Create exploit for CVE-2015-2996/8 (sysaid SQL database cred disclosure)

[pedrib]

This module exploits two vulnerabilities in SysAid Help Desk 14.4 to obtain the SQL database credentials. This module has been tested on Windows and Linux.

[void-in]

@pedrib You can omit the OSVDB and reference URL entries that is currently having TODO entries. These are causing the travis to fail. Once the OSVDB entries are allocated, another commit can be pushed then.

[void-in]

I think this rescue statement should be right after the line:

db_address = Rex::Socket.getaddress(db_address, true)

and all other statements should be outside the begin rescue block. This way it is easy to determine what it is rescue-ing.

[pedrib]

Thanks for the comment - what should be the db_address set to then? 127.0.0.1?

[void-in]

Actually I was suggesting like:

if database_url['localhost'] == 'localhost'
  db_address = rhost
else
  begin
    db_address = matches.captures[2]
    db_address = (db_address.index(':') ? db_address[0, db_address.index(':')] : db_address)
    db_address = Rex::Socket.getaddress(db_address, true)
  rescue
    print_error "Could not resolve database server hostname."
  end
end

This way the rescue is more easy to follow with the begin.

[wchen-r7]

Delayed label applied. Author pinged.

[pedrib]

Addressed two of your comments, please see my comment above for the other one.

[jvazquez-r7]

I'm downloading the beta from the home page. If the beta isn't vulnerable anymore would be nice if you could provide us with installer URL if available or just a PCAP for verification (without SSL pls, otherwise a ssl capable proxy would be good enough :))

[jvazquez-r7]

Prolly has more sense to rescue Rex::ConnectionError which will also take care of Rex::ConnectionRefused

[pedrib]

@jvazquez-r7 I've uploaded the vulnerable version to dropbox:
https://www.dropbox.com/s/fbkydxrcbfl9j0y/SysAidServer64.exe?dl=0 (Windows)
https://www.dropbox.com/s/k0zr201ef1kfts3/sysaid-server-linux.tar.gz?dl=0 (Linux)

These are the vulnerable 14.2 version. Let me know if you need anything else!

[jvazquez-r7]

Thanks @pedrib, landed after some cleanup, see final result here: 29718ce

Test:

cremsf auxiliary(sysaid_sql_creds) > run

[*] 172.16.158.131:8080 - Stored SQL credentials sa:Password1 for localhost:1450
[*] Auxiliary module execution completed
msf auxiliary(sysaid_sql_creds) > creds
Credentials
===========

host            service           public  private    realm  private_type
----            -------           ------  -------    -----  ------------
172.16.158.131  1450/tcp (mssql)  sa      Password1         Password

msf auxiliary(sysaid_sql_creds) > exit

[pedrib]

@jvazquez-r7 I'm getting this on mine with your version:

msf auxiliary(sysaid_db) > run

[-] Auxiliary failed: NoMethodError undefined method +' for nil:NilClass [-] Call stack: [-] /usr/share/metasploit-framework/modules/auxiliary/admin/http/sysaid_db.rb:95:inrun'
[*] Auxiliary module execution completed

???