Untitled

###############################################################################
# OpenVAS Vulnerability Test
# $Id$
#
# Graylog Default HTTP Login
#
# Authors:
# Tameem Eissa <tameem.eissa@greenbone.net>
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################


if (description)
{
 script_oid("1.3.6.1.4.1.25623.1.0.105756");
 script_version ("$Revision: 3477 $");
 script_tag(name:"cvss_base", value:"7.5");
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_name("Loxone Smart Home Default Admin HTTP Login");

 script_tag(name: "impact" , value:"Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.");
 script_tag(name: "vuldetect" , value:"Try to login with default credentials admin:admin");
 script_tag(name: "solution" , value:"Change the password");
 script_tag(name: "summary" , value:"The remote Loxone installation has default credentials set.");
 script_tag(name:"solution_type", value: "Workaround");

 script_tag(name:"qod_type", value:"remote_vul");

 script_tag(name:"last_modification", value:"$Date$");
 script_tag(name:"creation_date", value:"2016-08-31 13:18:59 +0200 (Wed, 31 Aug 2016)");
 script_summary("Try to login with admin:admin");
 script_category(ACT_ATTACK);
 script_family("Web application abuses");
 script_copyright("This script is Copyright (C) 2016 Greenbone Networks GmbH");
 script_dependencies("http_version.nasl");
 script_require_ports("Services/www", 12900);
 script_exclude_keys("Settings/disable_cgi_scanning");

 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("host_details.inc");
include("misc_func.inc");


url = "";
Banner = "";
http_port = "";

## Get HTTP Port
http_port = get_http_port(default:80);

## Confirm the application before trying exploit
#Banner = get_http_banner(port: http_port);
#display("Banner = ", Banner, "\");
#if(!Banner || "Server: Loxone" >!< Banner){
#  exit(0);
#}

user = "admin";
pass = "admin";
host = get_host_name();

rand = rand_str( length:17, charset: "0123456789");

#data = "admin&password= password";
#req = http_post_req( port:port,
#                     url:'/Login.html',
#                     data:data,
#                     accept_header:'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
#                     add_headers: make_array("Cookie", cookie + '; loginName=admin',
#                                             "Content-Type", "application/x-www-form-urlencoded") );
req = string("GET /jdev/sys/getkey?0.", rand, " HTTP/1.1\r\n",
               "Host: ", host,":",http_port, "\r\n",
               "Content-Type: application/x-www-form-urlencoded\r\n",
               "Content-Length: ", strlen(data), "\r\n"
               );
res = http_keepalive_send_recv( port:http_port, data:req, bodyonly:FALSE );
display ("req = ", req, "\n");
if ( res !~ "HTTP/1\.. 200"  || '{"LL": {' >!< res ) exit( 0 );
display ("res = ", res, "\n");
if ( res =~ '"LL": [{] "control": "dev/sys/getkey", "value": "([A-F0-9]+)", "Code": "200"}}') display ("success\n");

json_key = eregmatch (pattern: '"LL": [{] "control": "dev/sys/getkey", "value": "([A-F0-9]+)", "Code": "200"}}', string: res, icase:TRUE);
display ("json_key = ", json_key, "\n");
key = json_key[1];
display ("key = ", key, "\n");
username = "admin";
password = "admin";
protocol = HMAC_SHA1(data:username+":"+password, key: key);
display ("protocol = ", hexstr(protocol), "\n");

reqws = string("GET /ws HTTP/1.1", "\r\n",
	      "Host: ", host, "\r\n",
              "User-Agent: " , OPENVAS_HTTP_USER_AGENT , "\r\n",
              "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n",
              "Accept-Language: en-US,en;q=0.5\r\n",
              "Accept-Encoding: gzip, deflate\r\n",
              "Sec-WebSocket-Version: 13\r\n",
              "Origin: http://", host, "\r\n",
              "Sec-WebSocket-Protocol: ", hexstr(protocol), "\r\n",
              "Sec-WebSocket-Extensions: permessage-deflate\r\n",
#              "Sec-WebSocket-Key: kfMAoT7HICtP3U0v1AHkuw==\r\n",
              "Connection: keep-alive, Upgrade\r\n",
              "Pragma: no-cache\r\n",
              "Cache-Control: no-cache\r\n",
              "Upgrade: websocket\r\n");
display ("reqw s= ", reqws, "\n");
res = http_keepalive_send_recv( port:http_port, data:reqws, bodyonly:FALSE );
display ("reqws = ", reqws, "\n");


exit( 99 );