Land rapid7#3748, @wchen-r7's HP System Management Homepage LoginScanner Upgrade

jvazquez-r7 · jvazquez-r7 · commit e810acd4e924 · 2014-09-12T11:13:14.000-05:00
diff --git a/lib/metasploit/framework/login_scanner/smh.rb b/lib/metasploit/framework/login_scanner/smh.rb
@@ -0,0 +1,58 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # HP System Management login scanner tested on v6.3.1.24 upto v7.2.1.3 and 7.4
+      class Smh < HTTP
+
+        DEFAULT_PORT  = 4848
+        PRIVATE_TYPES = [ :password ]
+        CAN_GET_SESSION = true
+
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential
+          }
+
+          req_opts = {
+            'method' => 'POST',
+            'uri'    => '/proxy/ssllogin',
+            'vars_post' => {
+              'redirecturl'         => '',
+              'redirectquerystring' => '',
+              'user'                => credential.public,
+              'password'            => credential.private
+            }
+          }
+
+          res = nil
+
+          begin
+            cli = Rex::Proto::Http::Client.new(host, port, {}, ssl, ssl_version)
+            cli.connect
+            req = cli.request_cgi(req_opts)
+            res = cli.send_recv(req)
+
+          rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, ::EOFError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+            return Result.new(result_opts)
+          end
+
+          if res && res.headers['CpqElm-Login'].to_s =~ /success/
+            result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL)
+          else
+            result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT)
+          end
+
+          Result.new(result_opts)
+        end
+
+      end
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'metasploit/framework/login_scanner/smh'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -21,81 +22,172 @@ def initialize(info={})
       },
       'License'        => MSF_LICENSE,
       'Author'         => [ 'sinn3r' ],
-      'DefaultOptions' => { 'SSL' => true }
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'RPORT' => 2381,
+          'USERPASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "http_default_userpass.txt"),
+          'USER_FILE' => File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt"),
+          'PASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "unix_passwords.txt")
+        }
     ))
+  end
 
-    register_options(
-      [
-        Opt::RPORT(2381),
-        OptPath.new('USERPASS_FILE',  [ false, "File containing users and passwords separated by space, one pair per line",
-          File.join(Msf::Config.data_directory, "wordlists", "http_default_userpass.txt") ]),
-        OptPath.new('USER_FILE',  [ false, "File containing users, one per line",
-          File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt") ]),
-        OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
-          File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt") ]),
-      ], self.class)
+  def get_version(res)
+    if res
+      return res.body.scan(/smhversion = "HP System Management Homepage v([\d\.]+)"/i).flatten[0] || ''
+    end
+
+    ''
+  end
+
+  def is_version_tested?(version)
+    # As of Sep 4 2014, version 7.4 is the latest and that's the last one we've tested
+    if Gem::Version.new(version) < Gem::Version.new('7.5')
+      return true
+    end
+
+    false
   end
 
-  def anonymous_access?
-    res = send_request_raw({'uri' => '/'})
+  def get_system_name(res)
+    if res
+      return res.body.scan(/fullsystemname = "(.+)"/i).flatten[0] || ''
+    end
+
+    ''
+  end
+
+  def anonymous_access?(res)
     return true if res and res.body =~ /username = "hpsmh_anonymous"/
     false
   end
 
-  def do_login(user, pass)
-    begin
-      res = send_request_cgi({
-        'method' => 'POST',
-        'uri'    => '/proxy/ssllogin',
-        'vars_post' => {
-          'redirecturl'         => '',
-          'redirectquerystring' => '',
-          'user'                => user,
-          'password'            => pass
-        }
-      })
+  def init_loginscanner(ip)
+    @cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file:       datastore['PASS_FILE'],
+      password:        datastore['PASSWORD'],
+      user_file:       datastore['USER_FILE'],
+      userpass_file:   datastore['USERPASS_FILE'],
+      username:        datastore['USERNAME'],
+      user_as_pass:    datastore['USER_AS_PASS']
+    )
 
-      if not res
-        vprint_error("#{peer} - Connection timed out")
-        return :abort
-      end
-    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
-      vprint_error("#{peer} - Failed to response")
-      return :abort
-    end
+    @scanner = Metasploit::Framework::LoginScanner::Smh.new(
+      host:               ip,
+      port:               rport,
+      uri:                datastore['URI'],
+      proxies:            datastore["PROXIES"],
+      cred_details:       @cred_collection,
+      stop_on_success:    datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 5
+    )
+
+    @scanner.ssl         = datastore['SSL']
+    @scanner.ssl_version = datastore['SSLVERSION']
+  end
+
+ def do_report(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
 
