Land rapid7#8489, more httpClient modules use store_valid_credential

Author: jinq102030

modules/exploits/linux/http/atutor_filemanager_traversal.rb

@@ -293,37 +293,10 @@ def login(username, password, check=false)
     return nil
   end
 
-  def report_cred(opts)
-    service_data = {
-      address: rhost,
-      port: rport,
-      service_name: ssl ? 'https' : 'http',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      module_fullname: fullname,
-      post_reference_name: self.refname,
-      private_data: opts[:password],
-      origin_type: :service,
-      private_type: :password,
-      username: opts[:user]
-    }.merge(service_data)
-
-    login_data = {
-      core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
-      last_attempted_at: Time.now
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
-
   def exploit
     # login if needed
     if (not datastore['USERNAME'].empty? and not datastore['PASSWORD'].empty?)
-      report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
+      store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
       student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
       print_good("Logged in as #{datastore['USERNAME']}")
     # else, we reset the students password via a type juggle vulnerability
@@ -352,6 +325,10 @@ def exploit
   end
 end
 
+def service_details
+  super.merge({ post_reference_name: self.refname })
+end
+
 =begin
 php.ini settings:
 display_errors = On  

modules/exploits/linux/http/cisco_firepower_useradd.rb

@@ -158,33 +158,6 @@ def generate_new_password
     datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
   end
 
-  def report_cred(opts)
-    service_data = {
-      address: rhost,
-      port: rport,
-      service_name: 'cisco',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      origin_type: :service,
-      module_fullname: fullname,
-      username: opts[:user],
-      private_data: opts[:password],
-      private_type: :password
-    }.merge(service_data)
-
-    login_data = {
-      last_attempted_at: DateTime.now,
-      core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
-      proof: opts[:proof]
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
-
   def do_login
     console_user = datastore['USERNAME']
     console_pass = datastore['PASSWORD']
@@ -211,7 +184,7 @@ def do_login
       cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
       print_status("CGI Session ID: #{cgi_sid}")
       print_good("Authenticated as #{console_user}:#{console_pass}")
-      report_cred(username: console_user, password: console_pass)
+      store_valid_credential(user: console_user, private: console_pass) # changes service_name to http || https
       return cgi_sid
     end
 

modules/exploits/linux/http/kloxo_sqli.rb

@@ -71,33 +71,6 @@ def initialize(info = {})
       ])
   end
 
-  def report_cred(opts)
-    service_data = {
-      address: opts[:ip],
-      port: opts[:port],
-      service_name: opts[:service_name],
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      module_fullname: fullname,
-      post_reference_name: self.refname,
-      private_data: opts[:password],
-      origin_type: :service,
-      private_type: :password,
-      username: opts[:user]
-    }.merge(service_data)
-
-    login_data = {
-      core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
-      last_attempted_at: opts[:attempt_time]
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
-
   def check
     return Exploit::CheckCode::Safe unless webcommand_exists?
     return Exploit::CheckCode::Safe if exploit_sqli(1, bad_char(0))
@@ -119,14 +92,7 @@ def exploit
     @session = send_login
     fail_with(Failure::NoAccess, "#{peer} - Login with admin/#{@password} failed...") if @session.nil?
 
-    report_cred(
-      ip: rhost,
-      port: rport,
-      user: 'admin',
-      service_name: 'http',
-      password: @password,
-      attempt_time: DateTime.now
-    )
+    store_valid_credential(user: 'admin', private: @password)
 
     print_status("Retrieving the server name...")
     @server = server_info

modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb

@@ -156,48 +156,16 @@ def do_login
          'encode_params' => false,
          'data'     => post_data
        })
-
-       sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
-       print_status("Saving login credentials into Metasploit DB")
-       report_cred(uname, passwd)
     else
        print_status("Valid login credentials provided. Successfully logged in")
-       sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
-       print_status("Saving login credentials into Metasploit DB")
-       report_cred(uname, passwd)
     end
 
-    return sessid_cookie
+    sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
+    print_status("Saving login credentials into Metasploit DB")
+    store_valid_credential(user: uname, private: passwd)
 
-  end
+    return sessid_cookie
 
-  def report_cred(username, password)
-    # Function used to save login credentials into Metasploit database
-    service_data = {
-      address: rhost,
-      port: rport,
-      service_name: ssl ? 'https' : 'http',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      module_fullname: self.fullname,
-      origin_type: :service,
-      username: username,
-      private_data: password,
-      private_type: :password
-    }.merge(service_data)
-
-    credential_core = create_credential(credential_data)
-
-    login_data = {
-      core: credential_core,
-      last_attempted_at: DateTime.now,
-      status: Metasploit::Model::Login::Status::SUCCESSFUL
-    }.merge(service_data)
-
-    create_credential_login(login_data)
   end
 
