require 'metasploit/framework/login_scanner/http'
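module Metasploit
  module Framework
    module LoginScanner
      # Login scanner for the Caidao web-shell backdoor.
      #
      # A Caidao shell takes its code from the value of a POST parameter whose
      # *name* is the shell password. The scanner therefore sends each
      # candidate password as a parameter name with a small marker-printing
      # payload as the value, and reports success only when the response
      # echoes the three random markers back-to-back.
      class Caidao < HTTP
        # Inherit LIKELY_PORTS, LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
        DEFAULT_PORT = 80
        PRIVATE_TYPES = [:password].freeze
        LOGIN_STATUS = Metasploit::Model::Login::Status # Shorter name

        # Checks if the target is correct and builds the probe payload.
        #
        # The payload language is chosen from the extension at the very end of
        # +uri+ (php, asp or aspx); a URI with a query string or a trailing
        # path component is reported as unsupported.
        #
        # @return [false] Indicates there were no errors
        # @return [String] a human-readable error message describing why
        #   this scanner can't run
        def check_setup
          # Markers are randomised per scanner instance so that the success
          # check in #try_login cannot match a fixed, guessable string.
          @flag  ||= Rex::Text.rand_text_alphanumeric(4)
          @lmark ||= Rex::Text.rand_text_alphanumeric(4)
          @rmark ||= Rex::Text.rand_text_alphanumeric(4)

          # \z anchors at the end of the string; "aspx" is tested before "asp"
          # only for clarity, since /asp\z/ cannot match a URI ending in "x".
          @payload =
            case uri
            when /php\z/i  then php_payload
            when /aspx\z/i then aspx_payload
            when /asp\z/i  then asp_payload
            end
          return false if @payload

          'Unable to locate target extension in uri. (Is this really caidao?)'
        end

        # Caidao shells are driven by POST, so default the HTTP method to it
        # before the generic HTTP defaults are applied.
        def set_sane_defaults
          self.method = 'POST' if self.method.nil?
          super
        end

        # Actually doing the login. Called by #attempt_login
        #
        # @param username [String] The username to try; Caidao has no
        #   username concept, so it is ignored
        # @param password [String] The password to try
        # @return [Hash]
        #   * :status [Metasploit::Model::Login::Status]
        #   * :proof [String] the HTTP response body
        def try_login(username, password)
          res = send_request(
            'method' => method,
            'uri' => uri,
            # The candidate password is the parameter *name*; the payload
            # built by #check_setup is its value.
            # NOTE(review): neither part is form-encoded, so a password
            # containing '=' or '&' would be split by the server — confirm
            # whether such passwords need supporting.
            'data' => "#{password}=#{@payload}"
          )
          return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s } unless res

          # Only the contiguous marker triple counts as proof of execution.
          expected = "#{@lmark}#{@flag}#{@rmark}"
          status =
            if res.code == 200 && res.body.to_s.include?(expected)
              LOGIN_STATUS::SUCCESSFUL
            else
              LOGIN_STATUS::INCORRECT
            end

          { status: status, proof: res.to_s }
        end

        # Attempts to login to Caidao Backdoor. This is called first.
        #
        # @param credential [Metasploit::Framework::Credential] The credential object
        # @return [Result] A Result object indicating success or failure
        def attempt_login(credential)
          result_opts = {
            credential: credential,
            status: LOGIN_STATUS::INCORRECT,
            proof: nil,
            host: host,
            port: port,
            protocol: 'tcp',
            service_name: ssl ? 'https' : 'http'
          }

          begin
            result_opts.merge!(try_login(credential.public, credential.private))
          rescue ::Rex::ConnectionError => e
            # A refused/unreachable host is a transport failure, not a wrong password.
            result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
          end

          Result.new(result_opts)
        end

        private

        # PHP probe: stores the flag in $_ and echoes lmark, flag, rmark.
        def php_payload
          %($_="#{@flag}";echo "#{@lmark}".$_."#{@rmark}";)
        end

        # Classic ASP (VBScript) probe: writes the three markers in sequence.
        # Doubled quotes are the VBScript escape for a literal quote inside
        # the string handed to execute().
        def asp_payload
          %(execute("response.write(""#{@lmark}""):response.write(""#{@flag}""):response.write(""#{@rmark}""):response.end"))
        end

        # ASP.NET probe: writes the three markers in sequence.
        def aspx_payload
          %(Response.Write("#{@lmark}");Response.Write("#{@flag}");Response.Write("#{@rmark}"))
        end
      end
    end
  end
end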