -49,10 +51,10 @@ class Metasploit3 < Msf::Auxiliary

    print_status("Verifying login exists at #{target_url}")
    begin
-      res = send_request_cgi({
-          'method'  => 'GET',
-          'uri'     => datastore['URI']
-        }, 20)
+      send_request_cgi({
+        'method'  => 'GET',
+        'uri'     => datastore['URI']
+      }, 20)
    rescue
      print_error("The Axis2 login page does not exist at #{target_url}")
      return
@ -77,12 +79,12 @@ class Metasploit3 < Msf::Auxiliary
        'data'    => post_data,
      }, 20)

-      if (res and res.code == 200 and res.body.to_s.match(/upload/) != nil)
+      if res && res.code == 200 && res.body.to_s.match(/upload/) != nil
        print_good("#{target_url} - Apache Axis - SUCCESSFUL login for '#{user}' : '#{pass}'")
        report_auth_info(
          :host   => rhost,
          :port   => rport,
-          :sname => (ssl ? 'https' : 'http'),
+          :sname  => (ssl ? 'https' : 'http'),
          :user   => user,
          :pass   => pass,
          :proof  => "WEBAPP=\"Apache Axis\", VHOST=#{vhost}",
@ -91,7 +93,7 @@ class Metasploit3 < Msf::Auxiliary
          :active => true
        )

-      elsif(res and res.code == 200)
+      elsif res && res.code == 200
        vprint_error("#{target_url} - Apache Axis - Failed to login as '#{user}'")
      else
        vprint_error("#{target_url} - Apache Axis - Unable to authenticate.")
--- a/spec/lib/metasploit/framework/login_scanner/axis2_spec.rb
+++ b/spec/lib/metasploit/framework/login_scanner/axis2_spec.rb
@ -0,0 +1,21 @@
+
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/winrm'
+
+describe Metasploit::Framework::LoginScanner::WinRM do
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP'
+
+  context "#method=" do
+    subject(:scanner) { described_class.new }
+
+    it "should raise, warning that the :method can't be changed" do
+      expect { scanner.method = "GET" }.to raise_error(RuntimeError)
+      expect(scanner.method).to eq("POST")
+    end
+  end
+
+end
+