Land rapid7#3699, @dmaloney-r7's ipboard login refactor

Author: jvazquez-r7

lib/metasploit/framework/login_scanner/axis2.rb

@@ -20,6 +20,8 @@ def attempt_login(credential)
             host, port, {}, ssl, ssl_version
           )
 
+          http_client = config_client(http_client)
+
           result_opts = {
               credential: credential,
               host: host,

lib/metasploit/framework/login_scanner/http.rb

@@ -29,6 +29,15 @@ class HTTP
         #   @return [String] HTTP method, e.g. "GET", "POST"
         attr_accessor :method
 
+        # @!attribute user_agent
+        #   @return [String] the User-Agent to use for the HTTP requests
+        attr_accessor :user_agent
+
+        # @!attribute vhost
+        #   @return [String] the Virtual Host name for the target Web Server
+        attr_accessor :vhost
+
+
         validates :uri, presence: true, length: { minimum: 1 }
 
         validates :method,
@@ -82,6 +91,9 @@ def attempt_login(credential)
             host, port, {}, ssl, ssl_version,
             nil, credential.public, credential.private
           )
+
+          http_client = config_client(http_client)
+
           if credential.realm
             http_client.set_config('domain' => credential.realm)
           end
@@ -108,6 +120,14 @@ def attempt_login(credential)
 
         private
 
+        def config_client(client)
+          client.set_config(
+            'vhost' => vhost || host,
+            'agent' => user_agent
+          )
+          client
+        end
+
         # This method sets the sane defaults for things
         # like timeouts and TCP evasion options
         def set_sane_defaults

lib/metasploit/framework/login_scanner/ipboard.rb

@@ -0,0 +1,105 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # IP Board login scanner
+      class IPBoard < HTTP
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          http_client = Rex::Proto::Http::Client.new(
+              host, port, {}, ssl, ssl_version
+          )
+
+          http_client = config_client(http_client)
+
+          result_opts = {
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp'
+          }
+          if ssl
+            result_opts[:service_name] = 'https'
+          else
+            result_opts[:service_name] = 'http'
+          end
+
+          begin
+            http_client.connect
+
+            nonce_request = http_client.request_cgi(
+                'uri' => uri,
+                'method'  => 'GET'
+            )
+
+            nonce_response = http_client.send_recv(nonce_request)
+
+            if nonce_response.body =~ /name='auth_key'\s+value='.*?((?:[a-z0-9]*))'/i
+              server_nonce = $1
+
+              if uri.end_with? '/'
+                base_uri = uri.gsub(/\/$/, '')
+              else
+                base_uri = uri
+              end
+
+              auth_uri = "#{base_uri}/index.php"
+
+              request = http_client.request_cgi(
+                'uri' => auth_uri,
+                'method'  => 'POST',
+                'vars_get' => {
+                  'app'     => 'core',
+                  'module'  => 'global',
+                  'section' => 'login',
+                  'do'      => 'process'
+                },
+                'vars_post'      => {
+                  'auth_key'     => server_nonce,
+                  'ips_username' => credential.public,
+                  'ips_password' => credential.private
+                }
+              )
+
+              response = http_client.send_recv(request)
+
+              if response && response.get_cookies.include?('ipsconnect') && response.get_cookies.include?('coppa')
+                result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response)
+              else
+                result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: response)
+              end
+
+            else
+              result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: "Server nonce not present, potentially not an IP Board install or bad URI.")
+            end
+          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          end
+
+          Result.new(result_opts)
+
+        end
+
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = "/forum/" if self.uri.nil?
+          @method = "POST".freeze
+
+          super
+        end
+
+        # The method *must* be "POST", so don't let the user change it
+        # @raise [RuntimeError]
+        def method=(_)
+          raise RuntimeError, "Method must be POST for IPBoard"
+        end
+
+      end
+    end
+  end
+end
+

modules/auxiliary/scanner/http/axis_login.rb

@@ -82,6 +82,8 @@ def run_host(ip)
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
       connection_timeout: 5,
+      user_agent: datastore['UserAgent'],
+      vhost: datastore['VHOST']
     )
 
     scanner.scan! do |result|

modules/auxiliary/scanner/http/http_login.rb

@@ -140,6 +140,8 @@ def run_host(ip)
       cred_details: cred_collection,
       stop_on_success: datastore['STOP_ON_SUCCESS'],
       connection_timeout: 5,
+      user_agent: datastore['UserAgent'],
+      vhost: datastore['VHOST']
     )
 
