Class: Metasploit::Framework::LoginScanner::SyncoveryFileSyncBackup

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::SyncoveryFileSyncBackup

Defined in:

lib/metasploit/framework/login_scanner/syncovery_file_sync_backup.rb

Constant Summary

DEFAULT_PORT =

HTTP=8999; HTTPS=8943

8999

PRIVATE_TYPES =

[ :password ].freeze

LOGIN_STATUS =

Shorter name

Metasploit::Model::Login::Status

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Attempts to login to Syncovery File Sync & Backup Software.

• #check_setup ⇒ Boolean

  Checks if the target is Syncovery File Sync & Backup Software.

• #get_login_state(username, password) ⇒ Hash

  Actually doing the login.

• #get_version ⇒ String

  Gets the Syncovery version.

Methods inherited from HTTP

#authentication_required?, #send_request

Instance Method Details

#attempt_login(credential) ⇒ Result

Attempts to login to Syncovery File Sync & Backup Software. This is called first.

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Result) —

  A Result object indicating success or failure

# File 'lib/metasploit/framework/login_scanner/syncovery_file_sync_backup.rb', line 102

def attempt_login(credential)
  result_opts = {
    credential: credential,
    status: Metasploit::Model::Login::Status::INCORRECT,
    proof: nil,
    host: host,
    port: port,
    protocol: 'tcp'
  }

  begin
    result_opts.merge!(get_login_state(credential.public, credential.private))
  rescue ::Rex::ConnectionError => e
    # Something went wrong during login. 'e' knows what's up.
    result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
  end

  Result.new(result_opts)
end

#check_setup ⇒ Boolean

Checks if the target is Syncovery File Sync & Backup Software. The login module should call this.

Returns:

• (Boolean) —

  TrueClass if target is Syncovery, otherwise FalseClass

# File 'lib/metasploit/framework/login_scanner/syncovery_file_sync_backup.rb', line 16

def check_setup
  login_uri = normalize_uri("#{uri}/")
  res = send_request({ 'uri' => login_uri })

  if res && res.code == 200 && res.body.include?('Syncovery')
    return true
  end

  false
end

#get_login_state(username, password) ⇒ Hash

Actually doing the login. Called by #attempt_login

Parameters:

• username (String) —

  The username to try

• password (String) —

  The password or token to try

Returns:

• (Hash) —

  • :status [Metasploit::Model::Login::Status]

  • :proof [String] the HTTP response body or the session token

# File 'lib/metasploit/framework/login_scanner/syncovery_file_sync_backup.rb', line 49

def get_login_state(username, password)
  # Prep the data needed for login
  if username.present?
    # use username:password
    res = send_request({
      'uri' => normalize_uri("#{uri}/post_applogin.php"),
      'vars_get' => {
        'login' => username.to_s,
        'password' => password.to_s
      },
      'method' => 'GET'
    })
    unless res
      return { status: LOGIN_STATUS::UNABLE_TO_CONNECT }
    end

    # After login, the application should give us a new token
    # session_token is actually just base64(MM/dd/yyyy HH:mm:ss) at the time of the login
    json_res = res.get_json_document
    token = json_res['session_token']
    if token.present?
      return { status: LOGIN_STATUS::SUCCESSFUL, proof: token.to_s }
    end

    return { proof: res.to_s }
  else
    # no username => token is used as password
    res = send_request({
      'uri' => normalize_uri("#{uri}/profiles.json"),
      'vars_get' => {
        'recordstartindex' => '0',
        'recordendindex' => '0'
      },
      'method' => 'GET',
      'headers' => {
        'token' => password
      }
    })
    unless res
      return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s }
    end
    if !res.body.to_s.include? 'Session Expired'
      return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.body.to_s }
    end

    return { proof: res.body.to_s }
  end
end

#get_version ⇒ String

Gets the Syncovery version.

Returns:

• (String) —

  version if version was found, otherwise FalseClass

# File 'lib/metasploit/framework/login_scanner/syncovery_file_sync_backup.rb', line 30

def get_version
  globals = normalize_uri("#{uri}/get_global_variables")
  res = send_request({ 'uri' => globals })
  if res && res.code == 200
    json_res = res.get_json_document
    version = json_res['SyncoveryTitle']&.scan(/Syncovery\s([A-Za-z0-9.]+)/)&.flatten&.first || ''
    return version
  end

  false
end