y no update challenge

h00die · h00die · commit 260f793f2cfb · 2016-11-30T22:57:12.000-05:00
diff --git a/lib/metasploit/framework/login_scanner/varnish.rb b/lib/metasploit/framework/login_scanner/varnish.rb
@@ -24,17 +24,16 @@ class VarnishCLI
         def attempt_login(credential)
           begin
             connect
+            success = login(credential.private)
+            close_session
+            disconnect
+          rescue RuntimeError => e
+            return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => e.message}
           rescue Rex::ConnectionError, EOFError, Timeout::Error
             status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
-          else
-            begin
-              success = login(credential.private)
-            rescue RuntimeError => e
-              return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => e.message}
-            end
-
-            status = (success == true) ? Metasploit::Model::Login::Status::SUCCESSFUL : Metasploit::Model::Login::Status::INCORRECT
           end
+          status = (success == true) ? Metasploit::Model::Login::Status::SUCCESSFUL : Metasploit::Model::Login::Status::INCORRECT
+
           result = Result.new(credential: credential, status: status)
           result.host         = host
           result.port         = port
diff --git a/lib/metasploit/framework/varnish/client.rb b/lib/metasploit/framework/varnish/client.rb
@@ -7,22 +7,31 @@ module Framework
     module Varnish
       module Client
 
-        @AUTH_REQUIRED_REGEX = /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required\./ # 107 auth
-        @AUTH_SUCCESS_REGEX = /200 \d+/ # 200 ok
+        @@AUTH_REQUIRED_REGEX = /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required\./ # 107 auth
+        @@AUTH_SUCCESS_REGEX = /200 \d+/ # 200 ok
+
+        def require_auth?
+          # function returns false if no auth is required, else the challenge string
+          sock.put("auth #{Rex::Text.rand_text_alphanumeric(64)}\n") # Cause a login fail to get the challenge. Length is correct, but this has upper chars, subtle diff
+          res = sock.get_once(-1,3) # grab challenge
+          if res && res =~ @@AUTH_REQUIRED_REGEX
+            return $1
+          end
+          return false
+        end
 
         def login(pass)
           # based on https://www.varnish-cache.org/trac/wiki/CLI
           begin
-            auth = require_auth?
-            if not !!auth
-              #raise RuntimeError, $1 + "\n" + pass.strip + "\n" + $1 + "\n" + "auth " + Digest::SHA256.hexdigest("#{$1}\n#{pass.strip}\n#{$1}\n")
-              response = Digest::SHA256.hexdigest("#{$1}\n#{pass.strip}\n#{$1}\n")
+            challenge = require_auth?
+            if !!challenge
+              response = Digest::SHA256.hexdigest("#{challenge}\n#{pass.strip}\n#{challenge}\n")
               sock.put("auth #{response}\n")
               res = sock.get_once(-1,3)
-              raise RuntimeError, res
-              if res && res =~ @AUTH_SUCCESS_REGEX
+              if res && res =~ @@AUTH_SUCCESS_REGEX
                 return true
               else
+                raise RuntimeError, "|||#{challenge}|||#{pass.strip}|||#{response}"
                 return false
               end
             else
@@ -36,16 +45,6 @@ def login(pass)
         def close_session
           sock.put('quit')
         end
-        
-        def require_auth?
-          # function returns false if no auth is required, else
-          sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail to get the challenge
-          res = sock.get_once(-1,3) # grab challenge
-          if res && res =~ @AUTH_REQUIRED_REGEX
-            return $1
-          end
-          return false
-        end
 
       end
     end
