Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ###############################################################################
- # OpenVAS Vulnerability Test
- # $Id$
- #
- # Graylog Default HTTP Login
- #
- # Authors:
- # Tameem Eissa <tameem.eissa@greenbone.net>
- #
- # Copyright:
- # Copyright (c) 2016 Greenbone Networks GmbH
- #
- # This program is free software; you can redistribute it and/or
- # modify it under the terms of the GNU General Public License
- # as published by the Free Software Foundation; either version 2
- # of the License, or (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program; if not, write to the Free Software
- # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- ###############################################################################
- if (description)
- {
- script_oid("1.3.6.1.4.1.25623.1.0.105756");
- script_version ("$Revision: 3477 $");
- script_tag(name:"cvss_base", value:"7.5");
- script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
- script_name("Loxone Smart Home Default Admin HTTP Login");
- script_tag(name: "impact" , value:"Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.");
- script_tag(name: "vuldetect" , value:"Try to login with default credentials admin:admin");
- script_tag(name: "solution" , value:"Change the password");
- script_tag(name: "summary" , value:"The remote Loxone installation has default credentials set.");
- script_tag(name:"solution_type", value: "Workaround");
- script_tag(name:"qod_type", value:"remote_vul");
- script_tag(name:"last_modification", value:"$Date$");
- script_tag(name:"creation_date", value:"2016-08-31 13:18:59 +0200 (Wed, 31 Aug 2016)");
- script_summary("Try to login with admin:admin");
- script_category(ACT_ATTACK);
- script_family("Web application abuses");
- script_copyright("This script is Copyright (C) 2016 Greenbone Networks GmbH");
- script_dependencies("http_version.nasl");
- script_require_ports("Services/www", 12900);
- script_exclude_keys("Settings/disable_cgi_scanning");
- exit(0);
- }
- include("http_func.inc");
- include("http_keepalive.inc");
- include("host_details.inc");
- include("misc_func.inc");
- url = "";
- Banner = "";
- http_port = "";
- ## Get HTTP Port
- http_port = get_http_port(default:80);
- ## Confirm the application before trying exploit
- #Banner = get_http_banner(port: http_port);
- #display("Banner = ", Banner, "\");
- #if(!Banner || "Server: Loxone" >!< Banner){
- # exit(0);
- #}
- user = "admin";
- pass = "admin";
- host = get_host_name();
- rand = rand_str( length:17, charset: "0123456789");
- #data = "admin&password= password";
- #req = http_post_req( port:port,
- # url:'/Login.html',
- # data:data,
- # accept_header:'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
- # add_headers: make_array("Cookie", cookie + '; loginName=admin',
- # "Content-Type", "application/x-www-form-urlencoded") );
- req = string("GET /jdev/sys/getkey?0.", rand, " HTTP/1.1\r\n",
- "Host: ", host,":",http_port, "\r\n",
- "Content-Type: application/x-www-form-urlencoded\r\n",
- "Content-Length: ", strlen(data), "\r\n"
- );
- res = http_keepalive_send_recv( port:http_port, data:req, bodyonly:FALSE );
- display ("req = ", req, "\n");
- if ( res !~ "HTTP/1\.. 200" || '{"LL": {' >!< res ) exit( 0 );
- display ("res = ", res, "\n");
- if ( res =~ '"LL": [{] "control": "dev/sys/getkey", "value": "([A-F0-9]+)", "Code": "200"}}') display ("success\n");
- json_key = eregmatch (pattern: '"LL": [{] "control": "dev/sys/getkey", "value": "([A-F0-9]+)", "Code": "200"}}', string: res, icase:TRUE);
- display ("json_key = ", json_key, "\n");
- key = json_key[1];
- display ("key = ", key, "\n");
- username = "admin";
- password = "admin";
- protocol = HMAC_SHA1(data:username+":"+password, key: key);
- display ("protocol = ", hexstr(protocol), "\n");
- reqws = string("GET /ws HTTP/1.1", "\r\n",
- "Host: ", host, "\r\n",
- "User-Agent: " , OPENVAS_HTTP_USER_AGENT , "\r\n",
- "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
- "Accept-Language: en-US,en;q=0.5\r\n",
- "Accept-Encoding: gzip, deflate\r\n",
- "Sec-WebSocket-Version: 13\r\n",
- "Origin: http://", host, "\r\n",
- "Sec-WebSocket-Protocol: ", hexstr(protocol), "\r\n",
- "Sec-WebSocket-Extensions: permessage-deflate\r\n",
- # "Sec-WebSocket-Key: kfMAoT7HICtP3U0v1AHkuw==\r\n",
- "Connection: keep-alive, Upgrade\r\n",
- "Pragma: no-cache\r\n",
- "Cache-Control: no-cache\r\n",
- "Upgrade: websocket\r\n");
- display ("reqw s= ", reqws, "\n");
- res = http_keepalive_send_recv( port:http_port, data:reqws, bodyonly:FALSE );
- display ("reqws = ", reqws, "\n");
- exit( 99 );
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement