Converting Module to LoginScanner w/ Specs

nstarke · nstarke · commit b8c2643d566c · 2014-10-06T21:14:10.000-05:00
The previous commits for this Jenkins CI module relied on an
obsolete pattern.  Consequently, it was necessary to write
this module as a LoginScanner and incorporate the appropriate
specs so that the tests will run properly.
diff --git a/lib/metasploit/framework/login_scanner/jenkins.rb b/lib/metasploit/framework/login_scanner/jenkins.rb
@@ -0,0 +1,60 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # Tomcat Manager login scanner
+      class Jenkins < HTTP
+
+        # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
+        CAN_GET_SESSION = true
+        DEFAULT_PORT    = 8080
+        PRIVATE_TYPES   = [ :password ]
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = "/j_acegi_security_check" if self.uri.nil?
+          self.method = "POST" if self.method.nil?
+
+          super
+        end
+
+        def attempt_login(credential)
+          result_opts = {
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp'
+          }
+          if ssl
+            result_opts[:service_name] = 'https'
+          else
+            result_opts[:service_name] = 'http'
+          end
+          begin
+            cli = Rex::Proto::Http::Client.new(host, port, {}, ssl, ssl_version)
+            cli.connect
+            req = cli.request_cgi({
+              'method'=>'POST',
+              'uri'=>'/j_acegi_security_check',
+              'vars_post'=> {
+                'j_username' => credential.public,
+                'j_password'=>credential.private
+                }
+            })
+            res = cli.send_recv(req)
+            if res && !res.headers['location'].include?('loginError')
+              result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.headers)
+            else
+              result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
+            end
+          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          end
+          Result.new(result_opts)
+        end
+      end
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/http/jenkins_login.rb b/modules/auxiliary/scanner/http/jenkins_login.rb
@@ -4,14 +4,16 @@
 ##
 require 'pry'
 require 'msf/core'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/jenkins'
 
 class Metasploit3 < Msf::Auxiliary
-
+  
+  include Msf::Auxiliary::Scanner
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::AuthBrute
-  include Msf::Auxiliary::Scanner
-
+  
   def initialize
     super(
       'Name'           => 'Jenkins-CI Login Utility',
@@ -22,59 +24,52 @@ def initialize
 
     register_options(
       [
-        Opt::RPORT(8080),
-        OptAddress.new('RHOST', [ true, "The target address", true])
+        Opt::RPORT(8080)
       ], self.class)
 
     register_autofilter_ports([ 80, 443, 8080, 8081, 8000 ])
-    deregister_options('RHOSTS')
   end
 
-  def run
-    each_user_pass do |user, pass|
-      next if (user.blank? or pass.blank?)
-      vprint_status("Trying #{user} : #{pass}")
-      if (datastore['SSL'].to_s.match(/^(t|y|1)/i))
-        protocol = 'https://'
+  def run_host(ip)
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+            blank_passwords: datastore['BLANK_PASSWORDS'],
+            pass_file: datastore['PASS_FILE'],
+            password: datastore['PASSWORD'],
+            user_file: datastore['USER_FILE'],
+            userpass_file: datastore['USERPASS_FILE'],
+            username: datastore['USERNAME'],
+            user_as_pass: datastore['USER_AS_PASS'],
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
+      host: ip,
+      port: rport,
+      proxies: datastore['PROXIES'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 10,
+      user_agent: datastore['UserAgent'],
+      vhost: datastore['VHOST']
+    )
+   
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(
+          module_fullname: self.fullname,
+          workspace_id: myworkspace_id
+      )
+      if result.success?
+        credential_core = create_credential(credential_data)
+        credential_data[:core] = credential_core
+        create_credential_login(credential_data)
+
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
       else
-        protocol = 'http://'
-      do_login(user, pass)
+        invalidate_login(credential_data)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
       end
     end
-  end
 
-  def do_login(user, pass)
-    begin
-      post_data = {
-        'j_username' => user,
-        'j_password' => pass
-      }
-      res = send_request_cgi({
-        'uri' => '/j_acegi_security_check',
-        'method' => 'POST',
-        'vars_post' => post_data
-      })
-    rescue ::Rex::ConnectionError => e
-      vprint_error("#{rhost}:#{rport}#{url} - #{e}")
-      return
-    end
-    if not res
-      vprint_error("#{rhost}:#{rport}#{url} - #{e}")
-      return
-    end
-    if !res.headers['location'].include? 'loginError'
-      print_good("SUCCESSFUL LOGIN. '#{user} : #{pass}'")
-      report_hash = {
-        :host => datastore['RHOST'],
-        :port => datastore['RPORT'],
-        :sname => 'jenkins',
-        :user => user,
-        :pass => pass,
-        :active => true,
-        :type => 'password'
-      }
-      report_auth_info(report_hash)
-      return :next_user
-    end
   end
+
 end
diff --git a/spec/lib/metasploit/framework/login_scanner/jenkins_spec.rb b/spec/lib/metasploit/framework/login_scanner/jenkins_spec.rb
@@ -0,0 +1,10 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/jenkins'
+
+describe Metasploit::Framework::LoginScanner::Jenkins do
+
+    it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
+    it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+    it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP'
+
+end