     msg = scanner.check_setup

modules/auxiliary/scanner/http/ipboard_login.rb

@@ -1,5 +1,6 @@
 
 require 'msf/core'
+require 'metasploit/framework/login_scanner/ipboard'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -25,115 +26,51 @@ def initialize
   end
 
   def run_host(ip)
-    connect
-
-    each_user_pass do |user, pass|
-      do_login(user, pass, ip)
-    end
-  end
-
-  def do_login(user, pass, ip)
-    begin
-      print_status "Connecting to target, searching for IP Board server nonce..."
-
-      # Perform the initial request and find the server nonce, which is required to log
-      # into IP Board
-      res = send_request_cgi({
-        'uri'     => normalize_uri(target_uri.path),
-        'method'  => 'GET'
-        }, 10)
-
-      unless res
-        print_error "No response when trying to connect to #{vhost}"
-        return :connection_error
-      end
-
-      # Grab the key from within the body, or alert that it can't be found and exit out
-      if res.body =~ /name='auth_key'\s+value='.*?((?:[a-z0-9]*))'/i
-        server_nonce = $1
-        print_status "Server nonce found, attempting to log in..."
-      else
-        print_error "Server nonce not present, potentially not an IP Board install or bad URI."
-        print_error "Skipping #{vhost}.."
-        return :abort
-      end
-
-      # With the server nonce found, try to log into IP Board with the user provided creds
-      res2 = send_request_cgi({
-        'uri'     => normalize_uri(target_uri.path, "index.php?app=core&module=global&section=login&do=process"),
-        'method'  => 'POST',
-        'vars_post'      => {
-          'auth_key'     => server_nonce,
-          'ips_username' => user,
-          'ips_password' => pass
-        }
-        })
-
-      # Default value of no creds found
-      valid_creds = false
-
-      # Iterate over header response.  If the server is setting the ipsconnect and coppa cookie
-      # then we were able to log in successfully.  If they are not set, invalid credentials were
-      # provided.
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
+    )
 
-      if res2.get_cookies.include?('ipsconnect') && res2.get_cookies.include?('coppa')
-        valid_creds = true
-      end
+    scanner = Metasploit::Framework::LoginScanner::IPBoard.new(
+        host: ip,
+        port: rport,
+        uri: normalize_uri(target_uri.path),
+        proxies: datastore["PROXIES"],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: 5,
+        user_agent: datastore['UserAgent'],
+        vhost: datastore['VHOST']
+    )
 
-      # Inform the user if the user supplied credentials were valid or not
-      if valid_creds
-        print_good "Username: #{user} and Password: #{pass} are valid credentials!"
-        register_creds(user, pass, ip)
-        return :next_user
-      else
-        vprint_error "Username: #{user} and Password: #{pass} are invalid credentials!"
-        return nil
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(
+          module_fullname: self.fullname,
+          workspace_id: myworkspace_id
+      )
+      case result.status
+        when Metasploit::Model::Login::Status::SUCCESSFUL
+          print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
+          credential_core = create_credential(credential_data)
+          credential_data[:core] = credential_core
+          create_credential_login(credential_data)
+          :next_user
+        when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+          invalidate_login(credential_data)
+          :abort
+        when Metasploit::Model::Login::Status::INCORRECT
+          print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+          invalidate_login(credential_data)
       end
-
-    rescue ::Timeout::Error
-      print_error "Connection timed out while attempting to reach #{vhost}!"
-      return :connection_error
-
-    rescue ::Errno::EPIPE
-      print_error "Broken pipe error when connecting to #{vhost}!"
-      return :connection_error
     end
-  end
-
-  def register_creds(username, password, ipaddr)
-    # Build service information
-    service_data = {
-      address: ipaddr,
-      port: datastore['RPORT'],
-      service_name: 'http',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    # Build credential information
-    credential_data = {
-      origin_type: :service,
-      module_fullname: self.fullname,
-      private_data: password,
-      private_type: :password,
-      username: username,
-      workspace_id: myworkspace_id
-    }
-
-    credential_data.merge!(service_data)
-    credential_core = create_credential(credential_data)
-
-    # Assemble the options hash for creating the Metasploit::Credential::Login object
-    login_data = {
-      access_level: "user",
-      core: credential_core,
-      last_attempted_at: DateTime.now,
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
-      workspace_id: myworkspace_id
-    }
 
-    login_data.merge!(service_data)
-    create_credential_login(login_data)
   end
 
 end