Class: Metasploit::Framework::LoginScanner::Zabbix

Inherits:

HTTP

• Object
• HTTP
• Metasploit::Framework::LoginScanner::Zabbix

Defined in:

lib/metasploit/framework/login_scanner/zabbix.rb

Overview

The Zabbix HTTP LoginScanner class provides methods to do login routines for Zabbix 2.4 and 2.2 as well as versions 3, 4, and 5.

Constant Summary

DEFAULT_PORT =

80

PRIVATE_TYPES =

[ :password ]

Constants inherited from HTTP

HTTP::AUTHORIZATION_HEADER, HTTP::DEFAULT_HTTP_NOT_AUTHED_CODES, HTTP::DEFAULT_HTTP_SUCCESS_CODES, HTTP::DEFAULT_REALM, HTTP::DEFAULT_SSL_PORT, HTTP::LIKELY_PORTS, HTTP::LIKELY_SERVICE_NAMES, HTTP::REALM_KEY

Instance Attribute Summary

• #version ⇒ String

  Product version.

• #zsession ⇒ String

  Cookie session.

Attributes inherited from HTTP

#digest_auth_iis, #evade_header_folding, #evade_method_random_case, #evade_method_random_invalid, #evade_method_random_valid, #evade_pad_fake_headers, #evade_pad_fake_headers_count, #evade_pad_get_params, #evade_pad_get_params_count, #evade_pad_method_uri_count, #evade_pad_method_uri_type, #evade_pad_post_params, #evade_pad_post_params_count, #evade_pad_uri_version_count, #evade_pad_uri_version_type, #evade_shuffle_get_params, #evade_shuffle_post_params, #evade_uri_dir_fake_relative, #evade_uri_dir_self_reference, #evade_uri_encode_mode, #evade_uri_fake_end, #evade_uri_fake_params_start, #evade_uri_full_url, #evade_uri_use_backslashes, #evade_version_random_invalid, #evade_version_random_valid, #http_password, #http_success_codes, #http_username, #keep_connection_alive, #kerberos_authenticator_factory, #method, #ntlm_domain, #ntlm_send_lm, #ntlm_send_ntlm, #ntlm_send_spn, #ntlm_use_lm_key, #ntlm_use_ntlmv2, #ntlm_use_ntlmv2_session, #uri, #user_agent, #vhost

Instance Method Summary

• #attempt_login(credential) ⇒ Result

  Decides which login routine and returns the results.

• #check_setup ⇒ Object
• #perform_login_attempt(url) ⇒ Object
• #send_request(opts) ⇒ Rex::Proto::Http::Response

  Sends a HTTP request with Rex.

• #try_credential(credential) ⇒ Rex::Proto::Http::Response

  Sends a login request.

• #try_login(credential) ⇒ Hash

  Tries to login to Zabbix.

Methods inherited from HTTP

#authentication_required?

Instance Attribute Details

#version ⇒ String

Returns Product version.

Returns:

• (String) —

  Product version

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 17

def version
  @version
end

#zsession ⇒ String

Returns Cookie session.

Returns:

• (String) —

  Cookie session

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 21

def zsession
  @zsession
end

Instance Method Details

#attempt_login(credential) ⇒ Result

Decides which login routine and returns the results

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Result)

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 27

def attempt_login(credential)
  result_opts = { credential: credential }

  begin
    status = try_login(credential)
    result_opts.merge!(status)
  rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error => e
    result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
  end

  Result.new(result_opts)
end

#check_setup ⇒ Object

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 42

def check_setup
  begin
    res = send_request({
      'uri' => normalize_uri('/')
    })
    return "Connection failed" if res.nil?

    if res.code != 200
      return "Unexpected HTTP response code #{res.code} (is this really Zabbix?)"
    end

    if res.body.to_s !~ /Zabbix ([^\s]+) Copyright .* by Zabbix/m # Regex check for older versions of Zabbix prior to version 3.
      if res.body.to_s !~ /href="http[sS]{0,1}:\/\/www\.zabbix\.com\/documentation\/(\d+\.\d+)\/">Help<\/a>/m
       return "Unexpected HTTP body (is this really Zabbix?)" # If both the regex for the old and new versions
                                                               # fail to match, the target likely isn't Zabbix.
      end
    end

    self.version = $1

  rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
    return "Unable to connect to target"
  end

  false
end

#perform_login_attempt(url) ⇒ Object

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 109

def perform_login_attempt(url)
  opts = {
    'uri'     => normalize_uri(url),
    'method'  => 'GET',
    'headers' => {
      'Cookie'  => "#{self.zsession}"
    }
  }
  send_request(opts)
end

#send_request(opts) ⇒ Rex::Proto::Http::Response

Sends a HTTP request with Rex

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP response

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 73

def send_request(opts)
  res = super(opts)

  # Found a cookie? Set it. We're going to need it.
  if res && res.get_cookies =~ /(zbx_session(?:id)?=\w+(?:%3D){0,2};)/i
    self.zsession = $1
  end

  res
end

#try_credential(credential) ⇒ Rex::Proto::Http::Response

Sends a login request

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Rex::Proto::Http::Response) —

  The HTTP auth response

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 88

def try_credential(credential)

  data  = "request="
  data << "&name=#{Rex::Text.uri_encode(credential.public)}"
  data << "&password=#{Rex::Text.uri_encode(credential.private)}"
  data << "&autologin=1"
  data << "&enter=Sign%20in"

  opts = {
    'uri'     => normalize_uri('index.php'),
    'method'  => 'POST',
    'data'    => data,
    'headers' => {
      'Content-Type'   => 'application/x-www-form-urlencoded'
    }
  }

  send_request(opts)
end

#try_login(credential) ⇒ Hash

Tries to login to Zabbix

Parameters:

• credential (Metasploit::Framework::Credential) —

  The credential object

Returns:

• (Hash) —

  • :status [Metasploit::Model::Login::Status]

  • :proof [String] the HTTP response body

# File 'lib/metasploit/framework/login_scanner/zabbix.rb', line 126

def try_login(credential)
  begin
    res = try_credential(credential)

    if res && res.code == 302
      res = perform_login_attempt('profile.php') # profile.php exists in Zabbix versions up to Zabbix 5.x
      if (res && res.code == 200 && res.body.to_s =~ /<title>.*: User profile<\/title>/)
        return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
      else
        res = perform_login_attempt('/zabbix.php?action=userprofile.edit') # On version 5.x and later of Zabbix, profile.php was replaced with /zabbix.php?action=userprofile.edit
        if (res && res.code == 200 && res.body.to_s =~ /<title>.*: User profile<\/title>/)
          return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
        end
      end
    end

    {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}

  rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
    return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e}
  end
end