-    if res.headers['CpqElm-Login'].to_s =~ /success/
-      print_good("#{peer} - Successful login: '#{user}:#{pass}'")
-      report_auth_info({
-        :host  => rhost,
-        :port  => rport,
-        :sname => 'https',
-        :user  => user,
-        :pass  => pass,
-        :proof => "CpqElm-Login: #{res.headers['CpqElm-Login']}"
-      })
-
-      return :next_user
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def bruteforce(ip)
+    @scanner.scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
+        do_report(ip, rport, result)
+        :next_user
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+        :abort
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+      end
     end
   end
 
 
   def run_host(ip)
-    if anonymous_access?
-      print_status("#{peer} - No login necessary. Server allows anonymous access.")
-      return
+    res = send_request_cgi({
+      'uri' => '/cpqlogin.htm',
+      'method' => 'GET',
+      'vars_get' => {
+        'RedirectUrl' => '/cpqlogin',
+        'RedirectQueryString' => ''
+      }
+    })
+
+    version = get_version(res)
+    unless version.blank?
+      print_status("#{peer} - Version detected: #{version}")
+      unless is_version_tested?(version)
+        print_warning("#{peer} - You're running the module against a version we have not tested")
+      end
+    end
+
+    sys_name = get_system_name(res)
+    unless sys_name.blank?
+      print_status("#{peer} - System name detected: #{sys_name}")
+      report_note(
+        :host => ip,
+        :type => "system.name",
+        :data => sys_name
+      )
     end
 
-    each_user_pass { |user, pass|
-      # Actually respect the BLANK_PASSWORDS option
-      next if not datastore['BLANK_PASSWORDS'] and pass.blank?
+    if anonymous_access?(res)
+      print_good("#{peer} - No login necessary. Server allows anonymous access.")
+      return
+    end
 
-      vprint_status("#{peer} - Trying: '#{user}:#{pass}'")
-      do_login(user, pass)
-    }
+    init_loginscanner(ip)
+    bruteforce(ip)
   end
 end
 
-=begin
-Tested: v6.3.1.24 upto v7.2.1.3
-=end
diff --git a/spec/lib/metasploit/framework/login_scanner/smh_spec.rb b/spec/lib/metasploit/framework/login_scanner/smh_spec.rb
@@ -0,0 +1,90 @@
+
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/smh'
+
+describe Metasploit::Framework::LoginScanner::Smh do
+
+  subject(:smh_cli) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+  context "#attempt_login" do
+
+    let(:username) { 'admin' }
+    let(:password) { 'password' }
+
+    let(:cred) do
+      Metasploit::Framework::Credential.new(
+        paired: true,
+        public: username,
+        private: password
+      )
+    end
+
+    let(:invalid_cred) do
+      Metasploit::Framework::Credential.new(
+        paired: true,
+        public: 'username',
+        private: 'novalid'
+      )
+    end
+
+    context "when Rex::Proto::Http::Client#connect raises Rex::ConnectionError" do
+      it 'returns status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+        allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Rex::ConnectionError)
+        expect(smh_cli.attempt_login(cred).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+    end
+
+    context "when Rex::Proto::Http::Client#connect raises Timeout::Error" do
+      it 'returns status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+        allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Timeout::Error)
+        expect(smh_cli.attempt_login(cred).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+    end
+
+    context "when Rex::Proto::Http::Client#connect raises EOFError" do
+      it 'returns status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+        allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(EOFError)
+        expect(smh_cli.attempt_login(cred).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+    end
+
+    context "when valid HP System Management application" do
+      before :each do
+        allow_any_instance_of(Rex::Proto::Http::Client).to receive(:send_recv) do |cli, req|
+
+          if req.opts['uri'] && req.opts['uri'].include?('/proxy/ssllogin') &&
+              req.opts['vars_post'] &&
+              req.opts['vars_post']['user'] &&
+              req.opts['vars_post']['user'] == username &&
+              req.opts['vars_post']['password'] &&
+              req.opts['vars_post']['password'] == password
+            res = Rex::Proto::Http::Response.new(200)
+            res.headers['CpqElm-Login'] = 'success'
+            res
+          else
+            res = Rex::Proto::Http::Response.new(404)
+          end
+
+          res
+        end
+      end
+
+      context "when valid login" do
+        it 'returns status Metasploit::Model::Login::Status::SUCCESSFUL' do
+          expect(smh_cli.attempt_login(cred).status).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+        end
+      end
+
+      context "when invalid login" do
+        it 'returns status Metasploit::Model::Login::Status::INCORRECT' do
+          expect(smh_cli.attempt_login(invalid_cred).status).to eq(Metasploit::Model::Login::Status::INCORRECT)
+        end
+      end
+
+    end
+  end
+
+end
