Class: Metasploit::Framework::LoginScanner::DirectAdmin

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::DirectAdmin

Defined in:

lib/metasploit/framework/login_scanner/directadmin.rb

Constant Summary

DEFAULT_PORT =

443

PRIVATE_TYPES =

[ :password ]

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Attempts to login to DirectAdmin Web Control Panel.

• #check_setup ⇒ false, String

  Checks if the target is correct.

• #get_last_sid ⇒ String

  Returns the latest sid from DirectAdmin Control Panel.

• #get_login_state(username, password) ⇒ Hash

  Actually doing the login.

Methods inherited from HTTP

#authentication_required?, #send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to DirectAdmin Web Control Panel. This is called first.

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Result) —

  A Result object indicating success or failure

# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 97

def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp',
    service_name: ssl ? 'https' : 'http'
  }

  begin
    result_opts.merge!(get_login_state(credential.public, credential.private))
  rescue ::Rex::ConnectionError => e
    # Something went wrong during login. 'e' knows what's up.
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e.message)
  end

  Result.new(result_opts)
end

#check_setup ⇒ false, String

Checks if the target is correct

Returns:

• (false) —

  Indicates there were no errors

• (String) —

  a human-readable error message describing why this scanner can’t run

# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 18

def check_setup
  login_uri = normalize_uri("#{uri}/CMD_LOGIN")
  res = send_request({'uri'=> login_uri})

  if res && res.body.include?('DirectAdmin Login')
    return false
  end

  'Unable to locate "DirectAdmin Login" in body. (Is this really DirectAdmin?)'
end

#get_last_sid ⇒ String

Returns the latest sid from DirectAdmin Control Panel

Returns:

• (String) —

  The PHP Session ID for DirectAdmin Web Control login

# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 33

def get_last_sid
  @last_sid ||= lambda {
    # We don't have a session ID. Well, let's grab one right quick from the login page.
    # This should probably only happen once (initially).
    login_uri = normalize_uri("#{uri}/CMD_LOGIN")
    res = send_request({'uri' => login_uri})

    return '' unless res

    cookies = res.get_cookies
    @last_sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
  }.call
end

#get_login_state(username, password) ⇒ Hash

Actually doing the login. Called by #attempt_login

Parameters:

• username (String) —

  The username to try

• password (String) —

  The password to try

Returns:

• (Hash) —

  • :status [Metasploit::Model::Login::Status]

  • :proof [String] the HTTP response body

# File 'lib/metasploit/framework/login_scanner/directadmin.rb', line 55

def get_login_state(username, password)
  # Prep the data needed for login
  sid       = get_last_sid
  protocol  = ssl ? 'https' : 'http'
  peer      = "#{host}:#{port}"
  login_uri = normalize_uri("#{uri}/CMD_LOGIN")

  res = send_request({
    'uri' => login_uri,
    'method' => 'POST',
    'cookie' => sid,
    'headers' => {
      'Referer' => "#{protocol}://#{peer}/#{login_uri}"
    },
    'vars_post' => {
      'username' => username,
      'password' => password,
      'referer' => '%2F'
    }
  })

  unless res
    return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.to_s}
  end

  # After login, the application should give us a new SID
  cookies = res.get_cookies
  sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
  @last_sid = sid # Update our SID

  if res.headers['Location'].to_s.include?('/') && !sid.blank?
    return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s}
  end

  {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s}
end