   def create_user

modules/exploits/linux/http/symantec_web_gateway_restore.rb

@@ -187,34 +187,6 @@ def inject_exec(sid)
     })
   end
 
-  def save_cred(username, password)
-    service_data = {
-      address: rhost,
-      port: rport,
-      service_name: protocol,
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      module_fullname: self.fullname,
-      origin_type: :service,
-      username: username,
-      private_data: password,
-      private_type: :password
-    }.merge(service_data)
-
-    credential_core = create_credential(credential_data)
-
-    login_data = {
-      core: credential_core,
-      last_attempted_at: DateTime.now,
-      status: Metasploit::Model::Login::Status::SUCCESSFUL
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
-
   def exploit
     print_status("Getting the PHPSESSID...")
     sid = get_sid
@@ -230,7 +202,7 @@ def exploit
       return
     else
       # Good password, keep it
-      save_cred(datastore['USERNAME'], datastore['PASSWORD'])
+      store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
     end
 
     print_status("Trying restore.php...")

modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb

@@ -89,7 +89,7 @@ def test_login(user, pass)
             fail_with(Failure::Unknown, "Could not connect to web service - invalid credentials (response code: #{res.code}")
           else
             print_good("Successful login #{user} : #{pass}")
-            save_cred(user, pass)
+            store_valid_credential(user: user, private: pass) # service_name becomes http || https, a conflicting service_details could occur in future. Telnet lib does not yet provide service_details.
           end
         rescue ::Rex::ConnectionError
           fail_with(Failure::Unknown, "Could not connect to the web service")
@@ -172,32 +172,4 @@ def negotiate_telnet(sock)
         return nil
       end
     end
-
-  def save_cred(username, password)
-    service_data = {
-      address: rhost,
-      port: rport,
-      service_name: 'telnet',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      module_fullname: self.fullname,
-      origin_type: :service,
-      username: username,
-      private_data: password,
-      private_type: :password
-    }.merge(service_data)
-
-    credential_core = create_credential(credential_data)
-
-    login_data = {
-      core: credential_core,
-      last_attempted_at: DateTime.now,
-      status: Metasploit::Model::Login::Status::SUCCESSFUL
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
 end

modules/exploits/linux/http/trendmicro_sps_exec.rb

@@ -154,46 +154,13 @@ def login
           sid = res.get_cookies.scan(/([^=]*)=[^;]*;/).last.first
           sid_value = res.get_cookies.scan(/#{sid}=([^;]*);/).last.first
         end
-        report_cred(
-            ip: datastore['RHOST'],
-            port: datastore['RPORT'],
-            service_name: (ssl ? "https" : "http"),
-            user: datastore['ADMINACCOUNT'],
-            password: datastore['ADMINPASS'],
-            proof: "#{sid}=#{sid_value}"
-        )
+        store_valid_credential(user: datastore['ADMINACCOUNT'], private: datastore['ADMINPASS'], proof: "#{sid}=#{sid_value}")
         return {"sid" => sid, "sid_value" => sid_value}
       end
     end
     nil
   end
 
-  def report_cred(opts)
-    service_data = {
-        address: opts[:ip],
-        port: opts[:port],
-        service_name: opts[:service_name],
-        protocol: 'tcp',
-        workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-        origin_type: :service,
-        module_fullname: fullname,
-        username: opts[:user],
-        private_data: opts[:password],
-        private_type: :password
-    }.merge(service_data)
-
-    login_data = {
-        core: create_credential(credential_data),
-        status: Metasploit::Model::Login::Status::SUCCESSFUL,
-        proof: opts[:proof]
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
-
   def exploit
     opts = login
     if opts

modules/exploits/multi/http/atutor_sqli.rb

@@ -136,7 +136,7 @@ def login(username, hash)
     cookie = "ATutorID=#{$4};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
     if res && res.code == 302 && res.redirection.to_s.include?('admin/index.php')
       # if we made it here, we are admin
-      report_cred(user: username, password: hash)
+      store_valid_credential(user: username, private: hash, private_type: :nonreplayable_hash)
       return cookie
     end
     # auth failed if we land here, bail
@@ -227,32 +227,8 @@ def test_injection
     return false
   end
 
-  def report_cred(opts)
-    service_data = {
-      address: rhost,
-      port: rport,
-      service_name: ssl ? 'https' : 'http',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      module_fullname: fullname,
-      post_reference_name: self.refname,
-      private_data: opts[:password],
-      origin_type: :service,
-      private_type: :nonreplayable_hash,
-      jtr_format: 'sha512',
-      username: opts[:user]
-    }.merge(service_data)
-
-    login_data = {
-      core: create_credential(credential_data),
-      status: Metasploit::Model::Login::Status::SUCCESSFUL,
-      last_attempted_at: Time.now
-    }.merge(service_data)
-
-    create_credential_login(login_data)
+  def service_details
+    super.merge({ post_reference_name: self.refname, jtr_format: 'sha512' })
   end
 
   def exploit