Fix #9513, Add private_type to be able to store password for Tomcat #9552

Merged
merged 1 commit into from
Feb 14, 2018

@wchen-r7 wchen-r7 commented Feb 13, 2018

Description

This PR fixes a credential reporting issue with auxiliary/scanner/http/tomcat_mgr_login.

If there is no :private_type, the create_credential method in Metasploit::Credential::Creation will quietly skip the password, which makes it look like a bug when the user is trying to view the password from the creds command.

Fix #9513

Verification

  • Set up a Tomcat instance (make sure you have Java installed): apache-tomcat-9.0.1.zip
  • Save a new username/password in data/wordlists/tomcat_mgr_default_userpass.txt. Make sure the new user/pass is the last on the list.
  • Start msfconsole
  • Do: use auxiliary/scanner/http/tomcat_mgr_login
  • Do: set rhosts [ip]
  • Do: run
  • Do: creds
  • Make sure you can see your new user/pass, also the private_type on the list.

…mcat

If there is no :private_type, the create_credential method in
Metasploit::Credential::Creation will quietly skip the password,
which makes it look like a bug when the user is trying to view
the password from the creds command.

Fix rapid7#9513
@zeroSteiner

Works as intended. The details in the issue report were a lot of help in trying to reproduce the problem before verifying this addressed it.

Example with the patch:

metasploit-framework (S:0 J:0) auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS 192.168.254.121
RHOSTS => 192.168.254.121
metasploit-framework (S:0 J:0) auxiliary(scanner/http/tomcat_mgr_login) > run

[-] [2018.02.13-19:22:46] 192.168.254.121:8080 - LOGIN FAILED: admin:admin (Incorrect)
[-] [2018.02.13-19:22:46] 192.168.254.121:8080 - LOGIN FAILED: admin:manager (Incorrect)
[-] [2018.02.13-19:22:46] 192.168.254.121:8080 - LOGIN FAILED: admin:role1 (Incorrect)
...
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: both:vagrant (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: xampp:xampp (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: tomcat:s3cret (Incorrect)
[-] [2018.02.13-19:22:48] 192.168.254.121:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] [2018.02.13-19:22:49] 192.168.254.121:8080 - LOGIN FAILED: admin:vagrant (Incorrect)
[+] [2018.02.13-19:22:49] 192.168.254.121:8080 - Login Successful: msftest:msftest123!
[*] [2018.02.13-19:22:49] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/http/tomcat_mgr_login) > creds 
Credentials
===========

host             origin           service          public   private      realm  private_type
----             ------           -------          ------   -------      -----  ------------
192.168.254.121  192.168.254.121  8080/tcp (http)  msftest  msftest123!         Password

metasploit-framework (S:0 J:0) auxiliary(scanner/http/tomcat_mgr_login) > 

I'll get this landed momentarily.

@zeroSteiner zeroSteiner merged commit fbeba8b into rapid7:master Feb 14, 2018
zeroSteiner added a commit that referenced this pull request Feb 14, 2018

zeroSteiner commented Feb 14, 2018

Release Notes

This fix resolves a bug in the auxiliary/scanner/http/tomcat_mgr_login module that was causing a recovered credential pair to not be stored in the database under certain conditions. The module now ensures that the private_type is set to password, causing the information to be stored correctly.

msjenkins-r7 pushed a commit that referenced this pull request Feb 14, 2018
@allrosenthal-r7 allrosenthal-r7 added the rn-fix release notes fix label Feb 27, 2018
@wchen-r7 wchen-r7 deleted the fix_9513 branch August 6, 2018 17:14
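
Added example, not part of this pull request or of Metasploit's own code: a small Ruby check for the bug class fixed here, flagging hash literals that set `private_data` (the `create_credential` option that carries the secret) without `private_type`. The sample module snippet is constructed, and `credential_hashes_missing_type` is a hypothetical helper name.

```ruby
# Added example (not Metasploit code): heuristic lint for credential hashes
# that set private_data but omit private_type.
DATA_KEY = /\bprivate_data:|:private_data\s*=>/
TYPE_KEY = /\bprivate_type:|:private_type\s*=>/

# Hypothetical helper: returns the 1-based line numbers where such a hash opens.
def credential_hashes_missing_type(src)
  work = src.dup          # scratch copy; finished literals get blanked out
  stack = []              # character offsets of unmatched '{'
  findings = []
  src.each_char.with_index do |ch, i|
    if ch == '{'
      stack.push(i)
    elsif ch == '}' && !stack.empty?
      start = stack.pop
      body = work[start..i]
      if body.match?(DATA_KEY) && !body.match?(TYPE_KEY)
        findings << (src[0...start].count("\n") + 1)
      end
      # Blank the literal (keeping newlines) so an enclosing one is judged
      # only on its own keys.
      work[start..i] = body.gsub(/[^\n]/, ' ')
    end
  end
  findings.sort
end

# Constructed sample, not the module's real source.
SAMPLE = <<~'RUBY'
  def report_before(result)
    credential_data = {
      origin_type: :service,
      username: result.credential.public,
      private_data: result.credential.private
    }
    create_credential(credential_data)
  end

  def report_after(result)
    credential_data = {
      origin_type: :service,
      username: result.credential.public,
      private_data: result.credential.private,
      private_type: :password
    }
    create_credential(credential_data)
  end
RUBY

puts "private_type missing in hash opened on line(s): #{credential_hashes_missing_type(SAMPLE).inspect}"
```

The check only sees keys written inside the literal itself, so a hit where `private_type` is merged in afterwards needs a manual look.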